Therapy withVR
Educational Use Policy
Version | 2.0.0 |
Effective date | 30 days after notice is sent to existing users |
Company | withVR BV |
Registered address | Jozef Hebbelynckstraat 21, Merelbeke 9820, Belgium |
VAT / company number | BE-0790.909.294 |
Governing law | Belgian law |
Jurisdiction | Courts of Ghent, Belgium |
Contact | hello@withvr.app | legal@withvr.app |
This Educational Use Policy explains how Therapy withVR may be used in schools, school districts, universities, and other educational settings. It describes withVR BV's commitments regarding student data, supervised use, applicable regulations, and the agreements available to educational institutions.
This policy applies to all educational users of the Therapy withVR platform, including the Web App and the VR App on Meta Quest headsets. It should be read alongside the Privacy Policy, Terms of Service, and EULA, all available at withvr.app.
What Therapy withVR is: Therapy withVR is a customizable virtual reality tool for speech-language professionals, educators, and researchers. It does not provide therapy, clinical assessment, diagnosis, or treatment of any kind. It is not a medical device. All educational and clinical decisions remain the sole responsibility of the supervising professional. |
1. Supervised Use
Therapy withVR is a professional tool for adults. The Platform is intended for use by educators, speech-language professionals, and researchers who are 18 years of age or older.
The Platform may be used with students of any age, including minors, provided the following conditions are met:
- All sessions are operated under the supervision and control of a qualified adult professional at all times
- The supervising professional creates and manages the account - students do not create accounts
- Students do not enter any personal information into the Platform directly
- No student names, student identifiers, or personally identifiable information about students is entered into the Platform
- Appropriate parental or guardian consent is obtained before the Platform is used with a minor, in accordance with applicable law and institutional policy
Account creation: Only the supervising professional creates and holds a Therapy withVR account. Students, minors, and the individuals inside the VR headset do not create accounts, log in, or submit any personal data to the Platform directly. |
Note: Meta Quest headsets have a platform-level minimum age requirement of 10 years. This is a Meta policy, not a withVR BV policy, and applies regardless of professional supervision.
2. Student Data Commitments
withVR BV makes the following commitments with respect to student data:
Commitment | Detail |
No student PII collected | The Platform does not collect personally identifiable information directly from students. Student names, dates of birth, contact details, and similar identifiers are never required or requested by the Platform. |
No student educational records processed | The Platform is not designed to receive, store, or process student educational records as defined under FERPA or equivalent applicable law. Session data consists of configuration settings and text labels - not student records. |
No advertising to students | The Platform does not serve advertising of any kind. Student data is never used for advertising, behavioral targeting, or profiling. |
No sale of student data | withVR BV does not sell, rent, trade, or otherwise disclose student data to any third party for commercial purposes. |
No cross-context behavioral tracking | The Platform does not track users across third-party websites or services for advertising or marketing purposes. |
Data minimization | Only data that is strictly necessary to operate the Platform is collected. withVR BV does not collect data beyond what is required for the educational use of the service. |
Supervised data management | All account data, session configurations, and profile labels are created and managed by the supervising professional, not by students. |
3. Regulatory Frameworks
3.1 FERPA (US)
FERPA (Family Educational Rights and Privacy Act) obligations rest with educational institutions, not with withVR BV directly. The Platform is designed to support FERPA-compliant use.
The Platform is not designed to receive or process student educational records. Session data does not constitute an educational record as defined under FERPA. The supervising professional is responsible for ensuring that no FERPA-protected data is entered into the Platform.
withVR BV will work with institutions to address specific FERPA requirements on request. A Data Processing Agreement is available - see Section 7.
3.2 COPPA (US)
COPPA (Children's Online Privacy Protection Act) applies to online services that collect personal information from children under 13. The Platform is not directed at children and does not collect personal information directly from any user, including children.
When the Platform is used with children under 13 in a school context, the school acts as the account holder under COPPA's school official exception - students do not interact with the Platform directly as users. Educational institutions using the Platform with children under 13 are responsible for ensuring their use is consistent with COPPA requirements and their own data governance policies.
3.3 GDPR and UK GDPR (EU and UK)
withVR BV processes personal data in accordance with GDPR and UK GDPR. For educational use in the EU and UK, the following applies:
- The digital consent age for data processing by online services varies by EU member state, typically between 13 and 16 years. This applies to the individual's own consent over their personal data processing. Since students do not create accounts or submit personal data to the Platform directly, this threshold applies to the supervising professional's account, not to the student's participation in a session.
- The supervising professional is responsible for compliance with any parental consent requirements applicable to the use of technology with minors in their jurisdiction.
- The ICO Children's Code (UK) requires services likely to be accessed by children to implement appropriate age assurance and privacy protections. The Platform is a professional tool not directed at children; students participate in sessions under adult supervision and do not independently access the service.
3.4 State and regional education privacy laws
In addition to FERPA and COPPA, various US states have enacted student privacy laws imposing additional requirements on educational technology vendors, including laws in California (SOPIPA), New York (Education Law 2-d), Colorado, Texas, and others. withVR BV's commitments in Section 2 are designed to support compliance with these frameworks.
Institutions in jurisdictions with specific student privacy requirements beyond those described in this policy are encouraged to contact legal@withvr.app to discuss their specific needs. A Data Processing Agreement or supplementary agreement can be arranged where required.
4. Data Storage and Security
The following technical and organizational measures are in place to protect data processed through the Platform in educational settings:
Measure | Detail |
Data location | All Platform data stored on Google Cloud / Firebase servers in Frankfurt, Germany (EU). No personal data stored outside the EEA by withVR BV’s own infrastructure. All data at rest is encrypted using AES-256, managed by Google Cloud’s default encryption infrastructure. |
Profile name encryption | Profile labels (names) are encrypted at the application level using AES-256 with unique initialization vectors per record, providing an additional layer of protection beyond infrastructure-level encryption. |
No session recordings | No audio or video from sessions is ever recorded or stored. Session data consists of text labels and timestamps only. Nothing the student inside VR says is captured. |
Encryption in transit | All data transmitted between the Web App and Firebase encrypted using TLS 1.2 or higher. |
Access controls | Administrative access to the Firebase project is restricted to a single individual (the founder). No other personnel or third parties have direct access to the production database or infrastructure. |
Authentication | Passwords managed by Firebase Authentication. withVR BV never has access to user passwords. |
5. AI Features in Educational Settings
The Platform includes AI-powered features. In educational settings, the following applies.
5.1 Avatar voices
All avatar speech inside VR is generated using Google Text-to-Speech. This is always active - the student inside VR hears a synthesized voice, not a human recording. Only the text of the avatar's speech is sent to Google for synthesis; no student data is transmitted.
5.2 Optional OpenAI features
The following features are optional and off by default. They must be deliberately activated by the supervising professional:
Feature | What it does |
Sentence translation | Translates conversation sentences between languages |
Text generation | Generates suggested conversation text from a topic or prompt |
Autocorrect | Corrects spelling and grammar in text entered by the professional |
Whisper speech recognition | Converts spoken words to text during session setup |
Speaker grammar | Adjusts gendered grammar to match the avatar's voice |
Formality adjustment | Adjusts the formality level of AI-generated text |
Emotional speech | Adjusts avatar voice characteristics to match the avatar's set emotion |
When these features are used, text entered by the supervising professional is sent to OpenAI for processing. Under OpenAI's API data usage policy, API inputs are not used to train OpenAI's models by default. Student names and student identifiers must not be entered into any AI-powered field.
5.3 Institutional AI governance
Educational institutions with specific AI governance policies - for example, policies restricting the use of generative AI tools with students, or requirements for parental disclosure of AI use - are responsible for applying those policies to their use of the Platform's optional AI features. All optional features can be disabled. The supervising professional retains full control over which features are active in any session.
EU AI Act - Article 50 disclosure: Avatar voices are AI-synthesized using Google Text-to-Speech. When optional OpenAI features are activated, text is processed by an AI system. Supervising professionals are responsible for ensuring that students and parents are informed of AI involvement where required by institutional policy or applicable law. |
6. No Advertising, No Tracking, No Data Selling
Commitment | Detail |
No advertising | The Platform does not display advertisements of any kind. No advertising networks have access to Platform data. |
No behavioral tracking | The Platform does not track users across third-party websites or apps for advertising, marketing, or analytics purposes. Google Analytics is used only on the withvr.app marketing website, not inside the Web App or during sessions. |
No data selling | withVR BV does not sell, rent, or transfer personal data to any third party for commercial purposes. |
No profiling | No automated profiling or decision-making that produces legal or significant effects is performed on any user's data. |
No targeted marketing to students | Student data is never used for targeted marketing or advertising to students or their families. |
7. Agreements for Educational Institutions
withVR BV offers the following agreements to educational institutions:
Agreement | When to request it |
Data Processing Agreement (DPA) | Required by many school districts and universities for GDPR compliance. Defines withVR BV as a data processor and sets out data protection obligations. A standard template is available at withvr.app. Contact legal@withvr.app to initiate. |
FERPA agreement / Student Data Privacy Agreement | Required by many US school districts before adopting educational technology. withVR BV will review your institution’s standard FERPA or student data privacy agreement, including the Student Data Privacy Consortium (SDPC) National DPA where applicable, and work with you to find an appropriate path: signing as presented where the terms are workable, proposing amendments where needed, or providing a withVR template instead. Contact legal@withvr.app. |
Custom supplementary agreement | If your institution has specific requirements not covered by the standard DPA or FERPA agreement - for example, state-specific student privacy law requirements - contact legal@withvr.app to discuss. |
Procurement teams: If your school district or university requires vendor documentation for technology procurement review - including security questionnaires, data privacy impact assessments, or sub-processor lists - contact legal@withvr.app. The Sub-processor List and Data Processing Agreement are available at withvr.app. |
8. Data Retention and Deletion
Data retention periods for educational use are governed by the Privacy Policy and, where a Data Processing Agreement is in place, by that agreement. The following summary applies:
Category | Retention period |
Account and subscription data | 5 years after the end of the subscription |
Session and profile data | 3 years after the end of the subscription |
Billing records | 7 years (Belgian accounting law) |
The supervising professional may delete profiles and session data at any time within the Platform. Institutions may also request deletion of all data associated with their account by contacting legal@withvr.app. Deletion requests will be fulfilled within 30 days, except where retention is required by law.
9. Data Breach Notification
In the event of a personal data breach affecting data processed under an educational institution's account, withVR BV will:
- Notify the affected institution without undue delay, and in any event within 72 hours of becoming aware of the breach
- Notify the Belgian Data Protection Authority (GBA) as required under GDPR
- Notify the ICO (for UK institutions) as required under UK GDPR
- Provide information about the nature of the breach, data affected, and steps taken to address it
The institution remains responsible for notifying affected parents, eligible students, and any other parties as required by FERPA, applicable state law, or other applicable regulation. withVR BV will cooperate with the institution's breach response process and provide all relevant technical information to support that notification.
10. Changes to This Policy
withVR BV may update this Educational Use Policy from time to time. If we make material changes, we will notify existing users at least 30 days before the changes take effect, by email and/or in-Platform notification.
The version number and effective date at the top of this document identify the version in force. Previous versions are available on request.
11. Contact
For questions about this policy, to request a Data Processing Agreement or FERPA agreement, or to discuss your institution's specific requirements:
withVR BV Jozef Hebbelynckstraat 21, Merelbeke 9820, Belgium General enquiries: hello@withvr.app Legal, data protection, agreements: legal@withvr.app Technical support: support@withvr.app |
withVR BV | Jozef Hebbelynckstraat 21, Merelbeke 9820, Belgium | legal@withvr.app | withvr.app