Legal information

Skillsive / EHS VR Privacy Policy

Important policies for using Skillsive services, privacy settings, and account safety on public pages.

Public policyLast updated: April 17, 2025

Introduction

This Privacy Policy (hereinafter referred to as the "Policy") describes how BHP VR SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Warsaw (hereinafter referred to as "BHP VR", "we", "us", "our") collects, uses, protects, and shares personal data through the online platform available at skillsive.com and ehsvr.com and its associated virtual reality (VR) applications and other services (collectively referred to as the "Service" or "Platform").

We are committed to protecting your privacy and processing personal data in accordance with applicable laws, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – "GDPR").

Key Roles in Data Processing: It is important to understand that BHP VR's role in processing personal data differs depending on the context:

  • BHP VR as Data Controller: We are the data controller for the personal data of our Clients' representatives (e.g., contact persons, billing information) and visitors to our websites.
  • BHP VR as Data Processor: We act as a data processor with respect to the personal data of End Users (e.g., students, employees) that is entered and managed on the Platform by our Clients (Organizations) for the purpose of conducting VR training. In this case, the Data Controller of the End Users' data is the Client (Organization).

This Policy complements the Skillsive / EHS VR Terms of Service ("Terms"). Using the Service signifies that you have familiarized yourself with this Policy. Where we process End User data on behalf of the Client, the legal basis and detailed rules for such processing are also governed by a separate Data Processing Agreement (DPA) concluded between BHP VR and the Client.

1 Definitions

Terms used in this Policy shall have the following meaning:

  1. Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
  2. Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  3. Data Controller: The entity which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of Client representative data, the Controller is BHP VR. In the context of End User data entered by the Client, the Controller is the Client (Organization).
  4. Data Processor: The entity which processes personal data on behalf of the Data Controller. BHP VR is the Data Processor for End User data on behalf of the Client.
  5. Data Subject: A natural person whose personal data is processed (e.g., Client Representative, End User, website visitor).
  6. Client / Organization: A business entity, educational institution, or other organizational unit that uses the Service based on an agreement with BHP VR.
  7. Client Representative: A natural person acting on behalf of the Client (e.g., contact person, contract manager, account administrator).
  8. End User / Student: A natural person (e.g., employee, student, trainee) authorized by the Client to use the VR Applications within the Client's Subscription.
  9. Platform / Service: The SaaS system available online at skillsive.com and ehsvr.com and associated VR Applications and other services provided by BHP VR.
  10. VR Applications: Software designed for use on VR Devices, offering interactive training and simulations.
  11. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  12. Sub-processor: A third-party service provider engaged by BHP VR that may process personal data to help deliver the Service (e.g., hosting provider, AI service provider).
  13. Cookies: Small text files stored on a user's device when visiting a website. Details in the Cookie Policy.

2 Data Controller & Processor Information

  1. The Data Controller for the Personal Data of Client Representatives and visitors to skillsive.com and ehsvr.com is: BHP VR SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ ul. Ludowa 2 / 20, 00-780 Warszawa, Poland KRS: 0000775079, NIP (Tax ID): 7551935718, REGON (Business ID): 382887375

  2. The Data Processor for the Personal Data of End Users on behalf of the Client (who is the Controller of this data) is: BHP VR SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (details as above).

  3. For any matters concerning the processing of personal data by BHP VR, including exercising your rights, you can contact us via email: [email protected] or in writing to the registered office address provided above.

3 What Personal Data We Collect

We collect and process various categories of personal data, depending on your interaction with our Service:

  1. Organization (Client) and Client Representative Data (as Controller):

    • Identification and contact details of Client representatives: name, surname, email address, phone number, position.
    • Company data: Organization Name, Organization ID, address, Tax ID (if applicable).
    • Billing data: Information necessary for invoicing and payment processing.
    • Account information: Login credentials for Client representatives to the Platform, account preferences.
    • Data regarding GDPR consent management for Students within the organization: Student GDPR data processing status, Accepted GDPR document URL.
    • Correspondence and contact history with BHP VR.
  2. End User (Student) Data (as Processor on behalf of Client):

    • Identification data entered by the Client: Nickname.
    • Optional contact or identification data entered by the Client: Email address (can be null/empty), Phone number (can be null/empty), Employee ID number (can be null/empty). Important: The Client (Controller) decides if providing this data is necessary for their training purposes and is responsible for the legal basis for its processing.
    • Access data: Sign-in code.
    • Account information: Country ID, Language ID, Activity Status.
    • GDPR Consent Information (managed by Client): Consent Type (e.g., CorporateConsent), Accepted Document URL, Consent Status, Creation/Update Timestamps, Created By/Updated By Information.
    • Training activity data: Training results, Progress monitoring data, VR application usage statistics, Device usage data related to licenses.
  3. Platform Account/User Data (Client Representatives, BHP VR Admins):

    • Email addresses.
    • Basic account information.
    • Authentication data.
    • Session information.
    • User role permissions.
  4. Communication Data:

    • Content of email communications (e.g., via SendGrid for support, notifications).
    • Notification preferences.
    • System notifications.
  5. Technical Data (collected automatically):

    • Device IDs (including VR devices linked to subscriptions).
    • IP Addresses.
    • Browser and device information.
    • Session tokens, Authentication tokens.
    • System logs (may contain technical identifiers).
    • Data collected via Cookies and similar technologies (details in Cookie Policy).
  6. AI Interaction Data:

    • Input data (e.g., text, queries) provided to integrated AI services, such as OpenAI, to enable specific Platform features.
    • Data (potentially voice) processed by speech synthesis services, such as ElevenLabs, if such features are used. This processing aims to enable functionality; details regarding data storage by these services are governed by their own policies and DPAs.

Important Note on Optional End User Data: We emphasize that providing an email address, phone number, or employee ID for an End User is optional from the Platform's perspective. It is the Client (as Data Controller) who decides on the necessity of collecting this data for their purposes and is responsible for ensuring an appropriate legal basis (e.g., End User consent, if required). The absence of this data might limit certain functionalities (e.g., direct communication with the End User via the Platform or password recovery methods if login were email-based).

4 How We Collect Personal Data

We collect personal data in several ways:

  1. Directly from the Client (Organization) or its Representatives: During account registration, contract negotiation, Subscription purchase, Platform configuration, contact with our support (e.g., contact details, company data, billing information).
  2. Directly from the Client (Organization) about End Users: When the Client enters their employees' or students' data into the Platform (e.g., nicknames, optional contact info, IDs).
  3. Directly from End Users during Service Use: Through interactions with the Platform and VR Applications (e.g., generating training results, course progress, use of sign-in codes, activity data). Consent information might also be collected via the Platform if the Client configures such a process.
  4. Automatically during Service Use: When you interact with our Platform or VR Applications, we automatically collect certain technical data (e.g., IP address, device ID, browser type, system logs, usage data) using cookies and similar technologies (see our Cookie Policy).

5 Legal Bases for Processing Data (Art. 6 GDPR)

We process your personal data based on the following legal grounds under the GDPR:

  1. Performance of a Contract (Art. 6(1)(b) GDPR): This is the primary basis for processing Client Representative data and End User data necessary to provide the Service according to the concluded agreement (Terms and Subscription agreement). This includes managing accounts, providing Platform and VR Application functionality, processing training results, managing Subscription limits, handling payments, and providing technical support.
  2. Legitimate Interests of the Controller (Art. 6(1)(f) GDPR): We process certain data based on our legitimate interests, provided they do not override your rights and freedoms. Our legitimate interests include:
    • Ensuring Platform security, preventing fraud and abuse (e.g., monitoring logins, IP addresses, device limits).
    • Analyzing and improving the Service (e.g., analyzing aggregated, anonymized usage data to enhance functionality and user experience).
    • Direct marketing of our own similar products or services to existing Clients (always with an easy opt-out option).
    • Establishing, exercising, or defending legal claims.
    • Enforcing the Terms of Service.
  3. Consent (Art. 6(1)(a) GDPR): In some cases, we may ask for your consent to process data, e.g.:
    • For the use of certain cookies (analytical, functional – details in the Cookie Policy).
    • For receiving marketing information if you are not our Client.
    • For End Users: The Client (as Data Controller) is responsible for obtaining any necessary consents from their End Users for processing their personal data via the Platform, especially if collecting optional data (email, phone, employee ID) or processing data for purposes other than direct training delivery. BHP VR provides tools that can assist the Client in managing consents, but the legal obligation rests with the Client.
    • Potentially for processing data within specific, optional features (e.g., related to AI) if they go beyond contract performance or legitimate interest and require separate consent.
  4. Legal Obligation (Art. 6(1)(c) GDPR): We may process personal data when necessary to comply with legal obligations binding on us (e.g., tax laws, accounting regulations, responding to requests from competent authorities).

6 Purposes of Data Processing

We process your personal data for the following purposes:

  1. Providing and Managing the Service:
    • Enabling registration and management of the Client account.
    • Authenticating users and providing access to the Platform and VR Applications.
    • Delivering Platform functionalities, including managing End Users, courses, Subscriptions, and device limits.
    • Processing and storing data from completed VR trainings (results, progress).
    • Enabling and verifying the use of the offline mode for VR Applications.
    • Handling payments and billing for Subscriptions.
  2. Communication:
    • Sending important information regarding the Service (e.g., notifications about changes, technical downtimes, security updates).
    • Responding to inquiries and technical support requests.
    • Sending marketing and commercial information (with consent or based on legitimate interest with opt-out).
  3. Security and Compliance:
    • Monitoring Platform security, detecting and preventing threats, fraud, abuse (e.g., verifying compliance with device limits, analyzing unusual login patterns).
    • Enforcing the Terms of Service.
    • Fulfilling legal, regulatory, and reporting obligations.
    • Managing GDPR consents and documenting their status.
  4. Service Analysis and Development:
    • Analyzing how the Platform and VR Applications are used (often using aggregated or anonymized data) to understand user needs.
    • Improving existing functionalities and enhancing user experience.
    • Developing new features and services (see also 12).
  5. Enabling Specific Features:
    • Processing data (e.g., text) by integrated AI services (e.g., OpenAI) to deliver specific Platform functionalities.
    • Processing data (potentially voice) by speech synthesis services (e.g., ElevenLabs) to implement voice features.

7 Data Sharing & Third Parties

We do not sell your personal data. We may share personal data in the following situations:

  1. Client Access to End User Data: The Client (Organization) has access to the personal data of their own End Users that they process via the Platform, as they are the Controller of this data.
  2. Sub-processors: We use trusted third-party service providers (Sub-processors) who process personal data on our behalf to enable the provision of the Service. We have entered into appropriate Data Processing Agreements (DPAs) with them. Our main sub-processors include:
    • Microsoft Azure: Cloud infrastructure provider (hosting, databases, file storage). Data is primarily stored in data centers in the Western Europe (Netherlands/Germany) region.
    • SendGrid (Twilio): Email delivery service provider (system notifications, communication). Data may be processed in the USA.
    • OpenAI: Provider of artificial intelligence services used in certain Platform features. Data may be processed in the USA.
    • ElevenLabs: Provider of speech synthesis services, if these features are used. Data may be processed in the USA and/or EU.
    • Other providers: We may use other service providers (e.g., payment processors, analytics tools), and we will inform you as required by law.
  3. Legal Requirements: We may disclose personal data if required by law, e.g., upon request from a court or other competent authority.
  4. Business Transfers: In the event of a merger, acquisition, reorganization, or sale of some or all of our assets, personal data may be transferred to the successor entity, subject to the commitments made in this Policy and applicable laws.

International Transfers: As indicated above, some of our Sub-processors (SendGrid, OpenAI, ElevenLabs) may process data outside the European Economic Area (EEA), primarily in the United States. In such cases, we ensure an adequate level of protection for the transferred data by using mechanisms approved by the European Commission, primarily Standard Contractual Clauses (SCCs), supplemented where necessary by additional technical and organizational measures, in accordance with GDPR requirements and the case law of the Court of Justice of the EU (e.g., Schrems II ruling).

8 Data Storage, Security & International Transfers

  1. Data Storage Location: We primarily store Platform data, including personal data, on Microsoft Azure servers located in the Western Europe (Netherlands/Germany) region.
  2. Data Security: We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, among others:
    • Data encryption in transit (SSL/TLS) and at rest (e.g., database, storage encryption).
    • Access control mechanisms (authentication, role-based authorization).
    • Regular software and system updates.
    • Security monitoring and incident response.
    • Ensuring logical data segregation between different Organizations (multi-tenant architecture).
    • Employee training and confidentiality obligations.
  3. International Transfers: We confirm that primary data storage occurs within the EEA. However, the use of certain Sub-processors (listed in 7) may involve transferring data outside the EEA (mainly to the US). We ensure such transfers comply with the GDPR, based on appropriate safeguards like Standard Contractual Clauses (SCCs), and we conduct transfer risk assessments, implementing additional protective measures as needed.

9 Data Retention Period

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with the principles of data minimization and storage limitation:

  1. Client Representative Data: Retained for the duration of the contract with the Client and, after its termination, for the period necessary to comply with legal obligations (e.g., tax, accounting) or to establish/defend legal claims (usually until the statute of limitations expires).
  2. End User Data (processed as Processor): Processed for as long as required by the Client (Controller) under an active Subscription and according to the provisions of the Data Processing Agreement (DPA). Upon termination of the contract or explicit instruction from the Client, End User data is deleted or anonymized according to the procedures defined in the DPA (e.g., after an agreed grace period).
  3. Training Data: May be retained as needed by the Client (e.g., for certification purposes, H&S documentation), within the retention period for End User data, according to the Client's policy and the DPA.
  4. System Logs and Technical Data: Retained for a limited period necessary for security purposes, troubleshooting, and fulfilling legal obligations.

We may retain data in an anonymized form (preventing identification of individuals) for statistical or analytical purposes for a longer period.

10 Your Data Protection Rights (Data Subject Rights)

Under the GDPR, you have specific rights regarding your personal data. How you can exercise them depends on whether BHP VR acts as a Controller or Processor:

  1. Rights available to data subjects:

    • Right of access (Art. 15 GDPR): The right to obtain confirmation as to whether we process your data and to obtain a copy.
    • Right to rectification (Art. 16 GDPR): The right to request correction of inaccurate data.
    • Right to erasure ('right to be forgotten') (Art. 17 GDPR): The right to request deletion of data in specific cases (e.g., data no longer necessary, consent withdrawn, objection lodged).
    • Right to restriction of processing (Art. 18 GDPR): The right to request restriction of processing in certain situations (e.g., accuracy contested, processing unlawful).
    • Right to data portability (Art. 20 GDPR): The right to receive data you provided to us in a structured format and to transmit it to another controller (if processing is based on consent or contract and carried out by automated means).
    • Right to object (Art. 21 GDPR): The right to object to processing based on our legitimate interests (including profiling) and to processing for direct marketing purposes.
    • Right to withdraw consent (Art. 7(3) GDPR): If processing is based on consent, you have the right to withdraw it at any time (withdrawal does not affect the lawfulness of processing before withdrawal).
    • Rights related to automated decision-making: We inform you that, as a rule, we do not make decisions based solely on automated processing, including profiling, that produce legal effects. If such mechanisms are implemented (e.g., in AI features), we will inform you and ensure appropriate rights.
    • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): You have the right to lodge a complaint with the Polish Data Protection Authority (UODO) if you believe that the processing of your data infringes GDPR.
  2. How to exercise your rights:

    • If you are a Client Representative (and wish to exercise rights regarding your data for which BHP VR is the Controller): Please contact us directly using the contact details provided in 2.
    • If you are an End User (Student) (and wish to exercise rights regarding your data processed by BHP VR on behalf of your Organization): Please direct your request directly to your Organization (the Client), which is the Controller of your data (e.g., to the HR department, supervisor, training manager). As the Data Processor, we will cooperate with your Organization to assist them in responding to your request, as required by GDPR (Art. 28) and the DPA.

11 Cookies and Similar Technologies

Our Platform uses cookies and similar technologies (such as local storage) to ensure the proper functioning of the Service, analyze traffic, and improve user experience. Some of these technologies are essential for the site to function, while others (e.g., analytical, functional) require your consent.

Detailed information about the types of technologies used, their purposes, duration, and how you can manage your preferences (including giving and withdrawing consent) can be found in our separate Cookie Policy.

12 System Development & Future Data Collection

Our Platform and Services are constantly evolving as we strive to improve user experience and introduce new functionalities. This development may involve collecting and processing new categories of personal data or using existing data for new purposes in the future, always with the goal of enhancing the Service for our Clients and End Users.

We remain committed to the principles of data minimization and purpose limitation. Should we introduce changes that materially alter the way we process your personal data or require a new legal basis (such as consent), we will update this Privacy Policy and provide prior notification through appropriate channels (e.g., email, platform notification). We will not collect significantly more data or use it for unrelated purposes without ensuring transparency and compliance with applicable data protection laws.

13 Changes to this Privacy Policy

We reserve the right to update this Privacy Policy periodically, e.g., due to changes in legislation or changes in our Service. The date of the last update is indicated at the beginning of the document.

We will notify you of significant changes via email or a notification on the Platform. Continued use of the Service after changes are implemented (and notification provided) constitutes acceptance thereof to the extent permitted by law.

14 Contact Information

If you have any questions regarding this Privacy Policy or how we process personal data, please contact us:

  • Email: [email protected]
  • Postal Address: BHP VR SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, ul. Ludowa 2 / 20, 00-780 Warszawa, Poland.

Last updated: April 17, 2025