PRIVACY POLICY
Last updated March 6, 2026
Thank you for choosing Immersh, LLC ("Immersh," "Company," "we," "us," or "our"). We are committed to protecting your personal information and your right to privacy. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use the Immersh platform, including our website at https://immersh.com, our education platform, and related services (collectively, the "Platform").
If you have questions or concerns about this policy, please contact us at privacy@immersh.com.
TABLE OF CONTENTS
- WHO WE ARE AND WHAT WE DO
- INFORMATION WE COLLECT
- HOW WE USE YOUR INFORMATION
- EDUCATIONAL RECORDS AND FERPA
- ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING
- THIRD-PARTY SERVICE PROVIDERS (SUBPROCESSORS)
- DATA SHARING AND DISCLOSURE
- COOKIES AND TRACKING TECHNOLOGIES
- THIRD-PARTY AUTHENTICATION
- DATA RETENTION
- DATA SECURITY
- DATA RESIDENCY AND INTERNATIONAL TRANSFERS
- YOUR PRIVACY RIGHTS
- CALIFORNIA PRIVACY RIGHTS
- CHILDREN'S PRIVACY
- BREACH NOTIFICATION
- DO-NOT-TRACK SIGNALS
- CHANGES TO THIS POLICY
- CONTACT US
1. WHO WE ARE AND WHAT WE DO
Immersh is a drill-based skill platform for teaching skills through interactive video lessons and adaptive assessments. The Platform supports subject domains including music (theory, ear training, notation, instruments) and code (JavaScript/TypeScript).
The Platform is used by educational institutions, instructors, and students. It integrates with learning management systems (LMS) via LTI 1.3 Advantage, supports Single Sign-On (SAML 2.0 and OIDC), and provides automated user provisioning via SCIM 2.0.
When Immersh is used by an educational institution through an LTI integration or institutional agreement, Immersh acts as a "school official" under FERPA with a legitimate educational interest in the student data necessary to provide the educational services.
2. INFORMATION WE COLLECT
Information you provide directly
- Account information: Email address, name, and password when you create an account
- Profile information: Any optional profile details you choose to add
- Educational content: Lessons, courses, assignments, and other content created by instructors
- Student responses: Answer attempts, assignment submissions, and drill practice data
- AI interactions: Questions and messages you send through AI-powered features
- Support communications: Emails or messages you send to our support team
- Billing information: Subscription and plan details managed through our billing provider. We do not collect or store payment card numbers; all payment card processing is handled by a PCI DSS Level 1 certified payment processor.
Information received from educational institutions
When you access Immersh through an LTI integration with your institution's learning management system:
- Identity information: Name, email address (or a synthetic identifier if your institution chooses PII-free operation), and institutional role
- Course context: Course and section identifiers, enrollment status
- Grade data: Grades may be sent back to your LMS through LTI Assignment and Grade Services
When your institution uses SSO (SAML 2.0 or OIDC), we receive the identity attributes your institution's identity provider sends during authentication. When your institution uses SCIM 2.0 provisioning, we receive user profile data as configured by your institution's IT administrator.
Information collected automatically
- Log data: IP address, browser type, operating system, referring URL, pages visited, and timestamps
- Device data: Device type, screen resolution, and browser settings
- Error data: Application error reports, which may include technical context such as user identifiers and IP addresses
- Analytics data: User interaction events including sign-in events and feature usage
- Session data: Authentication tokens stored in secure cookies
3. HOW WE USE YOUR INFORMATION
We use the information we collect to:
- Provide the Platform: Deliver interactive lessons, grade assessments, track progress, and sync grades with your institution's LMS
- Manage accounts: Create and maintain user accounts, authenticate users, and enforce role-based access controls
- Improve the Platform: Analyze usage patterns, diagnose errors, and develop new features
- Communicate with you: Send transactional emails (password resets, account notifications, course invitations)
- Process payments: Manage subscriptions and billing
- Ensure security: Monitor for suspicious activity, enforce rate limiting, and maintain audit logs
- AI-powered features: Generate lesson content from video transcripts and provide AI-assisted learning interactions via OpenAI
- Comply with legal obligations: Respond to lawful requests and fulfill contractual obligations with educational institutions
4. EDUCATIONAL RECORDS AND FERPA
When Immersh is used through an institutional agreement or LTI integration, student data is protected under the Family Educational Rights and Privacy Act (FERPA).
What constitutes an educational record
The following student data is classified as FERPA-protected educational records: grades and scores, answer attempts, lesson progress, drill and practice history, course enrollment records, and AI conversation data tied to educational activities.
How we protect educational records
- Access controls: Students can only access their own records. Instructors can access records only for students enrolled in their course sections. Administrators can access records only within their organization.
- Data minimization: We collect only the data necessary to provide educational services. LTI launches support PII-free operation when an institution chooses not to send identifying information.
- No commercial use: Student educational records are never used for advertising, marketing, or any purpose other than providing the educational services.
- Institutional ownership: All data created by or about an institution's students, instructors, and courses remains the intellectual property of the institution.
- Grade passback: Student grades are shared with the student's own LMS via LTI Assignment and Grade Services only.
Institutional data requests
Institutions may request a full data export of all data associated with their organization at any time. Data is provided in standard JSON format.
5. ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING
Immersh uses AI-powered features provided by OpenAI to enhance the educational experience:
- Lesson action generation: AI can generate lesson overlays, highlights, notation, and code snippets from video transcripts
- AI conversations: Students can interact with AI for learning assistance
How AI handles your data
- What is sent: Lesson content and student prompts are sent to OpenAI for processing. We do not send student names, email addresses, or other direct PII to OpenAI.
- Data retention by AI provider: Per our agreement with OpenAI, data submitted through the API is not used for model training.
- Storage: AI conversation data is stored in our database and classified as a FERPA-protected educational record when associated with a student account.
6. THIRD-PARTY SERVICE PROVIDERS (SUBPROCESSORS)
We use the following third-party service providers to operate the Platform. All subprocessors store data in the United States and maintain SOC 2 Type II certification (or equivalent).
| Provider | Purpose | Data Categories |
|---|---|---|
| Amazon Web Services (AWS) | Application hosting and infrastructure | All application data |
| Tigris (Fly.io) | File storage | Uploaded media files |
| SendGrid (Twilio) | Email delivery | Email addresses |
| Chargebee | Subscription billing | Billing and subscription data |
| Stripe | Payment processing | Payment card data (PCI DSS Level 1; card data never touches Immersh servers) |
| Sentry | Error monitoring | Error diagnostics and technical context |
| Segment (Twilio) | Analytics | Usage events |
| OpenAI | AI content generation | Lesson content and prompts |
| Google | Authentication (OAuth 2.0) and bot prevention (reCAPTCHA) | Account identity, IP address |
| Microsoft | Authentication (Azure AD / OIDC) | Account identity |
| Vimeo | Video hosting | Video content and transcripts |
| GitHub | Development infrastructure and CI/CD | Source code |
We maintain Data Processing Agreements (DPAs) with our subprocessors as required. If you are an institutional customer and would like a copy of our subprocessor list or DPA, please contact privacy@immersh.com.
We will notify institutional customers before adding new subprocessors that process personal data.
7. DATA SHARING AND DISCLOSURE
We do not sell your personal information. We share your data only in the following circumstances:
- With your institution: If you access Immersh through an LTI integration or institutional account, your educational records (including grades) may be shared with your institution's LMS as part of the educational service.
- With service providers: We share data with the subprocessors listed in Section 6, solely for the purposes described.
- For legal compliance: We may disclose information in response to a court order, subpoena, or other lawful governmental request. Where permitted by law, we will notify affected users or institutions before disclosure.
- Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred. Institutional data ownership transfers with the institution, not with Immersh.
- To protect rights and safety: We may disclose information when we believe it is necessary to prevent fraud, enforce our terms, or protect the safety of our users or the public.
8. COOKIES AND TRACKING TECHNOLOGIES
Immersh uses the following cookies and similar technologies:
- Authentication cookies: Secure cookies containing signed authentication tokens. These are essential for Platform functionality.
- Session state: Minimal user metadata is stored in the browser for Platform operation.
- Analytics: We collect usage events in production for Platform improvement.
We do not use advertising cookies or interest-based tracking. We do not engage in cross-site tracking.
You can control cookies through your browser settings. Disabling essential authentication cookies will prevent you from using the Platform.
9. THIRD-PARTY AUTHENTICATION
Immersh offers authentication through the following providers:
- Google OAuth 2.0: When you sign in with Google, we receive your name, email address, and profile picture from your Google account.
- Microsoft (Azure AD): When you sign in with Microsoft, we receive your name and email address from your Microsoft account.
- Institutional SSO (SAML 2.0 / OIDC): When your institution configures SSO, we receive the identity attributes your institution's identity provider sends during authentication.
- LTI 1.3: When you launch Immersh from an LMS, we receive identity information per the LTI specification. Your institution may configure PII-free launches, in which case a synthetic identifier is generated.
We use information from these providers only for authentication and account creation. We do not access your contacts, files, or other data from these providers beyond what is listed above.
10. DATA RETENTION
We retain your data for the periods described below. When a retention period expires, data is permanently deleted.
| Data Category | Retention Period |
|---|---|
| Active user accounts | Indefinite while active |
| Student educational records | Duration of enrollment + 1 year after last activity |
| LTI deployment data | Duration of institution contract |
| Application logs | 90 days |
| Error telemetry (Sentry) | 90 days |
| Session data | Short-lived automatic expiry |
| Audit logs | 2 years |
| Database backups | Regular automated snapshots with appropriate retention |
Account deletion: When you delete your account, all associated data is permanently removed, including all answer attempts, lesson progress, drill data, course enrollments, AI conversations, and the account itself. Deletion is permanent and unrecoverable.
Institution offboarding: When an institutional contract ends, data is retained for 30 days to allow the institution to export data. After 30 days, all institution data is permanently deleted and written confirmation is provided.
Business wind-down: In the event Immersh ceases operations or retires the Platform, customers will have at least 90 days to export their data and migrate.
11. DATA SECURITY
We implement technical and organizational security measures to protect your information:
Encryption
- In transit: All data is transmitted over TLS 1.2 or higher. HSTS is enforced. WebSocket connections use TLS. LTI communication uses cryptographically signed tokens over TLS.
- At rest: All database, cache, and file storage uses AES-256 encryption at rest.
- Field-level: Sensitive fields (MFA secrets, signing keys, SSO credentials, billing identifiers) are additionally encrypted at the application layer before being written to the database.
- Passwords: User passwords are cryptographically hashed and are never stored in plaintext or reversible form.
Access controls
- Role-based access: Granular role-based access controls (Administrator, Instructor, Student) with server-side enforcement on every request
- Multi-factor authentication: MFA with encrypted backup codes
- Account lockout: Automatic lockout after repeated failed login attempts
- Rate limiting: Per-endpoint rate limits on authentication and sensitive routes
- Audit logging: All administrative and instructor actions are logged with actor identification and request metadata
Infrastructure
- Database and cache servers reside in private subnets with no publicly routable IP addresses
- Web application firewall with managed rule groups for common attack patterns
- Cloud-native threat detection and continuous vulnerability scanning
- Static application security testing (SAST) on every code change
- Dynamic application security testing (DAST) on a regular schedule
- Automated dependency vulnerability scanning
Despite these measures, no system is perfectly secure. If you discover a vulnerability, please report it to security@immersh.com per our vulnerability disclosure policy at /.well-known/security.txt.
12. DATA RESIDENCY AND INTERNATIONAL TRANSFERS
All production data is stored in the United States. Database backups remain within the same region.
Static assets (images, stylesheets, scripts) may be cached at edge locations globally for performance, but these assets do not contain personal data.
If you access the Platform from outside the United States, your data will be transferred to and processed in the United States. By using the Platform, you consent to this transfer. For institutional customers requiring a Data Processing Agreement with Standard Contractual Clauses for international transfers, please contact privacy@immersh.com.
13. YOUR PRIVACY RIGHTS
Depending on your location and applicable law, you may have the following rights:
- Right to access: View all your personal data through the Platform interface
- Right to data portability: Export a complete copy of your data in JSON format from your Profile page. The export includes your profile, answer attempts, lesson progress, drill data, skills, enrollments, assignment scores, AI conversations, owned lessons, and instructed course sections.
- Right to erasure: Permanently delete your account and all associated data from your Profile page. Instructors with active course sections or lessons must transfer ownership before deletion.
- Right to rectification: Update your profile information through the Platform interface
- Right to object: Contact us to object to specific processing activities
For EEA, UK, and Swiss residents
If you believe we are unlawfully processing your personal information, you have the right to complain to your local data protection supervisory authority. EEA authorities can be found at https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. The Swiss authority is at https://www.edoeb.admin.ch/edoeb/en/home.html.
For institutional users
If you access Immersh through an institutional account, your institution is the data controller for your educational records. Please contact your institution's IT or privacy office for requests related to institutional data. We will cooperate with your institution to fulfill data subject requests.
To exercise your rights, contact us at privacy@immersh.com.
14. CALIFORNIA PRIVACY RIGHTS
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights:
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt-out of sale or sharing: We do not sell your personal information or share it for cross-context behavioral advertising.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of personal information collected: Identifiers (name, email), internet activity (log data, usage events), education information (grades, progress), and professional information (institutional role).
Categories of personal information disclosed for a business purpose: Identifiers and education information are disclosed to the subprocessors listed in Section 6 for the business purposes described in Section 3.
To exercise your rights, contact us at privacy@immersh.com or use the self-service controls on your Profile page.
If you are under 18, reside in California, and have a registered account, you may request removal of content you have publicly posted. Contact us at privacy@immersh.com.
15. CHILDREN'S PRIVACY
Immersh is an education platform and may be used by students under 13 when access is provided through an educational institution's LTI integration or institutional agreement. In such cases:
- The educational institution provides the consent required under the Children's Online Privacy Protection Act (COPPA) as part of their institutional agreement with Immersh.
- We collect only the information necessary to provide the educational services.
- Student data is never used for advertising, marketing, or commercial purposes unrelated to the educational service.
- LTI launches support PII-free operation, allowing institutions to minimize the personal information shared with Immersh.
Immersh does not knowingly collect personal information from children under 13 outside of an institutional agreement. If you believe a child under 13 has created an individual (non-institutional) account, please contact us at privacy@immersh.com and we will promptly delete the account.
16. BREACH NOTIFICATION
In the event of a confirmed security breach affecting personal data:
- Institutional notification: We will notify affected educational institutions within 72 hours of confirming a breach involving student educational records, consistent with FERPA requirements and GDPR Article 33.
- Individual notification: We will coordinate with affected institutions on notification to individual users. For non-institutional users, we will notify affected individuals as required by applicable law.
- Written incident report: We will provide a detailed written incident report to affected institutions within 7 calendar days of the breach notification.
Our full incident response plan follows the NIST SP 800-61 Rev. 2 framework.
17. DO-NOT-TRACK SIGNALS
We do not currently respond to Do-Not-Track (DNT) browser signals, as no uniform standard for handling DNT signals has been adopted. We do not engage in cross-site tracking.
18. CHANGES TO THIS POLICY
We may update this privacy policy from time to time. The updated version will be indicated by an updated "Last updated" date. If we make material changes, we will notify institutional customers by email and post a prominent notice on the Platform at least 30 days before the changes take effect.
We encourage you to review this policy periodically.
19. CONTACT US
If you have questions about this privacy policy or our data practices:
- Privacy inquiries: privacy@immersh.com
- Security concerns: security@immersh.com
- General support: help@immersh.com
Immersh, LLC
Email: privacy@immersh.com