Therapy withVR
Sub-processor List
Version | 1.0.0 |
Last updated | March 2026 |
Company | withVR BV |
Registered address | Jozef Hebbelynckstraat 21, Merelbeke 9820, Belgium |
VAT / company number | BE-0790.909.294 |
Governing law | Belgian law |
Jurisdiction | Courts of Ghent, Belgium |
Contact | hello@withvr.app | legal@withvr.app |
This document lists all third-party sub-processors used by withVR BV in the operation of the Therapy withVR platform. A sub-processor is any third party that processes personal data on behalf of withVR BV.
This list is maintained in accordance with GDPR Article 28(2) and is referenced in the withVR Privacy Policy, Data Processing Agreement, and Cookie Policy. withVR BV will provide at least 30 days' advance notice before engaging any new sub-processor.
No data selling: withVR BV does not sell personal data to any third party. Sub-processors listed here are engaged solely to operate and deliver the Therapy withVR platform service. |
1. Current Sub-processors
The following sub-processors are currently engaged by withVR BV. All sub-processors are bound by data processing agreements or equivalent contractual terms that require them to implement appropriate technical and organizational measures to protect personal data.
Sub-processor | Category | Purpose | Data processed | Location | Transfer mechanism | DPA / terms |
Google Cloud / Firebase | Infrastructure | Platform database, authentication, hosting, and backend functions. Cloud Audit Logs (Admin Activity, Admin Read, Data Read, Data Write) are part of the standard Google Cloud service scope; retained per Google Cloud's default policy (400 days) and used solely for security incident investigation and compliance verification under GDPR Article 32. | Account data, session data, profile data, app version and activity data | Frankfurt, Germany (EU) | Adequacy - data remains in EEA | Google Cloud Data Processing Addendum (firebase.google.com/support/privacy) |
Google Text-to-Speech | AI / voice synthesis | Converts avatar speech text to synthesized audio for delivery inside VR | Text strings for voice output. No personal data about users or clients in normal operation. | Google Cloud (EU processing terms) | Google EU Data Processing Terms | Google Cloud Data Processing Addendum |
OpenAI | AI / language processing | Optional AI features: sentence translation, text generation, autocorrect, Whisper speech recognition, speaker grammar, formality adjustment, emotional speech (all user-activated, off by default) | User-entered text in AI-powered fields. Not client names or PII. API inputs not used for model training by default. | United States | Standard Contractual Clauses (EU SCCs 2021) under GDPR Art. 46(2)(c) | OpenAI Data Processing Addendum (openai.com/policies/data-processing-addendum) |
Stripe | Payment processing | Processes subscription payments and manages billing | Billing data (name, email, payment method). Card details held and processed by Stripe directly - withVR BV does not store card data. | EU / United States | SCCs + EU-US Data Privacy Framework participation | Stripe Data Processing Agreement (stripe.com/legal/dpa) |
MailerLite | Email communications | Sends transactional and marketing emails, manages newsletter subscriptions | Email address, name, email engagement data (opens, clicks) | European Union | Adequacy - data remains in EEA | MailerLite Data Processing Agreement (mailerlite.com/legal/data-processing-agreement) |
Google Analytics | Analytics | Anonymous website usage analytics on withvr.app only. Not used inside the Web App or during sessions. | Anonymized and aggregated usage data (page views, traffic sources, browser type). No personal data, no session data. | Google Cloud | Google Analytics Terms of Service with data processing addendum | Google Ads Data Processing Terms (policies.google.com/privacy) |
2. Scope and Limitations
This list covers sub-processors that process personal data as defined under GDPR. The following clarifications apply:
Topic | Detail |
OpenAI features | All OpenAI features are optional and off by default. Data is only transmitted to OpenAI when a user deliberately activates one of these features in the Platform settings. Users who do not activate any OpenAI features have no data transmitted to OpenAI. |
Google Text-to-Speech | Used in all sessions to synthesize avatar voices. Only the text content of avatar speech is transmitted - no user account data, no profile data, and no information about the person inside VR. |
Google Analytics | Used only on the withvr.app marketing website - not inside the Therapy withVR Web App or during any platform session. Data is anonymized before transmission. Only set after cookie consent is given. |
No PHI or special category data | The Platform is not designed to receive or process Protected Health Information (PHI), student educational records, or special category data under GDPR Article 9. No sub-processor receives such data as part of normal Platform operation. |
No audio or video | No audio or video from sessions is ever recorded or stored by withVR BV or transmitted to any sub-processor. Session data consists entirely of text labels and timestamps. |
3. Platform Dependencies
The following third party is a required platform dependency for the Therapy withVR VR App. It is listed here for transparency and procurement due diligence purposes. It is not a sub-processor under GDPR - it does not process personal data on withVR BV's behalf. The user has a direct relationship with this provider under that provider's own terms of service and privacy policy.
Provider | Dependency | Relationship | Availability impact |
Meta Platforms, Inc. | Meta Quest headset and Meta account required to run the VR App | Direct relationship between the headset owner and Meta. withVR BV has no data processing agreement with Meta and does not control Meta's data practices. Meta processes headset owner data under Meta's own terms of service and privacy policy. | If Meta experiences an outage or discontinues the Meta Quest platform, the Therapy withVR VR App will be unavailable until service is restored. The Web App is not affected by Meta outages. |
Note: Users are responsible for reviewing and agreeing to Meta's terms of service and privacy policy independently of their use of Therapy withVR. Meta's privacy policy is available at privacy.meta.com. |
4. Notification of Changes
withVR BV will provide at least 30 days' advance written notice before:
- Engaging any new sub-processor
- Making any material change to the purpose or scope of processing by an existing sub-processor
- Replacing an existing sub-processor with a different provider
Notifications will be sent to the primary contact email address on the account, and posted on withvr.app. Customers with a signed Data Processing Agreement may object to a new sub-processor in accordance with the terms of that agreement.
To request advance notification by email or to object to a sub-processor change, contact legal@withvr.app.
5. Changelog
This section records all changes to the sub-processor list since its initial publication.
Version | Date | Change type | Detail |
1.0.0 | March 2026 | Initial publication | Sub-processor list published. Six sub-processors listed: Google Cloud / Firebase, Google Text-to-Speech, OpenAI, Stripe, MailerLite, Google Analytics. Platform dependency noted: Meta Platforms, Inc. |
6. Contact
For questions about this sub-processor list, to request a Data Processing Agreement, or to object to a sub-processor change:
withVR BV Jozef Hebbelynckstraat 21, Merelbeke 9820, Belgium General enquiries: hello@withvr.app Legal and data protection: legal@withvr.app |
withVR BV | Jozef Hebbelynckstraat 21, Merelbeke 9820, Belgium | legal@withvr.app | withvr.app