1. Introduction
Simulanis Solutions Pvt. Ltd. ("Simulanis", "we", "our" or "us") is a multi‑award‑winning Indian XR (extended reality) technology company that creates augmented‑reality, virtual‑reality and mixed‑reality training and education products for manufacturing and industrial sectors. We develop digital learning content, simulators and collaboration tools for clients in pharmaceuticals, FMCG, automotive, engineering, oil & gas and other industries. This privacy policy explains how we collect, use, share and protect the personal data of users of our websites, mobile applications, XR applications, learning modules, software‑as‑a‑service platforms and any other services that link to or reference this policy (collectively, the Services).
Simulanis complies with the data protection laws of India (including the Information Technology Act 2000, the SPDI Rules 2011 and India’s Digital Personal Data Protection Act 2023 as operationalised by the Digital Personal Data Protection Rules 2025), the European Union General Data Protection Regulation ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the CCPA/CPRA), the US Children’s Online Privacy Protection Act ("COPPA") and other applicable laws. Where we refer to Data Principals we mean individuals whose personal data we process under India’s DPDP Act; Data Subjects refers to individuals under GDPR and UK GDPR; Consumers refers to California residents under the CCPA.
This policy aims to be transparent, comprehensive and future‑proof. It is not a contract and does not create any legal rights or obligations beyond those imposed by applicable law. We may update this policy from time to time and will notify you of material changes as described below.
1.1. Scope and Applicability
This policy applies to personal data that we collect in the course of running our business, including:
1.1.1 Websites and web‑based portals: Our corporate site (simulanis.com), content libraries and client dashboards.
1.1.2 Mobile and desktop applications: Apps published by Simulanis on iOS/Android/Windows for training, simulation or collaboration.
1.1.3 Extended‑Reality (XR) experiences and hardware: AR/VR/MR applications, including real‑time audio or video functionality and sensors.
1.1.4 Software development services: Custom software or content we build for clients.
1.1.5 Third‑party platforms: Applications distributed through our learning management systems, app stores or hardware providers.
Please read this policy carefully before using our Services. By accessing or using the Services you acknowledge you have read and understood this policy. If you do not agree, please refrain from using the Services.
1.2. Definitions
1.2.1 Personal Data/Personal Information means any information relating to an identified or identifiable individual. Examples include your name, email address, phone number, user ID, IP address, and in some jurisdictions voice or biometric identifiers.
1.2.2 Sensitive Personal Data or Information (SPDI)/Sensitive Personal Information (SPI) means more sensitive categories of data, such as passwords, financial information, health data, precise geolocation or biometric identifiers (including voiceprints or face geometry), that may require heightened protections.
1.2.3 Processing means any operation performed on personal data, such as collection, storage, use, disclosure, transfer or deletion.
1.2.4 Data Fiduciary (India) is an entity, such as a company or organization, that determines the purpose and means of processing personal data (similar to a "data controller" under GDPR).
1.2.5 Data Principal (India), Data Subject (EU/UK), Consumer (California) are individuals whose personal data is processed.
1.3. Types of Personal Data we collect
The specific data collected depends on how you interact with our Services. Generally, we collect:
1.3.1 Identity and Contact Data: Name, job title, company, telephone number, postal address and email address you provide when registering for an account, subscribing to our newsletter or contacting support.
1.3.2 Account Credentials: Usernames, passwords and authentication tokens that you create or provide to access the Services.
1.3.3 Professional/Employment Data: Information about your role, training progress and certifications, including scores or assessments for training modules.
1.3.4 Audio Data: Voice and audio communications captured during real‑time sessions in our XR applications (see Section XI).
1.3.5 Device and Technical Data: IP address, device identifiers, browser type, operating system, device motion and accelerometer data, VR/AR headset identifiers, network information, log files, app version and usage statistics automatically collected when you use our Services.
1.3.6 Usage Data: Interactions with our websites or apps (pages viewed, features used, time spent), crash reports and performance data.
1.3.7 Payment and Transaction Data: Billing address, transaction dates and amounts, and partial payment card details when you make purchases. Payments are processed by third‑party providers and we do not store full payment card numbers.
1.3.8 Customer Content: Any information you upload or input into our Services, such as training materials, messages, feedback, queries, photos or attachments.
1.3.9 Location Data: Approximate location derived from your IP address or device settings; we do not request precise geolocation unless explicitly necessary for a feature and with your consent.
1.3.10 Other Data: Information required to fulfil legal obligations, respond to grievances or provide requested services, including communications and support tickets.
We do not intentionally collect biometric identifiers such as fingerprints or retina scans. We treat voice recordings (real‑time audio) as personal data and do not derive voiceprints or voice embeddings (see Section XI).
1.4 How we collect Personal Data
1.4.1 Directly from you: When you create an account, fill out a form, purchase a product, request information, upload content or communicate with us (via email, chat, phone or in‑app messaging), you voluntarily provide personal data.
1.4.2 Automatically through the Services: We collect technical and usage data through cookies, pixel tags, SDKs and similar technologies when you browse our websites or use our apps. We also collect sensor data (e.g., motion, orientation) and limited audio data when you use XR features (see Section XI).
1.4.3 Through third parties: We receive data from partners such as distributors, resellers, learning management systems, payment processors and analytics providers. If you sign up through a social login or federated identity provider, we may obtain your name, email and profile information from that provider. We ensure such third parties are authorised to share your data with us.
1.4.4 From clients/employers: When your employer or educational institution purchases our Services for training, they may provide your contact information and role so that we can create your user account. We process such data strictly according to the contract with the client.
2. Purpose and Legal Basis for Processing
We process personal data only when we have a lawful basis under applicable law.
2.1 To provide and operate the Services:
Purpose: Create and manage user accounts; Authenticate users; Deliver training modules; Maintain XR experiences; Process orders; Provide customer support; Personalise learning content; Manage accounts
Data Categories: Identity and contact data; Account credentials; Usage data; Customer content; Payment data; device and technical data
Legal Basis/Justification: Contract performance: Processing is necessary to enter into or fulfil a contract with you or your employer; Legitimate interests; Consent
2.2 To communicate with you:
Purpose: Respond to questions; Send administrative messages; Send marketing newsletters where permitted; Provide updates or security notices
Data Categories: Identity and contact data; Communication Data; Usage data
Legal Basis/Justification: Consent for marketing communications (you can unsubscribe at any time); Contract performance; Legitimate interests for service messages
2.3 To develop, monitor and improve the Services:
Purpose: Troubleshoot; Measure performance; Analyse usage patterns; Conduct research; Enhance user experience
Data Categories: Device and technical data; Usage data; Analytics; Aggregated or anonymised data
Legal Basis/Justification: Legitimate interests: To understand how our Services are used, improve them and ensure security, provided these interests are not overridden by your rights; Consent: Non‑essential cookies/analytics where required
2.4 To ensure safety and integrity:
Purpose: Protect against fraud, abuse or misuse; Enforce our terms; Comply with law; Maintain logs and investigate incidents; Perform audits
Data Categories: Any relevant data necessary to verify identity, monitor sessions or investigate misuse
Legal Basis/Justification: Legitimate interests: Preventing fraud and ensuring security; Legal obligation: Retain logs or report breaches; Consent: Where required
2.5 To process payments:
Purpose: Collect payment for subscriptions or purchases through third‑party processors; Issue invoices; Manage refunds
Data Categories: Payment and transaction data; Identity and contact data
Legal Basis/Justification: Contract performance: To provide paid Services; Legal obligation: Tax or regulatory compliance
2.6 To comply with legal obligations:
Purpose: Meet requirements under the DPDP Act, GDPR/UK GDPR, CCPA/CPRA and other applicable laws; Respond to lawful requests from authorities; Protect our rights
Data Categories: Any data subject to a lawful request or obligation
Legal Basis/Justification: Legal obligation: We must comply with laws, respond to court orders, and cooperate with regulators
2.7 To facilitate business transfers:
Purpose: If we sell, merge or transfer our business, personal data may be transferred to successor entities subject to appropriate safeguards
Data Categories: All relevant data
Legal Basis/Justification: Legitimate interests: conducting business transactions, with appropriate confidentiality and due diligence
3. Use of Sensitive Personal Information
We do not intentionally collect or process sensitive personal data such as financial account numbers, government identifiers, health data or precise geolocation unless necessary to provide a requested service (e.g., processing payments). If we need to collect sensitive data, we will seek your explicit consent and use the data only for the disclosed purpose.
We do not use voice data to create biometric identifiers or voiceprints. Although voice recordings can be used to identify individuals, such biometric identifiers include retina or iris scans, fingerprints, voice prints and scans of facial geometry. Simulanis does not derive biometric templates from your voice or otherwise use your voice for authentication.
3.1 Children’s Privacy and Use in Educational Settings
We are aware that our XR and educational tools may be used by minors. Protecting children’s privacy is a priority and we comply with COPPA, GDPR/UK GDPR, India’s DPDP Act and other relevant laws.
3.1.1 Age limits and parental consent. Our Services are generally intended for users aged 18 and above. However, some training programs or educational modules may involve learners under 18. Where our Services are used by children:
3.1.2 Under 13 (United States). We do not knowingly collect personal data from children under 13 without verifiable parental consent as required by COPPA. The FTC’s 2025 COPPA amendments allow operators to collect a child’s voice to respond to the child’s request without parental consent only if the recording is used solely for that purpose, is not used for any other purpose and is deleted immediately thereafter. We abide by this limited exception: real‑time voice commands or audio interactions from children are processed only to fulfil the request and are not retained or used for other purposes.
3.1.3 Under 16 (EU/UK). Under GDPR Article 8, parental consent is required to process personal data of children under 16 (member states may set a lower age down to 13). We will obtain verifiable parental or guardian consent before collecting personal data from minors under the applicable age threshold.
3.1.4 Under 18 (India). India’s DPDP Act treats minors under 18 as children. We will obtain consent from a parent, lawful guardian or the school/educational institution acting as the guardian before processing a child’s personal data.
3.1.5 Limited data collection. We collect only the information necessary for the educational purpose, such as the learner’s first name or alias, course progress and performance. We do not collect sensitive personal data about minors unless required and with explicit consent. We never use minors’ data for marketing or behavioural advertising.
3.1.6 Child‑friendly notices. When our Services are directed to minors, we provide information in a clear, age‑appropriate manner so that young users and their guardians can understand how their data is used. The UK Children’s Code notes that online services likely to be accessed by children must consider the Code’s 15 standards, including providing high privacy by default and discouraging ‘nudge’ techniques that encourage children to provide more data. We endeavour to comply with these standards by designing our interfaces to protect children’s best interests.
3.1.7 Parental rights. Parents and guardians can review, correct or request deletion of their child’s information and revoke consent at any time by contacting us (see Section XV).
3.1.8 Educational institutions. For ed‑tech services used in schools, the UK Children’s Code may apply to the provider (not the school). Where we act as a processor on behalf of a school or employer, we process personal data solely under their instructions and require them to obtain all necessary consents from parents or guardians.
3.2 Audio Data and Real‑time Communications
Our XR products and some mobile or desktop applications allow you to use voice commands, audio chat or recorded narration. We treat audio data with particular care:
3.2.1 Microphone permission. We will only access your device’s microphone after you grant permission in the app or device settings. Without permission, voice‑based features will not function.
3.2.2 Real‑time processing. Voice and audio streams are processed in real time for the sole purpose of delivering the requested functionality (e.g., transmitting your voice to other participants or interpreting a voice command). We do not store or listen to these communications except temporarily in memory to facilitate the service. We do not analyse audio to identify you or derive biometric data.
3.2.3 Limited retention. We do not retain audio recordings unless explicitly required for a feature you have opted into (e.g., recording a training session for later review). When a recording is made, we will clearly inform participants and obtain their consent (and parental consent for minors) before recording. Recorded audio is stored securely and deleted once no longer needed for the specified purpose.
3.2.4 Children’s voices. If a child under 13 uses a voice feature, we invoke the COPPA limited exception by processing the audio only to fulfil the request and deleting it immediately. We do not use children’s voices for any other purpose and we will not retain recordings without verifiable parental consent.
3.2.5 Security. Voice streams are encrypted in transit to prevent eavesdropping. We maintain strict access controls and technical safeguards to protect audio data from unauthorised access.
3.3 Cookies and Tracking Technologies
We use cookies, local storage, device identifiers and similar technologies to recognise you and customise your experience. Cookies may be "session cookies" (deleted when you close your browser) or "persistent cookies" (stored until they expire or you delete them). We use:
Strictly necessary cookies to authenticate users and enable secure navigation of our Services.
Performance and analytics cookies to understand usage patterns and improve functionality. These are subject to your consent where required (e.g., in the EU/UK under e‑Privacy rules). You can withdraw your consent at any time by adjusting cookie settings.
Functional cookies to remember preferences and settings (e.g., language choice).
Advertising cookies: we currently do not run targeted advertising or retargeting campaigns. If we introduce such cookies in the future, we will update this policy and obtain required consent.
For more details on the cookies we use, please refer to our Cookie Notice.
3.4 How we share our Personal Data
We do not sell personal data. We may share your data with third parties only for the purposes described in this policy and subject to appropriate safeguards. Categories of recipients include:
3.4.1 Service providers and processors: Companies that provide services on our behalf, such as hosting, content delivery networks, cloud infrastructure, payment processing, analytics, customer support, marketing, identity verification and security. These providers process personal data only under our instructions and are contractually obligated to implement reasonable security measures and confidentiality commitments.
3.4.2 Business partners and resellers: if you purchase our Services through a reseller or partner, we may share your contact information, usage data and billing information with that partner to enable account management, technical support and licence compliance. The partner’s privacy policy will apply to their own processing of your data.
3.4.3 Professional advisers: lawyers, auditors, accountants and insurers who assist us in running our business and complying with legal obligations, subject to confidentiality obligations.
3.4.4 Academic or research institutions: where we collaborate on anonymised research projects to improve XR technologies or learning efficacy; any published results will be aggregated and will not identify you.
3.4.5 Corporate transactions: if we are involved in a merger, acquisition, financing, reorganisation or sale of all or part of our business, personal data may be transferred as part of that transaction but will remain subject to the promises in this policy.
3.4.6 Authorities: regulators, courts, government agencies or law enforcement when required to comply with a legal obligation, respond to lawful requests or protect the rights, property or safety of Simulanis, our users or others. The DPDP Rules 2025 require data fiduciaries to report personal data breaches within 72 hours; we may need to share certain data in such reports.
We do not allow third parties to collect personal data about your online activities across different websites for their own purposes (i.e., we do not permit third‑party behavioural tracking). We also prohibit our service providers from using personal data for any purpose other than to provide services to us.
3.5 International Data Transfers
Simulanis is based in India but operates globally. We may transfer your personal data to jurisdictions outside your home country including to the United States, the European Economic Area and the United Kingdom where our servers, affiliates or service providers are located.
3.5.1 DPDP Act (India). The DPDP Act applies to processing of digital personal data within India and extraterritorially to processing outside India when it relates to offering goods or services to individuals in India. We will ensure that cross‑border transfers comply with any government notifications and deemed consents under the DPDP Rules 2025.
3.5.2 GDPR/UK GDPR. When transferring personal data from the EU/EEA or UK to countries that have not been deemed to provide an adequate level of protection, we use approved mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) or rely on an adequacy decision. We will implement supplementary measures when necessary to protect your data.
3.5.3 CCPA/CPRA. We do not sell or share personal data for cross‑context behavioral advertising. If we engage in a "sale" or "sharing" of personal data as defined under California law, we will provide a clear opt‑out mechanism and will not transfer sensitive personal data outside the scope of the law.
We will take appropriate technical and organisational measures to ensure your data receives an adequate level of protection consistent with applicable privacy laws.
4. Data Security
We implement reasonable and appropriate security measures to protect personal data from unauthorised access, disclosure, alteration or destruction. These include:
Encryption in transit and at rest for sensitive data, use of secure protocols (HTTPS/TLS) for data transmission.
Access controls such as role‑based permissions, least‑privilege access, multi‑factor authentication and secure password management.
Segmentation and pseudonymisation of data where practicable.
Regular security assessments, penetration testing and vulnerability scanning.
Incident response procedures to detect, investigate and respond to data breaches; under the DPDP Rules 2025 we will report personal data breaches to the Data Protection Board and affected individuals within 72 hours.
Training and awareness for employees and contractors on data protection and information security.
Contractual obligations requiring our processors to implement security measures equal to or greater than ours.
Despite our efforts, no method of transmission or storage is completely secure. If we learn of a security breach affecting your personal data, we will notify you in accordance with applicable laws.
4.1 Data Retention
We retain personal data for only as long as necessary to fulfil the purposes for which it was collected or as required by law, including:
4.1.1 Account data: Retained for the lifetime of your account and archived for a limited period after closure to allow reactivation or to resolve disputes.
4.1.2 Transaction records: Retained to comply with tax, accounting and audit obligations.
4.1.3 Training results and certifications: Retained until your employer or educational institution removes your access or requests deletion; aggregated for analytics.
4.1.4 Log files and security data: Retained for at least one year as required by DPDP Rule 6 for logs of unauthorised access and for a reasonable period for security investigations.
4.1.5 Audio data: Not retained unless you consent to a recording; recordings are deleted after the specified purpose has been fulfilled.
We may retain anonymised or aggregated data (which can no longer identify you) for research or statistical purposes indefinitely.
5. Your Rights and Choices
5.1 Rights under India’s DPDP Act
As a Data Principal under the DPDP Act, you have the following rights:
Right to access and confirmation: obtain a summary of your personal data processed by us and the processing activities.
Right to correction and erasure: correct inaccurate or incomplete personal data and request deletion of data that is no longer required or for which consent has been withdrawn. We may retain data as required by law or to defend legal claims.
Right to grievance redressal: raise complaints with our Grievance Officer and, if unsatisfied, appeal to the Data Protection Board.
Right to designate a consent manager: appoint a consent manager to manage your consents.
We will facilitate these rights as provided under the DPDP Rules 2025.
5.2 Rights under the EU/UK GDPR
If you are in the European Economic Area or UK, you have the following rights regarding your personal data (subject to conditions and exemptions):
Right to be informed: receive clear information about how we use your personal data.
Right of access: obtain a copy of your personal data and information about our processing.
Right to rectification: request correction of inaccurate or incomplete data.
Right to erasure: request deletion of your data when there is no lawful reason to continue processing ("right to be forgotten").
Right to restrict processing: request that we limit processing of your data in certain circumstances.
Right to data portability: receive your data in a structured, commonly used and machine‑readable format and transmit it to another controller.
Right to object: object to processing based on legitimate interests or for direct marketing.
Right not to be subject to automated decision‑making: object to decisions based solely on automated processing that significantly affect you.
We will respond to data subject requests within one month and may extend the period by two additional months where necessary, informing you of the reason for the delay. We will not charge a fee unless requests are manifestly unfounded or excessive. You also have the right to lodge a complaint with your local supervisory authority.
5.3 Rights under California’s CCPA/CPRA
If you are a California resident, you have the following rights:
Right to know. Request that we disclose the categories or specific pieces of personal information we have collected about you, the categories of sources, business purposes, categories of third parties and whether we disclose or sell that information.
Right to delete. Request deletion of personal information we collected from you, subject to certain exceptions.
Right to opt out of sale or sharing. Direct us not to sell or share your personal information with third parties. Simulanis does not sell personal information; if this changes, we will provide a “Do Not Sell or Share My Personal Information” link.
Right to correct. Request correction of inaccurate personal information.
Right to limit use and disclosure of sensitive personal information. Direct us to use sensitive personal information only for necessary purposes. We do not process sensitive personal information beyond what is required to provide the Services.
Right to non‑discrimination. We will not deny services, charge different prices or provide a different level of quality if you exercise your CCPA rights.
Notice at collection. You have the right to be informed, at or before the point of collection, of the categories of personal information we collect and the purposes. This policy serves as that notice.
We will honor verified consumer requests within 45 days as required by California law (or inform you if additional time is needed). You may exercise your CCPA rights through our online request form or by emailing connect@simulanis.com. You may also use an authorised agent to submit requests, provided the agent has written permission.
5.4 How to Exercise your Rights
To submit a request to access, correct, delete or port your data, or to object to or restrict processing, please contact us using the details in Section XVI. In the request, please specify what right you are exercising and provide sufficient information to verify your identity. For California residents, if you use an authorized agent, we may require proof of authorization. We will acknowledge your request promptly and respond within the timeframes required by law.
6. Contact Information and Grievance Officer
We have appointed a Grievance Officer to oversee compliance and address queries. Please contact us at:
Grievance & Data Protection Officer
Shivam Krishnam (Senior Legal Counsel)
Simulanis Solutions Pvt. Ltd.
260, Defense Colony, Flyover Market, Delhi
Email: shivamkrishnam@simulanis.com
If you have concerns about how we handle your personal data, we encourage you to contact us first. You also have the right to lodge a complaint with your local data protection authority:
India: Data Protection Board of India.
EU: Your national supervisory authority.
UK: Information Commissioner’s Office (ICO).
California: California Privacy Protection Agency (CPPA) or Attorney General.
Data Controller and Processor Roles
Simulanis may act as a data controller when we determine the purposes and means of processing (e.g., for our own marketing, analytics or account administration) and as a data processor when we process personal data on behalf of clients (e.g., when a company uses our platform to train its employees). When acting as a processor, we process personal data only under the client’s instructions and our contractual terms.
Third Party Sites and Services
Our Services may contain links to websites, products or services operated by third parties (e.g., partner training platforms, payment gateways, social media). This policy does not apply to those third parties. We encourage you to review the privacy policies of any third‑party services before providing them with your personal data. We are not responsible for the privacy practices of third parties.
Changes to the Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. Material changes will be highlighted by revising the "Last updated" date at the top of the policy and, where appropriate, by providing additional notice (such as sending a notification email, posting a banner on our website or obtaining consent). For California residents, the Attorney General advises that businesses should not rely solely on updating the policy but should provide a conspicuous notice of any material change. Your continued use of the Services after the effective date of the revised policy constitutes acceptance of the changes. We maintain previous versions of this policy for your review upon request.
Publication and Accessibility
We will publish this privacy policy prominently on all digital platforms where personal data is collected:
Corporate website and microsites: A link labelled “Privacy Policy” will appear in the footer of every page. A cookie notice will also link to this policy.
Mobile and desktop apps: The privacy policy will be accessible within the app settings, during account registration, and in the app store listing.
XR applications and VR/AR devices: An abbreviated privacy notice will appear during the initial setup explaining data collection (microphone, sensors) and linking to the full policy on our website.
Third‑party platforms: Where our services are offered through our LMS, a partner’s platform or our hardware platform, we will ensure the partner displays or links to our privacy policy.
Email communications: A link to this policy will be included in marketing emails and newsletters.
When we update the policy, we will send email notifications to registered users and display a banner or pop‑up within our apps informing users of the change. We will also maintain an archive of previous policy versions and indicate the effective date of each version.
Simulanis Privacy Policy
2025 @ simulanis. All rights reserved.
India Office - AMCO TOWER, Ground Floor, A-5, 6, 7, Sector 9, Noida, UP, 201301
Global HQ, UK Office - Rose Villa, 42 Glebe street, Loughborough, UK, LE11 1JR
ADDRESS
Join leading enterprises leveraging Simulanis to redefine training, boost productivity, and scale immersive learning across teams.

Empower Your Workforce
with the Future of XR
2. Purpose and Legal Basis for Processing
We process personal data only when we have a lawful basis under applicable law.
2.1 To provide and operate the Services:
Purpose: Create and manage user accounts; Authenticate users; Deliver training modules; Maintain XR experiences; Process orders; Provide customer support; Personalise learning content; Manage accounts.
Data Categories: Identity and contact data; Account credentials; Usage data; Customer content; Payment data device; Technical data.
Legal Basis/Justification: Contract performance (processing is necessary to enter into or fulfil a contract with you or your employer); Legitimate interests; Consent.
2.2 To communicate with you:
Purpose: Respond to questions; Send administrative messages; Send marketing newsletters where permitted; Provide updates or security notices.
Data Categories: Identity and contact data; Communication Data; Usage data.
Legal Basis/Justification: Consent for marketing communications (you can unsubscribe at any time); Contract performance; Legitimate interests for service messages.
2.3 To develop, monitor and improve the Services:
Purpose: Troubleshoot; Measure performance; Analyse usage patterns; Conduct research; Enhance user experience.
Data Categories: Device and technical data; Usage data; Analytics; Aggregated or anonymised data.
Legal Basis/Justification: Legitimate interests (to understand how our Services are used, improve them and ensure security, provided these interests are not overridden by your rights); Consent (non‑essential cookies/analytics where required).
2.4 To ensure safety and integrity:
Purpose: Protect against fraud, abuse or misuse; Enforce our terms; Comply with law; Maintain logs and investigate incidents; Perform audits.
Data Categories: Any relevant data necessary to verify identity, monitor sessions or investigate misuse.
Legal Basis/Justification: Legitimate interests (preventing fraud and ensuring security); Legal obligation (retain logs or report breaches); Consent (where required).
2.5 To process payments:
Purpose: Collect payment for subscriptions or purchases through third‑party processors; Issue invoices; Manage refunds.
Data Categories: Payment and transaction data; Identity and contact data.
Legal Basis/Justification: Contract performance (to provide paid Services); Legal obligation (tax or regulatory compliance).
2.6 To comply with legal obligations:
Purpose: Meet requirements under the DPDP Act, GDPR/UK GDPR, CCPA/CPRA and other applicable laws; Respond to lawful requests from authorities; Protect our rights.
Data Categories: Any data subject to a lawful request or obligation.
Legal Basis/Justification: Legal obligation (we must comply with laws, respond to court orders, and cooperate with regulators).
2.7 To facilitate business transfers:
Purpose: If we sell, merge or transfer our business, personal data may be transferred to successor entities subject to appropriate safeguards.
Data Categories: All relevant data.
Legal Basis/Justification: Legitimate interests (conducting business transactions, with appropriate confidentiality and due diligence).
3. Use of Sensitive Personal Information
We do not intentionally collect or process sensitive personal data such as financial account numbers, government identifiers, health data or precise geolocation unless necessary to provide a requested service (e.g., processing payments). If we need to collect sensitive data, we will seek your explicit consent and use the data only for the disclosed purpose.
We do not use voice data to create biometric identifiers or voiceprints. Biometric identifiers include retina or iris scans, fingerprints, voiceprints and scans of facial geometry. Although voice recordings can be used to identify individuals, Simulanis does not derive biometric templates from your voice or otherwise use your voice for authentication.
3.1 Children’s Privacy and Use in Educational Settings
We are aware that our XR and educational tools may be used by minors. Protecting children’s privacy is a priority and we comply with COPPA, GDPR/UK GDPR, India’s DPDP Act and other relevant laws.
3.1.1 Age limits and parental consent. Our Services are generally intended for users aged 18 and above. However, some training programs or educational modules may involve learners under 18. Where our Services are used by children:
3.1.2 Under 13 (United States). We do not knowingly collect personal data from children under 13 without verifiable parental consent as required by COPPA. The FTC’s 2025 COPPA amendments allow operators to collect a child’s voice to respond to the child’s request without parental consent only if the recording is used solely for that purpose, is not used for any other purpose and is deleted immediately thereafter. We abide by this limited exception: real‑time voice commands or audio interactions from children are processed only to fulfil the request and are not retained or used for other purposes.
3.1.3 Under 16 (EU/UK). Under GDPR Article 8, parental consent is required to process personal data of children under 16 (member states may set a lower age down to 13). We will obtain verifiable parental or guardian consent before collecting personal data from minors under the applicable age threshold.
3.1.4 Under 18 (India). India’s DPDP Act treats minors under 18 as children. We will obtain consent from a parent, lawful guardian or the school/educational institution acting as the guardian before processing a child’s personal data.
3.1.5 Limited data collection. We collect only the information necessary for the educational purpose, such as the learner’s first name or alias, course progress and performance. We do not collect sensitive personal data about minors unless required and with explicit consent. We never use minors’ data for marketing or behavioural advertising.
3.1.6 Child‑friendly notices. When our Services are directed to minors, we provide information in a clear, age‑appropriate manner so that young users and their guardians can understand how their data is used. The UK Children’s Code notes that online services likely to be accessed by children must consider the Code’s 15 standards, including providing high privacy by default and discouraging ‘nudge’ techniques that encourage children to provide more data. We endeavour to comply with these standards by designing our interfaces to protect children’s best interests.
3.1.7 Parental rights. Parents and guardians can review, correct or request deletion of their child’s information and revoke consent at any time by contacting us (see Section XV).
3.1.8 Educational institutions. For ed‑tech services used in schools, the UK Children’s Code may apply to the provider (not the school). Where we act as a processor on behalf of a school or employer, we process personal data solely under their instructions and require them to obtain all necessary consents from parents or guardians.
3.2 Audio Data and Real‑time Communications
Our XR products and some mobile or desktop applications allow you to use voice commands, audio chat or recorded narration. We treat audio data with particular care:
3.2.1 Microphone permission. We will only access your device’s microphone after you grant permission in the app or device settings. Without permission, voice‑based features will not function.
3.2.2 Real‑time processing. Voice and audio streams are processed in real time for the sole purpose of delivering the requested functionality (e.g., transmitting your voice to other participants or interpreting a voice command). We do not store or listen to these communications except temporarily in memory to facilitate the service. We do not analyse audio to identify you or derive biometric data.
3.2.3 Limited retention. We do not retain audio recordings unless explicitly required for a feature you have opted into (e.g., recording a training session for later review). When a recording is made, we will clearly inform participants and obtain their consent (and parental consent for minors) before recording. Recorded audio is stored securely and deleted once no longer needed for the specified purpose.
3.2.4 Children’s voices. If a child under 13 uses a voice feature, we invoke the COPPA limited exception by processing the audio only to fulfil the request and deleting it immediately. We do not use children’s voices for any other purpose and we will not retain recordings without verifiable parental consent.
3.2.5 Security. Voice streams are encrypted in transit to prevent eavesdropping. We maintain strict access controls and technical safeguards to protect audio data from unauthorised access.
3.3 Cookies and Tracking Technologies
We use cookies, local storage, device identifiers and similar technologies to recognise you and customise your experience. Cookies may be "session cookies" (deleted when you close your browser) or "persistent cookies" (stored until they expire or you delete them). We use:
Strictly necessary cookies to authenticate users and enable secure navigation of our Services.
Performance and analytics cookies to understand usage patterns and improve functionality. These are subject to your consent where required (e.g., in the EU/UK under e‑Privacy rules). You can withdraw your consent at any time by adjusting cookie settings.
Functional cookies to remember preferences and settings (e.g., language choice).
Advertising cookies: we currently do not run targeted advertising or retargeting campaigns. If we introduce such cookies in the future, we will update this policy and obtain required consent.
For more details on the cookies we use, please refer to our Cookie Notice.
3.4 How we share our Personal Data
We do not sell personal data. We may share your data with third parties only for the purposes described in this policy and subject to appropriate safeguards. Categories of recipients include:
3.4.1 Service providers and processors: Companies that provide services on our behalf, such as hosting, content delivery networks, cloud infrastructure, payment processing, analytics, customer support, marketing, identity verification and security. These providers process personal data only under our instructions and are contractually obligated to implement reasonable security measures and confidentiality commitments.
3.4.2 Business partners and resellers: if you purchase our Services through a reseller or partner, we may share your contact information, usage data and billing information with that partner to enable account management, technical support and licence compliance. The partner’s privacy policy will apply to their own processing of your data.
3.4.3 Professional advisers: lawyers, auditors, accountants and insurers who assist us in running our business and complying with legal obligations, subject to confidentiality obligations.
3.4.4 Academic or research institutions: where we collaborate on anonymised research projects to improve XR technologies or learning efficacy; any published results will be aggregated and will not identify you.
3.4.5 Corporate transactions: if we are involved in a merger, acquisition, financing, reorganisation or sale of all or part of our business, personal data may be transferred as part of that transaction but will remain subject to the promises in this policy.
3.4.6 Authorities: regulators, courts, government agencies or law enforcement when required to comply with a legal obligation, respond to lawful requests or protect the rights, property or safety of Simulanis, our users or others. The DPDP Rules 2025 require data fiduciaries to report personal data breaches within 72 hours; we may need to share certain data in such reports.
We do not allow third parties to collect personal data about your online activities across different websites for their own purposes (i.e., we do not permit third‑party behavioural tracking). We also prohibit our service providers from using personal data for any purpose other than to provide services to us.
3.5 International Data Transfers
Simulanis is based in India but operates globally. We may transfer your personal data to jurisdictions outside your home country, including the United States, the European Economic Area and the United Kingdom, where our servers, affiliates or service providers are located.
3.5.1 DPDP Act (India). The DPDP Act applies to processing of digital personal data within India and extraterritorially to processing outside India when it relates to offering goods or services to individuals in India. We will ensure that cross‑border transfers comply with any government notifications and deemed consents under the DPDP Rules 2025.
3.5.2 GDPR/UK GDPR. When transferring personal data from the EU/EEA or UK to countries that have not been deemed to provide an adequate level of protection, we use approved mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) or rely on an adequacy decision. We will implement supplementary measures when necessary to protect your data.
3.5.3 CCPA/CPRA. We do not sell or share personal data for cross‑context behavioral advertising. If we engage in a "sale" or "sharing" of personal data as defined under California law, we will provide a clear opt‑out mechanism and will not transfer sensitive personal data outside the scope of the law.
We will take appropriate technical and organisational measures to ensure your data receives an adequate level of protection consistent with applicable privacy laws.
4. Data Security
We implement reasonable and appropriate security measures to protect personal data from unauthorised access, disclosure, alteration or destruction. These include:
Encryption in transit and at rest for sensitive data, use of secure protocols (HTTPS/TLS) for data transmission.
Access controls such as role‑based permissions, least‑privilege access, multi‑factor authentication and secure password management.
Segmentation and pseudonymisation of data where practicable.
Regular security assessments, penetration testing and vulnerability scanning.
Incident response procedures to detect, investigate and respond to data breaches. Under the DPDP Rules 2025, we will report personal data breaches to the Data Protection Board and affected individuals within 72 hours.
Training and awareness for employees and contractors on data protection and information security.
Contractual obligations requiring our processors to implement security measures equal to or greater than ours.
Despite our efforts, no method of transmission or storage is completely secure. If we learn of a security breach affecting your personal data, we will notify you in accordance with applicable laws.
4.1 Data Retention
We retain personal data for only as long as necessary to fulfil the purposes for which it was collected or as required by law, including:
4.1.1 Account data: Retained for the lifetime of your account and archived for a limited period after closure to allow reactivation or to resolve disputes.
4.1.2 Transaction records: Retained to comply with tax, accounting and audit obligations.
4.1.3 Training results and certifications: Retained until your employer or educational institution removes your access or requests deletion; aggregated for analytics.
4.1.4 Log files and security data: Retained for at least one year as required by DPDP Rule 6 for logs of unauthorised access and for a reasonable period for security investigations.
4.1.5 Audio data: Not retained unless you consent to a recording; recordings are deleted after the specified purpose has been fulfilled.
We may retain anonymised or aggregated data (which can no longer identify you) for research or statistical purposes indefinitely.
5. Your Rights and Choices
5.1 Rights under India’s DPDP Act
As a Data Principal under the DPDP Act, you have the following rights:
Right to access and confirmation: obtain a summary of your personal data processed by us and the processing activities.
Right to correction and erasure: correct inaccurate or incomplete personal data and request deletion of data that is no longer required or for which consent has been withdrawn. We may retain data as required by law or to defend legal claims.
Right to grievance redressal: raise complaints with our Grievance Officer and, if unsatisfied, appeal to the Data Protection Board.
Right to designate a consent manager: appoint a consent manager to manage your consents.
We will facilitate these rights as provided under the DPDP Rules 2025.
5.2 Rights under the EU/UK GDPR
If you are in the European Economic Area or UK, you have the following rights regarding your personal data (subject to conditions and exemptions):
Right to be informed: receive clear information about how we use your personal data.
Right of access: obtain a copy of your personal data and information about our processing.
Right to rectification: request correction of inaccurate or incomplete data.
Right to erasure: request deletion of your data when there is no lawful reason to continue processing ("right to be forgotten").
Right to restrict processing: request that we limit processing of your data in certain circumstances.
Right to data portability: receive your data in a structured, commonly used and machine‑readable format and transmit it to another controller.
Right to object: object to processing based on legitimate interests or for direct marketing.
Right not to be subject to automated decision‑making: object to decisions based solely on automated processing that significantly affect you.
We will respond to data subject requests within one month and may extend the period by two additional months where necessary, informing you of the reason for the delay. We will not charge a fee unless requests are manifestly unfounded or excessive. You also have the right to lodge a complaint with your local supervisory authority.
5.3 Rights under California’s CCPA/CPRA
If you are a California resident, you have the following rights:
Right to know. Request that we disclose the categories or specific pieces of personal information we have collected about you, the categories of sources, business purposes, categories of third parties and whether we disclose or sell that information.
Right to delete. Request deletion of personal information we collected from you, subject to certain exceptions.
Right to opt out of sale or sharing. Direct us not to sell or share your personal information with third parties. Simulanis does not sell personal information; if this changes, we will provide a “Do Not Sell or Share My Personal Information” link.
Right to correct. Request correction of inaccurate personal information.
Right to limit use and disclosure of sensitive personal information. Direct us to use sensitive personal information only for necessary purposes. We do not process sensitive personal information beyond what is required to provide the Services.
Right to non‑discrimination. We will not deny services, charge different prices or provide a different level of quality if you exercise your CCPA rights.
Notice at collection. You have the right to be informed, at or before the point of collection, of the categories of personal information we collect and the purposes. This policy serves as that notice.
We will honor verified consumer requests within 45 days as required by California law (or inform you if additional time is needed). You may exercise your CCPA rights through our online request form or by emailing connect@simulanis.com. You may also use an authorised agent to submit requests, provided the agent has written permission.
5.4 How to Exercise your Rights
To submit a request to access, correct, delete or port your data, or to object to or restrict processing, please contact us using the details in Section XVI. In the request, please specify what right you are exercising and provide sufficient information to verify your identity. For California residents, if you use an authorized agent, we may require proof of authorization. We will acknowledge your request promptly and respond within the timeframes required by law.
6. Contact Information and Grievance Officer
We have appointed a Grievance Officer to oversee compliance and address queries.
Please contact us at:
Grievance & Data Protection Officer
Shivam Krishnam (Senior Legal Counsel)
Simulanis Solutions Pvt. Ltd.
260, Defense Colony, Flyover Market, Delhi
Email: shivamkrishnam@simulanis.com
If you have concerns about how we handle your personal data, we encourage you to contact us first. You also have the right to lodge a complaint with your local data protection authority:
India: Data Protection Board of India.
EU: Your national supervisory authority.
UK: Information Commissioner’s Office (ICO).
California: California Privacy Protection Agency (CPPA) or Attorney General.
Data Controller and Processor Roles
Simulanis may act as a data controller when we determine the purposes and means of processing (e.g., for our own marketing, analytics or account administration) and as a data processor when we process personal data on behalf of clients (e.g., when a company uses our platform to train its employees). When acting as a processor, we process personal data only under the client’s instructions and our contractual terms.
Third Party Sites and Services
Our Services may contain links to websites, products or services operated by third parties (e.g., partner training platforms, payment gateways, social media). This policy does not apply to those third parties. We encourage you to review the privacy policies of any third‑party services before providing them with your personal data. We are not responsible for the privacy practices of third parties.
Changes to the Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. Material changes will be highlighted by revising the "Last updated" date at the top of the policy and, where appropriate, by providing additional notice (such as sending a notification email, posting a banner on our website or obtaining consent). For California residents, the Attorney General advises that businesses should not rely solely on updating the policy but should provide a conspicuous notice of any material change. Your continued use of the Services after the effective date of the revised policy constitutes acceptance of the changes. We maintain previous versions of this policy for your review upon request.
Publication and Accessibility
We will publish this privacy policy prominently on all digital platforms where personal data is collected:
Corporate website and microsites: A link labelled “Privacy Policy” will appear in the footer of every page. A cookie notice will also link to this policy.
Mobile and desktop apps: The privacy policy will be accessible within the app settings, during account registration, and in the app store listing.
XR applications and VR/AR devices: An abbreviated privacy notice will appear during the initial setup explaining data collection (microphone, sensors) and linking to the full policy on our website.
Third‑party platforms: Where our services are offered through our LMS, a partner’s platform or our hardware platform, we will ensure the partner displays or links to our privacy policy.
Email communications: A link to this policy will be included in marketing emails and newsletters.
When we update the policy, we will send email notifications to registered users and display a banner or pop‑up within our apps informing users of the change. We will also maintain an archive of previous policy versions and indicate the effective date of each version.