Privacy Policy

Intro
Please note that all mentions to "Facebook" apply the same to Facebook's new company name "Meta". Oculus belongs to Meta as well.

Data protection information 
Protecting your data is very important to us. To ensure transparent cooperation, we draw your attention to important processing activities and special features. To be able to use our services, please purchase and download our apps, once available, from the Oculus Store and/or App Lab from Facebook. Data processing and payment procedures are carried out exclusively via Oculus/Facebook. We do not collect or receive any personal data from you here. Further information on data protection from Oculus can be found at https://www.oculus.com/legal/privacy-policy.       

Purpose and legal basis of data processing 
Data processing at immerVR GmbH is carried out to provide apps and services for immersive media in accordance with Article 6 (1) (b) of the GDPR for pre-contractual or contractual measures. These include: 
• answering enquiries 
• administration
• offer preparation, contract processing and order processing 
• providing the platform 
• maintaining business relationships      

  As a company, we are subject to different legal obligations. In order to fulfil these obligations, it may be necessary to process personal data in the public interest pursuant to Article 6 (1c) of the GDPR or Article 6 (1e) of the GDPR. 
• control and reporting obligations 
• creditworthiness, age and identity checks 
• prevention of criminal acts   

  Controller pursuant to Article 4(7) EU General Data Protection Regulation (GDPR)
immerVR GmbH 
Im Zollstock 12
91093 Hessdorf
Germany
Daniel Pohl
su  ort@immervr.com 
If you have any questions about our data protection, please email us.   

  Scope 
These data protection information shall apply to the following offers and relevant subpages: 
https://www.immerVR.com
https://www.linkedin.com/company/immerVR
https://twitter.com/immerVR 
https://www.youtube.com/immerVR
https://www.facebook.com/immerVR    

- whenever reference is made to this data protection information from one of our services, regardless of how you call it up or use it.    

Collection of personal data in our apps: immerGallery, immerGallery Demo and future apps
We are working with Facebook’s Oculus Store and Facebook's App Lab. We collect, process and store the following data from you and use it for the purpose of improving our apps, e.g. fixing a bug or creating a better user experience. In our apps, you can submit an internal developer log file with a current screenshot of the usage of our app to us, e.g. in the case a failure happens inside the app and you want to notify us about it. The legal basis is Article 6 (1) (b) of the GDPR.  
• IP address, for the purpose of knowing if the report comes from the same user within keeping the same IP address    
• submission date, time and time zone for the purpose of knowing when incidents/bugs happened
• data in the app log file might reveal used path and file names on the system where the app is running for the purpose of understanding as developer from which location which files were loaded. It contains the used version number of the app for the purpose of knowing in which app version the incident/bug happened. It might contain which buttons and interactions happened during the app usage, which virtual reality system is used with what kind of input controllers for the purpose of reconstructing what lead to the incident/bug. Furthermore, the used screen frequency is shown and the status of relevant Android permissions to run the app for reconstructing the environment settings for the incident/bug. HMD-specific events like HMDAcquired, HMDMounted, VrFocusAquired, TrackingAquired, and according lost events are stored in the log file for reconstructing the scenario of the incident/bug. Recentering events and the result of the Oculus user entitlement check are stored for reconstructing the events. If a local config file is used for the app, the values of that config file are transmitted, e.g. keeping the option "FloorFor2D" enabled during program restarts for the purpose of replicating the same settings when the incident/bug happened. System memory statistics like the total amount of reserved memory, texture memory, texture count, frame rate, frame time, draw call, number of triangles, amount of mesh memory, CPU and GPU levels over time and the status of the internal garbage collection can be included in the log files for giving the developers an overview of the system status and resources. Results of the recognition of the voice control might be included in the log files, but no audio data for the purpose of improving voice control with wrongly detected inputs. Statistics about the app usage, e.g. the number of app starts or the usage time of the app over multiple sessions might be included when sending the log file for the purpose of giving further information for debugging issues.
• the screenshot shows what the user is currently seeing, e.g. a photo, for the purpose of having a visual representation of what the user saw during the bug/incident


During run-time, the app itself is not using user-specific data by itself (excluding of course user inputs or content provided by the user). However, the requried call to the Oculus Entitlement check might internally use user data to verify the entitlement status. We do not have access to that user-specific data, please refer to the Oculus Store, Oculus Terms and Conditions and Oculus Privacy Policy for further information.

Voice control in the apps are executed locally. No audio is submitted to a cloud or another server. As mentioned above, we might store the recognized voice controls as text in the log file, which is only sent upon the user's explicit and voluntary command to us.

In the case where we have user-specific data from you, you can request that data by contacting us at the address (see email above or postal address) above while providing evidence of your user identity. Furthermore, you can request that your user-specific data is deleted through contacting us through the email address mentioned above.

As determined by the Oculus Store, Oculus Terms and Conditions and Oculus Privacy Policy, Oculus/Facebook/Meta might collect data from you automatically while using our app. We do not have influence on this and cannot enable or disable this. Data might include: user ratings of the app, time spent in the app, if user has been using the app within the last 28 days, averaged data over multipe users regarding age, gender, country, region and similiar properties. Furthermore, crash statistics might be automatically created by Oculus/Facebook/Meta and include information about the used devices (e.g. Quest, Quest 2), regions of the user and so on. We do not have influence on this and cannot enable or disable this. 

Our virtual reality apps are based on the Unity game engine. We do not have influence on this or access to the data, but Unity might do the following: Unity has collected some or all of the following information about your device: unique device identifiers (e.g., IDFV for iOS devices and Android ID for Android devices); IP address; country of install (mapped from IP address); device manufacturer and model platform type (iOS, Android, Mac, Windows, etc.) and the operating system and version running on your system or device; language; CPU information such as model, the number of CPUs present, frequency, and instruction set support flags; the graphics card type and vendor name; graphics card driver name and version (e.g., “nv4disp.dll 6.10.93.71”); which graphics API is in use (e.g., “OpenGL 2.1” or “Direct3D 9.0c”); amount of system and video RAM present; current screen resolution; version of the Unity Editor used to create the game; sensor flags (e.g., device support for gyroscope, touch pressure or accelerometer); application or bundle identification (“app ID”) of the game installed; unique advertising identifiers provided for iOS and Android devices (e.g., IDFA or Android Ad ID); and a checksum of all the data that gets sent to verify that it transmitted correctly.


Collection of personal data upon contact
 
If you email us or contact us via the contact form, we process and store the following data from you and use it to answer your enquiry. The legal basis is Article 6 (1) sentence 1 (b) of the GDPR: 
• first name, surname 
• email address 
• email receipt date 
• time zone difference to Greewich Mean Time    

Collection of personal data upon visit to our website 
(1) When using the website merely for information purposes, i.e. if you do not register or otherwise provide us with information, we shall collect only the personal data that your browser sends to our server. If you would like to look at our website, we will collect the following data, which are technically necessary for us to notify you of our website and to ensure stability and security (the legal basis is Article 6 (1) sentence 1 (f) of the GDPR): 
– IP address 
– date and time of the request 
– time zone difference to Greenwich Mean time (GMT) 
– content of the request (specific page) 
– access status/HTTP status code 
– data transferred in each case 
– the website from which the request originates 
– browser 
– operating system and its surface 
– language and version of browser software. 
(2) We do not use cookies for our website. 
(3) We do not use tracking technologies. 
(4) No automated decision-making, known as profiling, takes place during the visit to our website. 
(5) We process your personal data only for the purpose specified here. Any further processing for other purposes requires your prior consent.       

  Collection of personal data under Submit your photo 
Under “Submit your photo”, you can submit your photo using the form provided at that site. We might select it and publish it either in our apps or on this website or on our image servers. Please note our content guidelines and copyright requirements. The legal basis is Article 6 (1) (b) of the GDPR. 
• IP address 
• email address 
• name or pseudonym 
• GPS data, if applicable
• other image or audio meta data, if applicable
• submission date, time and time zone

You can choose whether your name should be displayed before publication. We inform you that all the images you make available to immerVR GmbH are handed over to us with their rights to commercial use including advertisements and usage in our apps. You are responsible for clarifying the image rights in advance. Please take note of our content guidelines.   

  Collection of personal data in the application procedure 
Personal data you submit to us as part of an application will be collected and processed for the purpose of processing the application procedure. Your personal data will only be processed for processing your application and not for other purposes. Processing is carried out for the purpose of fulfilling the contract or for legitimate reasons pursuant to Article 6 (1) sentence 1 (b) or (f) of the GDPR. Should you voluntarily inform us of special categories of personal data pursuant to Article 9 of the GDPR, such as severely disabled status, processing will be carried out on the basis of Article 9(2)(b) of the GDPR, as the processing of such data is necessary for the exercise of the profession. If we ask you for special categories of personal data pursuant to Article 9 of the GDPR, the processing will be carried out on the basis of your consent pursuant to Article 9(2)(a) of the GDPR. Electronic processing is possible, especially for applications received by electronic means such as e-mail or the contact form on the website. If the application is transferred to an employment relationship, the application documents will be stored for the purpose of processing the employment contract. In the event of no employment relationship, the application documents shall be automatically deleted three months after the application procedure has been completed, unless justified interests under Article 6 (1) sentence 1 (f) of the GDPR preclude their erasure. Such a legitimate interest exists, for example, where proceedings are pending under the General equal treatment Act (AGG). In this case, we will store the data until the procedure is completed. You can also give us your consent for an extended storage period for your applicant data so that we can take you into account for the future when awarding a job.   

  Objection under Article 6 (1) (b) of the GDPR (for Submit your photo) 
In the above cases, you will be able to make use of your objection in connection with the processing described below (possibly for part of the data). To do this, send us an email to the address above. We inform you that the objection does not affect the lawfulness of the processing carried out. As a security measure, when submitting a photo to us, we assign an identification number to the holder. Using this number is the required to object.    

Transmission of data 
Our hosting provider Strato, based in Germany, and those divisions and employees of immerVR GmbH will receive the data they need to fulfil their contractual and statutory obligations and legitimate interests. In addition, processors commissioned by us (especially it service providers) receive your data if and to the extent that they need the data to perform their respective services. Where there are legal obligations or legitimate interests, public bodies (e.g. courts, authorities) may be recipients of their personal data. Recipients may also be third parties to whom we have referred to the above. Your data will only be passed on to third parties on the basis of the above legal basis. Furthermore, no data will be passed on to third countries. 

   Recipients of personal data 
Recipient category: 
External content providers providing content (e.g. images, videos, embedded posting from social networks, promotional banners, fonts, updates) required to display the service 
Data concerned: access data 
Legal basis: Article 6(1)(f) of the GDPR 
Legitimate interest: proper function of services; (accelerated) presentation of content 

Recipient category: 
IT security service providers 
Data concerned: access data 
Legal basis: Article 6(1)(f) of the GDPR 
Legitimate interest: Preventing attacks by exploiting security gaps/vulnerabilities    

Newsletter dispatch 
With your consent, you can subscribe to our newsletter informing you about news from immerVR GmbH. We use the double opt-in procedure to register for our newsletter. This means that after registering, we will send you an email to the email address in which we request confirmation that you wish to send the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. We also store your IP addresses and dates for logging in and confirmation. The purpose of the procedure is to provide evidence of your registration and, if necessary, to investigate possible misuse of your personal data. The only requirement for sending the newsletter is your email address. The provision of other separately marked data is voluntary and is used to address you in person. Once you have been confirmed, we will save your email address for the purpose of sending the newsletter. The legal basis is Article 6 (1) sentence 1 (a) of the GDPR. You can revoke your consent to sending the newsletter at any time and order it. You can explain the revocation by clicking on the link provided in each newsletter email or by sending an email to our email address mentioned above or by sending a message to the contact details specified in the publishing details. Please note that we will evaluate your user behaviour when sending the newsletter. For this evaluation, the emails sent contain web beacons or tracking pixels that represent one-pixel image files stored on our website. For the purposes of the evaluations, we link the data listed above under “visit to our website” and the web beacons with their email address and an individual ID. The data will only be collected in pseudonymised form, so IDs will not be linked to your other personal data, and direct personal connections will not be possible. You can object to this tracking at any time by clicking on the separate link provided in each email or displaying us about one that is not complete, and you may not be able to use all the functions. If you have the images displayed manually, the above-mentioned tracking takes place. Information from the provider: Sendinblue GmbH, Köpenicker Str. 126 in 10179 Berlin. Further information on the purpose and scope of data collection and its processing can be found in the data protection notices. You will also find further information on your rights and the protection of your privacy here: https://de.sendinblue.com/datenschutz-uebersicht/    

Facebook / Meta 
Name and address of controllers pursuant to Article 26 of the GDPR 
Jointly responsible for the operation of this Facebook page are in the interests of the EU, Basic data Protection Regulation and other data protection provisions: Facebook Ireland Ltd. (hereinafter referred to as “Facebook”), 4 Grand Canal Square, Grand Canal Harbour in Dublin 2 Ireland and immerVR GmbH, Im Zollstock 12 in 91093 Hessdorf/Germany, Daniel Pohl - email address mentioned above. 

Below we will inform you about the processing of personal data specifically for our Facebook page. 
We operate this page to draw attention to our services and products, to have you as visitors and users of this Facebook page, and to enable contact through our website. Further information about us and you can find out more about our activities within the company on our website under www.immervr.com. As operators of the Facebook page, we have no interest in the survey and further processing of your individual personal data for analysis or marketing purposes. The operation of this Facebook page, including the processing of personal data is provided on the basis of our legitimate interests in contemporary and supportive information and interaction opportunities for and with our users and visitors in accordance with Article 6 (1) (f) of the GDPR. 

Processing of personal data by Facebook 
In its judgment of 5 June 2018, the European Court of Justice (ECJ) ruled that: http://www.curia.europa.eu/juris/document/document.jsftext=&docid=202543&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=298398 that the operator of a Facebook page is jointly responsible with Facebook for processing personal data. We know that Facebook uses users’ data for advertising (analysis, production of personalised advertising), user profiling and market research. Facebook sets cookies for storing and further processing this information a, that is to say, small text files which appear on the various user devices be stored. If the user has a Facebook profile and if logged in, storage and analysis will also be carried out across all devices. The Facebook Privacy Policy contains further information on: Data processing: https://www.facebook.com/about/privacy/ 
Options for objecting (so-called opt-out) can be found here: https://www.facebook.com/settings?tab=ads and set http://www.youronlinechoices.com here. Facebook Inc., the US parent company Facebook Ireland Ltd., has been under the EU U.S. Privacy Shield since 2020-07-16 following a ruling by the European COURT of Justice. certified. It cannot be guaranteed that your data will not be transmitted to the United States and that it will be subject to our European level of data protection. We are currently examining the possibilities of other legal bases. The transmission and further processing of users’ personal data in third countries, such as the United States, and the possible risks to the users cannot be excluded from us as operators of the page.  

Statistical data 
Statistical data can be found on the Facebook’s "Insights".  Different categories can be accessed by us. These statistics shall be compiled by: Facebook created and provided. In terms of production and presentation, we Operator of side no influence. We cannot stop this function or prevent the production and processing of the data. The following data relating to our Facebook page will be made available to us by Facebook for an election period and for the categories fans, subscribers, people reached and interacting persons: total number of page calls, “favor me” information, page activities, contribution responses, reach, video views, range of contributions, comments, shared content, responses, proportion of men and women, background to land and city, language, appeals and clicks in the shop, clicks on route planners, clicks on telephone numbers. This also provides data on Facebook groups linked to our Facebook page. The constant development of Facebook is changing the availability and processing of the data, so that we can refer to the above details for further details. Refer to Facebook’s data protection statement. We use this data to make our contributions and activities more attractive to users. For example, we use the distribution by age and gender for an adapted approach and the preferred visiting times of users to optimise the timing of our contributions. Help provide information about the type of terminal equipment used by visitors we are adapting our contributions visually and structurally. In accordance with the Facebook terms and conditions of use to which each user subscribes when drawing up a Facebook profiles approved, we can access the website’s subscribers and fans, identify and view their profiles and other shared information.   

  User rights 
Since only Facebook has complete access to user data, we recommend  to contact Facebook directly if you have any questions or requests for information to your rights as a user (e.g. right to erasure). You can contact Facebook’s data protection officer via the online contact form provided by Facebook under https://www.facebook.com/help/contact/540977946302970. If you need help or have any other questions, please contact us under at our email address mentioned above.    

Right to object 
If you no longer want the data processing described here, please remove the link between your user profile and our website by using the functions “I no longer like this page” and/or “no longer subscribe to this page”.   

PayPal

On our website, we have implemented a PayPal donation button for our for-profit organization immerVR GmbH. Donating does not entitle to receiving any service or product. When you use PayPal to donate to us, you can click on the donation button. By using this button, a connection from your browser to servers from PayPal will be initialized through which PayPal will receive your IP address. For the donation process, data will be transferred to PayPal. We do not have access or influence on this process. We refer you to the Privacy Policy from PayPal at https://www.paypal.com/va/webapps/mpp/ua/privacy-full.

In our PayPal account statements we might be able to see the name and address of the donor. This will only be used, if required, for tax and finance processing.

  Inclusion of YouTube videos 
We have integrated YouTube videos into our website, which are stored on https://www.YouTube.com and can be played directly from our website. These are all included in the extended data protection mode, i.e. no data about you as a user will be transferred to YouTube if you do not play the videos. Only when you play the videos will the data referred to in paragraph 2 be transferred. We have no influence on this data transfer. The legal basis for the inclusion of YouTube videos is Article 6 (1) sentence 1 (f) GDPR. By visiting the website, YouTube will be informed that you have consulted the relevant sub-page of our website. The data mentioned under “visit to our website”, this declaration, will also be transmitted. This is done regardless of whether YouTube provides a user account through which you have been logged or whether there is no user account. Once you have logged in to Google, your data will be allocated directly to your account. If you do not wish to be assigned to YouTube with your profile, you must log in before activating the button. YouTube stores your data as user profiles and uses them for advertising, market research and/or needs-based design of its website. Such an evaluation is carried out in particular (even for uninvited users) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have a right to object to the formation of these user profiles, and you must address this to YouTube in order to do so. Information from the provider: YouTube LLC, 901 Cherry Ave, San Bruno, APPROX. 94066, USA. Google Ireland limited, Gordon House, Barrow Street, Dublin 4, Ireland is responsible for data processing. Further information on the purpose and scope of the data collection and its processing by YouTube can be found in the Data Protection Declaration. You will also find further information on your rights and employment options to protect your privacy: https://www.google.de/intl/en/policies/privacy.   

  No obligation to provide and consequences of non-provision
The provision of personal data is not legally or contractually prescribed and you are not obliged to provide data. We will inform you in the course of the input process if the provision of personal data is required for the relevant service (e.g. by calling it a “mandatory field”). In the case of necessary data, non-provision means that the service in question cannot be provided.    

Retention period of your data
We process your personal data, where necessary, for the duration of the business relationship and as long as it is necessary for the aforementioned purposes, as well as in accordance with the statutory retention and documentation obligations arising in particular from the fiscal code and the commercial code, which usually amount to 10 years. In addition, personal data may be stored and stored for as long as the data are relevant to pending judicial or administrative proceedings in which the controller has a party status.    

Your rights 
(1) You have the following rights with regard to personal data concerning you: 
• the right to information, 
• the right to rectification or erasure, 
• the right to restrict processing, 
• the right to object to the processing,
• the right to data portability. 
(2) You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us. Please address this complaint to the competent supervisory authority under www.lda.bayern.de If you need help in implementing your rights, please contact us.   

  Objection 
You have the right to object to the processing of your personal data at any time. Please send this in writing by email or by post to the address of the ImmerVR GmbH. We kindly point out that the exercise of their rights may, in individual cases, be subject to certain conditions.    

Ensuring data security and data protection 
To ensure the protection and security of your personal data, we are implementing a large number of technical and organisational security measures, the effectiveness of which we regularly review.       

January 2022