Privacy Policy – Next World
Effective Date: 5 November 2025.
Legal Entity: Next World Enterprises PTY LTD (ABN: 70 631 284 547) (“Next World”, “we”, “us”, “our”)
Privacy Contact: support@nextworldxr.com
1. Scope and Roles
1.1 Scope. This Policy governs personal information processed through:
a) our websites and web apps;
b) the Next World – VR Training Analytics Platform (the “Platform”); and
c) related products, support, and services (together, the “Services”).
1.2 Controller / Processor.
a) We act as data controller for website activity, account administration, and most customer relationship data.
b) For Platform use provided to your employer or training provider (the “Customer”), we act as a data processor under the Customer’s instructions. The Customer’s privacy policy may also apply.
1.3 Applicable laws. We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also adhere to relevant provisions of the EU/UK General Data Protection Regulation (GDPR/UK-GDPR) and the California Consumer Privacy Act / Privacy Rights Act (CCPA/CPRA) to ensure equivalent protection for international users.
2. What We Collect
2.1 Account & Organisation Data (Admins/Managers).
a) Company name and company logo;
b) User name, role/title, and email (Admin/Manager email required);
c) Access level/permissions;
d) Subscription/billing metadata (plan, seats, renewal settings).
2.2 Learner/Training Data (Trainees).
a) Name and (optional) email;
b) Role in the company (where provided);
c) Training assignments/enrolments;
d) VR training completion results, attempts, timestamps;
e) Performance metrics;
f) Training certificates and certificate identifiers;
g) Learning event audit logs.
2.3 Payments & Invoicing.
a) Company name and company address;
b) Billing contact (name, email, phone, address);
c) Payment details collected via Stripe (we do not store full card numbers);
d) Invoice and payment status records maintained in Xero.
2.4 Technical & Usage Data.
a) Device, OS, app version;
b) IP address and coarse geolocation (derived from IP);
c) Diagnostic, crash, and analytics logs;
d) Cookies and similar technologies (see Section 15).
e) VR Device and Sensor Data (Quest, Pico and similar headsets). This may include headset model and identifier, controller tracking and motion data used only to support core VR interactions and performance diagnostics. We do not store raw positional or environmental mapping data beyond what is required for in-session operation.
2.5 Support & Communications.
a) Support tickets, email/chat transcripts;
b) Feedback and survey responses;
c) Contact preferences.
2.6 Sensitive & biometric data. We do not seek to collect biometric identifiers or special categories of personal data (e.g., health, racial/ethnic origin). We do not use facial recognition or collect raw headset camera/microphone/eye-tracking data for identification; the data is processed locally on the device for interaction purposes and is not transmitted to Next World servers or stored after use.
3. Sources of Personal Information
3.1 Directly from you or your organisation (the Customer).
3.2 Automatically through your use of the Services.
3.3 From service providers (e.g., payment confirmations from Stripe; invoice status from Xero).
4. Why We Use Personal Information (Purposes & Legal Bases)
4.1 Service delivery. Provide, operate, and support the Platform and VR training content; manage users/roles; record completions, performance, and certificates; administer subscriptions; process payments and invoicing.
a) Legal bases: contract; legitimate interests; legal obligations (tax/accounting).
4.2 Security & integrity. Detect/prevent fraud, abuse, and security incidents; protect accounts; ensure service reliability.
a) Legal bases: legitimate interests; legal obligations.
4.3 Support & communications. Respond to requests; service notifications (changes, outages, policy updates).
a) Legal bases: contract; legitimate interests.
4.4 Improvement & diagnostics. Troubleshooting, analytics, and product development.
a) Legal bases: legitimate interests; consent where required (cookies/analytics).
b) We do not sell, share, or use analytics data for advertising purposes and no third-party ad tracking occurs within our VR applications.
4.5 Compliance. Accounting, tax, audits, and lawful requests.
a) Legal bases: legal obligations.
4.6 No spam/ads. We do not use personal information for spam or third-party advertising.
5. Hosting and International Transfers
5.1 Primary hosting. User data is hosted on Amazon Web Services (AWS) in Sydney, Australia.
5.2 International transfers. Some service providers may process data in other countries (e.g., US, EU/UK). We ensure appropriate safeguards are in place for these transfers, including the use of Standard Contractual Clauses approved by the European Commission and measures consistent with APP 8 of the Australian Privacy Principles.
6. Retention
6.1 We retain personal information only as long as necessary for the purposes in Section 4.
6.2 Active subscription: account, learning, and invoicing data are retained to deliver the Services.
6.3 Cancellation: data is archived.
6.4 Deletion on request: we delete personal information upon verified request from you or your organisation’s admin, except where retention is required by law (e.g., financial records).
6.5 Illustrative periods: training records per the Customer’s compliance policy; invoices and financial records typically 7 years (or as otherwise required).
7. How We Share Personal Information
7.1 No sale. We do not sell personal information.
7.2 Your organisation (Customer). Admins/Managers may view learner performance and certificates for compliance/training management.
7.3 Service providers (sub-processors). Bound by contract and confidentiality; used only to provide the Services, including:
a) AWS – hosting and storage (primarily Sydney, AU);
b) Stripe – payment processing (stores card data/tokens; see Section 13);
c) Xero – invoicing/accounting (see Section 14);
d) Email delivery, customer support, analytics, and security vendors as needed.
7.4 Legal & safety. Disclosures to comply with law, enforce agreements, or protect rights, property, or safety.
7.5 Business transfers. In a merger, acquisition, or asset sale, information may transfer subject to this Policy.
8. Your Rights
8.1 Subject to law and our role (controller/processor), you may have rights to:
a) Access your personal information;
b) Correct inaccurate data;
c) Delete personal information;
d) Object to or restrict processing;
e) Data portability;
f) Withdraw consent (for cookies/optional communications).
8.2 How to exercise: contact support@nextworldxr.com. If we process your data for your organisation, we will direct/assist your organisation to fulfil your request.
8.3 We respond within timeframes required by law.
9. Children
9.1 Our Services are intended for professional training environments and are not directed to children under 16. We do not knowingly collect personal information from children.
10. Automated Decision-Making
10.1 We do not use automated decision-making that produces legal or similarly significant effects. Training scores/certificates are generated from learning performance for reporting/compliance—not employment decisions made by Next World.
11. Security (General)
11.1 We implement technical and organisational measures appropriate to risk, including TLS encryption in transit, role-based access controls, logging/monitoring, least-privilege access, backups, and staff training.
11.2 No system is 100% secure; we work to mitigate risks and address incidents promptly.
11.3 We apply security measures proportionate to the sensitivity of the information and continuously review their effectiveness.
12. Breach Notification
12.1 Assessment and response. Upon becoming aware of a suspected personal information breach, we promptly investigate, contain, and remediate.
12.2 Notification. Where required by law, we will notify:
a) Affected individuals without undue delay (and in any event within legally required timeframes);
c) Customers (controllers) where we act as processor, to enable them to meet their own obligations.
12.3 Content of notice. Notifications will include: nature of the breach, categories of data affected, likely consequences, measures taken or proposed, and contact details for further information.
12.4 Record-keeping. We maintain an internal register of personal information security incidents and our assessments.
13. AWS Data Privacy & Security (Shared Responsibility)
13.1 Shared responsibility model. AWS secures the cloud infrastructure; Next World secures what we configure within AWS and how we handle data in our applications.
13.2 AWS infrastructure protections (high-level):
a) Physical security of data centres and environmental controls;
b) Network and perimeter protections;
c) Independent compliance attestations (e.g., ISO/IEC 27001, SOC 1/2/3, PCI DSS applicability to relevant services).
13.3 Next World controls on AWS:
a) Data residency: primary hosting in Sydney, Australia;
b) Encryption in transit (TLS) and, where implemented, encryption at rest;
c) Identity and access management (least privilege, role-based access, MFA for admins);
d) Monitoring, logging, backups, and disaster recovery;
e) Segregation of environments (e.g., prod/non-prod) and secure configuration baselines.
13.4 International transfers. Where AWS or integrated services process data outside Australia, we apply safeguards described in Section 5.2.
14. Stripe (Payment Processing)
14.1 Collection. Payment details are entered on Stripe-controlled pages/forms. Next World does not store full card numbers; we receive tokens and transaction results.
14.2 Independent processing. Stripe may act as an independent controller for fraud prevention, compliance, and its services.
14.3 More information. Refer to Stripe’s privacy notice for details on data categories, retention, and international transfers.
15. Xero (Invoicing & Accounting)
15.1 Collection. We store invoicing contact details and invoice/payment records in Xero.
15.2 Independent processing. Xero may act as an independent controller for accounting/compliance.
15.3 More information. Refer to Xero’s privacy notice for details on data handling, retention, and international transfers.
16. Cookie Policy
We use cookies and similar technologies on our websites to improve functionality and measure engagement. Next World VR applications do not use cookies, but may use in-app analytics subject to consent as described in Section 4.4. Users can manage cookie preferences via browser settings or opt-out links.
16.1 What are cookies? Cookies and similar technologies (e.g., local storage, pixels) store or access information on your device to operate and improve our Services.
16.2 How we use them.
a) Strictly necessary (required): authentication, session management, security;
b) Preferences: remember settings (e.g., language);
c) Performance/analytics: measure usage and improve features;
d) Limited marketing/attribution: measure campaign effectiveness (no third-party ad sales; no spam).
16.3 Legal basis.
a) Strictly necessary cookies: legitimate interests/contract;
b) Others (preferences/analytics/marketing): consent where required (e.g., EU/UK).
c) In VR applications where cookies are not used, consent for optional analytics or telemetry is obtained through in-app consent screens or settings before any optional data collection occurs.
16.4 Your choices.
a) Manage cookies in your browser (block/delete);
b) Use our cookie banner/controls (where presented) to opt in/out of non-essential cookies;
c) “Do Not Track” (DNT) is not consistently supported; we treat it as a preference where technically feasible.
16.5 Retention.
a) Session cookies expire when you close your browser;
b) Persistent cookies remain until their set expiry or you delete them.
16.6 Cookie disclosures. On request, we can provide an up-to-date list of key cookies and their purposes, or publish a cookie table covering name, provider, purpose, and duration.
17. Data Deletion, Export, and Account Closure
17.1 Deletion. On verified request, we delete personal information unless retention is legally required (e.g., financial records). Card details stored by Stripe can be deleted via Stripe’s mechanisms; associated invoices may be retained as required by law.
17.2 Export. Admins/Managers may request exports of user and training data; individuals can request exports directly or through their organisation.
17.3 Cancellation. Upon cancellation, data is archived and subsequently deleted per our retention schedule and legal obligations.
18. International Users
18.1 If you are outside Australia, your information may be transferred to Australia and other countries where our providers operate. We use safeguards described in Section 5.2.
19. Complaints and Regulatory Contacts
19.1 Contact us first: support@nextworldxr.com.
19.2 Australia: You may contact the Office of the Australian Information Commissioner (OAIC).
19.3 EU/UK: You may contact your local Data Protection Authority.
19.4 We will cooperate with authorities and, where we act as processor, with your organisation.
20. Changes to This Policy
20.1 We may update this Policy periodically. We will post the updated Policy with a new Effective Date and provide additional notice for material changes (e.g., email or in-app notice to admins).
21. Platform-Specific Summary (Quick Reference)
21.1 We store (Platform):
a) Company name and company logo;
b) User name, role in the company, and email (Admin/Manager email required; Trainee email optional);
c) VR training completion results, performance metrics, training certificates;
d) Invoicing: company name, company address, billing contact details;
e) Hosting: AWS Sydney, Australia.
21.2 On cancellation: data is archived.
21.3 Deletion: all user data can be deleted on request, subject to legal retention (e.g., invoices/financial records).
21.4 No spam/ads: We do not use data for spam or third-party advertising.
21.5 VR Data Overview: Next World processes limited VR interaction data (headset ID, controller input, and session events) to deliver training experiences. No camera, microphone, eye-tracking, or biometric data is stored by Next World. Meta, Pico and other headset manufacturers may collect device-level data under their own privacy policies.