Therapy withVR

Privacy Policy

This Privacy Policy explains how Therapy withVR, operated by withVR BV, collects, uses, stores, and protects your personal data when you use the Therapy withVR platform. It also explains your rights under applicable data protection law.

withVR BV is the data controller for personal data processed through the platform. withVR BV has not appointed a Data Protection Officer as it does not meet the thresholds requiring such an appointment under GDPR Article 37. For all data protection matters, contact legal@withvr.app. If you have questions about this policy or wish to exercise your rights, contact us at:

1. Scope of This Policy

This policy applies to all personal data processed by withVR BV in connection with the Therapy withVR platform, including the Web App and the VR App (installed on Meta Quest headsets). It applies to:

• Customers, users, and account holders who use the platform
• Individuals whose data is entered into the platform by a user (such as pseudonymized client profiles)
• Visitors to withvr.app
• Business partners, researchers, and institutions who contract with withVR BV

This policy applies to users worldwide, including those in the European Economic Area (EEA), the United Kingdom, the United States, and other jurisdictions. Where different rules apply based on location, those differences are noted in the relevant sections below.

2. What Data We Collect and How

2.1 Account data

When you create an account, we collect the following:

2.2 Profile data (pseudonymized)

Within the platform, you can create profiles representing the individuals you work with. We strongly recommend using a pseudonym, initials, or a reference code rather than a real name.

2.3 Session data

Every session generates an automatically created log. This log contains:

• Session start and end times, and duration
• Which avatars were used and where they were placed
• Avatar emotions and animations triggered during the session
• Sentences sent to the person inside VR, and sounds played
• Goal ratings (if entered)
• Session configuration settings

2.4 AI feature data

If you activate OpenAI features (translation, text generation, autocorrect, Whisper speech recognition, speaker grammar, formality, or emotional speech), text you enter into AI-powered fields is sent to OpenAI for processing via their API. Some of this input and generated text may also be stored in the Therapy withVR database for operational purposes.

Avatar voices are always generated using Google Text-to-Speech, regardless of whether OpenAI features are enabled. Text strings for voice synthesis are sent to Google for this purpose.

Do not enter client names, patient information, or any personally identifiable information into AI-powered text fields. These features are designed for generating conversation content, not for processing personal data about the individuals you work with.

2.5 Technical and usage data

We collect limited technical data to operate and improve the platform, including:

• Browser type and operating system (for compatibility purposes)
• Platform version information
• Anonymized usage analytics (via Google Analytics 4 on withvr.app). GA4 does not store full IP addresses; IP data is used only during collection for approximate geolocation and is not retained or accessible in reports
• Internal platform analytics: account activity data (including login frequency, last active timestamps, subscription status, and feature usage patterns) is exported from Firebase to Google BigQuery for internal analysis. This data is used to understand how the platform is used, to monitor subscription status, and to improve the service. This processing takes place entirely within Google Cloud infrastructure under the same Data Processing Agreement. The data is accessed only by withVR BV and is not shared with third parties

Anonymous website analytics data (Google Analytics) is not used to identify individual users. Internal platform analytics data does contain account information but is used only for service operation and improvement, and is processed under the legitimate interest legal basis (Art. 6(1)(f) GDPR). You may object to this processing at any time (see Section 9).

2.6 Data we do not collect

The following data is never collected by the Therapy withVR platform:

• Audio or video recordings of sessions
• Speech samples or recordings from the person inside VR
• Biometric data from VR headset sensors (head tracking data is processed locally by the Meta Quest device and is not transmitted to or stored by withVR)
• Protected Health Information (PHI) - the platform is not designed to receive or process PHI
• Student educational records - the platform is not designed to receive or process such records
• Precise location data
• Financial payment data (payments are processed by Stripe; withVR does not store card details)
• Special category data as defined under GDPR Article 9 (health data, biometric data, data revealing racial or ethnic origin, religious beliefs, etc.) - the platform is not designed to receive or process such data

3. Legal Basis for Processing (GDPR)

For users in the EEA and the UK, we process personal data on the following legal bases under Article 6 of the GDPR and UK GDPR:

Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 9).

4. AI Features and Third-Party AI Processing

Therapy withVR includes AI-powered features. This section explains what those features are, which providers process data, and how your data is handled.

4.1 Avatar Voices: Google Text-to-Speech

All avatar speech inside VR is generated using Google Text-to-Speech. When an avatar speaks, the text of what they say is sent to Google's Cloud Text-to-Speech API, which converts it to spoken audio.

The person inside VR hears a synthetic voice, not a human recording. This applies to all avatar speech, regardless of whether optional OpenAI features are enabled.

Text sent to Google for voice synthesis is processed in accordance with Google Cloud's data processing terms. Google does not use this data to train its models.

4.2 Optional OpenAI features

The following features are optional and off by default. They are only activated when the user deliberately enables them in the platform Settings:

Text entered into these features is processed via the OpenAI API. Under OpenAI's API data usage policy, data submitted via the API is not used to train or improve OpenAI's models by default.

No client names, session recordings, or personally identifiable information about the individuals you work with are sent to OpenAI or Google as part of normal platform operation. You are advised not to enter identifiable information into any AI-powered text field.

4.3 AI feature data deletion

You may request deletion of any input or generated text stored in the Therapy withVR database as a result of using AI features. Contact legal@withvr.app to make this request.

Therapy withVR cannot control or delete data that has already been processed by OpenAI's or Google's own systems. For data held by those providers, refer to their respective privacy policies.

5. Third Parties and Data Sharing

We are in the software business, not the data-selling business. We will never sell your personal data to any third party.

We use the following third-party services to operate the platform. Each acts as a data processor under a Data Processing Agreement (DPA) or equivalent contractual arrangement:

A full, maintained sub-processor list is available at withvr.app. We will notify you at least 30 days before adding a new sub-processor.

We may disclose personal data to competent authorities where required by law or by a binding court order. We will inform you of any such disclosure unless we are legally prohibited from doing so.

6. How Long We Retain Your Data

We retain personal data for the minimum period necessary for the purpose for which it was collected, and in accordance with applicable law. The following retention periods apply:

Data is deleted or anonymized at the end of the applicable retention period unless a longer period is required by specific legislation or for the resolution of an ongoing legal dispute. You will be informed if this applies to your data.

You may request early deletion of your personal data at any time (see Section 9). Some data cannot be deleted before the end of the retention period where required by law.

7. International Data Transfers

All platform data is stored on Google Cloud servers in Frankfurt, Germany, within the European Economic Area. This means your core account and session data is stored within the EU and benefits from GDPR protections without requiring additional transfer mechanisms.

7.1 Transfers to OpenAI (United States)

When optional OpenAI features are activated, text entered into AI-powered fields is transferred to OpenAI servers in the United States. This transfer is governed by Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c), providing appropriate safeguards for EEA-to-US data transfers.

7.2 Transfers to Stripe (United States)

Payment processing may involve data transfers to Stripe's US infrastructure. Stripe operates under Standard Contractual Clauses and participates in the EU-US Data Privacy Framework where applicable.

7.3 UK users

Therapy withVR processes personal data of UK residents in accordance with the UK GDPR and the Data Protection Act 2018. The legal bases for processing under UK GDPR are equivalent to those described in Section 3. For transfers of UK personal data to third countries (including the US), we rely on the UK's International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, as applicable.

UK residents have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113.

8. How We Protect Your Data

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These include:

• All data stored on Google Cloud servers in Frankfurt, Germany, benefiting from Google’s enterprise-grade security infrastructure. All data at rest in Google Cloud Firestore is encrypted using AES-256, managed by Google Cloud’s default encryption infrastructure
• Application-level AES-256 encryption of profile names with unique initialization vectors per record, providing an additional layer of protection beyond infrastructure-level encryption
• All data in transit encrypted using TLS 1.2 or higher
• Firebase Authentication manages all login credentials - withVR never has access to user passwords
• Administrative access to the Firebase project is restricted to a single individual (the founder). No other personnel or third parties have direct access to the production database or infrastructure. Multi-factor authentication on administrative accounts is planned
• No audio or video recordings stored - session data is limited to text labels and timestamps
• Regular security monitoring and patch management in accordance with the withVR Patch Management Policy. withVR BV can provide documentation to support institutional Data Protection Impact Assessments (DPIAs) under GDPR Article 35 on request. Contact legal@withvr.app
• Cloud Audit Logs enabled across the production Firebase project, capturing administrative actions and customer-data operations on Cloud Firestore, Cloud Storage for Firebase API, and Google Cloud Storage. Logs are retained per Google Cloud's default retention policy (400 days) and used solely for security incident investigation and compliance verification under GDPR Article 32.

No transmission of data over the internet is completely secure. While we take all reasonable steps to protect your personal data, we cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority as described in Section 10.

9. Your Rights

Under the GDPR and UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at legal@withvr.app. We will respond within one month of receiving your request.

Please note that some rights cannot be exercised in all circumstances - for example, we may be unable to delete data that we are required by law to retain, or where the data is necessary for a legal claim. We will inform you if this applies.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, withVR will:

• Notify the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit (GBA)) within 72 hours of becoming aware of the breach
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Notify affected UK users and the Information Commissioner's Office (ICO) in accordance with UK GDPR requirements
• Document all breaches internally, including those that do not require notification

Breach notifications to users will include: the nature of the breach; the categories and approximate number of personal data records affected; the likely consequences; and the measures we have taken or propose to take to address the breach.

To report a suspected security issue, contact legal@withvr.app.

11. Children and Minors

The Therapy withVR platform is intended for use by professionals aged 18 or over. User accounts may only be created by individuals who are at least 18 years old and have the legal capacity to enter into a binding agreement.

The platform may be used by clinicians, educators, and researchers in sessions with minors under professional supervision. In such cases, the supervising professional is responsible for ensuring that appropriate parental or guardian consents are in place and that no personally identifiable information about the minor is entered into the platform.

In some EU member states, the GDPR sets a digital consent age of 13-16 for data processing by online services. This applies to the minor's own consent over their personal data, and is separate from the requirement that account holders be at least 18 years old.

Users in US educational settings working with children under 13 are responsible for compliance with the Children's Online Privacy Protection Act (COPPA). The platform is not designed to collect personal data directly from children under 13.

If you believe a minor has created an account or that data relating to a minor has been entered into the platform without appropriate authorization, please contact legal@withvr.app and we will take appropriate action.

12. Healthcare Users: HIPAA

Therapy withVR is not a HIPAA covered entity and does not function as a business associate under the Health Insurance Portability and Accountability Act (HIPAA). The platform is architected so that Protected Health Information (PHI) does not enter the system.

For users in US healthcare settings, this means that Therapy withVR falls outside the scope of your Business Associate Agreement requirements. The platform is designed as a practice environment, not a clinical records system. No clinical notes, diagnoses, patient identifiers, or health records are stored.

Users in US healthcare settings are responsible for ensuring that no PHI is entered into the platform. If PHI is inadvertently submitted, contact legal@withvr.app immediately and we will take steps to identify and securely delete it.

13. Educational Users: FERPA

FERPA (Family Educational Rights and Privacy Act) obligations rest with educational institutions, not with vendors. Therapy withVR is not directly subject to FERPA. The platform is designed so that student educational records do not need to enter the system.

For users in US educational settings, the platform is designed to support FERPA-compliant use. withVR will work with institutions to address their specific FERPA requirements on request. Contact legal@withvr.app.

FERPA-protected data is never sold or disclosed to third parties for any commercial purpose. Any disclosure is strictly limited to legal obligations or institutional direction.

14. Cookies

The Therapy withVR platform and website use cookies. A separate Cookie Policy, available at withvr.app, explains what cookies are used, their purpose, how consent is obtained, and how to manage your cookie preferences.

Non-essential cookies (including analytics cookies) are only set after you have given your consent through our cookie consent mechanism.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the platform, or applicable law. If we make material changes, we will notify you at least 30 days before the changes take effect, by email and/or by an in-platform notification.

Your continued use of the platform after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you should stop using the platform before the effective date.

The version number and effective date at the top of this policy identify the version you are reading. Previous versions are available on request.

16. Contact and Complaints

For any questions, requests, or concerns about this Privacy Policy or the processing of your personal data:

You also have the right to lodge a complaint with the supervisory authority in your country. In Belgium, this is the Gegevensbeschermingsautoriteit (GBA). In the UK, this is the Information Commissioner's Office (ICO). Contact details are provided in Section 10.

withVR BV · Jozef Hebbelynckstraat 21, Merelbeke 9820, Belgium · legal@withvr.app · withvr.app