XRi Solutions — XR Applications on Meta Horizon OS
| Policy Owner | XRi Solutions (Pty) Ltd |
| Effective Date | 30/06/2026 |
| Last Updated | 30/06/2026 |
| Jurisdiction | Republic of South Africa (primary) | International users also covered |
| Contact | koos.debeer@xri.co.za |
1. Introduction and Scope
XRi Solutions (Pty) Ltd (“XRi”, “we”, “our”, or “us”) develops and operates XR (extended reality) training and simulation applications deployed on the Meta Quest platform via the Meta Horizon Store. This Privacy Policy describes how we collect, use, store, protect, and share personal information in connection with our applications and services.
This policy applies to all XRi applications, including but not limited to: ECG VR Training, Defib VR Training, Lab Safety Scenario VR Training, CT Head VR Training, Virtual Construction Site VR, Hazard Identification VR, and Composite Pack MR, as well as the XRi licensing and device management platform (the “XRi Platform”).
This policy applies to:
- End users who use our applications on Meta Quest devices
- Administrators (typically institutional IT or academic staff) who manage devices and user access via the XRi Administrator Portal
- Organisations (clients) that subscribe to and deploy our applications
1.1 Regulatory Framework
XRi is a South African company and our primary data processing obligations are governed by the Protection of Personal Information Act 4 of 2013 (POPIA) and its associated regulations. We also acknowledge and respect the data protection rights of international users, including those protected under the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable local laws.
As a developer on the Meta Horizon platform, we also comply with Meta Platforms Technologies’ Developer Data Use Policy and all applicable Meta developer terms and policies.
2. Who We Are — Information Officer
XRi Solutions (Pty) Ltd is the responsible party (“controller” in GDPR terminology) for personal information processed through our applications and platform.
| Registered Name | XRi Solutions (Pty) Ltd |
| Address | Pretoria, Gauteng, Republic of South Africa |
| Koos.debeer@xri.co.za |
| Website | https://xri.co.za |
| Information Officer | Koos de Beer | koos.debeer@xri.co.za |
3. Data We Collect and How
3.1 Data Obtained from Meta Horizon (“Meta Horizon User Data”)
When you access our applications through your Meta account, we receive limited data from Meta’s platform to authenticate you and authorise access to licensed applications. This data includes:
- Meta User ID (a unique, platform-assigned identifier — not your real name unless you have set your Meta profile name)
- Meta username or display name (as configured in your Meta account)
- Meta access tokens (used solely for authentication; not stored beyond the session)
We use Meta accounts as our identity layer. We do not build or maintain a separate user login system. We do not request or collect Meta passwords or login credentials.
3.2 Device and Application Data (“Device User Data”)
Our applications record activity data to measure training outcomes and support research studies conducted by our institutional clients. Data recorded depends on the specific application and is configured intentionally to serve defined learning outcomes. Data collected may include:
- Step completion events (whether a training step was completed, and in what sequence)
- Time-on-task per step or scenario
- Scenario outcomes (pass/fail, retry counts)
- Device identifier (to associate a session with a licensed device)
We do not collect biometric data such as eye tracking data, facial expression data, or body/hand tracking data. Our applications do not use these sensor APIs.
3.3 Data You or Your Organisation Provides (“Developer User Data”)
Administrators and subscribing organisations may provide the following when setting up and managing accounts on the XRi Platform:
- Organisation name, contact name, and email address
- Billing details (for subscription management — currently processed manually in ZAR; card processing will be added via a compliant payment gateway)
- List of Meta accounts authorised to access applications
4. How We Use Your Data
We process personal information only for the purposes described below. We rely on the following lawful bases under POPIA and, for international users, under the GDPR:
| Purpose | Data Used | Lawful Basis |
| Authenticate users and authorise access to licensed applications | Meta User ID, access token | Contractual necessity; legitimate interest |
| Record training activity to support institutional research studies | Step completion, time-on-task, device ID | Legitimate interest; consent (where required by institution) |
| Device licensing and subscription management | Device ID, organisation admin contact, billing details | Contractual necessity |
| Communicate with administrators about their subscriptions and accounts | Administrator email address and name | Contractual necessity; legitimate interest |
| Improve our applications and platform | Aggregated, de-identified usage analytics only | Legitimate interest |
| Comply with applicable laws and regulations | As required by law | Legal obligation |
4.1 What We Do NOT Do With Your Data
We are committed to the following restrictions on your data:
- We do not sell, rent, or licence your personal information to any third party
- We do not use your data for advertising or marketing purposes, or share it with advertising networks
- We do not use your data to build profiles for purposes unrelated to providing our training applications
- We do not combine your Meta Horizon User Data with Device User Data for re-identification purposes
- We do not attempt to identify you by name from anonymised data through AI, facial recognition, or any other means
- We do not collect or store Meta passwords or login credentials
5. Data Storage and Security
5.1 Where Your Data is Stored
All personal data processed by XRi is stored on virtual machine infrastructure hosted within the Republic of South Africa. We use South African cloud or hosting providers to ensure data remains within South African borders by default, in line with POPIA’s requirements regarding cross-border data transfers.
Application distribution and updates are handled via the Meta Horizon Store. Meta Platforms Technologies processes distribution-related data in accordance with their own privacy policy and terms.
5.2 International Data Transfers
Where data is transferred to or accessed from outside South Africa — for example, in cases where an international client or administrator accesses the XRi Administrator Portal — we ensure that appropriate safeguards are in place in compliance with section 72 of POPIA and, where applicable, the GDPR’s cross-border transfer requirements. These safeguards may include:
- Standard Contractual Clauses (SCCs) where required for EEA or UK data subjects
- Contractual protections in our client agreements
- Restricting access to jurisdictions that provide adequate data protection
In relation to Meta Horizon User Data received from Meta Platforms Ireland Limited (which applies to EEA users) and Meta Platforms, Inc. (which applies to UK users), we comply with the applicable Standard Contractual Clauses and UK International Data Transfer Addendum as required under Meta’s Developer Data Use Policy.
5.3 Security Measures
XRi implements and maintains administrative, physical, and technical safeguards to protect personal information from unauthorised access, disclosure, loss, alteration, or destruction. Our measures include:
- Encrypted data transmission (HTTPS/TLS) between applications, devices, and our platform
- Access controls limiting data access to authorised XRi personnel only, on a need-to-know basis
- Secure virtual machine hosting within South Africa
- No storage of Meta access tokens beyond the authenticated session
- Regular review of security practices
In the event of a data breach or security incident, we will notify affected parties and the relevant supervisory authority (the Information Regulator of South Africa) as required under POPIA and applicable law. We will also notify Meta using the required incident reporting channel as required under Meta’s Developer Data Use Policy.
6. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law or our contractual obligations.
| Data Type | Retention Period |
| Meta User ID and authentication data | Retained while the user’s account is active on a licensed device. Deleted upon account removal or subscription termination. |
| Application activity/training data | Retained for the duration of the client’s active subscription plus a reasonable period to allow for research study completion. De-identified for long-term research retention. Deleted upon client or user request, or at subscription end, whichever is earlier unless otherwise agreed in writing. |
| Organisation and administrator data | Retained for the duration of the contractual relationship and for a period of 5 years thereafter for legal and audit purposes, unless a shorter period is required by law. |
| Billing data | Retained for a minimum of 5 years as required under South African tax and financial records legislation. |
7. Sharing Your Data
XRi does not sell or commercially share your personal data. We may share data only in the following limited circumstances:
7.1 Within XRi
Personal data is accessible only to XRi personnel who require it to operate, maintain, and support our applications and platform.
7.2 With Your Organisation (Administrator Portal)
If you use our applications through an institutional subscription, your activity data (step completion, time-on-task) may be accessible to your institution’s administrator through the XRi Administrator Portal. Your organisation is responsible for how they use and communicate this data to you within their own environment. XRi provides raw activity data to institutional administrators; individual reporting to users is the responsibility of the subscribing institution.
7.3 Service Providers
We may engage third-party service providers (such as hosting infrastructure providers) who process data on our behalf. Any such provider is contractually bound to:
- Use data only to provide services to XRi on our behalf
- Not use the data for their own purposes
- Maintain adequate security safeguards
- Delete data when the service relationship ends
Current data processing takes place on South African-hosted virtual machine infrastructure. No third-party analytics or advertising services are used.
7.4 Legal Requirements
We may disclose personal information if required to do so by applicable law, court order, or lawful request by a government authority, to the minimum extent necessary to comply.
7.5 Meta Platforms Technologies
As a developer on the Meta Horizon platform, certain technical data (such as app usage metrics at an aggregate level) may be shared with Meta in accordance with Meta’s Developer Distribution Agreement and applicable policies. Individual user data is not separately sold or transferred to Meta beyond what is inherent in operating an application distributed via the Meta Horizon Store.
8. Your Rights
Subject to applicable law, you have the following rights in relation to your personal information held by XRi:
8.1 Rights Under POPIA (South African Users)
- Right of access — You may request confirmation of whether we hold personal information about you, and a copy of that information
- Right to correction or deletion — You may request that we correct inaccurate information or delete your personal information where we are no longer lawfully entitled to process it
- Right to object — You may object to the processing of your personal information on grounds relating to your particular situation
- Right to complain — You may lodge a complaint with the Information Regulator of South Africa: www.justice.gov.za/inforeg/
8.2 Additional Rights for EEA/UK Users (GDPR)
If you are located in the European Economic Area or the United Kingdom, you additionally have the right to:
- Data portability — Receive your personal data in a structured, commonly used, machine-readable format
- Restriction of processing — Request that we restrict processing of your data in certain circumstances
- Withdraw consent — Where processing is based on consent, withdraw that consent at any time
- Lodge a complaint with your local supervisory authority
8.3 How to Exercise Your Rights
To exercise any of the above rights, contact our Information Officer at:
| koos.debeer@xri.co.za |
| Subject Line | “Data Rights Request — [Your Name or Organisation]” |
We will respond to all requests within 30 days (or sooner where required by law). We may ask you to verify your identity before processing a request.
9. How to Request Deletion of Your Data
In accordance with Meta Horizon Store requirements and POPIA, we provide a clear pathway for data deletion requests.
To request deletion of your personal information held by XRi:
- Send an email to koos.debeer@xri.co.za with the subject line “Data Deletion Request”
- Include: your name or Meta username, the organisation you are associated with, and the application(s) concerned
- We will confirm receipt within 5 business days and complete deletion within 30 days, subject to any legal retention obligations
Note: If you are an end user accessing our applications through an institutional subscription, your organisation’s administrator may also request deletion on your behalf via the XRi Administrator Portal.
Where activity data forms part of an ongoing academic research study, de-identified data that cannot be re-linked to you may be retained for research integrity purposes. We will inform you if this applies to your request.
10. Institutional Clients — Additional Terms
Where XRi provides services to an institution (such as a university or training organisation) under a Service Level Agreement or development contract, the subscribing institution may act as an independent responsible party in respect of their employees’ or students’ personal information as processed through our applications.
In such cases:
- XRi acts as an operator (processor) of personal information on behalf of the institution
- The institution is responsible for ensuring appropriate consent or other lawful basis for processing has been obtained from their users
- Any research studies associated with our applications must comply with the institution’s ethics committee requirements and applicable research ethics frameworks
- The institution is responsible for communicating to their users how activity data is used in their research context
Our contractual agreements with institutions contain data processing provisions consistent with this Privacy Policy and applicable law.
11. Children’s Privacy
Our applications are designed for use by adult professionals in academic and training contexts. We do not knowingly collect personal information from individuals under the age of 18. Our applications are not intended for use by minors.
If you believe that a minor has used our applications and personal information has been collected, please contact us at privacy@xri.co.za and we will take steps to delete the information promptly.
12. Meta Horizon Platform — Compliance Acknowledgements
As a developer on the Meta Horizon platform, XRi acknowledges and confirms the following in relation to Meta’s Developer Data Use Policy:
- We use Meta Horizon User Data (including Meta User IDs and access tokens) solely to authenticate users and authorise access to licensed applications
- We do not sell, licence, rent, or otherwise transfer Meta Horizon User Data to any third party
- We do not use Meta Horizon User Data for advertising, profiling, or marketing purposes
- We do not combine Meta Horizon User Data with other data sources for re-identification or tracking
- We do not collect or store Meta user login credentials
- We do not use Device User Data (sensor data from the Meta Quest headset, including hand tracking, eye tracking, or facial expression data) — our applications do not activate these APIs
- We provide users with an accessible data deletion mechanism (see Section 9)
- We will notify Meta of any security incidents affecting Meta Horizon User Data via the required reporting channel
- We comply with the Standard Contractual Clauses and UK International Data Transfer Addendum as incorporated by reference into Meta’s Developer Data Use Policy for EEA and UK data subjects respectively
13. Cookies and Tracking Technologies
Our Meta Quest applications operate on a closed platform and do not use browser cookies. Our Administrator Portal (web-based) may use session cookies solely to maintain your authenticated session. We do not use tracking cookies, advertising pixels, or third-party analytics tools on our web interfaces.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the services we provide. We will post the updated policy on our website at https://xri.co.za/privacy and update the effective date at the top of the document.
For material changes that may affect your rights, we will notify institutional administrators via email. Continued use of our applications after any such change constitutes your acceptance of the updated policy.
We maintain archived copies of all previous versions of this Privacy Policy and will provide them on request.
15. Contact Us
For any questions, concerns, or requests in relation to this Privacy Policy or your personal information, please contact us:
| XRi Solutions (Pty) Ltd | Information Officer |
| koos.debeer@xri.co.za |
| Website | https://www.xri.co.za |
| Address | Pretoria, Gauteng, Republic of South Africa |
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa:
| Information Regulator | www.justice.gov.za/inforeg/ | inforeg@justice.gov.za | Tel: 010 023 5207 |
This Privacy Policy was last reviewed in June 2026. It is published at https://xri.co.za/privacy and linked in all XRi application listings on the Meta Horizon Store.