Effective date: August 30, 2019 (updated December 3, 2025)
Wonda Inc and Wonda SAS (“Wonda”, “we” or “us”) operate the wonda.pro website and the pro.wondavr.com platform, which together provide Wonda’s immersive learning authoring and publishing software and associated web applications.
This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.
We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, the terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible from help.wondavr.com
Your privacy protection is important to us. This is why we have adopted the EU’s General Data Protection Regulation 2016/679 (“GDPR”), UK General Data Protection Regulation (“UK GDPR”) and the California Consumer Privacy Act 2018 (“CCPA”). This privacy notice relates to all personal data we process and addresses the legislation mentioned.
‘Personal data’, in this privacy notice, means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Useful Resources
We remain committed to building a secure learning platform that protects the privacy and security of learners' and employees’ data. We provide all users with the tools to ensure that their data, information and operations are secure and protected.
Privacy features embedded with the Wonda platform are GDPR compliant and adhere to local privacy legislation requirements. However, some responsibility for compliance and safety rests with the organisation that controls how the Wonda platform is used.
We encourage institutions and organisations to implement security measures for their Wonda installation and:
Provide students/employees/clients with specific privacy policy notice about the data they collect using Wonda so that they can be completely transparent with their learners, educators and anyone who visits their site on how they collect, use or disclose their data;
protect digital minors with age-of-consent checks and manage access for minors who require parental agreement to access their learning management system;
enable users to easily request access to their data, to see the policies they’ve agreed to and appoint a Privacy officer role to manage subject access/deletion requests from such users centrally.
We have also included some useful resources for your use in engaging with Wonda:
Our standard Data Processing Agreement (DPA) that covers all of our products and services in a concise and comprehensive Schedule 1.
Cross Border Standard Contract Clauses (SCCs) that will allow us to contract with you to ensure protection of any personal data required to be transferred outside the EEA.
Our General Principles
To provide you with our services or to communicate with you, we may need to collect and use certain personal data. We do so while adhering to the highest standards of privacy and data protection, including compliance with the European General Data Protection Regulation (GDPR).
Our general principles and legal basis defined by the GDPR for controlling or processing personal data are:
Consent (Article 6.1(a) GDPR): You provide informed consent to us or have a reasonable expectation that we will use your information in a certain way – for example, to engage in our community discussions, or to hear about new services or offers.
You can withdraw your consent at any time either by selecting ‘delete my data’ within the specific service or by request to privacy@wondavr.com;Contract (Article 6.1(b) GDPR): Providing our services and fulfilling our obligations to you, usually relating to a terms of service or partnership agreement;
Legal Obligation: (Article 6.1(c) GDPR): The necessity to meet compliance with our legal obligations; and/or
Legitimate Interest (Article 6.1(f) GDPR): We (or a third party) have a legitimate interest in processing that is not overridden by your data protection rights.
We only rely on legitimate interests after assessing both our interests and your rights.
Some purposes we consider our legitimate interests include:Improving and securing our platform (e.g., analyzing usage to improve features, or processing data to detect fraud or security incidents).
Communicating with our existing customers about product updates or features (within reasonable expectations and not in a privacy-intrusive way).
Internal administrative purposes (for example, transferring data within the Wonda corporate group if applicable, for centralized services).
If we rely on legitimate interests and you object to the processing, we will review that objection seriously. Note that if you object, and we cannot demonstrate compelling legitimate grounds, we will stop the processing in question.
We may process special categories of personal data (GDPR Article 9) only in very limited scenarios and with additional safeguards:
Wonda generally does not seek to collect special category data about users. However, users might themselves input such data into the platform (e.g., a learner might mention their health condition or political opinion in an open text response).
In such cases, we treat it with high security and it remains under the control of the data controller (the institution). We do not use this data for any purpose except to provide the service (e.g., store it as part of the simulation record).For our own employees, we may hold special category data (like health data for sick leaves or biometric data if any for security access) as allowed by employment laws. This is processed in accordance with applicable law and not shared externally.
If we ever need to process special category data on behalf of a client (for example, if an educational customer designs a simulation specifically collecting health information), we would ensure it’s processed in line with Article 9 GDPR (e.g., explicit consent or under an educational exemption if applicable).
We also would include such processing in our DPA and assist the client in conducting any needed Data Protection Impact Assessment (DPIA).
If you would like more details about which data and how we and our subprocessors use it, please refer to our Register of GDPR Information by Sub Processors.
How We Collect Personal Data
Wonda collects personal data from you when you interact with us. This can be through our websites, over the phone, in person, including, without limitation, when you:
create an individual or corporate user account;
request support;
register for or participate in an online class, exam, certification, training, webcast or other event;
request information or materials;
participate in surveys or evaluations;
participate in promotions, contests or giveaways;
make a purchase through our online payment system;
apply for employment;
submit questions or comments; or
submit content or posts on our forums or other interactive webpages
create or upload content on Wonda (for instance, building a simulation, or posting on a discussion forum within the platform), we collect the data you input. This can include text, images, audio/video recordings of your voice or likeness (if you choose to record media in the platform), etc. This content is stored on our servers as part of providing the service to you and your organization.
In addition, when you use Wonda (or browse our websites), certain data gets collected automatically including:
Usage and Device Information: We collect information about how and when you access the service. This includes device information (such as device type, operating system version, browser type, screen resolution for VR or web), log information (such as IP address, timestamps of actions, pages or features accessed, and in-app events like “user started simulation X”), and referral information (how you arrived at our site).
Cookies and similar technologies: We use cookies on our websites and application. These can be essential cookies (for login sessions, preferences), as well as analytics cookies. Cookies allow us to remember your session (so you don’t have to log in repeatedly) and to understand usage patterns. We don’t use cookies for advertising purposes to unrelated third parties. You have the ability to manage cookie preferences via our cookie banner or your browser settings.
Telemetry and Diagnostics: If the app encounters an error or crash, we may collect a crash report or error log which helps us diagnose the issue. These reports typically include technical details like device state and codes, not user content, except possibly a user ID to correlate with a session.
In some cases, we receive personal data from third-party sources:
Enterprise or Education Clients: If your use of Wonda is provisioned by an organization (e.g., your employer or school), they may give us a roster or list of authorized users. For example, an administrator might provide a list of student emails to pre-create accounts or invite users to the platform.
Single Sign-On (SSO) Providers: If you log in via SSO (Google OAuth, Microsoft Azure AD, etc.), we get basic account info from that provider (like your verified email and name) to create or sync your profile. The exact data shared by SSO depends on what your identity provider releases to us (often it’s just name and email, sometimes an ID and group membership if configured).
Partners and Resellers: If you were referred to us by a partner or signed up through a reseller, we might receive your contact information from them (they should have obtained your permission to share it with us). We use this to onboard you to Wonda.
Social Media or Other Accounts: If you interact with our social media pages (like our LinkedIn or Twitter) or participate in an online event/webinar, we may receive your information via those platforms under their privacy settings.
In general, we strive to limit third-party data to only what’s needed to serve you. For instance, we don’t buy marketing lists from data brokers. And whenever we combine data from third parties with data you gave us, we treat it all according to this Privacy Policy.
How We Use Personal Data
We use the personal data we collect for the following purposes:
To provide and maintain our Service: This includes using data to set up your account, host your content, run simulations, and ensure the platform functions as intended. For example, if you upload a video into Wonda, we process that video so it can be streamed to participants in a simulation; if you create a quiz, we store and retrieve the questions and answers during sessions.
To personalize your experience: We might use data like your role (e.g., teacher vs. student) or past activity to tailor what you see. For instance, an instructor sees an “admin” dashboard that a learner does not; or we might remember where you left off in a simulation and return you to that point when you log back in.
To improve the Service: Understanding usage patterns helps us make Wonda better. We analyze aggregated data on which features are used most, where users might get stuck, or how simulations perform. If we see many users dropping off at a certain step, we investigate if the UI needs improvement. We also use user feedback and support inquiries to identify areas for enhancement.
To communicate with you: We use contact information (email, possibly phone) to send necessary communications.
These include:Service and account messages: We may email you to verify your email address when you sign up, to alert you of important account activity (like password changes or login from a new device), or to inform you of critical service updates (like scheduled maintenance or security alerts).
Customer support responses: When you reach out with a question or issue, we will use your contact info to respond and guide you.
Announcements and newsletters: With your consent or as permitted, we might send newsletters, invites to webinars, or product announcements. You can opt out of these at any time (each such email has an “unsubscribe” or settings link).
To ensure security and prevent abuse: We may use data (like IP addresses, log-in attempts, and user-agent strings) to detect and mitigate fraudulent or malicious activity. For example, we might detect that multiple accounts are being created from one IP in a short time, which could signal a bot, and then employ a CAPTCHA or block that IP temporarily. We also keep logs to investigate breaches or misuse. In an enterprise context, we can provide admin users with audit logs of their team’s activities (like who accessed which simulation and when) to help them maintain proper use.
To comply with legal obligations: This includes using data for compliance purposes, such as maintaining accurate financial records, honoring user data requests under privacy laws, or disclosing information when lawfully required by authorities (after verifying the legitimacy of such requests).
We do not use personal data for any purposes that are incompatible with the above, and we do not sell personal data to third parties.
If we ever consider a new use of your data (for example, some new analytics that require broader use of data), we will update this policy and, if necessary, request your consent or give you an opt-out option.
Disclosure of Personal Data
We treat personal data as confidential, and it is our policy not to disclose your personal data to third parties except in the following circumstances:
Service Providers (Subprocessors): We share data with third-party companies that we engage to perform services on our behalf (referred to as subprocessors).
These include cloud hosting providers, email delivery services, customer support software, analytics services, AI service providers (as described in other documents), etc. These subprocessors only receive the data necessary for their function and are contractually obligated to protect it and use it only for our instructed purposes. We maintain an up-to-date list of our subprocessors (see the list of the Wonda platform Subprocessors).
Notable examples: Google Cloud (which hosts our databases and files), Intercom (our customer support and documentation platform, which would have your email and support chat history if you use our help widget), Mailjet (which sends invitation or notification emails), and others.Within a corporate group: If Wonda has affiliates or subsidiaries involved in providing the service, we may share data with them. For instance, if we ever establish a data center in another region operated by a Wonda subsidiary, user data might be processed there. Any such intra-group sharing is covered by internal agreements ensuring the same level of protection.
Legal Requirements: We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). Before disclosing any information, we will verify the request’s legitimacy and scope and ensure that only the necessary data is provided. When permitted, we would inform the affected user or client of such a request.
Business Transfers: If Wonda is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal data may be transferred as part of that transaction. We would ensure that the new owner or successor entity either honors this Privacy Policy or provides you notice and opportunity to exercise your rights if the policy changes.
Enforcing Our Rights or Safety: We may disclose personal data if necessary to enforce our terms and conditions or other agreements, or to investigate potential violations of those terms. We may also share information as necessary to protect the rights, property, or safety of Wonda, our users, or others. For example, exchanging information with other companies and organizations for fraud protection or to report threats and content that violates the law.
We take steps to ensure any third-party disclosure is done securely. For example, when we share data with subprocessors, it’s transmitted securely and we choose reputable firms with strong security track records.
We do not sell personal data to marketers or other unrelated third parties. We also do not share personal data with third parties for their own direct marketing purposes unless you have separately consented to that sharing.
For certain features of our Service, we rely on specialized third-party processors. For example, if you use Wonda’s AI-powered functions – such as having speech transcribed into text, or generating feedback via a conversational AI – the relevant data (your audio or text input) is sent securely to our AI technology providers (currently OpenAI and ElevenLabs) for processing.
These providers are not permitted to use your data for any purpose other than delivering the requested service, nor to retain it longer than necessary.
This means content you submit to these AI features is not used to train the providers’ models and is not stored by them once the AI output is returned to Wonda.
If such processing involves transferring personal data outside of your region (for instance, to servers in the United States), we rely on appropriate safeguards (including Standard Contractual Clauses) to protect your privacy.
If you would like more details about which data we collect and how our subprocessors use it, please refer to our Register of GDPR Information, which provides further specifics on data categories and processing purposes.
How We Store Personal Data
We maintain physical, organizational, and technical safeguards to protect all personal data we hold. We endeavor to keep your information accurate and up-to-date, and not keep it longer than necessary.
Storage locations: The personal data we collect is primarily stored on secure servers in the European Union (we currently use Google Cloud’s EU datacenters for primary storage).
Some data may be duplicated in other regions if a client specifically uses a service hosted elsewhere or for backup redundancy, but by default production data is in the EU.Security measures for storage: All personal data is stored in encrypted form when at rest. For example, our databases use encryption, and our file storage buckets encrypt files on disk. Access to these storage systems is limited to authorized personnel and services (protected by network restrictions and access controls). We also implement measures like regular security audits and penetration tests to ensure our storage remains safe.
Retention periods: We keep personal data only for as long as it is necessary to fulfill the purposes for which it was collected, or as required by law or legitimate business purposes.
For instance:
Account information (like your profile details) is kept as long as you have an account with us. If you delete your account, we will delete or anonymize that information (unless required to retain it for legal reasons).
Content you create on Wonda (simulations, responses, etc.) is stored until you or your organization deletes it. If your organization’s contract with Wonda ends, they will have an opportunity to export their data, and then we will delete it according to our contract.
Logs and backups are retained for a limited time and routinely purged. For example, basic server logs might be kept for 7 days for backup and up to 30 days for logsa few weeks for security analysis, and then they are automatically deleted or anonymized.
If you participated in an event or a marketing mailing list and then unsubscribed, we might keep a minimal record of your request to avoid contacting you again (as permitted by law).
Deletion and anonymization: Once the retention period is over, or if we receive a valid deletion request, we will either securely delete the personal data or anonymize it (so it can no longer be associated with a person). Anonymized data (which might be aggregated usage statistics, for instance) may be retained for analytical purposes, since it no longer constitutes personal data.
Ongoing protection: We continually update and patch our systems and storage to address new security threats. In the unlikely event of a security breach, we have incident response plans (as detailed below under “Your rights...notification of data breaches”) to promptly address and mitigate any issues.
In summary, we aim to store your data securely and only for the duration needed. If you have questions about specific data retention (for example, “How long do you keep X type of data?”), you can contact us using the information at the end of this notice.
Marketing
We have no interest in collecting any data beyond what is needed to ensure our services work for you. We do not sell or rent your personal data to any third party for marketing purposes.
If we intend to use your personal data for any marketing or promotional communications, we will either do so based on your prior consent or in accordance with applicable law (for instance, some jurisdictions allow us to send product updates to existing customers, but we always provide an opt-out).
Examples of marketing communications:
if you explicitly sign up for our newsletter on our website, we will send you occasional emails about product news, new features, or industry insights. These emails will contain an easy way to unsubscribe (for instance, a link at the bottom of the email).
If you are an existing customer using Wonda, we might send you information about related services or upgrades that could be of interest. We strive to keep these communications infrequent and relevant. You can opt out if you prefer not to receive them.
We respect your choices. If you opt out of marketing emails, we will stop sending them. Opting out of marketing communications will not affect your receipt of important service-related communications (we may still email you about password resets, critical updates, etc., as those are not marketing but rather necessary for using our service).
To summarize, our stance is that your data is used to serve you, not to serve us advertisements. Any marketing we do is meant to be helpful and is typically only directed to those who have indicated interest. And you always have the choice to say “no thanks.”
Your Rights When We Process Your Personal Data
At any point while we are in possession of or we process your personal data, you have the following rights:
right to withdraw consent;
right of access;
right of rectification;
right to erasure;
right of data portability;
right to restrict processing;
right to object;
right to object to automated processing, including profiling;
right to know;
right to opt out of the sale of your personal information, although we do not sell your data;
right to judicial review: in the event that we refuse your request under rights of access, we will provide you with a reason as to why;
right to be free of discrimination if you exercise your rights;
notification of data breaches; and/or
the right to lodge a complaint with a supervisory authority.
Where we are your Data Controller, please make your request directly to the Data Protection Officer at privacy@wondavr.com. We will always respond within one month.
However, if we are processing your data on behalf of your Data Controller (your university or your employer) you should contact them directly.
Notification of data breaches: In line with the GDPR and other applicable laws, if the Wonda platform experiences a personal data breach (meaning a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data) that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay. We would inform you of the nature of the breach, the likely consequences, the measures we have taken or propose to take, and offer guidance on steps you may need to take to protect yourself. We sincerely hope never to have to send such a notice, but we want you to know that we take these obligations seriously.
Privacy notices of other websites
Our Service may contain links to other websites or services that are not operated by us. For example, in our Help Center articles we might link to an external resource, or users in a simulation might embed a YouTube video or a link to an external site.
This Privacy Policy applies only to Wonda and the processing we do. We have no control over the content or privacy practices of external sites.
If you click on a third-party link or access a third-party service (even one that’s integrated with Wonda, like an LTI-linked tool), we strongly advise you to review the privacy policy of that third party. We are not responsible for the privacy policies or practices of any third-party sites or services.
That said, if you integrate Wonda with a third-party system (like connecting Wonda to Slack or another app via our API), the data that flows to that third party is governed by your arrangement with that third party. We will of course ensure any transfer from our side is done securely and only at your initiation.
Children and Personal Data
Here at Wonda we understand the importance of protecting the personal data of children under the age of 16. It is not our intention to collect personal data from a child. If you believe that a child has disclosed personal data or that we hold personal information about a child, please email us at privacy@wondavr.com.
Verification
When you exercise your privacy rights, we need to verify your identity to prevent unauthorized requests.
For example:
If you request a data export or deletion, we may perform identity verification by requiring you to send the request from the email associated with your account and confirming an action through a logged-in session.
For sensitive requests (like access to personal data or account deletion), we might ask for additional information if we have doubts — such as asking you to confirm some profile info we have on file, or in rare cases, providing a piece of identification. We only do this to ensure that someone else isn’t trying to impersonate you in order to get your data.
If an authorized agent is making the request on your behalf (as allowed under some laws like CCPA), we will require proof of that agent’s authority (for example, a written permission from you). We will also verify the agent’s identity and potentially directly confirm with you that you permit the request.
We will use information provided in a verification request solely to verify and to log that verification occurred. This might involve storing a notation like “Verified identity via email on [date]” along with your request.
Amendments to Our Privacy Notice
We update our privacy notice when necessary or in response to:
feedback from our community, customers, relevant authority, industry or other stakeholders;
changes in our products or services; and/or
data processing or policy changes.
The “last updated” date at the top of this privacy notice reflects when the most recent changes were made. We encourage you to periodically review this privacy notice for any amendments. Continued use of the Service after any modifications to the Privacy Policy will signify your acknowledgment of the changes and consent to abide by the updated terms, to the extent permitted by law.
How to Contact Us
If you have any questions about our privacy notice, please contact us by email at privacy@wondavr.com, or by mail at:
Wonda VR Inc (Attn: Data Protection Officer)
C/O Constantin 20 W 55TH ST FL 7
New York, NY 10019
Wonda VR SAS (Attn: Data Protection Officer)
16 rue du Caire
75002 Paris, France
We will respond to your inquiries as promptly as possible. If you contact us by mail, please allow additional time for us to receive and process the letter. In any correspondence, please include your contact information and a detailed description of your question or request. This will help us route your inquiry to the right team and get back to you with an accurate answer.