Legal
Privacy Policy
Volta Connect Studio — Early Access Programme
Last updated: 9 March 2026
1. Who We Are
Volta XR Ltd ("Volta", "we", "us") is the data controller for personal data collected through Volta Connect Studio and its associated services. We are a company registered in England and Wales. You can contact our data privacy contact at privacy@volta-xr.com.
This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Platform, and describes your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Collect
2.1 Account Data
When you sign in, we collect your email address. We use a passwordless magic-link system — we do not store passwords. We may also record timestamps of when your account was created and last accessed.
2.2 Usage Data
We collect information about how you use the Platform, including: pages and features accessed, experiences created or modified, template usage, WebSocket connection events, and error logs. This data is collected through server-side logs and application telemetry.
2.3 User-Generated Content
The Platform enables you to create and publish experiences. Any content you upload or submit — including images, text, drawings, and configuration data — is stored by us as part of the service. Where content is submitted through audience-facing templates (e.g. audience image uploads or text responses), that content may also include data submitted by your audience members.
2.4 Audience Member Data
When audience members participate in experiences you create (e.g. by scanning a QR code and submitting a response), they interact with the Platform directly. The data they submit (text, images, sensor data) is associated with their session and your experience layout, not with a named audience member account. We do not knowingly collect personal data from audience members beyond the content they voluntarily submit.
If you use the Platform to collect personal data from audience members, you may be acting as a data controller in respect of that data. See Section 9 (Data Processing Agreement) for further information.
2.5 Technical and Device Data
We automatically collect IP addresses, browser type, operating system, and request headers as part of standard HTTP server logs. This data is used for security, debugging, and infrastructure purposes.
2.6 Communications
If you contact us by email or through feedback channels, we retain those communications and any personal data they contain.
3. How and Why We Use Your Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Providing the Platform (authentication, saving experiences, WebSocket connections) | Account data, usage data, UGC | Performance of contract (UK GDPR Art. 6(1)(b)) |
| Sending magic-link sign-in emails | Email address | Performance of contract |
| Content moderation (automated screening of UGC) | UGC (text, images) | Legitimate interests (protecting users, audiences, and Volta from harmful content) |
| Security, fraud prevention, and abuse detection | Technical data, usage data | Legitimate interests |
| Platform improvement and debugging | Usage data, error logs | Legitimate interests |
| Communicating programme updates, important notices | Email address | Legitimate interests / consent where required |
| Compliance with legal obligations | Any relevant data | Legal obligation (UK GDPR Art. 6(1)(c)) |
4. Who We Share Data With
We do not sell your personal data. We share it only with the following categories of recipients, and only to the extent necessary:
4.1 Sub-processors
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure (compute, database, storage, API). Primary region: eu-west-2 (London) | United Kingdom | Data processed within UK; AWS Data Processing Addendum |
| Resend | Transactional email delivery (magic-link sign-in emails) | United States | International Data Transfer Agreement (IDTA) / Standard Contractual Clauses |
| Stream (GetStream.io) | Automated content moderation of user-generated text and images | United States | IDTA / Standard Contractual Clauses |
| Cloudinary | Image upload, processing, storage, and delivery | United States | IDTA / Standard Contractual Clauses |
4.2 Legal Disclosures
We may disclose personal data where required by law, court order, regulatory authority, or to protect the rights, property, or safety of Volta, our users, or others.
4.3 Business Transfers
If Volta is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will provide notice before data is transferred and becomes subject to a materially different privacy policy.
5. International Data Transfers
The majority of your personal data is stored and processed within the United Kingdom (AWS eu-west-2). However, some sub-processors (Resend, Stream, Cloudinary) are based in the United States. Transfers to these processors are made in reliance on the International Data Transfer Agreement (IDTA) or Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), which provide equivalent protections to those within the UK.
6. Data Retention
| Category | Retention period |
|---|---|
| Account data (email, session tokens) | Until you delete your account, plus 30 days for backup recovery |
| Experiences and UGC you create | Until you delete them or your account |
| Audience submission data | Until the associated experience is deleted, or 90 days from submission, whichever is sooner |
| Content moderation records | 90 days (operational), up to 7 years where required for legal or compliance purposes |
| Server access logs | 90 days |
| Email correspondence | 3 years |
7. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete your data in certain circumstances.
- Restriction: ask us to limit how we process your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests, including direct marketing.
- Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, email privacy@volta-xr.com. We will respond within one calendar month. We may ask you to verify your identity before acting on a request.
8. Automated Decision-Making
Our content moderation systems make automated decisions about whether to allow or flag content submitted through the Platform. These systems use machine learning classifiers and are not infallible. Where a decision to block or remove your content has a significant effect on you, you have the right to request human review. Contact us at privacy@volta-xr.com to do so.
9. Data Processing Agreement
If you are a business user and your use of the Platform involves the collection or processing of personal data from third parties (such as your audience members), you may be a data controller and Volta may be acting as your data processor in respect of that data. In such cases, a Data Processing Agreement is required under UK GDPR Article 28. Please contact privacy@volta-xr.com to request a DPA or review our standard DPA at volta-xr.com/legal/dpa.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. However, no method of transmission or storage is 100% secure and we cannot guarantee absolute security.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.
11. Cookies
The Platform uses a small number of strictly necessary cookies and session tokens to maintain your authenticated session. We do not currently use cookies for tracking or advertising purposes. If this changes, we will update this policy and seek your consent where required.
12. Complaints
If you are unhappy with how we have handled your personal data, please contact us first at privacy@volta-xr.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
ICO website: ico.org.uk — ICO helpline: 0303 123 1113
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or in-Platform notice. The "Last updated" date at the top indicates when the policy was last revised. Continued use of the Platform after changes take effect constitutes acceptance of the revised policy.