Privacy Policy
1. Introduction & Who We Are
At VirtualSpeech Ltd., we are committed to protecting and respecting your privacy. This policy explains how we collect, use, and protect your personal data, and outlines your rights under the General Data Protection Regulation (GDPR). VirtualSpeech provides immersive learning experiences through virtual reality and AI-powered platforms. For the purposes of the GDPR, we process personal data to provide our services and act in compliance with applicable data protection laws.
2. Data Collection & Usage
We collect only the information necessary to provide our training services, enabling performance tracking and allowing administrators to monitor individual progress. This includes:
- User Information: Email addresses and names provided by your organization. User details can be anonymized on request.
- Performance Data: AI scores, speaking pace, and non-verbal communication metrics generated during exercises.
- User Assets: Presentation slides, notes, questions, and CV/Resume data uploaded via the management portal.
- Audio/Transcripts: Voice recordings are stored only if explicitly enabled by the user or organization through the 'Save/Upload' button.
- System Logs: The last time the app was used and device user agent data.
3. Biometric Data & Privacy
VirtualSpeech does not collect or store facial recognition or biometric identifiers. We track movement and posture only when you are using the VR experience, in order to give body language feedback.
4. AI & Sub-processors
We maintain strict privacy for AI-driven features and utilize the following sub-processors for essential service delivery:
- OpenAI & Azure Integration: We use the OpenAI and Microsoft Azure APIs. No data submitted via the APIs is used by OpenAI or Microsoft to train or improve their models.
- Amazon Web Services (AWS): AWS is used for the secure storage of performance data, voice recordings, uploaded assets, and learner data.
All sub-processors operate under strict data protection obligations and written contracts that impose GDPR-compliant safeguards.
5. European AI Act Compliance
Our platform is built to align with the transparency, fairness, and human oversight requirements of the European AI Act:
- Purpose Restriction: VirtualSpeech’s AI functionalities are designed for training and educational purposes only. The platform must not be used to make decisions related to promotions, layoffs, salary adjustments, or any other employment-related determinations.
- Transparency: Administrators and end-users are notified that they are speaking with an AI avatar.
- Human Oversight: AI is used to assist in learning processes, but the platform does not make autonomous decisions; final interpretations are guided by human supervisors or trainers.
6. Data Security & Integrity
- Encryption: Data is transferred between systems and locations via Secure Sockets Layer (SSL), with RSA 2048-bit encryption. Passwords are stored securely using the PBKDF2 algorithm with a SHA-256 hash and random salts.
- Access Control: Access is restricted based on the principle of least privilege, with multi-factor authentication (MFA) utilized for critical systems, including AWS.
- Security Posture: VirtualSpeech is ISO 27001 and ISO 27701 aligned. We are not SOC 2 Type II certified. We provide our Data Processing Agreement (DPA) and this Privacy Policy to satisfy compliance and audit requirements.
7. Data Localization & Cross-Border Transfers
- Hosting: Data is hosted on secure AWS servers.
8. Data Retention & Deletion
- Retention: Personal Data is retained for up to six (6) years to enhance app development and performance, unless a deletion is requested.
- Logs & Backups: Security and troubleshooting logs are retained for 90 days, while audit/compliance logs are held for 15 months. System backups are maintained daily and retained for 10 days.
- Deletion: Users may request data deletion or the return of their data by contacting their account manager and info@virtualspeech.com. Deletion requests are processed within 7 days.
9. Data Subject Rights
Under the UK GDPR, data subjects have the right to request access, rectification, erasure, restriction, objection, and data portability regarding their personal data. VirtualSpeech will assist the Data Controller, insofar as possible, in fulfilling obligations to respond to these requests.
10. Breach Notification
In the event of a data breach, VirtualSpeech will notify the Data Controller without undue delay and no later than 72 hours after becoming aware of the breach. We will also assist in notifying the appropriate supervisory authority and affected data subjects where applicable.
Last Updated: 19 June 2026