Privacy Policy for the “Immerzed Companion” Mobile App

1. Introduction & Applicability

The protection of your personal data is important to us. This Privacy Policy explains what data we process when you use the Immerzed Companion app (iOS and Android), why we do so, and what rights you have. The app is currently available exclusively in Germany.

This statement applies to the use of our mobile apps (hereinafter referred to as “Services”). Any associated websites or portals – if applicable – are governed by separate terms.

2. Data Controller & Contact Information

Data controller as defined by the GDPR:

Immerzed GmbH
Streekweg 32a
22359 Hamburg
Germany

Email: kontakt@immerzed.com
Data Protection Officer: not appointed

Competent supervisory authority:
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI)
Ludwig‑Erhard‑Str. 22, 20459 Hamburg, Germany

3. Terminology

“Personal data” means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). “Processing” means any operation or set of operations performed on personal data (Art. 4(2) GDPR).

4. Data Categories, Purposes, and Legal Bases (Overview)

We process the following categories of personal data for the purposes stated, based on the legal grounds specified in the GDPR:

  1. Registration & Account

  • Data: Email address, first name, last name, password

  • Purpose: Account creation, authentication, user account management, provision of app features

  • Legal basis: Article 6(1)(b) of the GDPR (contract or pre-contractual relationship)

  2. App usage (display of VR simulation data)

  • Data: usage and performance data generated in the VR simulation (e.g., exercise results, timestamps, scenario metadata, checklist/log values); the specific data depends on the feature

  • Purpose: Retrieval/visualization of training and usage data generated for the user

  • Legal basis: Article 6(1)(b) of the GDPR

  3. QR Code Login on VR Headsets

  • Data: Short-lived login tokens/session IDs; association with the user account

  • Purpose: Easy login on VR devices

  • Legal basis: Article 6(1)(b) of the GDPR

  • Security: Tokens are time-limited; OTP/Magic Link tokens expire after 1 hour by default (configurable).

  4. Corporate visibility (voluntary memberships)

  • Data: Email, First Name, Last Name

  • Purpose: To make this information visible to companies/organizations that the user has voluntarily joined (e.g., employers, training providers)

  • Legal basis: Article 6(1)(b) of the GDPR (provision of the join/team feature); additionally, Article 6(1)(f) of the GDPR (the organization’s legitimate interest in being able to assign users internally)

  • Note: Access is granted only within the context of the respective organization.

  5. Technical Logs & IT Security

  • Data: IP address, timestamp, requested resources/endpoints, device/app information (e.g., app version, operating system), error messages

  • Purpose: Operations, error analysis, detection of misuse and attacks, traceability of security-related events

  • Legal basis: Article 6(1)(f) of the GDPR (legitimate interest in secure and stable operations); Article 32 of the GDPR (security of processing)

  • Retention period: 30 days, followed by deletion or anonymization

  6. Support Communication (optional)

  • Data: Email address, details of your inquiry, metadata (date/time), attachments (if any)

  • Purpose: To process and document your inquiry

  • Legal basis: Article 6(1)(b) of the GDPR (contractual basis) and/or Article 6(1)(f) of the GDPR (legitimate interest in providing efficient support)

  • System: IONOS Mailbox

  7. Optional content in Profile/Features (if available)

  • Data: e.g., profile picture, additional information

  • Purpose: Convenience features/Customization

  • Legal basis: Article 6(1)(b) of the GDPR; voluntary

No social logins: Registration or sign-in via social media services (Facebook, Apple, Google, etc.) is not currently available.

No advertising or marketing without consent: We do not send marketing emails. Transactional emails (e.g., registration, password reset) are necessary for the performance of the contract.

No special categories (Article 9 of the GDPR): No health data is processed. The VR simulation data consists of performance- and interaction-related training data that has no medical significance.

5. Data sources

We typically receive data directly from you (registration/login, app usage). VR simulation data comes from the Immerzed systems you use and is associated with your account.

6. Recipients & Data Processors

We use service providers (Art. 28 of the GDPR) to provide our services. These service providers process data exclusively in accordance with our instructions:

  • Supabase (Auth, Database/Storage) – Data Processor
    Region: EU (eu-central-1, Frankfurt)
    Agreement/DPA: Supabase Data Processing Addendum, including appropriate safeguards (Standard Contractual Clauses), where required.

  • Email delivery (transactional messages only: registration, confirmation, password reset): IONOS (Germany/EU) – data processor. No promotional or marketing emails.

  • Crash/error reports & monitoring: currently not in use.

  • Other IT/cloud service providers:

Where required by law or necessary for the enforcement of legal obligations, data may be disclosed to government authorities, courts, or legal advisors (Art. 6(1)(c) and (f) of the GDPR).

7. Transfers to Third Countries

We prefer to store and process data within the EU/EEA. However, if data is transferred to third countries (e.g., because a service provider is based there or relies on subprocessors), we ensure appropriate safeguards are in place (in particular, EU Standard Contractual Clauses, Article 46 of the GDPR, and additional measures where necessary).

8. Retention period

  • Account data: for the duration of the user relationship; subsequently deleted or anonymized after 30 days (backups)

  • VR simulation data in the app: generally stored indefinitely (as needed for users/companies). You may request deletion at any time; if you delete your account, any data associated with that account will be deleted.

  • Log data: up to 7 days in the Supabase dashboard (depending on the plan); longer retention available via external log exports (“Log Drains”) if needed.

  • Support communications: Processed via support@immerzed.com; stored until the request is resolved, for a maximum of 24 months (or longer if required by law).

  • Support communications: 24 months or until the request is resolved, up to the statutory limitation period if legally relevant

  • Legal retention requirements: generally 6–10 years under the German Commercial Code (HGB) and the German Fiscal Code (AO), where applicable

9. Data Processing Security

We implement technical and organizational measures in accordance with Article 32 of the GDPR (including encryption in transit and – where available – at-rest encryption, access restrictions/access rights policies, logging, and backup/recovery processes). QR login tokens are short-lived and single-purpose.

10. Minors

Our services are not intended for children under the age of 16. Registration by minors requires the consent of their legal guardians (Art. 8 GDPR), where applicable.

11. Cookies, SDKs, and Similar Technologies (Mobile Apps)

In our mobile apps, we use only technically necessary components (e.g., the Supabase SDK) for authentication, data synchronization, and operations. We do not currently use analytics, crash reporting, or marketing SDKs.

Push notifications: planned (via platform services, e.g., Apple Push Notification Service “APNs” / Firebase Cloud Messaging “FCM”). Once enabled, we will notify you within the app and, where necessary, obtain your consent in advance.

If optional tracking or analytics features are added in the future, we will obtain your consent in advance (Art. 6(1)(a) GDPR) and update this policy.

12. Rights of data subjects

Subject to the legal requirements, you have the following rights: the right of access (Art. 15), the right to rectification (Art. 16), the right to erasure (Art. 17), the right to restriction of processing (Art. 18), the right to data portability (Art. 20), and the right to object (Art. 21 of the GDPR).
You may exercise these rights by contacting support@immerzed.com. You also have the right to lodge a complaint with a data protection supervisory authority, in particular in your Member State or at the location of the controller (see above).

13. Obligation to provide data

Providing registration information is required to use the app’s features. Without this information, you cannot create an account or use key features (such as retrieving VR data or QR login).

14. No automated individual decision-making

No automated individual decision-making, including profiling, within the meaning of Article 22 of the GDPR takes place.

15. Changes to this Privacy Policy

We may update this policy if there are changes to features, legal requirements, or service providers. The effective date will be updated. We will notify you of any significant changes within the app (e.g., via a notification or pop-up) and will obtain the necessary consent again.

As of: October 3, 2025