XR Anatomy Privacy Policy

1. GENERAL INFORMATION

1.1 Applicability of the Privacy Policy

This Privacy Policy governs the processing of personal data collected from individual users and organizations through the mobile and extended reality applications "Understanding Heart Attack," "XR Heart Attack", "XR Heart Anatomy," "XR Anatomy," "3D Heart Anatomy," and "3D Osteology" (the "Application") and the related websites https://xranatomy.com and https://xrheartattack.com (the "Website") (collectively, "XR Anatomy"). This Privacy Policy does not apply to any third-party applications or software that integrate with XR Anatomy (the "Third Party Services"), or any other third-party products, services, or businesses.

1.2 About the Application

The Application is an Extended Reality (XR) and 3D mobile application. XR is an umbrella term that includes Augmented Reality (AR), Virtual Reality (VR), and Mixed Reality (MR). "XR Heart Attack" and "XR Heart Anatomy" are primarily Augmented Reality (AR) applications. The Application is designed to assist medical students, other individuals in the study of anatomy and other medical topics, and the general population. It may also be employed by professionals for educational purposes.

1.3 Responsible entity (data controller)

The entity that is responsible for processing personal data through XR Anatomy is XR Anatomy LTD, having a registered business address at 71-75 Shelton Street, London, England, WC2H 9JQ ("we," "us," and "our").

1.4 Definitions

In this Privacy Policy, you will encounter recurrent terms. For your convenience, we would like to explain what such terms mean:

• "Extended Reality (XR)" means an umbrella term that covers Augmented Reality (AR), Virtual Reality (VR), and Mixed Reality (MR) technologies.
• "Augmented Reality (AR)" means technology that overlays digital content and information onto the real world using a device such as a smartphone or tablet.
• "Virtual Reality (VR)" means technology that immerses users in a fully virtual environment, typically using a headset.
• "Mixed Reality (MR)" means technology that blends real and virtual environments, allowing physical and digital objects to interact in real time.
• "Consent" means a freely given, specific, informed, and unambiguous agreement to the processing of personal data;
• "Data controller" means the entity that determines the purposes and means of the processing of personal data;
• "Data processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller;
• "Personal data" means any information relating to a natural person who can be identified, directly or indirectly, by using such information (e.g., name, address, email, phone number, and IP address); and
• "Processing" means the use of personal data in any manner, including, but not limited to, collection, storage, erasure, transfer, and disclosure of personal data.

1.5 Applicable laws

We process personal data in accordance with the applicable data protection laws, including, but not limited to, the UK Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).

1.6 Term and termination

This Privacy Policy enters into force on the effective date indicated at the top of the Privacy Policy and remains valid until terminated or updated by us.

1.7 Your consent to the Privacy Policy

Your use of XR Anatomy is subject to this Privacy Policy. Before you start using the Application, we will ask you to review this Privacy Policy. We also encourage you to review the Privacy Policy before browsing the Website and submitting any personal data to XR Anatomy.

In some cases (where required by the applicable law), we may seek to obtain your consent for the processing of your personal data. For example, we may seek your prior consent for the following purposes:

• If we are required by law to do so;
• If we intend to collect other types of personal data that are not mentioned in this Privacy Policy;
• If we intend to use your personal data for purposes that are not indicated in this Privacy Policy;
• If we would like to disclose or transfer your personal data to third parties that are not indicated in this Privacy Policy; or
• If we significantly amend this Privacy Policy.

2. WHAT PERSONAL DATA DO WE COLLECT?

2.1 Types of personal data

The basic functionality of the Application can be used without submitting any personal data to us. We comply with data minimization principles and we collect only a minimal amount of personal data that is necessary for ensuring your use of XR Anatomy:

• When you sign up on the Website and opt-in for receiving marketing messages and participating in surveys, we collect your (i) email address, (ii) profession, and (iii) country of residence.
• When you contact us by email, we collect your (i) name, (ii) email address, and (iii) any information you decide to provide us.
• When you contact us through the contact form available on the Website, we collect your (i) email address and (iii) any information you decide to provide us in your message.
• When you use XR Anatomy, we collect your IP address.

2.2 Additional data

We may receive certain additional data when submitting XR Anatomy if you participate in a focus group, contest, activity, or event, request support, interact with our social media accounts, or otherwise communicate with us. Please note that the provision of such data is optional and you may choose what personal data you would like to share with us.

2.3 Sensitive Data

We DO NOT collect, under any circumstances, any special categories of personal data ("sensitive data") from you, such as your health information, opinion about your religious and political beliefs, racial origins, membership of a professional or trade association, or information about your sexual orientation.

2.4 Failure to provide personal data

If you fail to provide us with the personal data when requested, we may not be able to perform the requested operation and you may not be able to use the full functionality of XR Anatomy (e.g., you will not be able to participate in surveys, and get our special offers), receive the services provided through XR Anatomy, or get our response.

3. FOR WHAT PURPOSES DO WE USE PERSONAL DATA?

We respect strictest data protection principles. Thus, we process your personal data only for specified and legitimate purposes explicitly mentioned in this Privacy Policy. In short, we will use personal data only for the purposes of allowing you to use the full functionality of XR Anatomy, maintaining XR Anatomy, conducting research about our business activities, administrative purposes, sending you newsletters and marketing communication, and replying to your enquiries. The detailed description of the purposes and legal basis for processing of your personal data is provided below (the mandatory personal data is marked with *).

4. NON-PERSONAL DATA

4.1 Types of non-personal data

When you browse XR Anatomy, we may automatically collect certain technical non-personal data about your use of XR Anatomy. Such non-personal data does not allow us to identify you in any manner. The non-personal data collected by us includes information about:

• The buttons you click while using XR Anatomy;
• The features of XR Anatomy that you choose to use;
• The parts of the Application that you use during one session;
• Device attributes (operating system, hardware and software versions, platform, screen size, etc.);
• The country in which you reside;
• Network information; and
• Your other online behavior data.

Please note that de-identified personal data is also considered to be non-personal data.

4.2 Purposes of non-personal data

We will use non-personal data in furtherance of our legitimate interests in operating XR Anatomy, conducting our business activities, and developing new products. More specifically, we collect the non-personal data for the following purposes:

• To analyze what kind of users visit XR Anatomy;
• To identify the channels through which XR Anatomy is accessed and used;
• To examine the relevance, popularity, and engagement rate of the content available on XR Anatomy;
• To investigate and help prevent security issues and abuse;
• To develop and provide search, learning, and productivity tools and additional features to XR Anatomy; and
• To personalize XR Anatomy for your specific needs.

4.3 Aggregated data

In case your non-personal data is combined with certain elements of your personal data in a way that allows us to identify you, we will handle such aggregated data as personal data. If your personal data is aggregated or de-identified in a way that it can no longer be associated with an identified or identifiable natural person, it will not be considered personal data and we may use it for any business purpose.

5. MARKETING COMMUNICATION

5.1 Marketing messages

From time to time, if you sign up on the Website, we will send you messages, such as newsletters, brochures, promotions and advertisements informing you about our new services or requests to participate in surveys. Please note that you will receive such marketing messages and requests to participate in surveys only if:

• We receive your express ("opt-in") through the sign up form available on the Website; or
• We decide to inform you about our new services that are closely related to the services already used by you.

You can opt-out from receiving marketing messages and requests for surveys at any time free of charge by clicking on the "unsubscribe" link contained in any of the messages sent to you or contacting us directly.

5.2 Informational notices

From time to time, we may send you informational notices, such as service-related, technical or administrative emails, information about XR Anatomy, your privacy and security, and other important matters. Please note that we will send such notices on an "if-needed" basis and they do not fall within the scope of direct marketing communication that requires your prior consent.

6. RETENTION PERIOD

6.1 Retention of personal data

We will store your personal data in our systems only for as long as such personal data is required for the purposes described in this Privacy Policy, you opt out from receiving marketing communication and surveys, or until your user account is deleted - whichever comes first. After your personal data is no longer necessary for its purposes and there is no other legal basis for storing it (e.g., we are not obliged by law to store your personal data), we will immediately delete your personal data from our systems.

6.2 Retention of non-personal data

We may retain non-personal data pertaining to you for as long as necessary for the purposes described in this Privacy Policy. This may include keeping non-personal data after you have deactivated your account for the period of time needed for us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements.

6.3 Retention as required by law

Please note that, in some cases, we may be obliged by law to store your personal data for a certain period of time. In such cases, we will store your personal data for the time period stipulated by the applicable law and delete the personal data as soon as the required retention period expires.

7. HOW DO WE SHARE AND DISCLOSE DATA?

7.1 Sharing of personal data

In some circumstances, we disclose your personal data to third party service providers (data processors) and other third parties. For example, we may share your personal and non-personal data with entities that provide certain technical support services to us, such as web analytics, data processing, advertising, email distribution, and developing services, or if you explicitly request us to disclose the personal data. The disclosure of your personal data is limited to the situations when such data is required for the following purposes:

• Ensuring the operation of XR Anatomy;
• Ensuring the delivery of the services requested by you;
• Providing you with the requested information;
• Pursuing our legitimate business interests;
• Enforcing our rights, preventing fraud, and security purposes;
• Carrying out our contractual obligations;
• Law enforcement purposes; or
• If you provide your prior consent to such a disclosure.

7.2 Third parties with whom we share personal data

We will share your personal data only with the third parties that agree to ensure an adequate level of protection of personal data that is consistent with this Privacy Policy and the applicable data protection laws. The third parties (data processors) that may have access to your personal data include, but are not limited, to:

• Our hosting providers MailChimp;
• Our contact form service provider Sendgrid;
• Our business analytics service provider Unity; and
• Our newsletter service provider MailChimp.

7.3 Sharing of non-personal data

We may disclose or use non-personal data and de-identified data for any purpose. For example, we may share it with prospects or partners for business or research purposes, for improving XR Anatomy, or developing new products and services.

7.4 Legal requests

If necessary, we will respond to lawful requests from public authorities to disclose information about the users of XR Anatomy to the extent necessary for pursuing a public interest objective, such as national security or law enforcement.

7.5 Successors

In case our business is sold partly or fully, we will provide your personal data to a purchaser or successor entity and request the successor to handle your personal data in line with this Privacy Policy.

8. TRANSFER OF PERSONAL DATA OUTSIDE THE EU

Some of the third parties listed in Section 7 of this Privacy Policy are located outside the European Union (EU) and, if you reside in the EU, we may need to transfer your personal data to jurisdictions outside the EU. In case it is necessary to make such a transfer, we will make sure that the jurisdiction in which the recipient third party is located guarantees an adequate level of protection for your personal data (e.g., the country in which the recipient is located is white-listed by the European Commission or the recipient is a Privacy-Shield certified entity) or we conclude an agreement with the respective third party that ensures such protection (e.g., a data processing agreement based on the Standard Contractual Clauses provided by the European Commission).

9. SECURITY

9.1 Our security measures

We put our best efforts to keep your personal data safe and secure. We implement organizational and technical information security measures to protect your personal data from loss, misuse, unauthorized access, and disclosure. The security measures taken by us include secured networks, limited access to your personal data by our staff, and anonymization of personal data (when possible). In order to ensure the security of your personal data, we kindly ask you to use XR Anatomy through a secure network only.

9.2 Handling security breaches

Although we put our best efforts to protect your personal data, given the nature of communications and information processing technology and the Internet, we cannot be liable for any unlawful destruction, loss, use, copying, modification, leakage, or falsification of your personal data caused by circumstances that are beyond our reasonable control. In case a personal data breach occurs, we will inform the UK Information Commissioner's Office (ICO) without undue delay and immediately take reasonable measures to mitigate the breach, as required by the applicable law. Our liability for any security breaches will be limited to the highest extent permitted by the applicable law.

10. AGE LIMITATIONS AND MINORS

To the extent prohibited by applicable law, we do not allow anyone younger than 18 years old to use XR Anatomy. Thus, we do not knowingly collect personal data of persons below the age of 18. If you learn that anyone younger than 18 has unlawfully provided us with personal data and you are a parent or legal guardian of that person, please contact us and we will take immediate steps to delete such personal data.

11. YOUR RIGHTS REGARDING PERSONAL DATA

11.1 What rights do you have?

Individuals located in certain countries, including the EU, have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, you may ask us to:

• Get a copy of your personal data that we store;
• Get a list of purposes for which your personal data is processed;
• Rectify inaccurate personal data;
• Move your personal data to another processor;
• Delete your personal data from our systems;
• Object and restrict processing of your personal data;
• Withdraw your consent; or
• Process your complaint regarding your personal data. §

11.2 How to exercise your rights?

If you would like to exercise your rights listed above, please contact us by email at [email protected] and explain in detail your request. In order verify the legitimacy of your request, we may ask you to provide us with an identifying piece of information, so that we would be able to identify you in our system. We will answer your request within a reasonable timeframe but no later than 2 weeks. Your requests can be submitted free of charge once per calendar year. If you submit your requests more than once per year, we reserve the right to charge a small administrative fee for providing the requested information.

11.3 How to launch a complaint?

If you would like to launch a complaint about the way in which we handle your personal data, we kindly ask you to contact us first and express your concerns. After you contact us, we will investigate your complaint and provide you with our response as soon as possible. If you are a resident of the EU and you are not satisfied with the outcome of your complaint, you have the right to lodge a complaint with your local data protection authority.

13. FACE DATA (iOS-ONLY – ARKit / TrueDepth)

Scope. This clause applies to every XR Anatomy iOS app that uses ARKit—currently "XR Anatomy for iOS" and "XR Heart Attack".

What we receive. While an AR session runs on a TrueDepth- or LiDAR-equipped iPhone / iPad, the app receives real-time depth maps and 3-D mesh frames. It does not receive or store RGB images, audio, or facial templates.

Why we need it. We use depth frames only to (a) detect planes, (b) place and scale virtual anatomy accurately, and (c) calculate correct occlusion and lighting.

Storage & retention. Depth frames stay in device memory (RAM) and are discarded when you close the AR view. They are never written to disk, backed up, or logged.

Sharing. Depth/face data never leaves your device and is not shared with XR Anatomy Ltd or any third party. Apple's licence forbids sharing.

Legal basis. Processing is based on your consent, collected via the standard iOS camera-permission alert.

Your choice. You may deny camera access at any time in iOS Settings. Static 3-D assets remain available; AR placement will not work.

14. AMENDMENTS

The Privacy Policy may be changed from time to time to address the changes in laws, regulations, and industry standards. The amended version of the Privacy Policy will be posted on this page and, if we have your email address, we will send you a notice about all the changes implemented by us. We encourage you to review our Privacy Policy to stay informed. For significant material changes in the Privacy Policy or, where required by the applicable law, we may seek your consent. If you disagree with the changes to the Privacy Policy, you should cease using XR Anatomy.

The Privacy Policy was last amended on 3rd of May 2025.