Legal
This Privacy Policy (“Policy”) describes how ORamaVR SA (“ORamaVR”, “Company”, “we”, “us”, or “our”) collects, uses, transfers, discloses, and protects Personal Data through the ORamaVR products and services (the “Services”), including:
This Policy applies to all natural persons whose Personal Data ORamaVR processes in connection with the Services, including Website visitors, prospects, account holders, End Users (Org Admin, Supervisor, Trainee), Authorised Channel Partner contacts, and other professional contacts.
This Policy is supplemented by: the VTC End Customer Terms (Exhibit B) and the Acceptable Use Policy; the Data Processing Agreement (Exhibit C); the JARIA Terms of Use and the JARIA Addendum (where issued); and the ORamaVR Cookie Policy. In the event of conflict between this Policy and any of the above on a matter within the scope of that document, the relevant document prevails.
The controller responsible for the Personal Data described in this Policy is:
ORamaVR SA
34 route de la Galaise, c/o FONGIT, CH-1228 Plan-les-Ouates, Geneva, Switzerland
Commercial register number CHE-478.871.980
For Personal Data that ORamaVR processes on behalf of an End Customer in the course of providing the VTC Platform (the Article 28 GDPR processing), the End Customer is the controller and ORamaVR is the processor; that processing is governed by the Data Processing Agreement (Exhibit C).
We collect Personal Data you knowingly provide, including: account information (name, email address, country, role/title, organisation name); account credentials (username, password stored as one-way hash); internal account identifiers; correspondence content (support, sales, forms, surveys, feedback); and where you use single sign-on, the authentication token and associated email address.
Lawful bases: performance of a contract (Art. 6(1)(b) GDPR); legitimate interests in operating, securing, and improving the Services (Art. 6(1)(f)); your consent for optional data you provide (Art. 6(1)(a)).
When you use the Services, we collect VTC Platform usage metadata, training-session analytics (completion time, scores, session counts, interactions), JARIA interactions (where JARIA is available and the End User has accepted the JARIA Terms of Use), and telemetry (feature-usage counters, performance counters, error logs).
Lawful bases: performance of a contract (Art. 6(1)(b)) for purposes directly required to deliver the Service; legitimate interests (Art. 6(1)(f)) for security operations, abuse prevention, and aggregated product improvement.
Publisher analytics. Where End Users access Publisher-Owned SIMs, ORamaVR derives anonymised, aggregated analytics and shares them with the relevant Publisher in quarterly usage reports (Publisher Agreement ORM-PUB-LIB-001 §11.2 and Exhibit B §11.3A). Minimum aggregation threshold: five distinct End Customer organisations. No Personal Data is shared with Publishers. Lawful basis: legitimate interests (Art. 6(1)(f)).
When you access the Website, Org-Admin Portal, customer portal, or support forum, we may automatically collect device and browser data, network data (IP address, inferred country/region), and access patterns (pages visited, referrer). Cookies are described in the ORamaVR Cookie Policy.
Lawful basis: legitimate interests (Art. 6(1)(f)) for site operation, security, and abuse prevention; consent (Art. 6(1)(a)) for cookies that require consent.
When ORamaVR processes Personal Data on behalf of an End Customer in the course of providing the VTC Platform, ORamaVR acts as Processor within the meaning of Article 4(8) GDPR and Article 28. That processing is governed by the Data Processing Agreement (Exhibit C). This Policy does not apply to ORamaVR's processing under Exhibit C as Processor.
Use of JARIA may involve processing of the End User's Prompts, JARIA's Outputs, and associated metadata. AI-specific processing through JARIA is out of scope of Exhibit C (per Exhibit C §1.3) and is governed by the JARIA Terms of Use and the JARIA Addendum (where issued). Until the JARIA Addendum is issued, AI-specific processing is provisionally subject to the obligations in Exhibit C and to this Policy.
ORamaVR sends marketing communications on the following basis:
You may unsubscribe at any time using the unsubscribe link in any marketing email or by writing to dpo@oramavr.com. We do not sell Personal Data to third parties for advertising or marketing purposes. We do not display advertising on the VTC Platform.
We engage sub-processors to provide infrastructure, support, and operational services. The current list of sub-processors authorised for Article 28 GDPR processing is published at the Sub-processor List URL: oramavr.com/legal/sub-processors. Sub-processor changes are subject to the 30-day notice mechanic in Exhibit C §5.5.
Where you reach the Services through an Authorised Channel Partner (Co-Marketing and Distribution Agreement) or a Reseller (the Reseller Agreement), the Partner or Reseller may process limited Personal Data (for example, Org Admin contact data) for its own commercial purposes and limited Org-Admin Portal activities. This dual role is described at Exhibit C §5.6.
Where End Users access Publisher-Owned SIMs through the VTC Platform, ORamaVR shares anonymised, aggregated analytics with the relevant Publisher in quarterly usage reports as described in §3.2 above. No Personal Data is shared with Publishers. Publishers are not sub-processors. The relationship is governed by Publisher Agreement ORM-PUB-LIB-001.
Within the End Customer's Client Tenant, certain Personal Data of an End User (username, role, training progress, Sub-Tenant assignment) is visible to other End Users in their assigned roles. The visibility model is configured by the End Customer's Org Admin and is described in Exhibit B §3.
We may disclose Personal Data where reasonably necessary to: (a) comply with a court order, lawful regulatory request, or other legal obligation; (b) enforce our agreements; (c) protect the rights, safety, or security of ORamaVR, End Customers, End Users, or the public; (d) detect, prevent, or address fraud, security incidents, or technical issues.
In the event of a merger, acquisition, reorganisation, asset sale, or similar transaction, Personal Data may be transferred to the acquiring party and will remain subject to this Policy or a successor policy providing an equivalent level of protection.
Personal Data described in this Policy is hosted and processed by default within the European Economic Area or Switzerland, in the Primary Region: Azure West Europe (Amsterdam, Netherlands). The legacy statement that ORamaVR maintains servers in the United States of America is superseded and no longer applies.
Where ORamaVR transfers Personal Data outside the EEA or Switzerland, ORamaVR ensures an appropriate safeguard under Articles 44 to 49 GDPR is in place. Safeguards used include: EU-Switzerland adequacy decision; 2021 Standard Contractual Clauses, Module Two (for EEA-to-third-country transfers); Swiss FDPIC supplemental clauses (where the transfer is also subject to the revFADP); and UK transfers addressed by a separate addendum on a per-customer basis.
The current cross-border transfers are documented in Exhibit C Annex 4 and include: (1) transfers to OpenAI L.L.C. (US) for LLM inference supporting JARIA, governed by EU-US DPF + 2021 SCCs Module 2; and (2) transfers to Microsoft Azure Speech (US) for speech-to-text and text-to-speech, governed by EU-US DPF + 2021 SCCs Module 2 + UK IDTA + FDPIC supplemental. OpenAI is a DPF-certified organisation and excludes customer data from model training under its standard API terms (since 1 March 2023).
We have implemented appropriate legal, organisational, technical, and administrative security measures designed to protect Personal Data from accidental loss and from unauthorised access, alteration, or disclosure. The technical and organisational measures are set out in Annex 2 of Exhibit C, and include: encryption in transit (TLS 1.2+) and at rest; role-based access control with MFA; logical isolation of Client Tenant data; access logging; daily backups + weekly archives; and annual third-party penetration testing.
We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected. The principal retention periods are:
| Category | Retention period |
|---|---|
| Active accounts | Duration of the subscription or Creator Solo eligibility. |
| Inactive accounts | 24 months from last login, after which the account is deactivated and Personal Data is deleted or anonymised. |
| Training-session analytics (End Customer's Client Tenant) | As specified in the End Customer's instructions under Exhibit C; on termination returned or deleted per Exhibit C §9. Default: 12 months after subscription end if no End Customer instruction is given. |
| Support correspondence | 36 months from closure of the support case. |
| Telemetry (identifiable) | 12 months from collection, subject to extension for active security investigations. |
| Anonymised aggregates | Indefinite. |
| Marketing engagement records | 24 months from last engagement. |
| Forum / community posts | Duration of account + 24 months. |
| VTC session records | Customer-defined; default 12 months after subscription end. |
| Marketing-communications consent records | Duration of consent plus 12 months following withdrawal. |
| Personal Data subject to legal hold | For the duration of the legal hold or active dispute. |
Subject to the conditions set out in the GDPR, the revFADP, and other applicable data protection law, you have the following rights in respect of Personal Data we hold about you as Controller: right of access (Art. 15); right to rectification (Art. 16); right to erasure (Art. 17); right to restriction of processing (Art. 18); right to object (Art. 21); right to data portability (Art. 20); right to withdraw consent (Art. 7(3)); and right to lodge a complaint (Art. 77).
Where ORamaVR processes Personal Data as Processor on behalf of an End Customer, Data Subjects should direct rights requests to the End Customer in the first instance. ORamaVR will assist the End Customer in accordance with Exhibit C §5.7.
You may also lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch, or with the data protection supervisory authority of your country of habitual residence.
The Services may include links to third-party websites. Those websites operate under their own privacy policies; ORamaVR does not accept responsibility for them.
ORamaVR may update this Policy from time to time. Where a change is material (change in lawful basis, cross-border transfer mechanism, new category of Personal Data, or new category of recipient), we will notify affected Data Subjects through reasonable means at least thirty (30) days before the change takes effect. This Policy is amended in accordance with the Standard-Form Document Amendments mechanism in the relevant Principal Agreement.
This Policy is governed by the laws of Switzerland, without prejudice to any mandatory provisions of EU data protection law (including the GDPR) that apply by virtue of the Data Subject's residence in the EEA or by other operation of law.
Where the GDPR applies to processing described in this Policy, ORamaVR maintains Personal Data in accordance with the principles of the GDPR. Where the revFADP applies, references in this Policy to the GDPR shall be read as references also to the corresponding revFADP provisions; references to supervisory authorities shall be read as including the FDPIC.
ORamaVR SA · CHE-478.871.980 · c/o FONGIT, Plan-les-Ouates, Geneva, Switzerland
ORM-PRV-001 · Version 1.0 · oramavr.com/legal/privacy-policy