Privacy Policy

SemVR Platform
Effective Date: January 15, 2025
Last Updated: January 15, 2025

1. Introduction

Welcome to SemVR (“we,” “our,” or “us”). SemVR is a virtual reality educational platform designed to provide immersive learning experiences to schools, educators, and students across Southern Africa and beyond.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform accessible at https://semvr-platform.pages.dev (the “Platform”). Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Platform.

We reserve the right to make changes to this Privacy Policy at any time. We will alert you about any changes by updating the “Last Updated” date of this Privacy Policy. You are encouraged to periodically review this Privacy Policy to stay informed of updates.

2. Information We Collect

2.1 Personal Information You Provide

We collect personal information that you voluntarily provide to us when you:

Register for an account on the Platform
Make a booking for a VR experience
Create or join a class
Participate in VR learning sessions
Contact us for support

Types of personal information we collect include:

For School Administrators:

School name and type (elementary, middle, high school, university, institution)
School physical address
School contact email address
School contact phone number
Administrator’s first and last name
Administrator’s email address
Administrator’s password (encrypted using bcrypt hashing)

For Educators:

First name and last name
Email address
Password (encrypted using bcrypt hashing)
School affiliation
Subject areas taught
Class/group information

For Students:

First name and last name
Email address
Password (encrypted using bcrypt hashing)
School affiliation
Grade level
Class enrollment information

2.2 Educational and Usage Data

When you use the Platform, we automatically collect information about your educational activities and engagement:

Session Participation Data:

VR session attendance records (join time, departure time)
Session duration in seconds
Interaction counts with educational content
Engagement scores (calculated on a 0-100 scale)
Session completion status

Learning Assessment Data:

Quiz responses and answers
Quiz scores and performance metrics
Learning progress indicators
Assessment completion records

Booking and Scheduling Data:

VR experience selections
Scheduled dates and times
Expected participant numbers
Session codes for class access
Booking status and notes

2.3 Technical and System Information

We automatically collect certain technical information when you access the Platform:

IP address and general location information
Browser type and version
Device information (type, operating system)
Access times and dates
Pages viewed and features used
Referring website addresses
Performance and diagnostic data

2.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Platform and store certain information. Cookies are files with small amounts of data that are stored on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.

Types of cookies we use:

Essential Cookies: Required for Platform functionality (authentication, session management)
Analytical Cookies: Help us understand how users interact with the Platform
Preference Cookies: Remember your settings and preferences

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Educational Services

Provide access to VR educational experiences
Facilitate virtual classroom sessions and bookings
Track student participation and learning progress
Generate educational reports and analytics for educators
Assess learning outcomes and engagement levels

3.2 Platform Operations

Create and manage user accounts
Authenticate users and maintain security
Process bookings and schedule VR sessions
Enable class management and student enrollment
Provide technical support and customer service

3.3 Communication

Send booking confirmations and session reminders
Notify users of platform updates and new features
Respond to inquiries and support requests
Send administrative information about accounts or subscriptions

3.4 Analytics and Improvement

Analyze usage patterns to improve Platform functionality
Monitor Platform performance and diagnose technical issues
Conduct research to enhance educational effectiveness
Develop new features and VR experiences

3.5 Compliance and Safety

Comply with legal obligations and regulatory requirements
Enforce our Terms of Service and policies
Protect against fraudulent or illegal activity
Safeguard the rights and safety of our users

4. Legal Basis for Processing (GDPR/POPIA Compliance)

For users in the European Union, United Kingdom, and South Africa, our legal basis for collecting and using personal information depends on the specific context:

4.1 Contractual Necessity

Processing is necessary to provide our educational services and fulfill our contract with schools and users.

4.2 Legitimate Interests

We process data for our legitimate business interests, such as:

Improving our Platform and services
Ensuring platform security and preventing fraud
Analyzing usage to enhance educational outcomes

4.3 Legal Obligations

We process data to comply with legal requirements, such as:

South African Protection of Personal Information Act (POPIA)
EU General Data Protection Regulation (GDPR) where applicable
Educational data protection regulations

In some cases, we process data based on your explicit consent, which you may withdraw at any time by contacting us at privacy@semvr.com.

5. How We Share Your Information

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:

5.1 Within Educational Institutions

School Administrators can access data for students and educators within their school
Educators can access data for students enrolled in their classes
Students can only access their own learning data

5.2 Service Providers

We may share information with trusted third-party service providers who assist us in:

Cloud hosting and infrastructure (Cloudflare Pages, D1 Database)
Email delivery services (for notifications and communications)
Analytics and performance monitoring
Payment processing (if applicable)

All service providers are contractually obligated to maintain the confidentiality and security of your information.

5.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:

Valid legal processes (court orders, subpoenas)
Government or regulatory requests
Protection of our rights, property, or safety
Emergency situations involving danger to persons

5.4 Business Transfers

If SemVR is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different Privacy Policy.

6. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

6.1 Technical Safeguards

Password Encryption: All passwords are hashed using bcrypt with salt rounds (industry-standard cryptographic protection)
Secure Transmission: Data transmitted between your device and our servers is encrypted using HTTPS/TLS protocols
Database Security: Access to our production database is restricted and monitored
Authentication: JSON Web Tokens (JWT) with 24-hour expiration for session management

6.2 Organizational Safeguards

Access controls limiting employee access to personal information
Regular security audits and vulnerability assessments
Incident response procedures for data breaches
Staff training on data protection practices

6.3 Infrastructure Security

Cloudflare’s global edge network with DDoS protection
Distributed database architecture for reliability
Automated backups and disaster recovery procedures
Geographic data replication for resilience

Important Note: While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

7.1 Retention Periods

Active Accounts:

Personal information: Retained while your account remains active
Educational records: Retained for the duration of enrollment plus 3 years
Session participation data: Retained for 5 years for educational analytics

Inactive Accounts:

Accounts inactive for 2 years may be subject to deletion
We will provide 30 days’ notice before deleting inactive accounts

Legal Obligations:

Financial records: 7 years (as required by tax regulations)
Legal claims: Duration of statutory limitation periods

7.2 Deletion Requests

You may request deletion of your personal information at any time (subject to legal retention requirements). See Section 9 for how to exercise your rights.

8. Children’s Privacy

8.1 Age Requirements

SemVR’s Platform is designed for educational use by schools and learning institutions. We recognize that many of our users are minors (under age 18).

For students under the age of 18:

Account registration must be performed by the school or educational institution
Schools are responsible for obtaining parental consent where required
We collect only information necessary for educational purposes

8.3 COPPA Compliance (US Users)

For users under 13 in the United States:

We comply with the Children’s Online Privacy Protection Act (COPPA)
Schools act as agents for parents in providing consent
Parents may review their child’s information by contacting their school administrator

8.4 Educational Data Protection

We adhere to educational privacy laws including:

Family Educational Rights and Privacy Act (FERPA) for US schools
South African Protection of Personal Information Act (POPIA) Chapter 5 (Special Personal Information)

9. Your Data Protection Rights

Depending on your location, you may have the following rights regarding your personal information:

9.1 Right to Access

You have the right to request copies of your personal information. We may charge a reasonable fee for providing copies beyond the first request.

9.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal information.

9.3 Right to Erasure (“Right to be Forgotten”)

You have the right to request deletion of your personal information, subject to:

Legal retention requirements
Contractual obligations
Legitimate business interests

9.4 Right to Restrict Processing

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of data.

9.5 Right to Data Portability

You have the right to request transfer of your personal information to another service provider in a structured, commonly used format.

9.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

9.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@semvr.com
Subject Line: “Data Protection Request – [Your Name]”

We will respond to your request within 30 days (or as required by applicable law).

10. International Data Transfers

10.1 Data Location

Your information is primarily stored and processed on Cloudflare’s global network, which may involve transfer to countries outside your country of residence, including countries that may not have equivalent data protection laws.

10.2 Safeguards

When we transfer data internationally, we implement appropriate safeguards, including:

Standard contractual clauses approved by regulatory authorities
Adequacy decisions by relevant data protection authorities
Cloudflare’s adherence to international data protection frameworks

11. Third-Party Links

The Platform may contain links to third-party websites, applications, or VR content not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of third-party sites. We encourage you to review the privacy policy of every site you visit.

12. Regional-Specific Provisions

12.1 South African Users (POPIA Compliance)

Under South Africa’s Protection of Personal Information Act (POPIA):

Information Officer:

Email: info.officer@semvr.com
Responsible for ensuring POPIA compliance

Your POPIA Rights:

Right to access and rectify personal information
Right to object to direct marketing
Right to lodge complaints with the Information Regulator

Contact the Information Regulator:

Website: https://www.justice.gov.za/inforeg/
Email: inforeg@justice.gov.za
Phone: +27 10 023 5207

Under the EU General Data Protection Regulation (GDPR):

Data Protection Officer:

Email: dpo@semvr.com

Your GDPR Rights: All rights listed in Section 9 apply.

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

12.3 California Users (CCPA Compliance)

Under the California Consumer Privacy Act (CCPA):

Categories of Personal Information We Collect:

Identifiers (name, email, address)
Educational information
Internet activity
Geolocation data

Your CCPA Rights:

Right to know what personal information is collected
Right to delete personal information
Right to opt-out of sale (Note: We do not sell personal information)
Right to non-discrimination for exercising rights

To Exercise CCPA Rights: Email: privacy@semvr.com or call: [Your Phone Number]

13. Marketing Communications

13.1 Educational Updates

We may send you information about:

New VR experiences and curriculum content
Platform features and enhancements
Educational best practices and resources
Webinars and training opportunities

13.2 Opt-Out Options

You may opt out of marketing communications by:

Clicking “unsubscribe” in any marketing email
Updating your account notification preferences
Emailing opt-out@semvr.com

Note: You cannot opt out of essential service communications (booking confirmations, security alerts, policy updates).

14. Data Breach Notification

In the event of a data breach that affects your personal information:

14.1 Our Response

We will investigate and contain the breach promptly
We will assess the risk to your rights and freedoms
We will notify relevant supervisory authorities within 72 hours (where required)

14.2 User Notification

If the breach poses a high risk to your rights:

We will notify affected users without undue delay
Notification will include: nature of breach, likely consequences, measures taken, and recommended actions

15. Business Accounts

15.1 School/Institution Accounts

When schools register for SemVR:

The school is the data controller for student and educator data
SemVR acts as a data processor on behalf of the school
Schools remain responsible for obtaining necessary consents

15.2 Data Processing Agreement

Schools may request a formal Data Processing Agreement (DPA) by contacting: legal@semvr.com

16. Automated Decision Making

16.1 Educational Analytics

We use automated systems to:

Calculate engagement scores based on interaction data
Generate learning progress reports
Recommend VR experiences based on curriculum alignment

16.2 Human Oversight

Significant educational decisions (grading, promotion, intervention) should never be based solely on automated processing. Educators should always apply human judgment and contextual understanding.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

Changes in our practices
Legal or regulatory requirements
New features or services

17.1 Notification of Changes

Material Changes: We will provide prominent notice (email, platform notification) 30 days before changes take effect
Minor Changes: Updated “Last Updated” date; continued use constitutes acceptance

17.2 Version History

Previous versions of this Privacy Policy are available upon request at privacy@semvr.com.

18. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

SemVR Platform
Email: privacy@semvr.com
Support: support@semvr.com
Website: https://semvr-platform.pages.dev

Data Protection Inquiries: Email: dpo@semvr.com
Response Time: Within 30 days

For School/Institution Partnerships: Email: schools@semvr.com

19. Acceptance of This Policy

By using the SemVR Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, please discontinue use of the Platform immediately.

20. Governing Law

This Privacy Policy is governed by the laws of South Africa, without regard to its conflict of law provisions. Disputes arising from this Privacy Policy will be subject to the exclusive jurisdiction of the courts of South Africa.

Thank you for trusting SemVR with your educational journey.

This Privacy Policy was last updated on January 15, 2025 and is effective immediately for all new users and 30 days from the date of notice for existing users.