Privacy Policy
This Privacy Policy explains how Hexram AS processes personal data when you visit our websites, contact us, request a proposal, or (where relevant) participate in travel services we arrange.
Data Controller
Hexram AS is the controller of your personal data.
Organisation number: 937 230 079
Business address: Josefines gate 2B, 0351 Oslo, Norway
Email: info@hexramtravel.com
What personal data do we collect
A) Contact form/direct contact
When you contact us (forms, email, phone, or social media), we may process: name, email, phone (if provided), and the content of your message (including any details you choose to share).
B) Website technical & usage data
To operate, secure, and understand overall use of our websites, limited data may be processed automatically (e.g., general browser/device info, language/approximate region, pages viewed, timestamps, cookie choices/identifiers). Our websites are built on Squarespace, which provides core site functionality and may provide basic analytics depending on configuration.
C) Business relationship & travel services (where applicable)
Depending on your relationship with us, we may process:
Proposal stage: name, contact details, location (if relevant), travel interests, budget indications, and details you share (including about other travelers, if you provide it).
Bookings/travel guests: contact details, preferred name (if provided), date of birth (when needed), address (when relevant), itinerary/logistics (accommodation, activities, transport), flight/transfer details (when relevant), travel insurance details (only if necessary), passport/ID details only when required, and preferences/special occasions you share.
Special category data: health/medical considerations, allergies/dietary needs, mobility needs, information about children, and waivers, only if you choose to provide it and it is necessary for safe/appropriate delivery.
Emergency contacts: name and phone number (and relationship, if provided).
Data minimisation: We aim to collect and share only what is relevant and proportionate for the purpose.
Social media links
Our websites link to our official LinkedIn and Instagram accounts, owned and managed by Hexram AS and our employees on behalf of the company. If you click those links, the third-party platform’s own privacy and cookie policies apply, and they may collect data using their own tracking technologies.
How we use your data
We use personal data to:
respond to inquiries and communicate with you
prepare proposals and administer our business relationship
arrange and deliver services (where applicable), including coordination with suppliers and logistics
operate, maintain, secure, and improve our websites (including basic analytics/insights)
comply with legal obligations and handle disputes/claims if needed
Legal bases (GDPR)
We process personal data based on one or more of the following legal bases, as applicable:
steps prior to entering into a contract / contract performance (e.g., proposals, bookings, service delivery)
legitimate interests (e.g., responding to inquiries, operating and securing our websites, business administration)
legal obligation (e.g., compliance and record-keeping where required)
consent (e.g., non-essential cookies; and where required for certain special category data)
vital interests (rare emergencies)
Special category data: Where we process special category data (e.g., health/allergies), we do so only when necessary and permitted, typically based on explicit consent and/or where required to protect vital interests in emergencies.
Cookies
Cookies support necessary site functions and (depending on configuration and your choices) performance/analytics. You can manage cookies via browser settings and our cookie banner/settings (if enabled). Third-party platforms (e.g., LinkedIn/Instagram) use their own cookies once you leave our websites.
Who we share personal data with (data flow)
We do not sell personal data.
To deliver proposals and services, we may share relevant personal data strictly as needed with:
operational service providers (e.g., website platform/hosting, IT support, security, analytics/insights)
travel suppliers (where applicable) such as accommodation, transport providers, guides, and activity operators. Only to the extent required to arrange and deliver the requested service
professional advisers (lawyers, accountants, auditors, insurers)
potential acquirers/investors (and advisers) in a transaction
authorities where required by law or valid/lawful requests
User acknowledgement: By engaging our services and providing personal data, you understand that this type of sharing may occur where it is necessary to perform our services and obligations.
If you provide data about others: If you share personal data about others, you confirm that you have the authority to share that information with Hexram for the relevant purpose.
International transfers
Some providers may process personal data outside the European Economic Area. Where this happens, we seek to ensure an appropriate level of protection by taking reasonable steps such as: assessing the transfer, choosing reputable providers, implementing available contractual/technical measures, and applying additional safeguards where appropriate.
Security
We use reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or alteration. No system is completely secure, but we work to reduce risk.
Retention
We keep personal data only as long as needed for the purposes above:
inquiries/proposals: typically 6-18 months after last contact
travel services (where applicable): as needed for delivery and follow-up/documentation
website/analytics: according to platform and configuration settings
legal/compliance: longer where required by law or for legitimate claim handling
Minors and age requirement
Our websites and contact forms are intended for adults. If you are under 18 years of age, please do not submit personal data to us or use our websites without the involvement and supervision of a parent or legal guardian.
Your rights
You may have rights to access, correct, delete, restrict, object, and (where applicable) data portability, and to withdraw consent. We normally respond within a couple of days. If needed, we may request information to verify your identity. You may complain to a supervisory authority (e.g., Datatilsynet in Norway).