Where Therapy withVR sits in relation to laws, standards, and frameworks
A single document for procurement teams, IT, Data Protection Officers, clinicians, and institutional users evaluating Therapy withVR for adoption. Every claim on this page is sourced from one of the legal documents at withvr.app/legal. Nothing on this page is novel - it summarizes and links.
What Therapy withVR is. A customizable virtual reality tool for speech-language professionals, educators, and researchers. It is not a medical device. It does not diagnose, treat, score, or measure. All clinical, educational, and research decisions remain the sole responsibility of the supervising professional. The platform is designed so that no Protected Health Information (PHI), no FERPA-protected student records, and no special-category data under GDPR Article 9 should ever enter the system.
At a glance
| Framework / standard | Jurisdiction | Status | Source |
|---|---|---|---|
| GDPR / UK GDPR | EU / EEA / UK | Compliant · Frankfurt EU hosting · DPA available | Privacy Policy |
| HIPAA | US healthcare | Outside scope by design · PHI does not enter the system · No BAA required | Privacy Policy §12 |
| FERPA | US education | Outside scope by design · No student records processed · SDPC National DPA available | Educational Use Policy |
| COPPA | US under-13 | School-official exception applies; no direct data collection from children | Educational Use Policy §3.2 |
| EU AI Act | EU | Limited risk · Not high-risk under Annex III · Article 50 transparency from Aug 2026 (preparing) · Article 4 AI literacy compliant | EU AI Act Statement |
| EU MDR / FDA / UKCA medical-device | EU / US / UK | Not a medical device · No certification required or claimed | EULA · AUP |
| State student-privacy laws (SOPIPA, NY 2-d, Colorado, Texas, etc.) | US states | Architecture supports compliance · Supplementary agreements available | Educational Use Policy §3.4 |
| ICO Children's Code | UK | Not directed at children · Supervised use only · Professional account holder 18+ | Educational Use Policy §3.3 |
| WCAG 2.2 Level AA | EU + US + global | Marketing site self-assessed at Lighthouse A11y 100/100 · Web App and VR App in progress | Accessibility Statement |
| European Accessibility Act (EAA) | EU | Monitoring B2B applicability · Improvements target EN 301 549 / WCAG 2.2 AA regardless | Accessibility Statement |
| Section 508 (US) | US federal | Partial alignment via WCAG 2.2 AA · VPAT v2.5 (March 2026) available | Accessibility Statement |
| SOC 2 / ISO 27001 | Global | Inherited from infrastructure (Google Cloud) · withVR BV does not currently hold either independently | Patch Mgmt / BCDR (on request) |
| NIS2 Directive | EU | Aligned with Belgian NIS2 implementing law via Patch Management Policy | Patch Mgmt Policy (on request) |
| EU Consumer Rights Directive | EU | 14-day withdrawal right · Belgian law / Ghent jurisdiction | Refund Policy · ToS |
Detail and source citations for each row appear in the sections below, organized under the nine categories of the Technology Checklist for SLPs.
A note on structure. The sections below mirror the nine categories of our public Technology Checklist for SLPs - the same framework we recommend clinicians use to evaluate any technology, including this one. This page is the worked example for our own product.
1. Data Privacy & Compliance
GDPR and UK GDPR
withVR BV is the data controller for personal data processed through Therapy withVR. All platform data is hosted on Google Cloud / Firebase in Frankfurt, Germany (europe-west1) - within the EEA. Personal data is processed lawfully under GDPR Article 6 on the bases of contract performance, legitimate interests, legal obligation, and consent (for marketing communications). UK personal data is processed under UK GDPR with equivalent legal bases. UK transfers to third countries are governed by the UK IDTA or UK Addendum to EU SCCs, as applicable. Data subjects have full rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent under GDPR Articles 15-22.
Source: Privacy Policy §3, §7, §9 · Terms of Service §11
HIPAA - outside scope by design
Therapy withVR is not a HIPAA covered entity and does not function as a Business Associate under HIPAA. The platform is architected so that Protected Health Information (PHI) does not enter the system - no clinical records, diagnoses, patient identifiers, or health records are stored. For US healthcare settings, the platform falls outside the scope of Business Associate Agreement requirements by design. A vendor not having a BAA does not necessarily mean non-compliance; in our case it means the architecture avoids PHI by design. Users in US healthcare settings are responsible for ensuring no PHI is entered into the platform.
Source: Privacy Policy §12 · ToS §11.1
FERPA - outside scope by design
FERPA obligations rest with educational institutions, not with vendors. Therapy withVR is not directly subject to FERPA. The platform is designed so that student educational records do not need to enter the system - session data consists of configuration settings and text labels only, which do not constitute educational records as defined under FERPA. The supervising professional is responsible for ensuring no FERPA-protected data is entered. For US school districts, withVR BV will review your institution's standard FERPA agreement or the Student Data Privacy Consortium (SDPC) National DPA and work with you to find an appropriate path - signing as presented where the terms are workable, proposing amendments where needed, or providing a withVR template instead. Contact legal@withvr.app to start the conversation.
Source: Educational Use Policy §3.1, §7 · Privacy Policy §13
COPPA
COPPA applies to online services that collect personal information from children under 13. Therapy withVR is not directed at children and does not collect personal information directly from any user, including children. When the platform is used with children under 13 in a school context, the school acts as the account holder under COPPA's school official exception - students do not interact with the platform directly as users. Educational institutions are responsible for parental-consent procedures appropriate to their jurisdiction.
Source: Educational Use Policy §3.2
State and regional student-privacy laws
Various US states have enacted student privacy laws beyond FERPA - including California (SOPIPA), New York (Education Law 2-d), Colorado, Texas, and others. The architectural commitments above (no PII collection, no advertising to students, no data selling, no behavioral tracking, no profiling) are designed to support compliance with these frameworks. Institutions in jurisdictions with specific requirements beyond what is described here can request supplementary agreements from legal@withvr.app.
Source: Educational Use Policy §3.4
Data hosting, transfers, and sub-processors
All platform data is hosted on Google Cloud / Firebase in Frankfurt, Germany. Transfers to OpenAI (United States, optional AI features only) are governed by EU Standard Contractual Clauses 2021 under GDPR Article 46(2)(c). Stripe transfers operate under SCCs and EU-US Data Privacy Framework participation where applicable. The full sub-processor list with each provider's role, location, and transfer mechanism is published at withvr.app/sub-processor-list; at least 30 days' advance notice is given before adding any new sub-processor.
Source: Privacy Policy §5, §7 · Sub-Processor List
Data we do not collect
No audio or video recordings of sessions. No speech samples from the person inside VR. No biometric data from VR headset sensors. No PHI. No student educational records. No precise location data. No financial payment data (Stripe handles cards). No special-category data under GDPR Article 9. Profile names are encrypted at the application level using AES-256 with unique initialization vectors per record.
Source: Privacy Policy §2.6, §8
Retention
Account and subscription data: 5 years after subscription end (Belgian commercial limitation period). Session and profile data: 3 years after subscription end. Research data under a Research Agreement: 24 months after end of project. Billing records: 7 years (Belgian accounting law). Early deletion can be requested at any time at legal@withvr.app and is fulfilled within 30 days, except where law requires longer retention.
Source: Privacy Policy §6
2. AI & Transparency
EU AI Act classification
Therapy withVR has been formally assessed against the EU AI Act and is not classified as a high-risk AI system under Article 6 or Annex III. It does not evaluate learning outcomes, monitor student behavior, score assessments, perform clinical decision-making, or assist medical-device functions. Even if any feature were considered to touch an Annex III category, the Article 6(3) exemptions would apply (narrow procedural tasks, improving the outcome of a previously performed human activity, not replacing human assessment). No conformity assessment, EU database registration, or CE marking is required.
Source: EU AI Act Statement §2
Article 5 - prohibited practices
Reviewed and confirmed: no prohibited practices under Article 5 are present. No subliminal techniques, no exploitation of vulnerabilities, no social scoring, no real-time remote biometric identification, no emotion recognition in employment or education contexts.
Source: EU AI Act Statement §2.4
Article 4 - AI literacy
In force since February 2025. Compliant. withVR BV provides live onboarding training to all users covering AI feature usage, limitations, and responsible use. AI feature documentation is included in the platform documentation. Institutions are responsible for ensuring their own staff have a sufficient level of AI literacy; our onboarding supports this obligation.
Source: EU AI Act Statement §3
Article 50 - transparency for AI-synthesized voices and AI-generated text
Applicable from 2 August 2026. Preparing. Disclosure is already present in the EULA, ToS, Privacy Policy, and the EU AI Act Compliance Statement. In-platform disclosure will be confirmed compliant before the 2 August 2026 deadline. Avatar voices in every session are AI-synthesized using Google Text-to-Speech; when optional OpenAI features are activated, text entered into AI fields is processed by an AI system. Supervising professionals are responsible for informing the people they work with where required by professional or institutional obligations.
Source: EU AI Act Statement §5
AI features: provider, data, training stance
Always-active: avatar voice synthesis (Google Text-to-Speech). Only the text of avatar speech is sent for voice synthesis; no user, client, or participant data. Optional, off by default: sentence translation, text generation, autocorrect, Whisper speech recognition, speaker grammar, formality adjustment, emotional speech (all OpenAI API). Under OpenAI's API data usage policy, API inputs are not used to train OpenAI's models by default. No client names, session recordings, or PII about people you work with are sent to either provider as part of normal operation. Users are explicitly instructed not to enter PII into AI-powered text fields.
Source: Privacy Policy §4 · Sub-Processor List
3. Informed Consent
The supervising professional is responsible for obtaining informed consent from the people they work with, in accordance with their professional code, institutional policy, and applicable law. To support this, withVR provides a free VR Informed Consent Template, a free plain-language VR handout for clients and families, and the EU AI Act Compliance Statement with disclosure language ready to incorporate into your own consent documents. AI involvement (synthetic voices and any activated OpenAI features) should be disclosed where required by your professional standards or applicable law.
Source: Acceptable Use Policy §2 · EU AI Act Statement
4. Language & Accessibility
WCAG 2.2 Level AA
Marketing site (withvr.app): Self-assessment against WCAG 2.2 AA completed April 2026. Lighthouse Accessibility 100/100 on desktop and mobile across the priority pages. Automated pa11y + axe-core scans show all hard failures resolved. Web App: in progress against WCAG 2.2 AA, with known partial gaps documented honestly in the Accessibility Statement (browser zoom, formal screen-reader testing, formal contrast audit). VR App: hand tracking supported as alternative to controllers; physical accessibility of VR is a clinical decision for the supervising professional.
Source: Accessibility Statement §1, §4, §5
VPAT / ACR
VPAT v2.5 (International Edition) completed March 2026, covering WCAG 2.0/2.1/2.2, Section 508, and EN 301 549 for platform v4.0.0. Available on request from legal@withvr.app.
European Accessibility Act, EN 301 549, Section 508
EAA in force June 2025. Therapy withVR is primarily a B2B professional platform; applicability of the EAA to B2B tools is being monitored as Belgian implementing guidance develops. Accessibility improvements target EN 301 549 / WCAG 2.2 AA regardless of EAA applicability. Section 508: partial alignment via the WCAG 2.2 AA work; no formal Section 508 assessment completed.
Source: Accessibility Statement §3, §7
Languages
Web App interface available in 59 languages. 52 avatar language-region voice combinations. Marketing site available in 11 locales (English plus Dutch, French, German, Norwegian, Italian, Czech, Spanish, Portuguese, Greek, Arabic, Turkish), with correct lang attribute and RTL support for Arabic.
5. Cultural & Clinical Fit
All scenarios, sentences, and conversation content are configurable by the supervising professional - cultural and contextual relevance is determined by the user, not by us. Customizable speaking environments and a freely-configurable empty room support practice that reflects the individual's real-world context. Peer-reviewed studies using Therapy withVR or withVR-developed scenarios are cataloged in the Evidence Hub with full citation, plain-language summary, and certainty rationale for each. The platform makes no clinical-effectiveness claim of its own; evidence comes from the literature.
Source: Evidence Hub · Scenarios
6. Security & Breach Notification
Encryption and storage
All data at rest in Google Cloud Firestore is encrypted using AES-256 (Google Cloud default infrastructure encryption). Profile names are additionally encrypted at the application level using AES-256 with unique initialization vectors per record. All data in transit is encrypted using TLS 1.2 or higher. Passwords are managed entirely by Firebase Authentication - withVR BV never has access to user passwords.
Source: Privacy Policy §8 · DPA §6 (on request)
Patch management
Critical patches (CVSS 9.0+, zero-days, vulnerabilities affecting Firebase auth or storage): within 48 hours. High (CVSS 7.0-8.9): within 7 days. Medium (CVSS 4.0-6.9): within 30 days or next release. Identification via vendor bulletins, NVD/CVE, GitHub Dependabot. Aligned with GDPR Article 32 obligations and Belgian NIS2 implementation.
Source: Patch Management Policy §4 (on request)
Breach notification
Personal data breach notification to the Belgian Data Protection Authority (GBA) within 72 hours of becoming aware (GDPR Article 33). UK ICO notification under UK GDPR. Affected users notified without undue delay where the breach is likely to result in high risk. Institutional clients with a signed DPA are notified within 72 hours per the DPA terms.
Source: Privacy Policy §10 · ToS §11.3 · DPA §11 (on request)
Service availability and resilience
Hosted on Google Cloud Firebase (Frankfurt) under Google's 99.95% uptime SLA. Multi-zone data replication within the EU region. Firestore point-in-time recovery with 7-day window. Daily backups retained 30 days, weekly backups retained 98 days. Incident response priorities (P1 full outage / data breach within 2 hours; P2 partial outage within 4 hours; P3 minor degradation next business day). Web App operates independently of the marketing website, and the VR App operates independently of the Meta Quest Store distribution channel after install.
Source: Business Continuity & Disaster Recovery Summary (on request)
Independent security certifications
Honest position: withVR BV does not currently hold independent SOC 2 Type II or ISO 27001 certifications. The platform's infrastructure inherits these from Google Cloud / Firebase, which maintains both. Independent certifications will be considered as the platform matures. Scheduled penetration testing is not currently in place; this will also be considered as the platform matures.
Source: Patch Management Policy §9 · BCDR §8.2 (on request)
Administrative access
Honest position: withVR BV is operated by a single individual (the founder). Administrative access to the Firebase project is restricted to that individual. No other personnel or third parties have direct access to the production database or infrastructure. Multi-factor authentication on administrative accounts is planned. The platform's underlying infrastructure runs on managed Google Cloud services that operate independently of withVR BV's day-to-day involvement, mitigating single-person dependency at the infrastructure level. Founder-unavailability scenarios are addressed in the Business Continuity Summary.
Source: Privacy Policy §8 · BCDR §5 (on request)
Audit logging
Google Cloud Audit Logs are enabled across the production project, providing a tamper-resistant trail of every administrative action and every customer-data operation. Always-on Admin Activity logs capture every configuration change. Admin Read, Data Read, and Data Write logs are enabled for Cloud Firestore (where customer data lives), the Cloud Storage for Firebase API (rules and configuration), and Google Cloud Storage (file operations - upload, download, delete). Logs are retained per Google Cloud's default retention policy (400 days for data access logs, 400 days for admin activity) and are used solely for security incident investigation and compliance verification. This forms part of withVR BV's GDPR Article 32 technical and organizational measures.
Source: Google Cloud Audit Logs (Firebase project) · BCDR §6 (on request)
Network requirements (for institutional IT)
All withVR BV traffic uses HTTPS on port 443. The Web App requires withvr.app, firestore.googleapis.com, firebasestorage.googleapis.com, texttospeech.googleapis.com, and (only when AI features are enabled) api.openai.com. The VR App does not connect to OpenAI. Meta Quest hardware additionally requires Meta platform domains - institutions running restricted networks (especially schools) should ensure these are not blocked. Full domain, port, browser, and operating-system list is on the Compatibility page.
Source: Compatibility page · BCDR §8.1 (on request)
7. Working with Children & in Schools
Account holders must be 18+. The platform may be used with minors only under direct supervision and control of a qualified adult professional. Students never create accounts, log in, or submit any personal data to the platform directly. No student names, identifiers, or PII may be entered into the platform. The Meta Quest hardware has a separate minimum age of 10 years set by Meta - this is Meta's policy, not ours, and applies regardless of professional supervision.
Three thresholds may apply at once: the platform's age policy, applicable privacy law (e.g. COPPA's 13, GDPR Article 8's 13-16 by member state), and clinical consent (typically under 18). The highest threshold wins. The supervising professional is responsible for parental or guardian consent in their jurisdiction.
For US schools, a FERPA agreement, Student Data Privacy Agreement, or the SDPC National DPA is available - see Section 8 (Available agreements) below.
Source: Educational Use Policy §1, §3 · EULA §8
8. Organizational Readiness
Medical-device certification
Therapy withVR is not a medical device. Not CE marked under EU MDR. Not FDA regulated. Not UKCA marked. The platform does not diagnose, treat, score, measure, or make clinical decisions. All clinical decisions remain the sole responsibility of the supervising professional. AI features generate content suggestions only and do not constitute clinical advice or assessment.
Source: EULA §1 · AUP §1 · EU AI Act Statement §2
SLA and uptime
withVR BV does not offer a separate uptime guarantee, but the platform inherits Google Cloud's 99.95% uptime SLA for the underlying infrastructure. Scheduled maintenance is communicated in advance where possible. Unplanned downtime is communicated by email and on the website.
Pricing and tax
Standard subscription €49/month per seat (ex. VAT, when billed annually). Multi-year discounts available, up to 5 years. As many seats as needed. Quotes on letterhead, purchase-order billing, and supplementary procurement documentation available on request. We can speak directly with IT, procurement, or data-protection teams to clear vendor-onboarding requirements.
Source: ToS §6 · Refund Policy
Consumer protection (EU)
Statutory 14-day right of withdrawal under EU Consumer Rights Directive 2011/83/EU and Belgian implementing law. Belgian law / Ghent jurisdiction. EU consumers retain the right to bring proceedings in their place of habitual residence; the European Online Dispute Resolution platform is available at ec.europa.eu/consumers/odr.
Source: ToS §6.4, §16 · Refund Policy §2, §9
9. Peer Validation
Therapy withVR is used in active peer-reviewed research at universities and hospitals across many countries. The Evidence Hub catalogs every published study, with full citation, plain-language summary, and certainty rating. Universities, NHS trusts, and school districts that have already completed their own institutional approval processes are happy to be approached as references - request via hello@withvr.app.
Available agreements
Request from legal@withvr.app:
- Data Processing Agreement (DPA) - required by many institutions for GDPR. withVR BV is the Processor. A standard template is available; we are also happy to review your institution's own DPA and work with you on an agreed version.
- FERPA agreement / Student Data Privacy Agreement - required by many US school districts. We will review your institution's standard agreement (including the SDPC National DPA) and work with you to find an appropriate path: signing as presented where the terms are workable, proposing amendments where needed, or providing a withVR template instead.
- Research Agreement - for academic research use. Defines research-data ownership (the institution's), withVR BV's limited operational rights, publication freedoms, and 24-month research-data retention after end of project.
- Custom supplementary agreement - for state-specific, institution-specific, or jurisdiction-specific requirements not covered above.
- Data Protection Impact Assessment (DPIA) documentation - supporting documentation for institutional DPIAs under GDPR Article 35.
- VPAT v2.5 (March 2026) - accessibility conformance report covering WCAG 2.0/2.1/2.2, Section 508, EN 301 549.
- Business Continuity & Disaster Recovery Summary - for institutional procurement review.
- Patch Management Policy - for institutional security review.
Documents
All public-facing documents are linked from withvr.app/legal:
- Privacy Policy
- Terms of Service
- End User License Agreement
- Acceptable Use Policy
- Educational Use Policy
- EU AI Act Compliance Statement
- Accessibility Statement
- Cookie Policy
- Refund and Return Policy
- Sub-Processor List
What we don't claim
Transparency about limits is part of the design:
- We do not claim to be a medical device of any kind.
- We do not claim to be HIPAA compliant - we are outside HIPAA's scope by design.
- We do not claim independent SOC 2 Type II or ISO 27001 certifications. We inherit both from Google Cloud at the infrastructure layer; independent certifications will be considered as the platform matures.
- We do not claim a completed independent WCAG audit. We have a self-assessment, automated scans, the VPAT v2.5, and a Lighthouse 100/100 score on the marketing site. A formal commissioned audit is planned when funding permits.
- We do not claim NIS2 compliance - we claim alignment with Belgian NIS2 implementation via the Patch Management Policy.
- We do not claim AI replaces clinical judgment. Every AI feature is optional, off by default, and reviewable. Avatar voices are always disclosed as AI-synthesized.
Contact
Procurement, vendor questionnaires, security reviews, and agreement requests: legal@withvr.app. Our Technology Checklist for SLPs is the public version of the framework this page is structured around - feel free to use it on us, or on any other tool you are evaluating.
withVR BV · Jozef Hebbelynckstraat 21, Merelbeke 9820, Belgium · BE-0790.909.294 · last reviewed 2026-04-25