Privacy Policy

Last updated: April 30, 2026

Summary. This policy explains what personal data ZeusXR collects, why, with whom we share it, how long we keep it, and the rights you have. It is written to comply with the EU/UK GDPR, the California CCPA/CPRA (and equivalent state laws in VA, CO, CT, UT, TX), Brazil's LGPD, México LFPDPPP, Colombia Ley 1581, Argentina Ley 25.326, Chile Ley 21.719, and similar laws. Where a stricter local rule applies, that rule prevails.

1. Who is the data controller

The controller (EU/UK) and "business" (CCPA) responsible for processing your personal data is ZeusXR, Inc. ("ZeusXR," "we," "us," "our").

  • General privacy contact:
  • Data Protection Officer (DPO):
  • EU/EEA representative (GDPR Art. 27): available on request at the address above.
  • UK representative (UK GDPR): available on request.
  • Brazil DPO (Encarregado, LGPD Art. 41): reachable at the DPO email above.

2. Personal data we collect

We only collect what is necessary to operate ZeusXR.

A. Data you provide

  • Account: email, password hash, display name, handle, avatar, banner, headline, bio, location, website.
  • OAuth identifiers (Google / LinkedIn / Apple sign-in): provider user ID, profile picture URL, email — never the password.
  • Content: posts, comments, reels, articles, photos, VR/XR videos, marketplace listings, direct messages.
  • Payments: processed by our payment service provider (Stripe). We store only transaction IDs and metadata, never full card numbers.

B. Data collected automatically

  • Technical: IP address, user-agent, device/OS, language, timezone, country (Cloudflare CF-IPCountry), referrer.
  • Session/auth: session tokens (HttpOnly cookies), CSRF tokens, fingerprint hash.
  • Performance/diagnostics: page-load metrics (Web Vitals), error logs, feature usage — only if you accept analytics in the cookie banner.
  • XR telemetry (when you use VR/XR features): playback events, quality switches, kiosk session state.

C. Data we do NOT collect by default

  • Raw biometric data from XR headsets (eye tracking, face tracking, hand pose) — collected only with separate explicit consent for specific features.
  • Precise GPS location.
  • Special categories of data (health, religion, etc.) unless you voluntarily publish them.

D. Data from third parties

  • OAuth profile data from Google / LinkedIn / Apple (only what you authorize).
  • Content moderation labels from OpenAI's moderation API, run automatically on content you post.

3. Why we process your data and legal basis

Purpose and legal basis (EU/UK GDPR):

  • Provide the Service (account, sessions, content delivery): Contract — Art. 6(1)(b).
  • Security, anti-fraud, abuse prevention, content moderation: Legitimate interest — Art. 6(1)(f); legal obligation — Art. 6(1)(c).
  • Comply with law (DMCA, tax, lawful requests): Legal obligation — Art. 6(1)(c).
  • Analytics, performance metrics: Consent — Art. 6(1)(a).
  • Personalized advertising: Consent — Art. 6(1)(a).
  • Marketing emails / newsletters: Consent — Art. 6(1)(a) (soft opt-in for existing customers where allowed).
  • AI moderation of user content: Legitimate interest and legal obligation.

You can withdraw any consent at any time without affecting the lawfulness of processing carried out before withdrawal. Use the cookie panel (footer link "Cookies") or contact our DPO.

4. Who we share your data with

We share data only with vetted processors strictly to operate the Service. Each is bound by a Data Processing Agreement.

Processor, purpose, and location:

  • Cloudflare, Inc.: Edge network, Workers, R2, D1, KV — core hosting. Location: Global (EU/US).
  • Google LLC: OAuth sign-in. Location: US (DPF + SCCs).
  • LinkedIn / Microsoft: OAuth sign-in. Location: US (DPF + SCCs).
  • Apple Inc.: Sign in with Apple. Location: US (SCCs).
  • OpenAI, L.L.C.: Content-moderation classification. Location: US (SCCs).
  • Postmark (ActiveCampaign LLC): Transactional email delivery. Location: US (SCCs).
  • RunPod / GPU compute providers: Video encoding pipeline. Location: US/EU (SCCs).
  • Stripe, Inc.: Payment processing. Location: US/EU (SCCs).

We do not sell personal data. We do not share your data with third parties for their own marketing without your explicit opt-in.

We may disclose data to comply with legal process (court orders, law enforcement requests) when legally required, and we challenge overbroad requests when appropriate.

5. International transfers

ZeusXR operates globally. When personal data leaves your jurisdiction (especially from the EU/UK to the US), we rely on:

  • The EU Commission's Standard Contractual Clauses (SCCs) 2021/914 (controller-to-processor and processor-to-processor modules).
  • The UK International Data Transfer Addendum where applicable.
  • The EU–US Data Privacy Framework (DPF) certification of vendors where available.
  • Brazil ANPD-approved transfer mechanisms under LGPD (SCCs / consent / contractual safeguards).
  • Latin American contractual safeguards aligned with each country's regulator (México INAI, Colombia SIC, Argentina AAIP, Chile Agencia).

Copies of the SCCs and our transfer impact assessments are available on request.

6. How long we keep your data

Category and retention period:

  • Active account data: While your account is active.
  • Account after deletion: Hard-deleted within 30 days, except where retention is legally required (invoices: 6–10 years depending on jurisdiction).
  • Session tokens / cookies: Up to 30 days; revoked when you sign out.
  • Server logs (access / security): 90 days.
  • Analytics (only if accepted): Aggregated data kept indefinitely; raw events 14 months.
  • Moderation records / strikes: Up to 3 years for safety and recidivism prevention.
  • DMCA / legal records: As required by law.
  • Backups: Rolling 35-day window, then overwritten.

7. Your rights

You have meaningful control over your data. Below we list rights by jurisdiction; we honor the strictest applicable to you.

EU / EEA / UK (GDPR / UK GDPR)

  • Access — receive a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure ("right to be forgotten"), subject to legal exceptions.
  • Restriction of processing.
  • Portability — receive your data in a machine-readable format.
  • Objection to processing based on legitimate interest, including profiling.
  • Withdraw consent at any time.
  • Not be subject to solely automated decisions with legal or similarly significant effects without human review.
  • Lodge a complaint with your supervisory authority (e.g., AEPD in Spain, CNIL in France, BfDI in Germany, Garante in Italy, ICO in the UK, DPC in Ireland).

United States — California (CCPA / CPRA) and equivalent state laws (VA, CO, CT, UT, TX, etc.)

  • Right to know what personal information we collect, use, share, or "sell."
  • Right to delete personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell personal information; the link "Do Not Sell or Share My Personal Information" is available in our footer for completeness.
  • Right to limit use of sensitive personal information (CPRA).
  • Right to non-discrimination for exercising any of the above.
  • Authorized agents may submit requests on your behalf with valid documentation.

Categories of personal information collected in the past 12 months (CCPA): identifiers, internet/network activity, geolocation (approximate), professional information, audiovisual content (your uploads), inferences. Sources: directly from you and from device interaction. Business purposes: providing the Service, security, customer support, legal compliance.

Brazil (LGPD)

  • Confirmation of processing, access, correction, anonymization or deletion of unnecessary or excessive data, portability, information about sharing, withdrawal of consent, and complaint to the ANPD (Autoridade Nacional de Proteção de Dados).

México (LFPDPPP)

  • ARCO rights (Derechos ARCO): access, rectification, cancellation, and objection. Complaint authority: INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales).

Colombia (Ley 1581 / Decreto 1377)

  • Rights to know, update, rectify, and delete your data, and to revoke your authorization. Authority: SIC (Superintendencia de Industria y Comercio).

Argentina (Ley 25.326)

  • ARCO rights plus portability and objection. Authority: AAIP (Agencia de Acceso a la Información Pública).

Chile (Ley 21.719)

  • Access, rectification, objection, deletion, portability, and blocking. Authority: Agencia de Protección de Datos Personales.

Other Latin American jurisdictions

  • We honor equivalent rights granted by Peru (Ley 29733 / APDP), Uruguay (Ley 18.331 / URCDP), Costa Rica (Ley 8968 / Prodhab), Panamá (Ley 81 / ANTAI), Ecuador (LOPDP), and others.

How to exercise your rights

Email with the subject "Privacy Request" and the right you want to exercise. We verify your identity and respond within the legal timeframe (1 month under GDPR, 45 days under CCPA, 15 days under LGPD, etc., extendable once where allowed). The service is free unless requests are manifestly excessive.

8. Children's privacy

ZeusXR is not directed to children below the applicable digital-consent age:

  • United States (COPPA): under 13.
  • EU member states: 13–16 depending on the country (Spain 14; France/UK 13; Germany 16).
  • Brazil (LGPD): under 12, explicit parental consent is required for any processing; ages 12 to 18 are processed under a best-interest framework.
  • México / Colombia / Argentina / Chile: age of digital consent generally 14–18; parental authorization required below.

We do not knowingly collect personal data from minors below the applicable age. If you believe a child has provided data, contact us and we will delete it. For minors above the consent age but under 18, parental/guardian consent may be required for certain features (uploading content, payments, XR features).

9. Automated decisions and AI

We use automated systems for content moderation (text, images, video, audio) and abuse prevention. When an automated decision significantly affects you (account suspension, content takedown, demonetization), you can request human review by replying to the moderation notice or emailing .

We do not use your private content to train third-party AI models for commercial purposes outside the moderation pipeline. See our Terms § 8 for full details on AI and training.

10. Security

We implement industry-standard technical and organizational safeguards: TLS in transit, encryption at rest, hashed passwords (Argon2/bcrypt), HttpOnly + Secure session cookies, CSRF protection, rate limiting, isolated edge perimeter, principle of least privilege, audit logging, and a vulnerability disclosure program. No system is 100% secure; if a breach affecting your data occurs, we will notify you and the relevant authority within 72 hours where required (GDPR Art. 33–34; LGPD Art. 48; CCPA breach-notification standards).

11. Cookies

We use cookies and similar technologies. The complete list — names, purpose, duration, domain, and how to control them — is in our Cookie Policy. You can change your preferences at any time from the footer link "Cookies".

12. Changes to this policy

We may update this Privacy Policy. Material changes are announced on the Service and the "Last updated" date is revised. If a change requires fresh consent under applicable law, we will ask you again before continuing.

13. Contact

For any privacy question, request, or complaint:

  • General privacy:
  • DPO:
  • Postal mail: ZeusXR, Inc. — address provided on request.

You also have the right to lodge a complaint with your data protection authority. We strongly prefer to resolve concerns directly first.