Privacy Policy immerGallery, immerGallery Demo and immerGallery Business

Data protection information
Protecting your data is very important to us. To ensure transparent cooperation, we draw your attention to important processing activities and special features.

To be able to use our services, please purchase and download our apps immerGallery and immerGallery Demo from the Meta Horizon Store from Meta. Data processing and payment procedures for the purchase in the store are carried out exclusively via Meta. We do not collect or receive any personal data from you in this purchase process. Further information on data protection from Meta can be found at https://www.meta.com/legal/privacy-policy/.

Purpose and legal basis of data processing
Data processing at immerVR GmbH is carried out to provide apps and services for immersive media in accordance with Article 6 (1) (b) of the GDPR for pre-contractual or contractual measures. These include:
• answering enquiries
• administration
• offer preparation, contract processing and order processing
• providing the platform
• maintaining business relationships

As a company, we are subject to different legal obligations. In order to fulfil these obligations, it may be necessary to process personal data in the public interest pursuant to Article 6 (1) (c) of the GDPR or Article 6 (1) (e) of the GDPR, such as:
• control and reporting obligations
• creditworthiness, age and identity checks
• prevention of criminal acts

Controller pursuant to Article 4(7) EU General Data Protection Regulation (GDPR):
immerVR GmbH
Im Zollstock 12
91093 Hessdorf
Germany
Managing Director: Daniel Pohl
Email: support@immervr.com

If you have any questions about our data protection, please email us.


Collection of personal data in our apps: immerGallery, immerGallery Demo and immerGallery Business
Our apps are distributed via the Meta Horizon Store. We collect, process and store certain data from you and use it for the purpose of improving our apps, for example to fix bugs or create a better user experience.

In our apps, you can voluntarily submit an internal developer log file, for example if a failure occurs inside the app and you want to notify us about it. The legal basis is Article 6 (1) (b) of the GDPR (performance of a contract) and, where appropriate, Article 6 (1) (f) GDPR (our legitimate interest in error analysis and app improvement).

The data submitted with developer log files can include in particular:
• IP address (last segment anonymized), for the purpose of knowing if multiple reports come from the same user while keeping the IP address partially anonymized
• submission date, time and time zone for the purpose of knowing when incidents/bugs happened
• data in the app log file that might reveal used paths and file names on the system where the app is running, for the purpose of understanding from which location which files were loaded
• the used version number of the app, for the purpose of knowing in which app version the incident/bug happened
• information about which buttons and interactions happened during the app usage, and which virtual reality system and input controllers are used, for the purpose of reconstructing what led to the incident/bug
• screen frequency, status of relevant Android permissions and other environment settings to reconstruct the system environment during the incident/bug
• HMD-specific events (e.g. HMDAcquired, HMDMounted, VrFocusAcquired, TrackingAcquired and the corresponding “lost” events) for reconstructing the scenario of the incident/bug
• recentering events and the result of the Meta user entitlement check to reconstruct the sequence of events
• information about the local settings used for the app (e.g. whether keeping the rotation in 360° content during program restarts is enabled), to replicate the settings that were in effect when the incident/bug happened
• system memory statistics such as total amount of reserved memory, texture memory, texture count, frame rate, frame time, number of draw calls, number of triangles, amount of mesh memory, CPU and GPU levels over time and the status of the internal garbage collection, to give developers an overview of the system status and resources
• results of the voice control recognition as text (but no audio data), for the purpose of improving voice control where inputs were wrongly detected
• statistics about the app usage, e.g. the number of app starts or the usage time of the app over multiple sessions, for the purpose of supporting debugging and improving the app
• a list of purchased add-ons and/or unlocked rewards, to help debug entitlement and reward-related issues

At run time, the app itself does not use user-specific data (excluding user inputs or content provided by the user) beyond what is necessary for licensing, rewards and platform features described here. However, the required call to the Meta Entitlement check might internally use user data to verify the entitlement status. We do not have access to the user-specific data used internally by Meta for this entitlement check; please refer to the Meta Horizon Store, Meta's Terms and Conditions and Meta's Privacy Policy for further information.

Meta IDs and/or hashed versions of these may be used to authenticate you as a valid user of our apps. Your reward gallery status is synced externally to guarantee that after a reinstall of the app, you still have access to this content.

Use of Meta User ID and in-app currency (“StereoGold”)
We use the Meta platform feature “User ID” as follows:
• We receive your Meta User ID via the Meta platform. For our internal systems, we immediately convert this User ID into a one-way hash (a pseudonymous identifier). We do not store the plain Meta User ID in our databases.
• We use this hashed User ID to track the amount of StereoGold you have, either collected by app usage or through in-app purchases.
• We also use the same hashed User ID to track which reward galleries you have unlocked and to ensure that these rewards are restored after app reinstallations or when you use the app on the same account again.

This processing is necessary to provide the core functionality of the app (management of StereoGold and unlocked content) and is therefore based on Article 6 (1) (b) GDPR (performance of the contract with you). The hashing of the User ID helps us to minimize the personal data processed.

The hashed User ID and the associated StereoGold and reward gallery data are stored for as long as you use our app and as long as necessary for the purposes described above. If you request deletion of your data, we will delete or anonymize the corresponding records, unless statutory retention obligations apply.

We do not use your Meta User ID or the hash of it for advertising, profiling across different services, or for sharing with third parties, except where necessary for technical processing by our processors (e.g. hosting providers) under data processing agreements.

Voice control
Voice control in the app is executed locally. No audio is submitted to a cloud or another server. As mentioned above, we may store the recognized voice controls as text in the log file, which is only sent to us upon the user's explicit and voluntary command.

In cases where we have user-specific data from you, you can request access to that data by contacting us at the address (email or postal address) above while providing evidence of your user identity. Furthermore, you can request that your user-specific data is deleted by contacting us through the email address mentioned above.

As determined by the Meta Horizon Store, Meta's Terms and Conditions and Meta's Privacy Policy, Meta might collect data from you automatically while using our app. We do not have influence on this and cannot enable or disable it. Data might include: user ratings of the app, time spent in the app, whether the user has been using the app within the last 28 days, aggregated data over multiple users regarding age, gender, country, region and similar properties. Furthermore, crash statistics might be automatically created by Meta and include information about the used devices (e.g. Quest, Quest 2, Quest 3), regions of the user and similar information. We do not control this processing.

Use of Meta platform features (User ID, User Profile, Avatars)
For Meta Quest devices, we may use platform features such as:
• User ID: grants the app access to the user ID to enable various features
• User Profile: grants the app access to the Meta username and profile photo
• Avatars: grants the app access to Meta Avatars, a persistent identity across the Meta ecosystem. With Meta Avatars, users can bring their visual identities into our app.

We use these features in particular to:
• identify you across sessions and verify your entitlement to use the app;
• associate your in-app currency (StereoGold) and unlocked reward galleries with your account, using a hashed version of your User ID as described above;
• optionally display your Meta username, profile picture and/or Avatar within the app to you and, where applicable, to other users (for example, in multiplayer sessions) so that you can recognize yourself and others;
• ensure that your rewards and progress can be restored if you reinstall the app or switch devices while using the same Meta account.

These platform features are used only to run, support and maintain features of our app requested by you and are used in accordance with the Meta/Oculus Developer Data Use Policy (https://developer.oculus.com/policy/data-use/).

Unity game engine
Our virtual reality app immerGallery is based on the Unity game engine. We do not have influence on this processing or direct access to the collected data, but Unity might process some or all of the following information about your device:
unique device identifiers (e.g., IDFV for iOS devices and Android ID for Android devices); IP address; country of install (mapped from IP address); device manufacturer and model; platform type (iOS, Android, Mac, Windows, etc.) and the operating system and version running on your system or device; language; CPU information such as model, the number of CPUs present, frequency, and instruction set support flags; graphics card type and vendor name; graphics card driver name and version; which graphics API is in use (e.g., “OpenGL 2.1” or “Direct3D 9.0c”); amount of system and video RAM present; current screen resolution; version of the Unity Editor used to create the game; sensor flags (e.g., device support for gyroscope, touch pressure or accelerometer); application or bundle identification (“app ID”) of the game installed; unique advertising identifiers provided for iOS and Android devices (e.g., IDFA or Android Ad ID); and a checksum of all the data that gets sent to verify that it transmitted correctly. For details, please refer to Unity’s own privacy documentation.

Photon Fusion and Photon Voice (multiplayer and voice communication)
Our application integrates Photon Fusion and Photon Voice for multiplayer interaction and voice communication functionalities. These services are provided by Exit Games GmbH, located at Hongkongstr. 7, 20457 Hamburg, Germany (hereinafter referred to as "Photon"). This section outlines the nature, scope and purpose of data processing within our app in relation to Photon's services, in compliance with the General Data Protection Regulation (GDPR).

Photon Fusion and Photon Voice, as components of our app, involve the processing of data on servers managed and operated by Photon. The data processing is carried out on the basis of a Data Processing Agreement (DPA) between us and Photon, in accordance with Article 28 GDPR.

Location and transfer of data: Photon’s server infrastructure is globally distributed to ensure minimal latency and optimal performance. Personal data processed through Photon services may be transferred to, and stored at, a destination outside the European Economic Area (EEA). Photon takes all steps reasonably necessary to ensure that your data is treated securely and in accordance with GDPR standards.

When you participate in multiplayer with other users, your chosen player name will be shared with other participants. As you require the same galleries to view them together, the gallery names, the number of content files and potential file paths on the local device may be shared internally in the app for synchronization. Common album titles will be displayed on each client. The app version you use and the number of galleries on your system will also be shared. An admin status can be exchanged between users to control the multiplayer experience.

We do not share your plain Meta User ID with other users. Where identifiers are used for technical multiplayer coordination, they are limited to what is necessary for this purpose.

Meta
Name and address of controller pursuant to Article 26 of the GDPR (joint responsibility for platform processing):
Meta Platforms Ireland Ltd. ("Meta")
4 Grand Canal Square
Grand Canal Harbour
Dublin 2
Ireland

OpenStreetMap usage in immerGallery, immerGallery Demo and immerGallery Business
In order to provide you with a dynamic map image from your image's metadata or settings you used in the corresponding .immerVR files, we may use the services from the map image provider OpenStreetMap. In order to generate the dynamic map, information like GPS data from the image content or GPS data mapped to certain tiles in a zoomable map might be transmitted. To be able to receive image data, the IP address of the client needs to be used.

The privacy policy (e.g. regarding GDPR) of OpenStreetMap can be found here: https://wiki.osmfoundation.org/wiki/GDPR_Privacy_Statement and https://wiki.osmfoundation.org/wiki/Privacy_Policy.
The OpenStreetMap Foundation is located at St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom.

Pastebin usage in immerGallery, immerGallery Demo and immerGallery Business
Services from Pastebin may be used to allow you to access information posted by yourself or others directly inside our app. For example, if you want to send yourself a URL that is long to type, you can instead type it on a PC with a keyboard, paste it to Pastebin and then retrieve the URL in immerGallery.

Pastebin collects data as explained in their Privacy Statement: https://pastebin.com/doc_privacy_statement.
Much of Pastebin is public-facing. If your content is public-facing, third parties may access and use it in compliance with Pastebin's Terms of Service. Pastebin does not sell that content; it is yours. However, Pastebin does allow third parties, such as research organizations or archives, to compile public-facing Pastebin information, excluding user personal information, per Pastebin's Terms and Agreements: https://pastebin.com/doc_terms_of_service.

Furthermore, Pastebin states that your personal information, associated with your content, may be gathered by third parties in these compilations of Pastebin data. If you do not want your personal information to appear in third parties’ compilations of Pastebin data, please do not make your personal information publicly available on Pastebin.

Pastebin is located at 3000 C St Ste 301, Anchorage, Alaska, 99503, United States.

No obligation to provide and consequences of non-provision
The provision of personal data is not legally or contractually prescribed and you are not obliged to provide data. We will inform you in the course of any input process if the provision of personal data is required for the relevant service (e.g. by calling it a “mandatory field”). In the case of necessary data, non-provision means that the service in question cannot be provided.

Storage time of your data
We process your personal data, where necessary, for the duration of the business relationship and as long as it is necessary for the aforementioned purposes, as well as in accordance with the statutory retention and documentation obligations arising in particular from the Fiscal Code and the Commercial Code, which usually amount to up to 10 years.

In addition, personal data may be stored for as long as the data is relevant to pending judicial or administrative proceedings in which the controller has a party status.

Your rights
(1) You have the following rights with regard to personal data concerning you:
• the right to information,
• the right to rectification or erasure,
• the right to restrict processing,
• the right to object to the processing,
• the right to data portability.
(2) You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us. In Bavaria, this is, for example, the Bavarian Data Protection Authority (see www.lda.bayern.de). If you need help in exercising your rights, please contact us.

Objection
You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation. Please send this in writing by email or by post to the address of immerVR GmbH. We kindly point out that the exercise of your rights may, in individual cases, be subject to certain legal conditions.

Ensuring data security and data protection
To ensure the protection and security of your personal data, we implement a number of technical and organisational security measures, the effectiveness of which we regularly review and adapt to the state of the art.

19 November 2025