FacilityVR
← Back to Home

Privacy Policy

Last Updated: 2nd June 2026

1. Introduction

Facility Labs ("Company", "we", "our", or "us") operates the FacilityVR platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using FacilityVR, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Personal Information

We collect information that you provide directly to us, including:

  • Email address (required for account creation)
  • Name (first and last name)
  • Organisation and role information
  • Payment information (processed securely through Stripe)

2.2 Training and Facility Information

For platform features, you may choose to provide:

  • Facility layout data (room dimensions, equipment placements, floor plans)
  • Training scenario configurations and pre-conditions
  • Learner performance results, scores, and completion records

2.3 AI Interaction Data

  • Conversations with AI layout generation features
  • Prompts, instructions, and AI-generated responses
  • AI-generated facility layouts and configurations

2.4 Usage Information

  • Log data (IP address, browser type, device information)
  • Usage statistics and feature interaction data
  • Credit consumption and billing transactions
  • VR session data including device pairing and spectator viewing activity

3. How We Use Your Information

We use the collected information for various purposes:

  • To provide, maintain, and improve our Service
  • To generate and refine AI-powered facility layouts
  • To process payments and manage subscriptions
  • To send you authentication codes and service-related communications
  • To track learner progress and generate performance reports
  • To improve AI model responses and accuracy
  • To monitor usage and prevent fraud or abuse
  • To comply with legal obligations

4. AI and Third-Party Services

4.1 AI Provider Integration

Our AI features are powered by large language models developed and maintained by providers such as Anthropic. When you interact with AI features, your prompts and facility information are sent to the provider's API to generate responses. Our LLM providers process this data according to their own privacy policy and data usage terms.

4.2 Stripe Payment Processing

Payment transactions are processed through Stripe. We do not store complete credit card information on our servers. Stripe maintains your payment details according to their privacy policy.

4.3 PostHog Analytics

Our public website uses PostHog to collect product-analytics data (such as page views and navigation paths) so we can understand and improve how visitors use the site. On the website this runs only with your consent (see Section 9). PostHog processes this data in the United States according to its own privacy policy.

5. Data Sharing and Disclosure

We may share your information in the following situations:

5.1 Service Providers

We share data with third-party service providers (Anthropic, Stripe, PostHog, email services) who help us operate our Service.

5.2 Legal Requirements

We may disclose your information if required by law or in response to valid requests by public authorities.

5.3 QR Code Verification

If your organisation enables QR Code verification, Statements of Attainment may include a QR code linking to a public verification page. This page displays your name, the organisation name, and a summary of your passed assessment results (scenario titles, dates, and scores). Your email address is not disclosed. You may opt out of this feature at any time through your account settings. When opted out, Statements of Attainment are generated without a QR code and your assessment results are not publicly accessible.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. We may retain certain information as required by law or for legitimate business purposes. Training session history and results are retained to provide continuity in learner progress tracking.

7. Data Security

We implement appropriate technical and organizational security measures to protect your information. However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Your Rights and Choices

You have the following rights regarding your personal information:

  • Access: You can access and review your account information at any time
  • Correction: You can update your personal information through Account Settings
  • Deletion: You can request deletion of your account and associated data
  • Export: You can request a copy of your data in a portable format
  • Opt-out: You can opt out of marketing communications (service emails are required)

9. Cookies and Tracking

We use essential session cookies to maintain your login state and operate the Service. These are always active and cannot be disabled while you use the Service. We do not use advertising cookies and do not sell your data to advertisers.

On our public website we also use PostHog, a product-analytics service, to understand how visitors navigate our pages so we can improve them (for example, page views, navigation paths, and aggregate traffic patterns). On the website, PostHog analytics run only with your consent: when you first visit, you are shown a banner and analytics cookies are set only if you click "Accept". If you click "Reject", or have not yet chosen, no PostHog analytics cookies are stored and no analytics events are collected. You can change your choice at any time by clearing your browser storage for our site, which re-displays the banner.

PostHog data for our public website is processed in the United States. See Sections 4 and 11 for more on third-party processors and international transfers. You can also disable cookies in your browser settings, but this may affect Service functionality.

10. Children's and Minors' Privacy

Learners using the Service may be under the age of 18. Where a learner is a minor, their organisation administrator or educator is responsible for obtaining appropriate parental or guardian consent before creating the learner's account. We collect only the minimum information necessary to provide the Service to minor learners (name, email, and learning performance data). We do not knowingly collect personal information from minors without oversight by their school or learning organisation. If you believe a minor's information has been collected without appropriate consent, please contact us immediately.

11. International Data Transfers

11.1 Where your data is processed

FacilityVR is operated by Facility Labs from Australia. Customer data (account details, training records, scenarios, layouts, application submissions) is stored on Microsoft Azure infrastructure. AI features are processed by Anthropic (United States) on a per-request basis; AI prompts and the immediate context required to fulfil them are sent to Anthropic and processed under their own data-handling terms. Email is delivered through Mailgun. Public-website analytics are processed by PostHog (United States), subject to the consent controls described in Section 9.

11.2 Australian customers

Where data is disclosed to overseas recipients (including AI processing in the United States), We take reasonable steps to ensure the recipient handles personal information in a manner consistent with the Australian Privacy Principles, in accordance with APP 8 of the Privacy Act 1988 (Cth). By using the Service, you also acknowledge and consent to your information being transferred to and processed in jurisdictions outside Australia, including the United States.

11.3 Singapore customers

Where data is transferred outside Singapore (including to Australia, where we are based, and to the United States for AI processing), the transfer is made on the basis of (i) your consent to such transfer through your acceptance of these terms and (ii) FacilityVR taking reasonable steps to ensure recipients are bound to a comparable standard of protection, consistent with section 26 of the Singapore Personal Data Protection Act 2012. You may withdraw your consent to such transfer at any time, but doing so will mean we can no longer provide the Service to you.

11.4 Malaysian customers

Where data is transferred outside Malaysia (including to Australia and the United States), the transfer is made on the basis of your express consent through acceptance of these terms, in accordance with section 129 of the Malaysian Personal Data Protection Act 2010. We take reasonable precautions to ensure that recipients of personal data outside Malaysia handle the data in line with the standards set by the Act. You may withdraw your consent at any time; doing so will mean we can no longer provide the Service to you.

11.5 Other jurisdictions

For users outside Australia, Singapore, and Malaysia, your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. By using our Service, you consent to such transfers and accept that the Service may not be specifically tailored for the law of your jurisdiction. Where local mandatory consumer-protection or privacy law provides rights that cannot be excluded by contract, those rights continue to apply.

12. Employer-Tier Data Handling

The Service includes an Employer tier whose customers receive personal information about candidates and learners through the Career Portals feature (job applications, event registrations, the Learner Directory). This Section sets out how that data flow works for the purposes of this Policy.

12.1 We remain a data processor / handler

We continue to process this data as part of operating the Service: storing it, making it available to authorised Employer-tier users, and providing access / correction / deletion mechanisms in accordance with this Policy and applicable law.

12.2 The Employer organisation is a separate controller

On receipt of an application, registration, or directory record, the Employer organisation handling that data becomes a separate data controller (or the equivalent term in the applicable jurisdiction — APP entity under Australian law, "organisation" under Singapore PDPA, "data user" under Malaysian PDPA). The Employer is responsible for its own privacy notice, retention policy, and security measures over data it has received. We require Employer-tier customers to commit to such obligations under our Terms of Service (Section 16.3).

12.3 Data-subject requests

Where you exercise an access, correction, or deletion right with us:

  • We will action the request against data held in our systems within a reasonable period (and within any timeframe required by applicable law).
  • For data already received by an Employer organisation in connection with an application or directory visibility you opted into, we will, on your request, notify the Employer of your request in good faith. However, the Employer is the controller of that copy and we cannot compel them to action your request. You may need to contact the Employer directly.

12.4 Limits on Employer use

Employers receiving data via the Service have agreed (in our Terms of Service) not to use that data for purposes other than evaluating the application or registration to which it relates, and not to sell or commercially disclose the data. We rely on this contractual undertaking. If you become aware of a misuse, you may report it to us at privacy@facilityvr.com and we will investigate and take appropriate action with the Employer concerned.

13. Career Portals and the Learner Directory

13.1 What's visible by default

By default, your training records, profile, and bio are visible only to your own organisation and to us. They are NOT visible to any external Employer organisation, to other learners, or to the public.

13.2 Opt-in directory visibility

Learners may opt in to either or both of the following visibility settings, separately and at any time through their account settings:

  • Visible to your organisation's industry partners: Employer-tier organisations that have an accepted industry-partnership relationship with your organisation can see your name, completed courses, and bio in their directory.
  • Visible to all employer-tier organisations: Any Employer-tier organisation on FacilityVR can see your name, completed courses, and bio in their directory.

Both settings default to OFF. Either setting can be turned off at any time. The Learner Directory does NOT display your email address, phone number, or any other contact detail. Employer-tier organisations contact candidates only through the platform's structured application and registration flows.

13.3 Applying to a job or registering for an event

When you apply for a job posted on FacilityVR or register for a career event:

  • Your name, email address, the answers you provide on the application form, and any attachments you upload are sent to the Employer that posted the role or event.
  • Your training history (completed courses and assessment outcomes from your FacilityVR records) is included with the application unless you indicate otherwise on the application form.
  • Once received, the Employer is a separate data controller (see Section 12.2) and handles your data under its own privacy notice and policies.
  • The status of your application or registration (e.g., reviewing, shortlisted, completed) is shared between you and the Employer through the platform.

13.4 Withdrawing an application

You may withdraw an application or cancel a registration at any time. Withdrawing removes the application from the active queue but does not automatically delete the copy already received by the Employer; you may contact the Employer directly to request deletion of their copy.

13.5 Children and minor learners on Career Portals

Where a learner is under 18, the directory and application features remain disabled by default. A school administrator or parent / guardian must explicitly enable these features for a minor's account. We do not knowingly facilitate Employer-tier access to a minor's profile or applications without such explicit consent. See also Section 10.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Facility Labs
Email: privacy@facilityvr.com

For data subject requests (access, deletion, export), please email: dataprotection@facilityvr.com