Vport, LLC Privacy Policy

Version: 2.0.0
Effective Date: December 6, 2025
Last Updated: December 6, 2025

Vport, LLC ("Vport," "we," "us," or "our") is committed to protecting the privacy and security of your Personal Data. This Privacy Policy ("Policy") describes how we collect, use, disclose, and protect Personal Data in connection with your use of our websites, mobile applications, spatial computing applications (specifically for Apple Vision Pro and compatible devices), creator tools, APIs, SDKs, and related services (collectively, the "Services").

Please read this Policy carefully. By accessing or using the Services, you acknowledge the data practices described herein.

1. DEFINITIONS

To ensure clarity and legal precision, the following terms are defined as follows:

• "Biometric Information" means data generated from measurements of an individual's biological characteristics, such as face geometry, retina or iris scans, voiceprints, or hand geometry, which can be used to uniquely identify an individual.
• "Controller" means the entity which determines the purposes and means of the processing of Personal Data.
• "Personal Data" (or "Personal Information") means any information that relates to an identified or identifiable individual.
• "Processor" (or "Service Provider") means an entity that processes Personal Data on behalf of the Controller.
• "Spatial Data" means data regarding a user's environment, head pose, gaze, hand gestures, or physical surroundings, processed primarily for the purpose of rendering immersive content.

2. SCOPE AND APPLICABILITY

This Policy applies to all users of the Services globally, including Viewers (Normal Customers), Artists, Venues, Promoters, and Administrators (Admins).

• Vport as Controller: Vport acts as the Data Controller for user account data, identity data, and public interactions on the platform.
• Vport as Processor: Vport acts as Processor for event footage commissioned by Venues/Promoters under signed Data Processing Addendums (DPAs).

3. DATA COLLECTION

We collect Personal Data from the following sources:

3.1. Information You Provide Directly

• Account Registration: Name, email address, username/handle, password (hashed and salted), date of birth (for age verification to confirm 18+ eligibility), profile photograph, and self-selected user type.
• Creator/Venue Financial Information: Business name, physical address, tax identification numbers (W-9/W-8BEN), and banking details for payout processing.
• User Content: Videos, audio tracks, 3D assets, comments, captions, and metadata uploaded to the Services. For information on how we handle copyright infringement and DMCA takedowns, please refer to our Terms of Service.
• Communications: Data provided in support tickets, feedback forms, and IP notices.

3.2. Information Collected Automatically

• Device & Log Data: Internet Protocol (IP address) (collected for rights management and fraud prevention), unique device identifiers, crash reports, and system performance logs.
  Note: Error logs are transient, and device identifiers collected for security are not stored long-term beyond the active session or security window.
• Usage Data: Pages viewed, duration of sessions, buttons clicked, and interaction timestamps.
• Location Data: Approximate location derived solely from IP address for rights management (geo-fencing). We do not collect precise GPS coordinates.
• OS/Browser Data: We collect Operating System (OS) version and browser type via our analytics Service Providers (see Section 5.1).

3.3. Information from Third Parties

• Authentication Partners: If you access the Services via "Sign in with Apple" or Google, we receive basic profile information (name, email) authorized by you.
• Payment Processors: We receive transaction status and tokenized payment credentials (e.g., from Stripe). Vport does not store raw credit card numbers.

4. PURPOSES OF PROCESSING AND LEGAL BASES

We process Personal Data only where we have a lawful basis to do so (GDPR Art. 6):

| Processing Activity | Legal Basis | |---------------------|-------------| | Service Provision: Account creation, content hosting, stream delivery. | Performance of Contract | | Platform Security: Fraud detection, network security, rights management. | Legitimate Interests | | Spatial Rendering: Processing inputs to display immersive content. | Performance of Contract | | Analytics: Analyzing usage trends to optimize Services. | Legitimate Interests (Consent where required) | | Legal Compliance: Tax reporting, DMCA compliance. | Legal Obligation | | Marketing: Newsletters and promos. | Consent (Opt-in) |

5. DISCLOSURE OF PERSONAL INFORMATION

Vport maintains strict controls over data disclosure. We do not sell Personal Data.

5.1. Service Providers (Data Processors)

We engage third-party vendors to perform services on our behalf. These vendors are contractually bound to maintain confidentiality.

• Hosting & Infrastructure: Google Cloud (US Central 2), Bunny (CDN), Cloudflare (CDN/Security).
• Analytics: Amplitude, Google Firebase. Note on "Sale/Sharing": Vport configures these services to limit data usage where possible. However, under the broad definitions of the CPRA, the use of certain analytics trackers may constitute "sharing" for cross-context behavioral advertising. We provide a "Do Not Sell or Share My Personal Information" control in your settings to opt-out of this specific practice.
• Payment Processing: Stripe, PayPal.
• Customer Support & Communications: Chatwoot (Customer Support Ticketing), SendGrid (Email), Twilio (SMS).
• Marketing Communications: We provide a functional, easy unsubscribe in every marketing email and honor requests without undue delay. You have the right to object to direct marketing at any time (GDPR Art. 21(2)).
• Consent for Non-Essential Tracking: In the EU/UK, we obtain consent for non-essential cookies and SDKs in line with ePrivacy Directive Art. 5(3) and UK PECR Reg. 6; you can withdraw consent at any time through in-app settings.
• Subprocessor List: For a continuously updated list of our subprocessors, please visit VPORT - Immersive VR Concerts & Live Music Events.

5.2. Aggregated Data to Creators

We provide Partners (Venues, Labels) solely with Aggregated Statistics (e.g., "500 total views"). We do not share PII.

5.3. Public Disclosure

Your username, profile photo, and public comments are visible to other users.

5.4. Legal Requirements

We may disclose data if required by law (subpoena) or to protect Vport's rights/safety.

6. SPATIAL COMPUTING & IMMERSIVE FEATURES

We rely on local, on-device processing for all sensitive spatial data.

• No Raw Camera Access: Vport does not access, record, or transmit raw video feeds from device pass-through cameras.
• Local Processing: Calculations for hand tracking, eye gaze, and room mapping are performed locally by the OS (e.g., visionOS). Vport receives only derived interaction events (e.g., "Select Event") necessary to render the app.
• No Tracking: Vport does not use Spatial Data for tracking, advertising, or building user profiles.
• Surroundings Data: Room geometry data is processed in volatile memory (RAM) and purged within 30 seconds of feature deactivation.
• Opt-Out Preference Signals: Where required, we automatically process recognized opt-out preference signals, including Global Privacy Control (GPC) (California; 11 CCR §7025) and the Universal Opt-Out Mechanism (UOOM) recognized by the Colorado Attorney General (4 CCR 904-3).

7. BIOMETRIC INFORMATION POLICY

Vport does not collect, capture, or store Biometric Identifiers (as defined by 740 ILCS 14/10).

• No Derived Biometrics: We do not infer biometrics from Spatial Data.
• Hardware Isolation: Biometric authentication (e.g., Optic ID) occurs entirely at the hardware/OS level; Vport never accesses the template.
• Note: Since we do not possess biometric data, we do not maintain a BIPA retention schedule. Our transparency regarding biometric practices is provided for your awareness, not because BIPA requirements are triggered by our data practices.

8. INTERNATIONAL DATA TRANSFERS

Vport is based in the United States (Servers: US Central 2). Data from EEA/UK users is transferred to the US under:

• Standard Contractual Clauses (SCCs): Transfers rely on the EU Standard Contractual Clauses (2021) (typically Module 2 Controller→Processor and Module 3 Processor→Processor, as applicable), along with supplementary measures (e.g., encryption in transit/at rest, access controls, data minimization) consistent with EDPB guidance.
• EU-U.S. Data Privacy Framework (DPF): We are actively preparing for DPF self-certification and will update this Policy upon completion to reflect our adherence to the DPF Principles.
• Article 27 Representative: If our processing of EEA/UK data is not occasional, involves regular monitoring, or otherwise triggers GDPR Article 27 requirements, we will appoint an EU/UK representative and update this Policy accordingly.

9. RETENTION OF DATA

We adhere to Storage Limitation and Data Minimization principles.

• Account Information: Lifetime of account + 24 months (audit/reactivation).
• Transaction Records: 7 years (Tax/Accounting).
• Metric Data (User-level Analytics): Retained for thirty (30) days via providers like Amplitude/GA, then aggregated or deleted.
• Technical Logs (IP, Device Data): Retained for thirty (30) days (Security/Debugging).
• Spatial Interaction Data: 0 seconds retention (processed in-memory).

We determine retention periods based on legal obligations, the nature and sensitivity of the data, security and fraud-prevention needs, and the potential for disputes.

Vport maintains Records of Processing Activities (RoPA) in compliance with GDPR Article 30, documenting all categories of processing activities carried out on behalf of Controllers.

10. SECURITY & BREACH NOTIFICATION

We implement NIST 800-53 Rev. 5 controls (AES-256 encryption, RBAC).

• Breach Notification: We will notify affected individuals and, where required, regulators without unreasonable delay and consistent with applicable law. California: For incidents discovered on or after January 1, 2026, we notify affected residents within 30 calendar days of discovery or notification of a reportable breach and, if a single breach requires notification to more than 500 California residents, submit a sample notice to the Attorney General within 15 calendar days of notifying affected residents. Colorado: we recognize applicable timelines under the Colorado Privacy Act and related rules.
• Where permitted by law, we may delay notification if a law-enforcement agency determines that notice would impede an investigation or jeopardize national or public security.

11. YOUR PRIVACY RIGHTS

You have rights to Access, Correct, Delete, Restrict Processing (GDPR Art. 18), Data Portability (GDPR Art. 20 / VA § 59.1-577(A)(4)), and Opt-Out. Restrict Processing and Data Portability are available to users located in the EEA/UK (and where local law provides).

11.1 Data Portability

You may request a portable copy of certain Personal Data that you have provided to us in a structured, commonly used, and machine-readable format.

11.2 California-Specific Rights

California residents have additional rights to:

• Opt-out of the sale or sharing of personal information
• Correct inaccurate personal information
• Limit the use and disclosure of sensitive personal information
• Designate an authorized agent to exercise privacy rights on their behalf

To exercise these rights, California residents may:

• Submit requests through our in-app "Privacy & Data Controls" menu (Profile > Settings > Privacy & Data) or email [email protected]
• Designate an authorized agent (with proof of agency and user verification)
• Verify their identity through:
  • Account authentication for standard requests
  • Additional verification steps for sensitive requests or authorized agent submissions

We provide the Notice at Collection at or before the point of collection (11 CCR §7012). If we Sell or Share personal information, we will display a clear "Do Not Sell or Share My Personal Information" link and the required Notice of Right to Opt-Out (11 CCR §7013). If we use Sensitive Personal Information beyond permitted purposes, we will provide the "Limit the Use of My Sensitive Personal Information" link and Notice of Right to Limit (11 CCR §7014).

11.3 Targeted Advertising and Profiling Opt-Outs

Where required by law (e.g., California – "sharing" for cross-context behavioral advertising; Colorado/Connecticut/Virginia – targeted advertising; Colorado/Virginia – profiling in furtherance of decisions that produce legal or similarly significant effects), you can opt out via Settings → Privacy & Data Controls or recognized signals (see below).

11.4 EU/UK Information

• Right to Lodge a Complaint: EEA/UK users may lodge a complaint with their local supervisory authority.
• EU/UK Representative: If our processing triggers GDPR Art. 27, we will appoint an EU/UK representative and update this Policy with contact details.

11.5 General Response Timelines

We respond to verified requests within 45 days (CPRA; extendable once) and within one month (GDPR; extendable by two additional months for complex requests).

U.S. State Opt-Outs (CA/VA/CO/CT/UT): You may opt out of Targeted Advertising and Profiling.

Exercise Rights: Email [email protected] or use the in-app "Privacy & Data Controls" menu.

GPC & Other Signals: Where required, we automatically process recognized opt-out preference signals, including Global Privacy Control (GPC) (California; 11 CCR §7025) and the Universal Opt-Out Mechanism (UOOM) recognized by the Colorado Attorney General (4 CCR 904-3).

11.6 Data Deletion (Technical)

Upon a verified deletion request, we cease processing for analytics/marketing within one (1) hour. Permanent deletion from production occurs within seven (7) days.

12. NOTICE TO CALIFORNIA RESIDENTS (CCPA/CPRA)

12.1. Notice at Collection

We collect: Identifiers (IP, Email), Commercial Info (Trans history), Internet Activity (Logs, OS/Browser via analytics), and Sensory Data (Content).

Purpose: Service delivery, security, analytics.

Recipients: Service Providers (Cloud, Analytics, Payment, Support).

We provide the Notice at Collection at or before the point of collection (11 CCR §7012). California residents also have a Right to Know the categories of personal information we collect, the sources, the purposes, and the categories of third parties to whom we disclose it, as described in our Notice at Collection and Section 5.

12.2. Sale and Sharing

Vport does not sell Personal Information for monetary value. Vport may "share" Personal Information (as defined by California Civil Code §1798.140(ah)(1)) solely for the purpose of analytics and performance measurement. We provide the "Do Not Sell or Share My Personal Information" link and the required Notice of Right to Opt-Out (11 CCR §7013) in the app settings to give you control over this.

12.3. Sensitive Personal Information

We do not use Sensitive Personal Information for purposes other than providing the Service (security, verification).

If we use Sensitive Personal Information beyond permitted purposes under the CPRA, we will provide the "Limit the Use of My Sensitive Personal Information" link and Notice of Right to Limit (11 CCR §7014).

12.4. Financial Incentives

Vport does not offer financial incentives, differential pricing, or loyalty programs in exchange for the collection, sale, or sharing of your Personal Information. We do not discriminate against consumers who exercise their privacy rights.

12.5. California Response & Verification Procedures

As required by CPRA regulations, we:

• Accept requests from authorized agents with proper verification documentation
• Employ a multi-step verification process proportional to request sensitivity
• Limit disclosure of specific pieces of sensitive information while still fulfilling the request
• Provide notice if we cannot verify a request or must deny access to specific data categories

13. COOKIES & TRACKING

We use necessary cookies and analytics SDKs (Amplitude, Google Analytics).

In the EU/UK, we obtain consent for non-essential cookies and SDKs in line with ePrivacy Directive Art. 5(3) and UK PECR Reg. 6; you can withdraw consent at any time through in-app settings.

App Tracking Transparency (ATT): We do not use Apple's ATT framework as we do not track users across third-party apps for advertising. If our practices change, we will request ATT permission per Apple policy.

14. CHILDREN'S PRIVACY & AGE ASSURANCE

Vport is intended exclusively for users aged 18 and older. We do not knowingly collect data from children under 13.

• Age Verification: Neutral DOB picker used at signup. Accounts are blocked for users who do not meet the 18+ age requirement.
• If we ever Sell/Share Personal Information, we will obtain opt-in consent for users under 18 (or their guardians where required), as mandated by California law.

15. AUTOMATED DECISION MAKING

Automated decisions affecting account status (e.g., bans) include human review. You may appeal decisions via [email protected]. We do not use User Content to train Generative AI models. We may use usage data to train internal recommendation algorithms to improve content discovery.

For residents of Colorado and Virginia, if we decline to act on a verified rights request, you may appeal our decision through the same channels listed above; we will respond within the timeframe required by applicable law.

16. CONTACT INFORMATION

Vport, LLC
Email: [email protected]
Address: 369 Arc Court, Hayward, CA 94544, USA

Data Protection Officer: We have not appointed a DPO; all privacy inquiries should be directed to [email protected].

17. CHANGES TO THIS POLICY

We may update this Policy. Material changes will be notified via email or in-app alerts.

18. APPLE ECOSYSTEM NOTICE

When using Vport on Apple devices (e.g., Vision Pro, iPhone):

• Camera/Microphone: Access is never granted to Vport for raw recording.
• Voice Commands: Audio is processed on-device by the OS for intent recognition only; Vport does not receive raw audio.
• Restricted Data: Vport does not request access to HealthKit, Photos Library, or Contacts.
• Location: Access is limited to IP-derived region; we do not request GPS permissions.

19. APPLE PRIVACY MANIFEST (VISIONOS)

Vport's Apple Vision Pro app includes a PrivacyInfo.xcprivacy manifest declaring:

• NSPrivacyAccessedAPITypeUserDefaults: Declared (Code CA92.1) for storing local user preferences (volume, theme) only.
• NSPrivacyTracking: Set to false. Vport does not use data for cross-context behavioral advertising or data broker sharing.
• Data Categories: We declare collection of Usage Data (Product Interaction) and Diagnostics (Crash Data) linked to User ID for app functionality and analytics.