PRIVACY POLICY

1.1. SpillVR, a private venture operating as SpillVR ("SpillVR", "we", "us", "our"), is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services (collectively, the "Service").

1.2. This Privacy Policy applies to all users of the Service and is incorporated into and subject to our Terms of Service. By accessing or using the Service, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal information as described in this Privacy Policy.

1.3. We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation in Canada.

1.4. If you do not agree with this Privacy Policy, please do not access or use the Service.

2.1. Information You Provide to Us

We collect information you voluntarily provide when using the Service, including:

• Account Information: When you create an account, we collect your email address, username, and password.
• Profile Information: Any additional information you choose to add to your profile, such as a display name, bio, or avatar.
• User Content: Reviews, ratings, comments, and other content you submit to the Service.
• Communications: Information you provide when you contact us for support or other inquiries.

2.2. Information Collected Automatically

When you access the Service, we automatically collect certain information, including:

• Log Data: IP address, browser type, operating system, referring URLs, pages viewed, and access times.
• Device Information: Information about the device you use to access the Service.
• Usage Information: How you interact with the Service, including search queries and features used.
• Cookies and Similar Technologies: See Section 7 for details on cookies.

2.3. Information from Third Parties

We may display publicly available information about VR groups, players, and worlds from third-party VR platforms (such as VRChat) that users submit to our Service. This information may include usernames, profile descriptions, group names, and other publicly shared content.

2.4. Data Minimization

SpillVR is designed to collect as little personal information as possible. We do not collect real names, phone numbers, physical addresses, or any personally identifying information beyond what is strictly necessary for account authentication. The only personal information we require is an email address, which is used solely for login and account recovery purposes.

3.1. We use the information we collect for the following purposes:

• Provide the Service: To operate, maintain, and improve the Service, including displaying reviews, search results, and user profiles.
• Account Management: To create and manage your account, authenticate users, and provide account-related functionality.
• Communication: To respond to your inquiries, send service-related announcements, and provide customer support.
• Personalization: To personalize your experience and deliver content relevant to your interests.
• Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.
• Analytics: To understand how users interact with the Service and to improve our offerings.
• Enforce Terms: To enforce our Terms of Service and other policies.

3.2. We will only use your personal information for the purposes for which it was collected, unless we reasonably consider that we need to use it for another reason compatible with the original purpose.

4.1. Data Storage

Your personal information and data are stored on secure servers provided by Microsoft Azure, a leading cloud computing platform. Microsoft Azure maintains robust security certifications and complies with international security standards, including:

• ISO 27001 (Information Security Management)
• SOC 1 and SOC 2 Type II compliance
• PIPEDA compliance for Canadian data

4.2. Security Measures

We implement reasonable and appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption: Data is encrypted in transit using TLS/SSL protocols.
• Access Controls: Access to personal information is restricted to authorized personnel only.
• Password Security: User passwords are hashed using industry-standard algorithms and are never stored in plain text.
• Regular Updates: We regularly update our systems and software to address security vulnerabilities.
• Monitoring: We monitor our systems for potential security threats and unauthorized access attempts.

4.3. Security Limitations

While we take reasonable precautions to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee the absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials and for any activity that occurs under your account.

4.4. Cloud Provider Access

Your data is hosted on infrastructure provided by cloud computing platforms such as Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). These providers may have theoretical access to data stored on their servers as a consequence of how cloud infrastructure operates. However, these providers are bound by their own data processing agreements, privacy policies, and contractual obligations that prohibit them from accessing, using, or disclosing customer data for their own purposes. SpillVR employees and authorized third-party contractors may have access to stored data as necessary to operate and maintain the Service, and they do so under confidentiality agreements and data protection obligations. While legal and contractual protections exist to prevent unauthorized access or exfiltration of data, no protection is absolute. This is one reason we deliberately minimize the personal information we collect — we cannot lose what we do not have.

5.1. We Do Not Sell Your Data

SpillVR does not sell your personal information to any third party. We do not participate in data brokerages or sell user data for advertising or marketing purposes.

5.2. Limited Sharing

We may share your information only in the following limited circumstances:

• With Your Consent: We may share your information when you explicitly consent to such sharing.
• Public Content: User Content you post (such as reviews) is publicly visible to other users of the Service. Your username and profile information may be displayed alongside your content.
• Service Providers: We may share information with trusted third-party service providers who assist us in operating the Service (such as hosting providers), subject to confidentiality obligations. Currently, this includes Microsoft Azure for hosting and data storage.
• Legal Requirements: We may disclose information if required by law, legal process, or governmental request, or to protect the rights, property, or safety of SpillVR, our users, or others.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.
• Aggregate Data: We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you.

5.3. No Third-Party Advertising

We do not share your personal information with third-party advertisers. We do not use your personal information to serve targeted advertising from third parties.

5.4. Email Address Protection

Your email address is used exclusively for account authentication and essential service communications (such as password resets). We do not share, sell, or disclose email addresses to any third party. We do not send marketing emails from third parties, and we do not include your email in any mailing list that is accessible to external parties.

6.1. VR Platform Information

We may display publicly available information from VR platforms (such as VRChat, Resonite, and others). This information includes public profile data, group information, and world details that users submit to our Service. We do not access private or non-public information from these platforms.

6.2. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.

6.3. Service Providers

We use the following categories of service providers:

• Cloud Hosting: Microsoft Azure (data storage and hosting)
• Analytics: Google (website analytics and performance monitoring)
• Email Services: For transactional emails and communications

7.1. What Are Cookies

Cookies are small text files stored on your device when you visit a website. They help the website recognize your device and remember certain information about your visit.

7.2. How We Use Cookies

We use cookies and similar technologies for the following purposes:

• Essential Cookies: Required for the Service to function properly, including user authentication and session management.
• Preference Cookies: To remember your preferences and settings.
• Analytics Cookies: To understand how users interact with the Service and to improve our offerings.

7.3. Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or to alert you when cookies are being sent. However, disabling cookies may affect the functionality of the Service.

7.4. Do Not Track

Some browsers offer a "Do Not Track" feature. We do not currently respond to Do Not Track signals, as there is no industry standard for handling these requests.

8.1. Under PIPEDA and applicable privacy laws, you have certain rights regarding your personal information:

• Right of Access: You have the right to request access to the personal information we hold about you.
• Right to Rectification: You have the right to request correction of inaccurate or incomplete personal information.
• Right to Deletion: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Withdraw Consent: Where we rely on consent to process your information, you have the right to withdraw that consent at any time.
• Right to Data Portability: You may request a copy of your personal information in a structured, commonly used format.
• Right to Complain: You have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada or applicable provincial privacy commissioner.

8.2. Exercising Your Rights

To exercise any of these rights, please contact us using the contact information provided in Section 13. We will respond to your request within the timeframes required by applicable law (generally within 30 days).

8.3. Account Settings

You can access, update, or delete certain information directly through your account settings. If you wish to delete your account entirely, please contact us.

9.1. The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13.

9.2. If you are between 13 and 18 years of age, you may only use the Service with the consent and supervision of a parent or legal guardian.

9.3. If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly.

9.4. If you believe we have collected information from a child under 13, please contact us immediately using the contact information in Section 13.

10.1. SpillVR is based in Ontario, Canada. Our primary data storage is on Microsoft Azure servers, which may be located in Canada or other jurisdictions.

10.2. If you access the Service from outside Canada, please be aware that your information may be transferred to, stored, and processed in Canada or other countries where our service providers operate.

10.3. By using the Service, you consent to the transfer of your information to Canada and other jurisdictions, which may have different data protection laws than your country of residence.

10.4. We take appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy when transferred internationally.

11.1. We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

11.2. When determining retention periods, we consider the amount, nature, and sensitivity of the information, the purposes for which we process it, and whether we can achieve those purposes through other means.

11.3. Account Information: We retain your account information for as long as your account is active. If you delete your account, we will delete or anonymize your personal information within a reasonable timeframe, except as required by law.

11.4. User Content: Reviews and other User Content may be retained even after account deletion, but will be anonymized or attributed to a deleted user.

11.5. Log Data: We retain log data and analytics information for a limited period for security and analytical purposes.

12.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

12.2. If we make material changes to this Privacy Policy, we will notify you by posting the updated policy on the Service and updating the "Last Updated" date. For significant changes, we may also notify you by email or through a prominent notice on the Service.

12.3. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

12.4. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

13.1. If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

13.2. We will respond to privacy-related inquiries within 30 days or as required by applicable law.

13.3. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.