Skip to content
English
Request Support
  • There are no suggestions because the search field is empty.

Data use, privacy and security

How Bodyswaps collects, processes and stores data and its relation to privacy, security and legal requirements.

 
 

Executive Summary

Bodyswaps is a 3D immersive training platform delivered via VR headsets, desktop and mobile devices.

We process learner data solely to deliver interactive training experiences, generate personalised feedback, and provide agreed organisational reporting.

For organisational deployments, the customer (e.g. employer or institution) acts as the Data Controller. Bodyswaps acts as the Data Processor, processing personal data only under documented instruction.

Data is hosted in customer-selected regions (US, UK, EU or Canada) and handled in accordance with GDPR and ISO 27001 standards.

We do not sell personal data and we do not use learner data for advertising.

 

How we use data

Service Delivery

  • Running simulations and dynamic roleplay scenarios
  • Generating personalised feedback within the app
  • Saving progress to allow pause/resume across devices
  • Managing user authentication and licensing

Organisational Reporting

  • Providing dashboards showing completion and engagement

  • Aggregated confidence metrics (pre- and post-training surveys)

  • Downloadable learner reports where contractually agreed

Product Quality & Improvement

  • Monitoring performance and stability

  • Analysing feature usage and dwell times

  • Improving learning effectiveness and system reliability

Commercial & Legal Obligations

  • Billing and contract management

  • Customer support

  • Compliance with applicable laws

We do not use learner data for advertising, behavioural profiling outside of training, or resale to third parties.
 

Privacy

Bodyswaps is designed as a psychologically safe training environment. By default, it is a training tool, not an assessment or surveillance tool.

Unless explicitly stated within a clearly labelled assessment module:

  • Learner interaction data is used only for training feedback and agreed reporting.

  • No hidden monitoring or covert evaluation occurs.

Where research participation is offered, explicit opt-in consent is required.

We apply data minimisation principles and collect only what is necessary to deliver the service.

 
 

What data we process

Customer (Organisation) Data

We process limited business contact information for:

  • Contract administration

  • Billing and invoicing

  • Account management

  • Service communications

Examples:

  • Organisation name

  • Key contact name and email

  • Payment records

 

Account & Licensing Data

To enforce licensing agreements and secure access, we process:

  • One-way hashed device identifiers (derived from device serial and network data; not reversible)

  • Device model and OS version

  • Configuration settings

  • Module usage counts (for billing and licence tracking)

This data is used solely for service operation and contractual compliance.

Learner Records

As learners use the platform, we may process:

  • Account identifiers (name, email where required by customer)

  • Module progress and checkpoint completion

  • Avatar selections

  • Survey responses (confidence ratings)

  • Responses to in-app questions or quizzes

  • Transcripts of learner speech within simulations

  • Engagement metrics (e.g. dwell time, skip usage)

Survey and engagement data are aggregated for organisational dashboards where applicable.

Speech Recognition

The platform uses speech recognition to enable natural conversation with virtual characters.

During use:

  • Audio is securely transmitted (encrypted in transit) to Microsoft Azure Speech Services for real-time transcription.

  • Audio recordings are not stored by Bodyswaps after transcription.

  • Only transcripts are retained where required to generate feedback or for learner review.

Learners are clearly informed when microphone access is active.

 

Large Language Models (LLMs)

In selected modules, we use Large Language Models (LLMs) to enhance personalised feedback and to drive avatar responses based on learner transcripts.

Current providers include Google and Open AI services. Providers may change to maintain quality, reliability, or cost efficiency.

Key safeguards:

  • We do not intentionally transmit direct personal identifiers with transcripts.

  • Transcripts are not used by us to train public AI models.

  • AI functionality can be disabled at account level (which may reduce functionality).

 

Data movement & sub-processors

Like most SaaS platforms, Bodyswaps uses carefully selected sub-processors to deliver secure and scalable services.

We conduct due diligence and ensure appropriate contractual safeguards are in place.

 

Core service sub-processors
Processor Details Region Options
Google Cloud Application hosting, backend services, Firestore database

US / UK / CA / EU
Microsoft Azure

Speech-to-text processing

Text-to-Speech processing

 US / UK / CA / EU
Google Gemini

LLM-based transcript analysis (selected modules)

US
Open AI

LLM-based transcript analysis (selected modules)

US
MongoDB Atlas

Storage of AI inferences and prompts

EU
Sendgrid

Automated service emails

US / EU

Support / commercial sub-processors
Processor Details Location
Hubspot Support ticketing and CRM. US
Slack 

Internal support coordination

US
Vitally

Customer account management

US
Notion

Internal project tracking

US
Xero

Invoicing. 

US
Trumpet

Customer information sharing 

US
Zapier

Workflow automation

US
Gong

Sales call recording.

US
Kajabi

Bodyswaps Academy course hosting. 

US

Where data is transferred outside the UK or EEA, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.

Customers are notified of material sub-processor changes in accordance with contractual terms.

Data Retention

We process personal data for the duration of the active contract.

Following contract termination:

  • Customer data remains accessible for 90 days.

  • After 90 days, personal data is deleted and other data is archived.

  • Archived backups are retained only as required for legal or regulatory purposes.

Retention periods may vary where required by law.

Security Measures

We implement technical and organisational safeguards including:

  • Encryption in transit (TLS 1.2+)

  • Encryption at rest (AES-256 where applicable)

  • Role-based access controls

  • Regular penetration testing

  • Secure key management

  • Backup and disaster recovery procedures

Bodyswaps is ISO 27001 certified.

GDPR Compliance & Data Subject Rights

We comply with GDPR and applicable UK data protection law.

Our commitments include:

  • Conducting Data Protection Impact Assessments (DPIAs) where required

  • Processing data only under documented controller instruction

  • Supporting data subject rights, including access, rectification, deletion, restriction, objection, and portability

  • Maintaining a documented breach response plan, including regulatory notification where required

  • Providing regular data protection training to staff

Data subject requests can be submitted to:

support@bodyswaps.co

Where Bodyswaps acts as Data Processor, requests will be directed to the relevant Data Controller (the organisation)