Privacy Policy | Fourth Reality

Effective date: 7th of May 2026

Version: 2.0

Fourth Reality is committed to protecting and respecting your privacy. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over it.

This policy covers two related products:

Our consumer VR applications distributed on the Meta Quest Store ("the VR Apps").
The VR LMS Platform — a software-as-a-service product used by universities and other educational institutions to receive VR assessment results in their Learning Management System (Canvas, Moodle, etc.) ("the LMS Platform").

By using either product, you consent to the collection, storage and use of information as described below. If you do not agree, please do not use the products and (where relevant) uninstall the related app.

WHO WE ARE

Fourth Reality is the data controller of personal information collected through our consumer VR Apps, and a data processor (acting on behalf of your university) for student data flowing through the LMS Platform — see "Roles" below.

Trading entity: VR Media Studios Ltd T/A Fourth Reality

Data protection contact: Gary Pearson, Managing Director

Email: info@fourthreality.com

If you are an EU/EEA resident and have a complaint about how we handle your data, you also have the right to lodge it with the Irish Data Protection Commission, our lead supervisory authority (www.dataprotection.ie).

ROLES UNDER GDPR

For the consumer VR Apps, Fourth Reality is the data controller — we determine what data is collected and how it is used.

For the LMS Platform, the subscribing university is the data controller for any student personal data (e.g. email, student ID, quiz scores). The university decides which students are assessed and what scores mean. Fourth Reality acts as a data processor on the university's behalf, collecting student results in VR and forwarding them to the university's own LMS. This relationship is governed by a Data Processing Agreement (DPA) entered into between Fourth Reality and each subscribing university — available on request.

THE INFORMATION WE COLLECT FROM YOU

Consumer VR Apps. When you use one of our VR apps without selecting a university (i.e. as a consumer or self-directed learner), we may collect device and session data — device name, operating system version, app configuration, time and date of use, error reports, and similar diagnostic statistics. This data is collected via third-party crash and analytics tools.

If a VR app offers voice or microphone features, audio is processed locally during the session only and is not recorded or transmitted to our servers.

We do not collect your real name, address, payment information, or biometric data through the consumer VR apps.

LMS Platform — university administrators. When a university registers with the LMS Platform, we collect from each administrator: their email address (used as login identifier), the display name of the university, and LMS connection details (LMS type, base URL, and an API token). The API token is stored encrypted in our database and is never displayed in the portal after saving. Authentication is provided by Google Firebase Authentication; passwords are never stored on Fourth Reality's servers in any form.

LMS Platform — students. When a student uses a Quest VR app and selects their university, we process the following on the university's behalf:

An identifier of choice — either an email address or an institutional student ID. Whichever the student enters in the VR login screen.
Quiz interaction data — a record of each question attempt and final score, tagged with the chosen course identifier and a per-session unique ID.
Course-session timing — start and end timestamps used to compute course duration metrics for the university's analytics.

We deliberately do not collect student names (a name shown briefly in the VR UI never leaves the device), personal email contents, photos, biometric or audio data, or any information beyond what is strictly required to match a quiz result to the correct LMS gradebook entry.

For seat-tracking and rate-limiting, we store a one-way SHA-256 hash of the student identifier — the original identifier cannot be recovered from this hash.

HOW WE USE PERSONAL INFORMATION

Consumer VR Apps. Diagnostic logs are used to identify and fix crashes and improve the quality of the apps. We do not sell, rent or share consumer log data with third parties for advertising or marketing purposes.

LMS Platform. We process student data only to perform the contractual service the university has subscribed to: receiving VR assessment results, looking up the matching student in the university's LMS, and posting the grade to the correct assignment. We do not use student data for analytics, marketing, profiling or any other purpose.

University administrator data is used to provide and bill for the service: account access, transactional emails (login verification, trial expiry warnings, cancellation confirmations, payment receipts), and product support.

LEGAL BASIS FOR PROCESSING

Operating the VR Apps and collecting diagnostic data is based on our legitimate interest in maintaining and improving the apps.

Holding a university account on the LMS Platform is based on the performance of our contract with the university.

Processing student data on the LMS Platform is based on the performance of the contract between Fourth Reality and the controller (the university), under their instructions, in accordance with Article 28 of the GDPR.

Sending transactional emails to administrators is based on the performance of our contract and our legitimate interest in operating the service.

We do not rely on consent or send marketing communications to either group as part of the service.

SUB-PROCESSORS

We use the following sub-processors. Each is bound by data protection terms equivalent to those in our agreement with you, and each is located in the European Economic Area.

Google Firebase (Cloud Firestore, Cloud Functions, Authentication, Hosting) — account database, web portal hosting, server-side processing. Region: europe-west3 (Frankfurt, Germany).
Amazon Web Services (EC2 hosting our TRAX Learning Record Store) — storage of xAPI quiz statements during the 90-day retention window. Region: eu-west-1 (Dublin, Ireland).
Resend — transactional email delivery (welcome, trial warnings, token failure alerts, cancellation receipts). Region: eu-west-1.

We do not use any sub-processor located outside the EEA. If we ever add a non-EEA sub-processor, we will update this policy and where required implement appropriate safeguards (such as EU Standard Contractual Clauses) before doing so.

WHERE WE STORE YOUR PERSONAL INFORMATION

All personal data processed by the LMS Platform is stored on servers located in the European Economic Area, specifically Ireland and Germany. Data does not leave the EEA.

HOW LONG WE KEEP YOUR DATA

University accounts and subscription details are kept for the duration of the subscription, plus a 30-day grace period after expiry, then permanently deleted.

Stored LMS API tokens are auto-cleared the moment a subscription expires.

xAPI quiz statements (the raw event data) are kept on our LRS (TRAX) for a rolling 90 days and then automatically deleted.

The local quiz cache on the Quest device is kept for a maximum of 30 days and pruned automatically by the app.

Pre-aggregated analytics (per-course summaries) are refreshed daily; an administrator can wipe them at any time via the platform admin tools.

Student seat tracking records (anonymised hash, no PII) are kept on a rolling 90-day window from last submission.

Transactional email logs are retained according to our email provider's policy (Resend, typically 30 days).

Final grades posted to a university's LMS are kept by the university indefinitely — the university owns and controls these from that point onward, and they fall outside our retention scope.

DISCLOSURE AND SHARING

We do not sell, rent or trade personal data with third parties. We share data only with the sub-processors listed above (acting on our instructions) and, in the case of LMS Platform student grades, with the destination LMS chosen by the university (Canvas, Moodle, etc.).

We may disclose information if required to do so by law, court order or other lawful request from a competent authority.

YOUR RIGHTS

If you are an EU/EEA resident, you have the following rights under the GDPR:

The right to access the personal data we hold about you.
The right to rectification — to have inaccurate data corrected.
The right to erasure ("the right to be forgotten").
The right to restrict processing in certain circumstances.
The right to data portability — to receive your data in a structured, machine-readable format.
The right to object to processing based on legitimate interest.
The right to lodge a complaint with a supervisory authority. In Ireland this is the Data Protection Commission, www.dataprotection.ie.

To exercise any of these rights, email info@fourthreality.com. We will confirm receipt of your request within 10 days and respond substantively within 30 days. We may need to verify your identity before acting on a request.

For students of subscribing universities: your data is processed by Fourth Reality on behalf of your university. To exercise your rights, please contact your university administrator first; they may forward the request to us. You are also free to contact us directly.

CHILDREN

Our products are designed for use by adults and post-secondary education students. We do not knowingly collect personal data from children under the age of 16. If we become aware that a child has provided personal data without verifiable parental consent, we will delete that data promptly. Parents or guardians who believe a child has used the products without their consent can email info@fourthreality.com.

The LMS Platform web portal uses only the strictly necessary cookies required to authenticate logged-in users (set by Firebase Authentication). These are first-party, session-related, and are not used for tracking, analytics or advertising. We do not require a cookie banner because no non-essential cookies are set.

INFORMATION SECURITY

We take every reasonable precaution to protect against the loss, misuse or alteration of your personal information. Specific measures include:

Encryption in transit (TLS) for all network traffic.
Encryption at rest for data stored in Firestore.
LMS API tokens stored server-side only, never exposed to the browser after saving, and automatically cleared on subscription expiry.
Strict access controls — Fourth Reality staff access production data only when necessary to deliver or support the service.
Regular security review and patching of underlying infrastructure (operating systems, dependencies, the Firebase platform).

In the unlikely event of a personal data breach affecting your rights or freedoms, we will notify the relevant supervisory authority within 72 hours and inform you without undue delay where required by law.

INTERNATIONAL TRANSFERS

As stated above, all personal data is stored in the European Economic Area. We do not currently transfer personal data outside the EEA. Should this ever change, we will update this policy and rely on appropriate safeguards (such as EU Standard Contractual Clauses) before any such transfer.

CHANGES TO THIS PRIVACY POLICY

We keep this policy under regular review and may update it from time to time. Material changes will be flagged on the LMS Platform portal and, where you have an account with us, communicated by email at least 14 days before they take effect. The "Effective date" at the top of this policy reflects the latest revision.

HOW TO CONTACT US

For any question about this Privacy Policy, your data, or to exercise any of the rights described above, email:

info@fourthreality.com

Gary Pearson, Managing Director

Fourth Reality