Privacy Policy

Introduction

At Floreo Inc. (“Floreo,” “we,” “our,” and/or “us”), your privacy is important to us. This privacy policy (“Privacy Policy”) explains what information we collect, how we use and share that information, and the choices available to you. Floreo provides proprietary digital solutions consisting of immersive virtual reality software, mobile applications, and related content delivered through our websites and services (collectively, the “Floreo Service(s)”).

This Privacy Policy applies to all Floreo Services, including products offered for educational, therapeutic, clinical, and general wellness purposes, regardless of whether they are used through schools, clinics, or direct consumer purchase. Certain Floreo Services are offered for general wellness or skill-building purposes and are not intended to diagnose, treat, cure, or prevent any medical condition unless expressly identified as a regulated medical device.

In general, users of the Floreo Services include: (i) End-users, who are typically organizations, clinicians, educators and parents that create and manage accounts for the Floreo Services; and (ii) Learners (users of our Services (“Learners”)), who are mixed-age users that access the Services under the supervision of End-users when participating in interactive virtual reality sessions.

We take strong measures to protect any personal information you provide to us. We use established business practices and technical, administrative, and organizational security safeguards designed to keep personal information private and to ensure it is used only as described in this Privacy Policy. This policy is intended to demonstrate our commitment to transparency, responsibility, and accountability in how we handle personal information.

We promise that any personal information we collect and maintain will be: (i) used fairly and honestly; (ii) used only for specific and clear purposes and not for anything else; (iii) limited to the amount that is relevant and necessary; (iv) accurate and kept up to date; and (v) kept safe from unauthorized or unfair use and protected from accidents such as loss or damage.

Who This Policy Is For

This Privacy Policy applies to personal information collected, generated, or otherwise processed by Floreo in connection with the use of our Services and our websites.

The policy covers personal information relating to adult End-users, such as parents, legal guardians, educators, clinicians, authorized institutional representatives, and prospective or current customers who create accounts, manage access to the Services, communicate with us, or otherwise interact with Floreo.

This Privacy Policy also applies to personal information associated with Learners, which is collected only in connection with supervised use of the Services by children or teens under the direction of a parent, legal guardian, school, or clinic, as described in this policy.

In addition, this policy governs personal information collected from individuals who visit Floreo’s websites, including www.floreovr.com (“website”), communicate with us through our websites, or otherwise interact with Floreo outside of an active Learner session. It explains how we collect, use, and disclose such information, including through cookies and similar technologies, as further described below.

How Floreo Acts Depending on Context (Roles and Responsibilities)

Floreo’s role with respect to personal information depends on how the Services are used.

When parents or guardians use Floreo directly at home, Floreo generally acts as a data controller and determines how and why personal information is processed in connection with the Services.

When schools, districts, clinics, or other institutional customers use Floreo, Floreo typically acts as a data processor or service provider and processes personal information on behalf of and under the instructions of the relevant institution, as set out in applicable agreements and required by law.

In healthcare contexts, Floreo may act as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and applicable state laws and will process Protected Health Information only as permitted by law and by the applicable Business Associate Agreement.

Certain Floreo services may be subject to regulation as digital health products or medical devices. In these contexts, Floreo may process information as necessary to support safety, effectiveness, quality assurance, regulatory compliance, and related obligations.

Definitions

For purposes of this Privacy Policy, the following definitions apply.

Personal Information means information that identifies, relates to, describes, or could reasonably be linked to an identifiable individual. This may include, for example, names, contact information, account details, information about use of the Services, and, in certain contexts, health-related information.

Personally Identifiable Information (PII) means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information. In educational contexts, this term may include information protected under education privacy laws.

End-user means an adult account holder, such as a parent, guardian, educator, clinician, or authorized institutional representative who creates or manages access to the Services.

Learner means mixed-age users, including a child or teen, who uses the Services under the supervision of an End-user.

Lesson-play metadata means information automatically generated when a lesson is played, such as lesson start and completion status, progress through content, task responses and scores, timestamps, and limited technical information required to deliver lessons and generate reports.

Protected Health Information or PHI has the meaning given under the Health Insurance Portability and Accountability Act (HIPAA) when Floreo acts as a Business Associate.

De-identified or aggregated data means data that has been processed to remove or obscure personal identifiers so that it cannot reasonably be used to identify an individual.

Age Requirements, Eligibility, and Supervision

The Services are designed for use by adults and institutions and for authorized use by children and teens in accordance with applicable law. Only adults aged 18 or older may create accounts and act as End-users.

Learners may not create accounts or use the Services independently. Learner use must occur under the authorization of a parent or legal guardian, school, or clinic. For Services offered directly to consumers, individuals age 13 and older may use the Services under an adult account or other legally permitted authorization, while use by children under the age of 13 requires verifiable parental consent.

Where a school or clinic creates a Learner profile, Floreo relies on the institution’s authorization and representations that appropriate notices and permissions have been provided to parents or guardians as required by law.

Certain hardware platforms or third-party services used to access the Services may impose additional age restrictions or account requirements. End-users are responsible for complying with those requirements, which are described where applicable in this Privacy Policy.

Children’s Privacy and Information for Parents

Floreo is designed to be used by children and teens only under the supervision of a responsible adult, such as a parent, legal guardian, educator, or clinician. Children may not create accounts or use the Services independently. All Learner access occurs through an adult account or through an account created by a parent, school or clinic on the Learner’s behalf.

For Floreo Services offered directly to consumers for general wellness or self-directed use, individuals under the age of 13 may access the Services only after Floreo has obtained verifiable parental consent, which may include confirmation through email or other legally permitted methods. Parents or legal guardians may manage or withdraw consent through the account at any time.

For parents and guardians using Floreo at home, we want to be clear about what happens when your child uses the Services. When a Learner plays a lesson, Floreo automatically collects limited information about that lesson interaction, such as whether the lesson was started or completed, progress through the lesson, task responses, scores, and the time and duration of use. This information is required to provide the Services, including progress tracking, reporting, and educational or therapeutic insights, and cannot be disabled.

Floreo does not collect Learner email addresses, phone numbers, or independent login credentials. We do not sell Learner personal information, use Learner data for advertising, or market directly to children. Learner data is used only to provide and improve the Services, support reporting, and meet legal or contractual obligations.

Optional Generative AI Interactive Features

Certain Floreo features may include interactive content powered by generative artificial intelligence technologies. These features are optional and are not required to access or complete core lesson content.

For Learners under the age of 13, generative AI interactive features are disabled by default. Floreo will enable these features only after obtaining verifiable parental consent, which may include confirmation through email or other legally permitted methods.

Where enabled, generative AI interactive features may process audio, text, or other inputs provided during use of the Services in order to deliver the requested functionality. Parents or legal guardians may withdraw consent for these features at any time. Withdrawal of consent will disable generative AI features but will not affect access to non-AI lesson content.

When Floreo is used by schools, the policy continues to rely on school-provided consent under COPPA, consistent with FERPA practices. In clinic settings, the clinician ensures that the parent or legal guardian has provided appropriate authorization for the use of interactive AI features.

Certain additional features, such as surveys, feedback tools, or research participation, may also involve optional data collection and are offered on an opt-in basis where required by law.

Information We Collect

Account Creation, Age Requirements, and Registration Information

Age Requirements for All Users.
The Services are designed and intended for use by adult End-users who are at least 18 years old and for supervised use by Learners of mixed ages. By using our websites or Services, you affirm that you are at least 18 years of age, or, if you are under 18, that you have obtained the required parental or legal guardian consent to use the Services. Learners may not create accounts or use the Services independently. Parents or legal guardians of Learners under the age of 18 must agree to these terms on the Learner’s behalf when creating a Learner account or profile. Where a school, clinic, or other authorized organization creates a Learner account, Floreo treats such creation as confirmation that appropriate parental or legal guardian consent has been obtained and relies on the organization’s authorization as evidence of that consent.

Inquiries, Registration, and Profile Information.
We may collect name, contact information, email address, and any other information provided when an individual makes an inquiry, contacts us by phone, mail, or through our websites, or signs up to receive communications. When you create an account, we collect an email address and password and may allow you to create and manage one or more Learner profiles associated with your account. When creating a Learner profile, we request a limited text identifier and the Learner’s date of birth solely for identification, age-appropriate content delivery, and reporting purposes. We do not request contact information for Learners and do not permit Learners to create independent login credentials. We do not collect Learner email addresses.

Information collected from or provided by adult End-users may include:

• the End-user’s name, phone number, physical address, or other contact information;
• any disclosed medical information, diagnosis, or clinical notes voluntarily provided in connection with use of the Services;
• any health plan or payor information you choose to provide, where applicable; and
• any information submitted in response to surveys or feedback requests.

Floreo Mobile App Subscription. Your website subscription may also provide access to the Full Access level of our mobile apps. If you choose to download any such app and log into it using your website subscription username and password, we collect limited usage information in connection with user logins in order to monitor subscription compliance. This information is maintained in accordance with this Privacy Policy. If you have purchased your subscription in-app, we do not collect payment information directly.

Push notifications on mobile apps. We may send Floreo mobile app push notifications from time to time in order to update you on news, events, or promotions. You may turn these notifications off at the device level if you no longer wish to receive them. If you choose to receive push notifications, we collect certain device-level information, such as operating system information, device identifiers, and notification tokens, in order to ensure notifications are delivered properly. We also collect the user’s time zone, which is set on the device, to ensure notifications are sent at an appropriate time of day. We do not combine this information with other personal information.

Mobile analytics on mobile apps. We use mobile analytics software to better understand the functionality and usage of our mobile apps. This software may record information such as how often users use the apps, events that occur within the apps, aggregated usage data, performance data, and the source from which the apps were downloaded. While this information may be linked to an adult End-user account, we do not link this information to Learner profiles or to personal information submitted by Learners within the mobile apps.

While Using Certain Generative AI Interactive Content. If you opt in to using certain interactive content, including content powered by generative artificial intelligence technologies, you may provide audio recordings (“Audio Recordings”) or submit text, video, or images in the context of using the Services. Audio Recordings or other inputs may contain the personal information of third parties. Before using these features, you are responsible for ensuring that you have obtained any necessary permissions or consent from such third parties. As used here, third parties include anyone other than the subscription holder, such as a Learner or other individuals who may be present during use of the Services. If you provide Audio Recordings, Floreo may convert such Audio Recordings into transcripts. We may use de-identified transcripts or de-identified text inputs to generate lesson recommendations or to improve the accuracy or personalization of the Services, as described elsewhere in this Privacy Policy. These features are optional and subject to applicable consent requirements.

Portal. We may collect information pertaining to End-users’ use of our client portal, such as duration and frequency of use, and information pertaining to the device used to access the portal, including device attributes (operating system, hardware version, browser type), language, and time zone.

Device Information. We receive information from devices used to access the Services, including IP address, web browser type, mobile operating system version, phone carrier and manufacturer, application installations, device identifiers, and push notification tokens.

• Usage Information.
  To help us understand how users interact with our Services and to improve functionality, we automatically receive information about interactions with the Services, such as the account used, lessons viewed, progress through lessons, tasks completed, task scores, progress on certain skills, pages or other content viewed, searches conducted, content posted where applicable, and dates and times of use.
• Mobile Device Management.
  We may utilize mobile device management (“MDM”) solutions to help ensure the security and proper functioning of mobile devices used to access the Services. This may involve monitoring or managing devices to enforce security policies, install or update software, and protect against unauthorized access or data breaches. By accessing the Services through an MDM-enabled device, you consent to the use of such solutions as necessary to protect personal information and maintain system security.
• Head Mounted Displays.
  If you use the Services through a head-mounted display (“HMD”) device, such as Meta Quest or Pico, we may collect certain technical and usage information to optimize the user experience and improve the Services. This may include data related to interactions within virtual environments, device usage metrics, and technical information about the HMD device. We use this information in accordance with this Privacy Policy to provide and enhance the Services and for analytics and research purposes. End-users are required to comply with the hardware manufacturer’s own privacy policies and should review those policies to understand how data is handled by the manufacturer.

Website and Social Media

Technical Information. When you visit our websites, we may collect, using electronic means such as cookies, technical information. This information may include information about your visit to our websites, including the IP address of your computer and which browser you used to view our websites, your operating system, resolution, language settings in browsers, time and duration of use, device attributes (such as operating system, hardware version, browser type), language settings in browsers, time zone, third-party information such as from partner advertisers or social media sites as detailed in the Social Media section of this Privacy Policy, the site you came from, keywords searched (if arriving from a search engine), the number of page views, information you entered and advertisements you have seen. This data is used to improve the effectiveness of our websites or enhance the experience for customers. For instance, it may be used to ensure that the products advertised on our websites are available in your area or that we are not showing you the same ads repeatedly. We treat this information as personal information when it is associated with your account or contact information.

• Information from Cookies and Similar Technologies. We may collect information using cookies or similar technologies. Cookies are small text files containing a string of alphanumeric characters. We may use both session cookies and persistent cookies. A session cookie disappears after you close your browser or app. A persistent cookie remains after you close your browser or app and may be used by your browser or app on subsequent visits to the Service. We do not use cookies to collect Learner personal information, and we do not use cookies for behavioral advertising based on Learner data. Learn how to manage cookies by activating the settings in your browser. To learn more about cookies and how to manage or delete them, look in the Tools or Help section of your web browser or visit allaboutcookies.org. Please review your browser’s “Help” file to learn the proper way to modify your cookie settings. If you delete or block cookies, you may not be able to utilize the features of our Services to their fullest potential.
• Analytics. We use Google Analytics, Meta Pixels, and other similar analytics providers to collect and process certain analytics data on website activities, including page views, source and time spent on our websites. This information is de-identified or aggregated and is displayed in a manner that cannot be reasonably linked back to individual users. Google provides additional privacy disclosures at www.google.com/policies/privacy/partners/ regarding Google Analytics’ cookies. We do not collect cross-website browsing history across third-party websites for advertising purposes. However, if a customer navigates to our website via a search, their web browser may automatically provide the search term used. Our website does not honor “do not track” signals transmitted by web browsers, so we encourage you to visit the following links if you would like to opt out of certain tracking: http://www.networkadvertising.org/choices or http://www.aboutads.info/choices/. Note that if you wish to opt out, you will need to do so separately for each device and each web browser you use.
• Third Parties. This Privacy Policy applies to the Services and information collected by Floreo. Other websites that may be accessible through Floreo websites have their own privacy policies and data collection, use, and disclosure practices. We encourage you to familiarize yourself with the privacy statements provided by all third parties prior to providing them with information or taking advantage of an offer or promotion.
  We may use third-party service providers, such as analytics providers, to help us understand user interactions with our websites. These providers may collect information such as device identifiers, IP addresses, or usage data automatically and directly. If you wish to opt out of third-party cookies, you may do so through your browser settings as described above.
• Satisfaction Survey. When you visit our websites, you may from time to time be invited to participate in a satisfaction survey. If you choose to participate, we may collect your postal code, email address, or other information deemed important to complete the survey. We will only use this information for quality assurance purposes.
• International Visitors to our Websites. In some countries, we are not permitted to send cookies to the browser of a user without prior consent of the affected user. In such cases, we will seek consent as required by applicable law. This section assumes either that the use of cookies is not restricted by applicable law or that the individual has explicitly consented to the use of cookies.

How We Share the Information We Collect

Floreo shares personal information only as described in this Privacy Policy and only to the extent necessary to provide and support the Services, comply with legal obligations, and protect users and the integrity of the Services.

With Health Professionals
Where Floreo is used in a clinical or therapeutic context, we may provide reports or records to a referring healthcare provider at the direction of the End-user or covered entity. This may include sharing reports through a client portal or other secure means to support treatment, care coordination, or healthcare operations, consistent with applicable law and any Business Associate Agreement in place.

With Schools and Clinics
When Floreo is used by schools, districts, clinics, or other institutional customers, we share information with those institutions as directed by them and in accordance with applicable agreements and laws. In these contexts, Floreo acts as a service provider or data processor and does not use Learner or patient data for its own independent purposes.

With Vendors and Service Providers
We may engage third-party service providers and subprocessors to perform services on our behalf, such as hosting, analytics, customer support, security monitoring, and payment processing. These providers receive only the information necessary to perform their services and are contractually required to protect the information, use it only for authorized purposes, and not disclose it to others. A list of our third-party subprocessors is available at: https://floreovr.com/privacy/third-party-subprocessors .

With Content Providers
Under certain licensing agreements, we may share video engagement, usage metrics, or similar statistics with third-party content providers. Any information shared for these purposes is provided only in aggregated or de-identified form and does not identify individual End-users or Learners.

Learner Content Shared at Your Direction
End-users may choose to share Learner-generated content, such as recorded sessions or Learner-driven curriculum, with other authorized End-users. If you choose to share content, limited profile information (such as a profile photo or display name) may be visible to those recipients.

De-identified and Aggregated Data
Where legally permitted, we may share de-identified or aggregated information that cannot reasonably be used to identify an individual. This information may be used for product and service improvement, analytics, research, publications, or to better understand educational or pediatric behavioral health trends. We take steps to ensure that such data is processed in a manner designed to prevent re-identification.

With Regulators and Oversight Bodies
We may share information with regulators or oversight bodies, including the U.S. Food and Drug Administration (FDA), the U.S. Department of Health and Human Services, Institutional Review Boards (IRBs), or similar authorities, where required or appropriate to support regulatory compliance, research oversight, safety monitoring, or audits.

As Required by Law
We may disclose information if required to do so by law, regulation, court order, subpoena, or other legally valid request. In such cases, we make reasonable efforts to disclose only the information legally required and to protect the interests of our users. We may also disclose information to protect the rights, property, or safety of Floreo, our users, or others, or to investigate and prevent fraud or misuse of the Services.

Business Transactions
In the event of a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of the transaction, subject to applicable privacy laws and appropriate protections. If a transaction is not completed, we require that any shared information be returned or deleted.

With Your Consent
We may share personal information with third parties when you provide consent or direct us to do so.

Information We Do NOT Collect or Use

• We do not collect, use or share PII other than as described in our privacy policy, or with the consent of a parent or legal guardian as authorized by law, or otherwise as directed by an applicable district or school or as required by contract or by law.
• In no event shall we use, share or sell any Learner PII for advertising or marketing purposes.
• Third Parties. Our Services may contain links to other websites, products, or services that we do not own or operate. We are not responsible for the privacy practices of these third parties. Please be aware that this Privacy Policy will not apply to your activities or any information you disclose to these third parties.

How We Store, Process, and Protect Your Information

Floreo maintains administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. We regularly review and update our security practices to support the confidentiality, integrity, and availability of the information we process.

Information is stored and processed in secure, monitored environments. Our primary systems are hosted in data centers located in the United States, and information may be backed up to secure, off-site locations for business continuity and disaster recovery purposes.

We apply industry-standard encryption technologies to protect information in transit and at rest. Access to systems and data is restricted based on role and business need, and only authorized Floreo personnel may access personal information when necessary to provide and support the Services.

We maintain governance policies and access controls designed to ensure that information associated with each customer, school, or clinic is logically separated and that users can access only the information they are authorized to access.

Floreo follows documented procedures for secure software development, configuration management, patching, and change management. We periodically review our security controls and practices, including audits and assessments, to help maintain the effectiveness of our safeguards.

While no system can be guaranteed to be completely secure, we maintain incident response, data breach, and disaster recovery procedures designed to promptly investigate and address security incidents. Where required by law or contract, we will notify affected customers, schools, clinics, or other parties of a data breach and coordinate notification to affected individuals or families when appropriate.

Subprocessors and Contractors

Floreo may engage subprocessors or contractors that require access to personal information to perform services on our behalf. Such subprocessors are required to enter into appropriate confidentiality and data protection agreements and may use personal information only as necessary to perform the services they are engaged to provide.

Upon termination of their engagement, subprocessors are required to return or securely delete personal information in accordance with contractual requirements and applicable law.

School and Educational Institution Data (FERPA, COPPA, and State Student Privacy Laws)

Floreo works with schools, districts, and educational institutions to provide supervised educational and skills-based experiences for Learners. When Floreo is used in a school setting, we act as a service provider and, where applicable, as a “school official” with a legitimate educational interest under the Family Educational Rights and Privacy Act (FERPA).

Under our agreements with schools and districts, Floreo performs services that the institution would otherwise use its own employees to perform and is subject to the direct control of the institution with respect to the use and maintenance of education records. We use student data only for authorized educational purposes and do not re-disclose education records except as permitted by law or expressly authorized by the institution.

For purposes of the Children’s Online Privacy Protection Act (COPPA), schools may provide consent on behalf of parents for the collection and use of students’ personal information when Floreo is used solely for educational purposes and for the benefit of the school. Floreo relies on the school’s authorization and representations that appropriate notices and permissions have been provided to parents where required.

Floreo complies with applicable state student privacy and data protection laws incorporated into our school agreements, including laws governing data security, data minimization, breach notification, and restrictions on secondary use of student data. Student data remains under the control of the school or district, and access, correction, or deletion requests are handled in accordance with the institution’s policies and applicable law.

Clinic and Healthcare Data (HIPAA and Rx Context)

Floreo may be used by clinics, healthcare providers, and health systems to support therapeutic, clinical, or care-related activities. In these contexts, Floreo may act as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and applicable state health privacy laws.

When acting as a Business Associate, Floreo uses and discloses Protected Health Information (PHI) only as permitted by law and by the applicable Business Associate Agreement (BAA) in place with the covered entity. PHI may include lesson-play data, progress information, and related reporting where such information is linked to an identifiable patient and used for treatment, healthcare operations, or related purposes.

Lesson-play information collected in clinical contexts is used to support treatment, care delivery, operational reporting, quality assurance, and system integrity. This information is required to provide the Service and support its intended clinical or therapeutic use.

Certain Floreo services may be subject to regulation as medical devices or digital health products. In these cases, Floreo may collect and retain information as necessary to support safety, effectiveness, regulatory compliance, post-market monitoring, and audit obligations. Such processing is conducted in accordance with applicable laws, regulatory requirements, and contractual obligations.

Patients, caregivers, or their authorized representatives may exercise applicable rights with respect to their information through the covered entity or as otherwise permitted by law and the applicable BAA.

Meta Quest Devices – Required Notice

This section applies only to the extent that a Learner or a parent or guardian of a Learner uses a Meta Quest device to access the Floreo Service.

Use of the Floreo Service on a Meta Quest device is subject to the terms, policies, and age restrictions imposed by Meta Platform Technologies (“Meta”). Meta’s terms prohibit the use of Meta Quest devices by children under the age of 10.

Parents or legal guardians of Learners aged 10–12 years old may create a Meta account for the Learner and permit the Learner to use a Meta Quest device, subject to Meta’s requirements. Learners aged 13 years and older may create a Meta account and use a Meta Quest device without parental consent, subject to Meta’s terms.

Floreo does not control Meta accounts or Meta’s data practices. To understand Meta’s data collection, use, and sharing practices, please review Meta’s Supplemental Privacy Policy and Supplemental Terms of Service, which apply upon Meta account creation and device use.

Cookies, Analytics, and Online Tracking

When you visit our websites or use our applications, we may use cookies and similar technologies to operate the Services, enhance functionality, and understand how the Services are used. Cookies are small text files stored on your device that allow us to recognize your browser or device.

We use cookies and analytics tools primarily to support core functionality, security, performance monitoring, and aggregated usage analysis. These tools help us understand which features are used, identify technical issues, and improve the overall user experience.

Floreo does not use cookies or tracking technologies to engage in behavioral advertising based on Learner data. We do not use Learner data for targeted advertising, and we do not sell personal information.

Where required by law, you may be given choices regarding the use of certain non-essential cookies. You may also adjust your browser or device settings to manage cookies; however, disabling cookies may limit certain features of the Services.

Legal Bases for Processing (GDPR / UK GDPR)

For individuals located in the European Economic Area or the United Kingdom, Floreo processes personal data only where a lawful basis applies.

We process information required to deliver lessons and generate reports on the basis of performance of a contract. This includes lesson-play metadata and related reporting information that is necessary to provide the Service requested by the user or institution.

We process certain information on the basis of our legitimate interests, such as maintaining the security and integrity of our systems, preventing fraud or misuse, ensuring service reliability, and improving our Services, provided that these interests are not overridden by the rights and freedoms of individuals.

Where required by law, we rely on consent for optional features, such as certain enhanced analytics, generative AI interactions, or audio or video recordings. Consent may be withdrawn at any time, subject to legal or contractual limitations, and withdrawal may limit access to the specific optional feature but not core lesson functionality.

When processing special categories of personal data, such as health-related information, we rely on explicit consent, processing necessary for the provision of health or social care or treatment, or other lawful bases permitted under applicable data protection laws, including processing under a Business Associate Agreement or similar contractual framework.

When Floreo acts as a data processor for schools or clinics, we process personal data only on the documented instructions of the relevant controller and in accordance with applicable contracts and data protection laws.

International Data Transfers

Floreo is headquartered in the United States, and personal information may be processed and stored in the United States or other countries where Floreo or its service providers operate.

For individuals located in the European Economic Area or the United Kingdom, we implement appropriate safeguards for international transfers of personal data, such as standard contractual clauses approved by relevant authorities or other lawful transfer mechanisms.

Our subprocessors are required to adhere to equivalent data protection and security standards, and onward transfers are subject to contractual safeguards.

Data Retention

We retain personal information only for as long as necessary to provide the Services, fulfill the purposes described in this Privacy Policy, comply with legal or regulatory obligations, resolve disputes, and enforce our agreements.

Lesson-play data and related reporting information are retained in accordance with service requirements, contractual obligations with schools or clinics, and applicable laws. Retention periods may vary depending on how the Services are used and the applicable regulatory context.

When personal information is no longer required, it is securely deleted, anonymized, or de-identified in accordance with our data retention and destruction policies.

Regulated Medical Device Data

Certain Floreo Services may be subject to medical device or digital health regulations. Where Floreo provides a regulated medical device product, we may retain certain information for periods required by applicable law or regulation, including to support product safety, quality management, adverse event reporting, post-market surveillance, and regulatory compliance. These retention obligations may override a general request for deletion where required by law.

Security Safeguards

Floreo implements administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, loss, misuse, or alteration.

These safeguards include access controls, encryption of data in transit and at rest, secure system architecture, regular monitoring, and periodic security assessments. Access to personal information is limited to authorized personnel who require it to perform their job responsibilities.

While we strive to protect personal information, no system can be guaranteed to be completely secure.

Data Breach Notification

Floreo maintains incident response and breach notification procedures designed to promptly investigate and respond to suspected security incidents.

In the event of a data breach involving personal information, we will notify affected customers, schools, clinics, or other relevant parties as required by law or contract. Where appropriate, we will coordinate with institutions to support notification to affected individuals or families.

Your Rights and Choices

Parents and guardians may request access to, correction of, or deletion of personal information associated with their child, subject to applicable laws and institutional requirements. Where a school or clinic controls the data, requests may need to be directed through that institution.

Adult account holders may access and update certain account information through their account settings and may contact us for additional requests. Please note that certain information may be retained as required by applicable law, including requirements related to regulated medical device products.

Individuals located in the European Economic Area or the United Kingdom have rights under the GDPR or UK GDPR, including the right to access, rectify, erase, restrict, or object to processing of personal data, and the right to data portability, subject to applicable limitations.

U.S. State Privacy Rights

California and other U.S. state residents may have additional rights under applicable privacy laws, including the right to request access to or deletion of personal information, subject to verification requirements and legal exceptions.

Where applicable, individuals may submit requests through the contact information provided below. We may need to verify the requester’s identity to protect privacy and security. We do not sell personal information and do not discriminate against individuals for exercising their privacy rights.

International Visitors

The Floreo Services are operated from the United States. If you access or use the Services from outside the United States, please be aware that your personal information may be transferred to, processed, and stored in the United States or other jurisdictions where Floreo or its service providers operate.

Data protection laws in these jurisdictions may differ from those in your country of residence. Where required by applicable law, we implement appropriate safeguards to protect personal information transferred internationally, as described in this Privacy Policy.

Third-Party Services and Links

The Services may contain links to third-party websites, platforms, or services that are not owned or controlled by Floreo. This includes, for example, hardware platforms, app stores, or external content providers.

Floreo is not responsible for the privacy practices, content, or data handling practices of third parties. We encourage you to review the privacy policies and terms of service of any third-party services you access in connection with the Floreo Services.

This Privacy Policy applies only to information collected by or on behalf of Floreo.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations.

When we make material changes to this Privacy Policy, we will post the updated version on our website and, where appropriate, provide additional notice through the Services or by other reasonable means. The “Last Updated” date at the top of the Privacy Policy indicates when it was most recently revised.

Your continued use of the Services after an updated Privacy Policy becomes effective constitutes acceptance of the revised policy, to the extent permitted by law.

How to Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at:

Floreo Inc.
5425 Wisconsin Avenue, Suite 600
Chevy Chase, MD 20815, USA
Email: privacy@floreo.com
Phone: +1 (240) 244-9473

If you wish to report a security concern or suspected data breach, please contact us at:
Email: security@floreovr.com

Controller Contact

Floreo Inc.
5425 Wisconsin Avenue, Suite 600
Chevy Chase, MD 20815, USA
Email: info@floreovr.com

Data Protection Representative

Pursuant to Article 27 of the General Data Protection Regulation (“GDPR”), Floreo has appointed GDPR Local Ltd. as its Data Protection Representative in the European Union. Individuals located in the European Union may contact the representative directly regarding all requests related to data protection and privacy matters:

GDPR Local Ltd.
Email: contact@gdprlocal.com

Pursuant to Article 27 of the GDPR, Floreo has appointed Instant EU GDPR Representative Ltd. as its EU Representative. You may contact them directly regarding all requests related to data protection and privacy matters at:

Instant EU GDPR Representative Ltd.
Office 2, 12A Lower Main Street
Lucan, Co. Dublin
K78 X5P8
Ireland
Email: contact@gdprlocal.com
Tel: +353 1 554 9700

Pursuant to Article 27 of the UK GDPR, Floreo has appointed GDPR Local Ltd. as its UK Representative. You may contact them directly regarding all requests related to data protection and privacy matters at:

GDPR Local Ltd.
1st Floor Front Suite
27–29 North Street
Brighton
England
Email: contact@gdprlocal.com
Tel: +44 1772 217800

• On February 25, 2020, to update privacy and security procedures and to describe FERPA compliance for school customers in various states.
• On July 7, 2020, to update privacy and security procedures to include compliance with Canadian FIPPA privacy requirements.
• On March 21, 2022, added the ability to request deletion of collected data.
• On May 22, 2024, to update managing information preferences, software and hardware descriptions, technical information, descriptions of data collected, data retention processes, FERPA notice requirements, and California CCPA compliance requirements, and to align with the iKeepSafe Safe Harbor Program.
• On October 30, 2024, to add details regarding how information is collected and shared when using optional generative AI interactive content.
• On January 17, 2025, to clarify that websites and Services are for account holders over 18 years of age and that intended use involves supervised or coached experiences with mixed-age Learners.
• On November 18, 2025, to add information regarding GDPR and UK GDPR rights and procedures and to rephrase sections describing how information is used to improve readability.
• On January 2, 2026, to comprehensively restructure and rewrite the Privacy Policy to support use by parents at home, schools, clinics, and direct-to-consumer users; clarify required versus optional data collection (including lesson-play metadata); address parental consent requirements for children under 13; align with EU and UK GDPR requirements; and support current and future general wellness, digital health, and regulated medical device offerings.