Privacy Policy for Spacious Music, LLC

Last updated – April 19, 2025

Spacious Music, LLC ("Spacious Music", "we", "our", or "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our virtual‑reality application Spacious Places (the "App") and any related services or websites we control (collectively, the "Services"). It is intended to meet the privacy‑policy requirements of the Meta Horizon Store and all applicable laws, including the EU/UK GDPR and the California CCPA/CPRA.

1. Information We Collect

We collect only the data necessary to operate and improve the App (data minimization):

• Account & Identity – Meta account ID, display name, headset‑linked email (hashed), and age range.
• Device Information – headset model, OS version, unique device identifier, IP address, language, and region.
• Usage & Gameplay – session length, interactions with in‑app objects, achievement progress, and anonymized analytics events.
• Purchase Data – in‑app purchase (IAP) receipts, SKU, price, currency, transaction timestamp (no full payment details).
• User‑generated Content – instrument positions, personalized settings, and any text or audio you actively choose to share.
• Crash & Performance Logs – error reports and diagnostics automatically supplied by the Meta XR Platform SDK.
• Website Cookies & Analytics (when visiting our marketing site) – standard HTTP logs, analytics cookies (Google Analytics 4), and preference cookies.

We do not intentionally collect sensitive personal data (e.g., racial or ethnic origin, biometric templates beyond headset‑tracking data processed locally in real‑time).

2. How We Use Information

We process the data above to:

• Provide core VR functionality and synchronize gameplay across sessions.
• Validate purchases and unlock premium content.
• Personalize audio, visual, and accessibility settings.
• Monitor performance, detect bugs, and improve stability.
• Generate aggregated, anonymized analytics to guide future development.
• Comply with legal obligations and Meta’s Developer Data Use Policy.

3. Legal Bases (for EEA/UK users)

Our processing rests on:

• Contractual necessity – to deliver the Services you request.
• Legitimate interests – to develop and secure the App (balanced against your rights).
• Legal obligation – to keep financial records and prevent fraud.
• Consent – for optional marketing communications or analytics cookies (website only).

4. Sharing & Disclosure

We never sell your personal data. We share it only:

• With Meta Platforms as required for platform services (e.g., authentication, cloud backups).
• With service providers who host servers, process crash logs, or provide analytics (currently: Unity Analytics, Google Cloud Platform). All providers are bound by confidentiality and process data solely on our instructions.
• When legally required (e.g., a valid court order) after review by our legal counsel and following our Legality Review & Challenge Process (see Section 9).
• During a business transfer (e.g., acquisition), subject to protective conditions.

5. Third‑Party Services

The App may link to external websites (e.g., support articles). Your interactions with those sites are governed by their own policies.

6. Storage & Retention

Gameplay and purchase data are stored in secure Google Cloud datacenters located in the United States. We retain:

• Gameplay analytics for 24 months, then keep only aggregated statistics.
• Purchase records for seven years (tax/accounting).
• User‑generated settings until you delete them or 18 months of account inactivity.

7. Security

We safeguard your data through layered technical and organizational measures:

• Encryption in transit (TLS 1.3) and encryption at rest for all production databases.
• Role‑Based Access Control (RBAC) and least‑privilege IAM policies.
• Multi‑Factor Authentication (MFA) and VPN segmentation for backend access.
• Automated vulnerability scanning, monthly patching, and annual third‑party penetration tests.
• An incident‑response plan that includes user notification within 72 hours of any confirmed data breach.

8. International Transfers

Our servers are located in the United States, and some of our external partners operate worldwide. If you reside outside the U.S., your data may be transferred to and processed in the U.S. or other jurisdictions that may not have the same data‑protection laws as your home country. We rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other approved mechanisms to safeguard such transfers.

9. Your Rights & Choices

You may have the following rights, subject to verification and legal limitations:

• Access – request a copy of the personal data we hold.
• Correction – rectify inaccurate or incomplete data.
• Deletion – request erasure of certain data.
• Restriction/Object – limit or oppose certain processing.
• Portability – obtain data in a structured, machine‑readable format.
• Opt‑out – for CCPA/CPRA “sale” or “sharing” of personal information.

Email privacy@spaciousplaces.ai or use the in‑app Privacy & Data menu. We will respond within 30 days (45 days for CCPA requests).

10. Children

The App is intended for users aged 13 and older (or the minimum age required in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us for deletion.

11. Data Deletion Requests

You can request deletion by:

1. In the App: Settings › Privacy & Data › Delete My Data, or
2. Emailing privacy@spaciousplaces.ai with the subject "Data Deletion Request" and your Meta account ID.

We will erase your data unless retention is legally required (e.g., tax records) or technically necessary to complete an ongoing transaction.

12. Legality Review & Challenge Process

All governmental or legal requests for user data are logged in our Request Register and reviewed by external counsel within 24 hours. If a request appears unlawful, over‑broad, or lacks proper authority, we will challenge or seek clarification before any disclosure. Non‑emergency disclosures require a valid subpoena, warrant, or court order.

13. Documentation of Requests

We maintain auditable records of each request, including:

• Requesting agency, legal basis, and scope
• Internal decision and counsel opinion
• Data categories disclosed (if any)
• Date fulfilled or refused

Records are retained for 10 years and reviewed annually.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced in‑app and on our website at least 15 days before taking effect, and the Last updated date will be revised.

15. Contact Us