Privacy Policy
How XR Designer collects, uses, shares, and protects your personal data — and the rights you have under the EU General Data Protection Regulation (GDPR) and the Brazilian Lei Geral de Proteção de Dados (LGPD).
Last updated: 23 June 2026
This Privacy Policy explains how personal data is handled when you visit our websites (xrdesigner.app and xrdesigner.com.br) and when you use the XR Designer studio and the experiences published with it (together, the “Service”). We are committed to processing personal data lawfully, fairly, and transparently in line with the GDPR (Regulation (EU) 2016/679) and the LGPD (Law No. 13.709/2018).
1. Who we are (data controller)
XR Designer (“XR Designer”, “we”, “us”, “our”) is currently operated by an individual and is not yet incorporated as a company. We act as the data controller (controlador) for the personal data described in this Policy. For any privacy question or to exercise your rights, contact us at contact@xrdesigner.app.
2. What data we collect
- Information you provide — when you create an account: your name, email address, and password; optional profile details; billing information (handled by our payment processor); the 3D scenes, assets, and experiences you create or upload; and the content of any messages you send us.
- Information collected automatically — device and browser type, IP address, pages viewed, referring source, language, and timestamps, gathered through standard server logs and, within the studio, product analytics.
- Information from third parties — confirmations from our payment processor and, if you choose to sign in through a third-party provider, basic authentication details from that provider.
3. Cookies and similar technologies
Our marketing website uses only strictly necessary technical storage; it does not set advertising or cross-site tracking cookies. The XR Designer studio uses cookies and local storage that are necessary to keep you signed in and to remember your preferences, and may use privacy-respecting analytics to improve the product. Where the law requires it, we ask for your consent before placing non-essential cookies. You can manage or block cookies in your browser settings; some features may not work without essential cookies.
4. Why we use your data, and our legal bases
We process personal data for the purposes below. The applicable legal bases under the GDPR (Art. 6) and the LGPD (Art. 7) are:
| Purpose | GDPR basis | LGPD basis |
|---|---|---|
| Provide and operate the Service (accounts, building, hosting and serving your published experiences) | Performance of a contract — Art. 6(1)(b) | Execution of a contract — Art. 7, V |
| Process payments and prevent fraud | Contract & legal obligation — Art. 6(1)(b),(c) | Contract & legal/regulatory obligation — Art. 7, II, V |
| Security, debugging, abuse prevention and server logs | Legitimate interests — Art. 6(1)(f) | Legitimate interest — Art. 7, IX |
| Improve and analyse the product | Legitimate interests or consent — Art. 6(1)(f)/(a) | Legitimate interest or consent — Art. 7, IX/I |
| Send marketing or product emails (where applicable) | Consent — Art. 6(1)(a) | Consent — Art. 7, I |
| Comply with legal obligations | Legal obligation — Art. 6(1)(c) | Legal/regulatory obligation — Art. 7, II |
Where we rely on consent, you can withdraw it at any time without affecting processing carried out before withdrawal.
5. How we share data
We do not sell your personal data. We share it only with service providers (operators/processors) that act on our behalf and under contract, including: hosting and content-delivery providers (for example, Vercel and CDNs that serve the site), a payment processor, email and communications providers, and analytics or error-monitoring providers. We may also disclose data when required to comply with the law, enforce our terms, or protect the rights, safety, and security of our users and others.
6. International data transfers
Our providers may process personal data in countries outside your own, including the European Economic Area, the United States, and Brazil. When we transfer personal data internationally, we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses and the international-transfer mechanisms recognised under the LGPD and by the Brazilian National Data Protection Authority (ANPD).
7. How long we keep data
We keep personal data only for as long as necessary for the purposes set out above — to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Account data is kept while your account is active and for a reasonable period afterwards; you can ask us to delete it sooner, subject to any retention the law requires.
8. Your rights
If the GDPR applies to you (for example, you are in the EU/EEA), you have the right to: access your data; rectify inaccurate data; erase data (“right to be forgotten”); restrict or object to processing; data portability; withdraw consent; and lodge a complaint with your local supervisory authority.
If the LGPD applies to you (for example, you are in Brazil), Article 18 gives you the right to: confirmation that processing exists; access to your data; correction of incomplete, inaccurate, or outdated data; anonymisation, blocking, or deletion of unnecessary or excessive data or data processed unlawfully; data portability; deletion of data processed with your consent; information about entities with which we have shared your data; information about the possibility of refusing consent and its consequences; and revocation of consent. You may also petition the ANPD (Autoridade Nacional de Proteção de Dados).
To exercise any of these rights, email contact@xrdesigner.app. We respond within the timeframes required by law (for example, within one month under the GDPR). We may need to verify your identity before acting on a request.
9. Security
We use reasonable technical and organisational measures — such as encryption in transit and access controls — to protect personal data against loss, misuse, and unauthorised access. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
10. Children
The Service is not directed to children under 13, and we do not knowingly collect their personal data. Under the LGPD, the personal data of children and adolescents receives special protection and is processed in their best interest. If you believe a child has provided us personal data, contact us and we will delete it.
11. Published experiences and third-party links
Experiences published with XR Designer may collect data from their viewers (for example, camera access). For that viewer data, the person who publishes the experience normally acts as the controller, and XR Designer acts as a processor where applicable. Websites and services we link to are governed by their own privacy policies.
12. Changes to this Policy
We may update this Policy from time to time. We will post the revised version here with a new “Last updated” date and, for material changes, provide a more prominent notice where appropriate.
13. Contact
For any privacy question, request, or complaint — including matters that would fall to a Data Protection Officer — contact us at contact@xrdesigner.app.