Effective date: April 13, 2026
Last updated: April 13, 2026
OwnXR Inc. ("OwnXR", "we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use our platform and services, accessible at ownxr.com.
Please read this policy carefully. By using OwnXR, you acknowledge that you have read and understood its terms.
1. Data Controller
The data controller for your personal information is:
OwnXR Inc.
For privacy-related requests or questions, contact us at: contact@ownxr.com
2. Categories of Personal Data We Collect
We collect personal data in the following categories:
2.1 Account and Authentication Data
When you register and use OwnXR, we collect your email address and user ID via our authentication provider (Supabase). This is required to create and maintain your account and to authenticate you on each visit.
2.2 Usage Events (With Your Consent)
After you provide explicit consent, we collect product usage events such as scene saves, scene publishes, asset operations, and navigation events. These are linked to your identified user profile and processed by our analytics provider.
2.3 Anonymous Page Metrics (No Consent Required)
Without any consent requirement, we collect anonymous, aggregate page view counts using ephemeral identifiers that are discarded when your browser tab closes. No persistent identifier is stored on your device and no profile is built across sessions. This applies to all visitors, including unauthenticated public scene viewers. It is statistically equivalent to server-access-log counting and does not constitute processing of personal data under GDPR.
2.4 Payment Information
When you subscribe to a paid plan, payment information (card details, billing address) is collected and processed directly by our payment processor, Stripe. OwnXR does not store full card details or payment credentials on our systems.
2.5 Uploaded Content and Assets
3D assets, media files, and scene data you upload are stored in encrypted form on cloud infrastructure operated on OwnXR's behalf. We access these data only to provide the service to you.
2.6 Voice Chat Input
If you use the Voice Chat feature, your voice input is streamed in real time to a third-party voice AI provider (OpenAI) to generate responses. OwnXR does not record, store, or retain your voice audio. Voice Chat is only activated after your explicit, in-session permission.
3. How We Use Your Data and Our Legal Basis (GDPR)
| Data type | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Anonymous ephemeral pageviews | Aggregate usage statistics | Legitimate interest — statistical analytics (Art. 6(1)(f)) |
| Identified user events (after consent) | Product improvement, feature analytics | Consent (Art. 6(1)(a)) |
| Supabase authentication session cookies | Authenticate users and maintain sessions | Contract performance (Art. 6(1)(b)) |
| Payment data (via Stripe) | Process subscription payments | Contract performance (Art. 6(1)(b)) |
| Uploaded assets and scene data | Provide and operate the service | Contract performance (Art. 6(1)(b)) |
| Voice chat audio | Provide real-time voice AI interaction | Consent, solicited per session (Art. 6(1)(a)) |
Why anonymous tracking does not require consent
OwnXR's analytics are configured with memory persistence — no data is written to localStorage or cookies for anonymous sessions. Each page load generates a fresh ephemeral identifier that is discarded when your tab closes. Events are aggregate-only statistics, and no personal data is collected or linked across sessions.
Under GDPR's ePrivacy interpretation, stateless analytics with no persistent identifiers and no cross-session profiling do not constitute processing of personal data and therefore do not require consent. This aligns with CNIL (France) guidance on analytics tools exempt from consent requirements.
Important: IP anonymisation is enabled in our analytics configuration.
4. Data Processors and Sub-processors
OwnXR uses the following third-party processors on your behalf. Each is bound by data processing agreements consistent with GDPR requirements.
| Processor | Role | Data Processed | Data Location |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure, encrypted asset storage, CDN, serverless functions | Uploaded 3D assets, media files, scene data | Region-specific (EU and US) |
| Supabase | Authentication and user database | Email address, user ID, session tokens | United States |
| PostHog | Product analytics | Anonymous pageviews (all users); identified usage events (consented users only) | United States (EU–US Data Privacy Framework + Standard Contractual Clauses) |
| Stripe | Payment processing and subscription billing | Billing information, payment card data | United States |
| OpenAI | Real-time voice chat processing | Voice audio (streamed in real time, not stored by OwnXR) | United States |
| Third-party AI content generation services | 3D asset generation and environment generation (optional features) | Text and image prompts, generation parameters (no personal data) | United States |
OwnXR does not sell your personal data to any third party.
5. International Data Transfers
OwnXR is incorporated in the United States. If you are accessing OwnXR from the European Economic Area (EEA), United Kingdom, or elsewhere, your data may be transferred to and processed in the United States.
We rely on the following transfer mechanisms:
- PostHog — EU–US Data Privacy Framework (DPF), in which PostHog enrolled in July 2024; Standard Contractual Clauses (SCCs) included in their DPA as a backup mechanism.
- Microsoft Azure — Azure's standard data protection addendum and SCCs, with region-specific data residency options.
- Supabase, Stripe, OpenAI — Standard Contractual Clauses (SCCs) with each provider.
6. Data Retention
| Data category | Retention period |
|---|---|
| Analytics events | PostHog default retention (currently 7 years) |
| Account authentication data | Duration of your account |
| Uploaded 3D assets and media | Until you delete them or your account is closed |
| Payment records | As required by applicable financial regulations |
| Voice chat audio | Not retained — processed in real time only |
| Anonymous analytics identifiers | Discarded on browser tab close (in-memory only) |
7. Cookies and Local Storage
| Key / Cookie | Purpose | Storage | Consent Required? |
|---|---|---|---|
| sb-* (cookies) | Supabase authentication session | Session / configurable | No — essential for service |
| oxr__c_v1_0 (localStorage) | OwnXR consent preference | Until manually cleared | No — functional preference |
| oxr__a_su (sessionStorage) | Analytics session bootstrap — persists your user ID within a browser tab to avoid repeated identity events on page reloads | Tab session (cleared on tab close, sign-out, or consent withdrawal) | Yes — set only after consent accepted |
| ph_* (localStorage) | PostHog identified user analytics | Persistent | Yes — set only after consent accepted |
| PostHog ephemeral ID (memory only) | Anonymous session analytics | Tab session only (in-memory, never written to storage) | No — no device storage used |
8. Your Rights Under GDPR (Articles 15–22)
If you are located in the EEA or UK, you have the following rights in relation to your personal data:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing — Request that we limit how we use your data in certain circumstances.
- Right to data portability — Receive your personal data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests (including analytics).
- Right to withdraw consent — Withdraw your analytics consent at any time without affecting the lawfulness of prior processing.
In-app: You can withdraw analytics consent at any time by navigating to Settings → Account → Withdraw analytics consent.
By email: Submit requests to contact@ownxr.com. We will respond within 30 days. For complex requests, the response period may be extended by up to two months; we will notify you if this applies.
Supervisory authority: You have the right to lodge a complaint with your local data protection authority at any time.
9. Children and Young Users
9.1 Account Holders
OwnXR accounts are intended for individuals who are 18 years of age or older. We do not knowingly create accounts for anyone under 18. If we learn that an account belongs to an individual under 18, we may terminate the account without notice.
9.2 Public Scene Viewers
Published OwnXR scenes may be viewed by individuals of any age, including children. OwnXR does not collect personal data from scene viewers. Anonymous page metrics use ephemeral in-memory identifiers that are discarded when the browser tab closes — no cookies, no localStorage, no persistent identifiers, and no cross-session profiles are created. Because no personal data is collected from viewers, OwnXR’s public scene viewer does not trigger obligations under the US Children’s Online Privacy Protection Act (COPPA), the EU General Data Protection Regulation (GDPR), or equivalent child-privacy laws.
9.3 Educator and Creator Responsibility
Scene creators who publish content intended for children or educational audiences are responsible for ensuring their content is age-appropriate and complies with any applicable regulations, such as school policies or content standards.
9.4 Contact
If you believe we have inadvertently collected personal data from a child under 13, please contact us at contact@ownxr.com and we will delete it promptly.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we do, we will update the "Last updated" date at the top of this page. For material changes that significantly affect how we handle your data, we will provide advance notice (for example, via an in-app notification or email). Your continued use of OwnXR after changes take effect constitutes acceptance of the updated policy.
11. Contact
For any privacy-related questions, requests, or concerns:
Email: contact@ownxr.com
