withVR Privacy Policy


Please read this Privacy Policy, which is a legally binding agreement between you, the end user ("you"), and withVR BV and/or its affiliates (collectively, "withVR", "we" or"us"), carefully before using any withVR products and sharing your data.

withVR produces customizable virtual reality software for speaking situations. To do this, we create virtual reality environments that enable individuals to be exposed into speaking situations that they might fear or become anxious in. For withVR to function, we use state-of-the-art technology that communicates with devices across different physical and virtual (e.g. cloud) platforms. To make this all possible we collect and share some of your personal data. We are committed to your privacy. This statement informs you of the types of personal data we collect when you visit our websites and how we process them. With this privacy statement we also fulfill our duty to inform you pursuant to Art. 13 GDPR.

This implies that:

  • we process your personal data in accordance with the purpose for which it was provided, these goals and type of personal data are described in this Privacy Statement;

  • the processing of your personal data is limited to only those data that are minimally required for the purposes for which they are processed;

  • we ask for your explicit consent if we need it for the processing of your personal data;

  • we have taken appropriate technical and organizational measures to ensure the security of your personal data;

  • we do not share personal data with other parties, unless this is necessary to fulfill the purposes for which they were provided;

  • we are aware of your rights regarding your personal data, we want to respect them and inform you about them.

As withVR, we are responsible for the processing of your personal data. If after reviewing our Privacy Statement you have questions about the processing of your personal data or the exercise of your rights, you can contact us via the information below:

withVR BV

Jozef Hebbelynckstraat 21

Merelbeke 9820

hello@withvr.app

1. What is the scope of this privacy statement

This privacy statement applies to the personal data that we process as a data controller. It applies to the processing of personal data of our customers, consumers, suppliers, personnel, business partners … in relation to our products and services, as well as to the personal data of third parties that we have to process for the implementation of an agreement. This privacy statement applies when you visit our office or our website, when you subscribe to our newsletter, have an appointment with our representatives, or in any other way when using our products and services. We also try to process and secure the personal data of our prospects as carefully as possible, in accordance with our privacy statement.

This Privacy Policy addresses compliance with GDPR and FERPA. The Platform is not designed for processing Protected Health Information (PHI) under HIPAA, and users are advised not to upload PHI.

This Privacy Policy applies to all personal data processed by withVR, including cross-border data transfers. For users within the EEA, we ensure compliance with GDPR’s data transfer mechanisms, such as Standard Contractual Clauses (SCCs).

2. Which data do we collect and how?

It is not obligatory to communicate your personal data, but to provide you with the best experience we need you to create an account that contains your personal information. This way you can identify yourself to other users and claim your and your clients’ progress in your own name.

This account data includes private data that we will never share like your email address. Password, and date of birth. It also includes data that we will show to other users, like your first name and last name, country, etc.

This data is provided by you when creating and filling in your account. We also collect data that comes from you using the application. This includes private data like your clients and session reports that we will not share with other players unless you first give permission. You are of course free to share this with whomever you want.

The Platform is not intended for the collection or processing of Protected Health Information (PHI). Users are strongly advised against uploading such data. Any PHI uploaded or processed is done at the user's discretion and responsibility, outside the intended use of the Platform.

For educational settings, this may include student information classified as "educational records" under FERPA, such as names, grades, or other personally identifiable information (PII), only when shared in compliance with FERPA.

Personal data is processed based on the following lawful bases:

  • Consent: For features requiring explicit permission, such as subscribing to newsletters or using optional AI tools.

  • Contractual Necessity: To provide services or fulfill agreements with users.

  • Legal Obligations: To comply with GDPR, HIPAA, FERPA, or other applicable laws.

  • Legitimate Interests: For purposes like analyzing anonymized data to improve services, provided such processing does not override individual rights.

Public data that we will share consists of for example total sessions, duration in sessions, goal progress, avatars and spawn locations used, which commands (Animations, Emotions, Speaking, Sounds, etc.) were used, etc. We also collect anonymous data for analytical purposes on both our website and withVR application. This data is not used to identify users or clients, but to analyze and improve our services.

It is not our intention to process personal data of minors (persons under the age of 16)

2.1. Sensitive Data and Legal Restrictions

We strongly advise users not to upload, input, or share sensitive information, such as PHI or student educational records, unless explicitly authorized by applicable laws (HIPAA or FERPA). Any such data processed via our Platform must be handled in accordance with these legal requirements.

3. What do we do with that collected data?

We use the collected data to provide you with the best speaking situation experience possible. To do this, we give you an online identity with the data you provide us, so you can identify yourself and your clients. This helps us to differentiate user accounts and for you to differentiate your clients. You can also use this data to monitor your clients’ progress with the possibility to improve their experience using withVR. The anonymous data we collect is used for analytic purposes to keep improving our services.

Lastly, your private data will always remain private and is not shared in any way, shape or form.

We process your personal data for various purposes, but in every situation we only process the data that is minimally necessary to achieve the relevant goal. For example, the processing of your personal data is necessary:

  • for the preparation, execution or termination of our agreement or cooperation;

  • to comply with the legal or regulatory provisions to which we are subject;

  • for defending our legitimate interests, in which case we always aim for a balance between our interest and your privacy.

  • If the processing of your personal data is not necessary for one of these three reasons, we will always request your permission to process your data.

When using the AI features, such as ChatGPT or Whisper, some inputted and generated text may be stored in our database for functionality purposes. However, we cannot control what happens with data sent to these third-party services. Users should carefully consider the information they input, and no sensitive data should be entered unless necessary and authorized.

For users in the EEA, we process personal data in accordance with GDPR principles of transparency, purpose limitation, data minimization, and storage limitation.

3.1. Use of PHI and Educational Records

PHI is not collected, processed, or intended for use by the Platform. If PHI is inadvertently uploaded, it will be securely deleted upon identification and not processed or stored for any purpose.

4. Do we share data with third parties?

We are in the computer software business, not the data selling business. Therefore, we will never sell your data to any third parties.

We do use third party solutions to support our services, like Google Analytics for analytics, or Stripe for payments.

Third-party processors (e.g., Google Analytics, Stripe) are bound by Data Processing Agreements (DPAs) to ensure GDPR compliance. These agreements require them to implement appropriate technical and organizational measures to protect your data.

FERPA-protected data are never sold or disclosed to third parties for marketing purposes. Disclosure of such data is strictly limited to:

  • Legal Obligations: When required by law or a court order, we will disclose FERPA-protected data while ensuring compliance with the relevant legal framework.

  • Institutional Direction: FERPA-protected data will only be disclosed or accessed as directed by the educational institution or as required by law. Educational institutions are solely responsible for ensuring compliance with FERPA when using the Platform.

5. How long do we store your data?

We store and process the personal data for a period that is necessary in function of the purposes of the processing and in function of the (whether or not contractual) relationship that we have with you. Customer data and data from suppliers or subcontractors will in any case be removed from our systems after a period of ten years after the termination of the agreement or the project, except for personal data that we have to keep for a longer period of time on the basis of specific legislation or in case of an ongoing dispute for which we still need the personal data.

  • FERPA-protected records: Retained as directed by the educational institution or until the data is no longer needed for the purposes for which it was collected.


6. How do we protect your data?

We take the necessary technical and organizational measures to process your personal data with an adequate level of security and to protect it against destruction, loss, forgery, modification, unauthorized access or notification by mistake to third parties, as well as any other unauthorized processing of this data. In no case can withVR be held liable for any direct or indirect damage resulting from incorrect or unlawful use of the personal data by a third party.

6.1. Additional Safeguards for HIPAA and FERPA Compliance

  • HIPAA Compliance: We utilize administrative, technical, and physical safeguards to secure data. These include data encryption, access controls, and incident response procedures.

  • FERPA Compliance: We implement privacy and security measures to ensure that educational records are accessed and processed only by authorized individuals or entities as directed by the educational institution. FERPA-protected data will only be disclosed or accessed as directed by the educational institution or as required by law.


7. Your rights

In accordance with and under the terms of the Belgian privacy legislation and the provisions of the General Data Protection Regulation, we inform you that you have the following rights:

7.1. Right to be informed and access

You have the right to know at any time whether or not we process your personal data, and if we process them, to view these data and to receive additional information about:

  • the processing purposes;

  • the concerned categories of personal data;

  • recipients or categories of recipients (in particular recipients in third countries);

  • if possible, the retention period, or if this is not possible, the criteria for determining this period;

  • the existence of your privacy rights;

  • the right to file a complaint with the supervisory authority;

  • the information we possess about the source of the data in case we obtain personal data via a third party;

  • the existence of automated decision-making.

7.2. Right of rectification

You have the right to have incomplete, incorrect, inappropriate or outdated personal data corrected. In order to keep your data up-to-date, we request you to report any change, such as a move or the change of your e-mail address.

7.3. Rights under GDPR

  • Access and Portability: You have the right to access your personal data and, where technically feasible, request a copy in a structured, machine-readable format.

  • Right to Erasure ("Right to Be Forgotten"): You may request that we delete your personal data, subject to exceptions under GDPR, such as compliance with legal obligations.

  • Right to Restriction of Processing: You can request that we limit the processing of your personal data under certain circumstances, such as while a dispute about data accuracy is resolved.

  • Right to Object: You may object to the processing of your personal data for specific purposes, such as direct marketing, in line with GDPR requirements.

7.4. Rights under HIPAA

  • Access to data: You have the right to request access to any data we maintain about you. This includes the right to obtain a copy of your data in electronic or other formats, as required by HIPAA.

  • Amendment of data: You may request corrections to inaccurate or incomplete data maintained through the Platform, subject to certain limitations under HIPAA.

  • Accounting of Disclosures: You can request a report of certain disclosures of your data made by us in accordance with HIPAA.

7.5. Rights under FERPA

  • Access to Educational Records: Parents or eligible students (18 years or older) have the right to access student educational records processed through the Platform. Requests for access should be directed to the educational institution that uses the Platform.

  • Correction of Educational Records: Parents or eligible students may request corrections to inaccurate or misleading information in educational records in compliance with FERPA.

7.6. Right to erasure

You have the right to have your personal data deleted in the following cases and without unreasonable delay:

  • your personal data is no longer required for the purposes for which they were collected or otherwise processed by withVR;

  • you withdraw your prior consent to the processing and there is no other legal basis that withVR can rely on for (further) processing;

  • you object to the processing of your personal data and there are no more serious, justified grounds for the (further) processing by withVR;

  • your personal data is processed unlawfully;

  • your personal data must be deleted in order to comply with a legal obligation;

  • your personal data was collected when you were still a minor.

Please note that we cannot always delete all requested personal data, e.g. when the processing is necessary for the notification, exercise or substantiation of a legal claim. We will inform you of this via an answer to your request.

7.7. Right to data portability

This gives you the right to ‘recover’ your personal data. This is only possible for personal data that you have provided to withVR yourself, based on your permission or after an agreement. In all other cases you cannot exercise this right (eg when the processing takes place on the basis of a legal obligation). For example, there are two aspects to this right:

  • you can request withVR to recover your personal data in a structured, common and machine-readable form; and

  • you can request withVR to pass the personal data directly to another controller. You are responsible for the correctness and security of the (email) address you provide for the transfer. If the transfer proves technically impossible, withVR has the right to refuse this.

7.8. Right to object the processing of your data

You have the right to object to the processing of your personal data for serious and legitimate reasons. Please note, however, that you cannot oppose the processing of personal data that is necessary for us to perform a legal obligation, the execution of the agreement or when it is in our legitimate interest, and this for as long as this information is necessary for the purposes for which they were collected.

7.9. Right to withdraw consent

If the processing of the personal data is based on the prior consent, you have the right to withdraw this permission. Your personal data will then only be processed if we have a different legal basis for this.

7.10. Automated individual decision-making, including profiling

We confirm that the processing of personal data does not include profiling and that you are not subject to fully automated decisions.

If you have a remark or complaint about the processing of your personal data or the exercise of your rights, we ask you to contact us directly. In addition, you always have the right to file a complaint with the Data Protection Authority (formerly Privacy Commission), which is the supervisory authority in the area of privacy protection.

7.11. Exercising Your Rights

To exercise your rights under GDPR (e.g., access, rectification, deletion), you may contact us at legal@withvr.app. We will respond to your request within one month of receipt, as required by law.

7.12. Right to request deletion of AI-generated data

You have the right to request deletion of any data stored in our database that was inputted or generated through the use of AI features, such as ChatGPT or Whisper. However, please note that we do not have control over the deletion of data sent to third-party services like ChatGPT or Whisper. For data processed by these third parties, you must refer to their privacy policies for further information.

Gegevensbeschermingsautoriteit

Drukpersstraat 35

1000 Brussel

Phone: +32 (0)2 274 48 00

e-mail: contact@apd-gba.be

8. Data Breach Notification

In the event of a data breach affecting personal data or educational records protected under FERPA, we will notify affected individuals, relevant institutions, and authorities as required by GDPR, HIPAA, and FERPA.

  • GDPR Compliance: We will notify affected users and the relevant Data Protection Authority (DPA) within 72 hours of becoming aware of a personal data breach, as required under GDPR.

  • HIPAA Compliance: We will notify affected individuals and the U.S. Department of Health and Human Services (HHS) within 60 days of discovering a breach.

  • FERPA Compliance: For breaches involving educational records, we will work with the educational institution to ensure affected parents or eligible students are notified promptly, as required under FERPA.

In FERPA-related breaches, we will work closely with the relevant educational institution to ensure timely and effective notifications, as FERPA requires institutions to lead breach communications with parents or eligible students.

9. What if the privacy policy changes?

We update this privacy policy to stay transparent with our users. Should major changes be made, we will send out an email detailing these changes.

10. Contact information

For questions regarding GDPR, HIPAA or FERPA compliance, please contact our Compliance Officer at legal@withvr.app.

VR speaking situations for speech and voice therapists

Learn more

VR speaking situations for researchers

Learn more