1. Bodyswaps Help Centre
  2. Privacy, Security, and Compliance

Data use, privacy and security

How Bodyswaps collects, processes and stores data and its relation to privacy, security and legal requirements.

The intended audience are companies deploying Bodyswaps that wish to ensure their users data is processed lawfully and securely.  
 
Table of contents:

Executive Summary

Bodyswaps is a 3D immersive training application that runs on PC and standalone VR headsets, mobile devices and as a Windows application.
The Bodyswaps client application works as a player and a single application can host multiple training content. Content is built from discrete learning templates designed and produced by Bodyswaps.
The application communicates with several cloud services in order to provide aspects of its functionality.
Bodyswaps is GDPR compliant and data is processed and stored within specific regions that are set on a per customer basis.
 
 

How we use data

Data is generated by the learners activity in the app and is collected by our servers. This data is used to:
  • drive our dynamic roleplay scenarios and training modules
  • provide personalized feedback to the learner in the app and in downloadable reports 
  • allow users to pause/resume sessions across multiple devices
  • track learners progress for organisational records
  • improve our product

Privacy

Bodyswaps is a safe psychological space to learn and practice communication skills. It is not an assessment tool.
Unless explicit consent is given by the user within the app, for approved research purposes only, no personal data is shared with any third party or with the contracting organisation. This is to protect learners of our modules from being assessed, without their knowledge, outside of clearly marked assessment activities.
If and when assessment activities are added in the future, they will be clearly delineated and identified as such.
Outside of our legal responsibilities as a company, it is equally important to us that our users privacy is respected and that trust is not broken.  
 

What data we process

This section details the type of data we collect and process and why.

Customer Records

We store information internally relating to our customers (the organisation), for the purposes of billing (invoicing), contractual, communication and for development purposes.
Data Notes
Account holder business name, and key contact details. Required for billing and product notifications
Payment History Required for billing

Account & Licensing Data

‌Our app is protected via a licensing management system that ensures that our application is being used by our customers within the terms specified in our commercial agreements. The app sends device serial numbers and model information to our license server for validation. We can also remotely personalise the app experience for each customer (for example changing logos, updating privacy settings). We also log when content is launched inside the app for where billing is charged on a per session model.
 
Data Notes
Device unique identifier We store a unique hash of your device serial ID and network address. This uniquely identifies your device without requiring either data. 
Configuration Data Various settings that allow us to remotely configure the app on a per account basis
App Usage Each time a module is run in the Bodyswaps app we update our records for billing purposes.

Learner Records

‌As learners progress through the module we store the following data.
Data Notes
Device model and OS versions Used for licensing & quality assurance purposes
Module progress When the user passes a checkpoint their progress is saved and backed up online so it can be resumed at a later point either on the device or on another
Avatar Selection The learners avatar selection is stored so that they can recall it later.
Survey answers We ask the user to rate their confidence across a number of learning objectives both pre and post training. This data is aggregated to provide metrics regarding training effectives in the organisation dashboard.
Transcripts Transcripts are used to drive our simulations and provide personalised feedback.
Answers Responses to questions and quizzes are used to generate reports for clients.
Feedback metrics Metrics related to providing personalised feedback in our analytics panels are captured for product quality control purposes only. 
Dwell times Dwell times and use of skip forward are captured for product quality control purposes only. 

Speech Understanding

‌The app uses speech recognition technology to allow learners to talk to avatars. The app detects the speed the user is talking at, how much they use filler words and performs keyword/semantic analysis to infer intent which is fed back to the learner in the form of personalised tips. As part of this process the voice data from the microphone is encoded and sent to a third-party cloud service for processing. The user is always informed when the microphone is recording. The audio recording is not stored by us beyond its use in the app. 

Large Language Models

We also use LLM's to provide advance personalised feedback based on user transcriptions in a limited number of learning modules. We currently use OpenAI and Googles AI services, but reserve the right to change provider for qualitive, cost or logistical reasons in future. We do not send personal identifying information with these transcripts, however it is possible that users may inadvertently reveal personal information in these dialogs. Transcripts are not used to train AI models. AI features can be disabled on an per account basis but will significantly impact the functionality of the application.
 

Data movement & sub-processors

Bodyswaps like most modern SaaS platforms uses third party sub processors to deliver our service to you. This enables us to scale efficiently and offer best in class redundancy and security. We reserve the right to change our service providers in future and will notify customers of any changes.

Core service sub-processors

Processor Details Location
Microsoft Azure We use Microsoft Azure Speech to text processing service to translate user voices to transcripts. This is anonymous and powers our NLP and voice control features.  Options: US/UK/CA/EU
Google Cloud We use Google Cloud to host our main business logic that manages the interactions between the app and our back-end services that allows our clients to manage their Bodyswaps deployment. This includes the collection of learner personal data in our secure Firestore database

Options:

US/UK/CA/EU

Open AI

We use LLMs to analyse user anonymous transcripts for natural language processing and product features in select activities.

US

Mongo

We store anonymous AI inferences and prompts in our Mongo DB Atlas cluster for quality and control purposes

EU

Sendgrid

Automated notification emails are sent via Sendgrid to notify users of events such as registration and completion of activities

Options:

US/EU

Google Gemini

We use Google LLMs to analyse user anonymous transcripts for natural language processing and product features in select activities.

US

Support / commercial sub-processors

Processor Details Location
Hubspot We use Hubspot to manage support tickets and responses - these may include name, email addresses and email conversations. US
Slack 

Used internally at Bodyswaps, we may use Slack to discuss support requests and licensing queries.

US

Vitally

We use Vitally to manage our customer relations including key contact information and account statistics.

US

Notion

Used internally at Bodyswaps, we use Notion to track internal processes as well as projects and/or requests from prospective or active customers. 

US

Xero

We use Xero for customer invoicing services. 

US

Trumpet

We use Trumpet with prospective and active customers as an interactive information sharing tool. 

US

Zapier

Used internally at Bodyswaps, we may use Zapier to automate connections between our platforms.

US

Gong

We use Gong to record virtual meetings with prospective and active customers for training purposes.

US

Kajabi

We use Kajabi to host and manage our customer access to the Bodyswaps Academy, including key contact data and course progression data for any users of this course. 

US

 

 

 

Geographic locations

We support the following geographic regions EU, UK, US or Canada.

Data flow architecture

‌The following diagram shows how data is moved between our various services.
 

Data Processing Period & Retention

We process the data of active users during the period of the contract in order to provide our services to you.

Following expiry or termination of the contract, we retain your data for 90 days, after which personal information is deleted and then archived.

GDPR compliance

This is how we comply with GDPR law:
  • We conduct Data Protection Impact Assessment (DPIA) to identify potential risks and vulnerabilities associated with the processing of personal data. 
  • We implement appropriate technical and organizational measures to ensure confidentiality, integrity and availability of personal data such as encryption, access controls and backups. We conduct regular penetration tests, data is securely encrypted in transit and at rest (AES256) 
  • We obtain explicit consent from individuals before processing their personal data and provide them with clear and transparent information about how their data will be used through our End User Agreement and Privacy Policy.
  • We give individuals the right to access, correct, or delete their personal data, as well as the right to object to its processing or to withdraw their consent at any time. Requests can be sent in email to support@bodyswaps.co and will be processed in a timely fashion
  • We ensure that all data transfers to third parties, whether within or outside the EU, are conducted in compliance with GDPR requirements and that appropriate safeguards are in place.
  • We provide regular data protection training to employees and contractors who have access to personal data to ensure they understand their obligations and responsibilities under GDPR.
  • We have a clear data breach response plan that outlines how we detect, investigate, and report any data breaches to the relevant authorities (ICO) and affected individuals.
  • We conduct regular audits and reviews of your data protection policies and procedures to ensure they remain up-to-date and effective.

We are ISO 27001 certified.