🖨️ Click here to download in PDF format (304 KB)

PRIVACY POLICY

Last updated: March 2026

1. Introduction

ImmerseMe is committed to protecting the privacy and security of students, educators, and institutions globally.

This Privacy Policy explains how we collect, use, store, and protect personal information when you use our platform, website, and services (“Platform”).

🔍 In Summary

  • We use data only to support learning

  • We never sell student data

  • We do not use student data for advertising or profiling

  • Schools and institutions control their data

  • We apply strong security and privacy protections

We align with global standards including:

  • 🇺🇸 FERPA (Family Educational Rights and Privacy Act)

  • 🇺🇸 COPPA (Children’s Online Privacy Protection Act)

  • 🇪🇺 GDPR (General Data Protection Regulation)

  • 🇬🇧 UK GDPR / Data Protection Act

  • 🇦🇺 Australian Privacy Principles

  • 🇳🇿 Privacy Act 2020

This Privacy Policy should be read alongside our Terms of Use, Acceptable Use Policy, and AI Terms of Use, which together form our broader framework for platform use, safety, and data protection.

2. Roles and Responsibilities

For most educational customers:

  • The Institution (school, district, university) is the Data Controller

  • ImmerseMe is the Data Processor

For individual users subscribing directly, ImmerseMe may act as the Data Controller.

3. Student Data Commitment (Core Principles)

We are committed to protecting student data:

  • Student data is used only for educational purposes

  • We do not sell personal data

  • We do not use student data for advertising, marketing, or profiling

  • We minimise the data we collect

  • Institutions retain ownership and control of their data

4. Data Ownership

All student and institutional data remains the property of the Institution.

ImmerseMe processes this data solely to provide the Platform and does not acquire ownership rights over it.

5. Information We Collect

5.1 Student Data

  • Name (or partial identifier)

  • Email address

  • Class, school, and year level

  • Student ID (optional)

  • Learning data (audio recordings, transcriptions, written responses, performance and progress data)

5.2 Educators and Subscribers

  • Name

  • Email address

  • Organisation details

  • Billing information (processed via secure third-party providers)

5.3 Usage and Technical Data

  • IP address

  • Device and browser information

  • Platform usage and interaction data

6. How We Use Data

We use personal data to:

  • Provide and operate the Platform

  • Deliver learning insights and analytics

  • Support educators and institutions

  • Improve the Platform using aggregated or anonymised data

  • Communicate with users

We never use student data for marketing purposes.

7. FERPA Compliance

Where ImmerseMe processes student data on behalf of an Institution:

  • ImmerseMe acts as a “school official” with legitimate educational interest

  • We process education records only for authorised educational purposes

  • We do not disclose student data except:

    • to the Institution

    • as directed by the Institution

    • as required by law

We do not use or redisclose student data for non-educational purposes.

8. US State Privacy Laws

ImmerseMe complies with applicable United States state privacy laws, including those relating to student data protection and consumer privacy (such as the California Consumer Privacy Act (CCPA/CPRA) and similar state laws).

Where these laws apply:

  • We do not sell personal data

  • We do not use student data for targeted advertising

  • We process personal data only for authorised educational purposes

  • We support applicable rights requests (such as access, deletion, and correction)

For educational institutions, our practices are designed to align with state student privacy requirements in addition to FERPA.

9. AI and Automated Processing

ImmerseMe uses AI technologies to support language learning, including:

  • Speech recognition

  • Pronunciation feedback

  • Conversational simulations

We ensure:

  • AI is used only as a learning support tool

  • Outputs are assistive, not authoritative

  • Data minimisation is applied when interacting with AI systems

  • Identifiable student data is not used to train general-purpose AI models

10. Data Sharing

We may share data with:

  • Institutions (for student progress and reporting)

  • Trusted service providers (hosting, analytics, communications, AI infrastructure)

  • Legal or regulatory authorities where required

All third parties are contractually required to:

  • protect data

  • use it only for specified purposes

  • comply with applicable privacy laws

11. Subprocessors

We use trusted subprocessors to operate the Platform.

A current list of subprocessors is provided below and maintained on our website.

Sub-processor Categories of Personal Data Location of Processing Security Measures
Cloudflare Location of user, Device type, Operating System Customer traffic is processed globally at the data center closest to the end user Certifications and Compliance Resources
Google Analytics Location of user, Device type, Operating System Customer traffic is processed globally at the data center closest to the end user Data privacy and security
Google Cloud Platform All personal data stored in user account (First name, Last name, Email, Password, etc) Sydney, Australia Google Privacy Terms & Security Measures
OpenAI No personal identifiable data shared unless provided by the student USA Security & Trust
Usersnap (opt-in) Email, First name Europe (Germany or Ireland) Privacy and Security
SendGrid Email, First name USA Twilio Security and Privacy

We ensure all subprocessors:

  • Are contractually bound to data protection obligations

  • Implement appropriate safeguards

  • Only process data for defined purposes

Subprocessor Changes

We will notify institutional customers of any material changes to subprocessors at least 14 days in advance, where required by applicable law.

12. International Data Transfers

Personal data may be processed in countries outside the user’s location.

Where this occurs, we ensure appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)

  • Transfers to jurisdictions with adequacy decisions

  • Secure infrastructure controls

New Zealand is recognised by the European Commission as providing adequate protection.

13. Security and Compliance

We implement strong technical and organisational measures, including:

Infrastructure

  • Secure cloud hosting (e.g. Google Cloud Platform)

  • Regional hosting (e.g. Australia)

Data Protection

  • Encryption in transit (HTTPS/TLS)

  • Encryption at rest where appropriate

  • Access controls and authentication safeguards

Operational Security

  • Role-based access control

  • Monitoring and logging

  • Regular updates and patching

Vendor Management

  • Due diligence on subprocessors

  • Contractual security obligations

We continuously review and improve our security practices in line with industry standards.

14. Data Breach Notification

In the event of a Personal Data Breach:

  • We will notify affected Institutions within 48 hours of becoming aware of the breach

  • We will provide:

    • a description of the breach

    • categories of data affected

    • likely impact

    • mitigation steps taken

We will support Institutions in meeting their regulatory obligations.

15. Data Retention

We retain personal data:

  • While accounts are active

  • As required by law

  • In accordance with institutional agreements

Upon termination of services:

  • Personal data will be deleted or anonymised within 30 days

  • Backup systems may retain data for up to 90 days before permanent deletion

16. Your Rights

Depending on your location, users may have rights to:

  • Access their data

  • Correct inaccuracies

  • Request deletion

  • Restrict or object to processing

  • Data portability

Parents or guardians may exercise these rights on behalf of children where permitted.

17. Children’s Privacy (COPPA)

For users under 13:

  • Schools may provide consent on behalf of parents where permitted

  • Data collection is limited strictly to educational purposes

If you believe data has been collected without appropriate consent, please contact us.

18. Cookies

We use cookies to:

  • Enable essential platform functionality

  • Analyse usage and improve performance

Where required by law:

  • We obtain user consent for non-essential cookies via a cookie consent mechanism

Users can manage preferences through browser or platform settings.

19. GDPR Representative

Name: Karl Fitzpatrick
Email: karl.fitzpatrick@outlook.com

20. Data Processing Addendum (DPA)

For institutional customers:

The DPA governs:

  • processing instructions

  • security obligations

  • data subject rights

  • subprocessors

  • breach notification

21. Changes to This Policy

We may update this Privacy Policy from time to time.

Where changes are material, we will provide reasonable notice to users and institutions.

22. Contact

If you have any questions or requests:

📧 hello@immerseme.com

23. Final Statement

ImmerseMe is committed to maintaining the highest standards of privacy, security, and trust for educators, students, and institutions worldwide.