PRIVACY POLICY
We appreciate the trust you place in VictoryXR and we are committed to respecting your privacy and the security of your personal information.
This privacy policy sets out how VictoryXR uses and protects any information that you give VictoryXR when you use this website. VictoryXR is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement. VictoryXR may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes.
Education Addendum (K-12)
This Addendum applies when VictoryXR provides products or services to schools, districts, or students.
A. Parental Rights (Under Age 13)
- Opt-in consent required: For children under 13, we collect Student Personal Information only with verifiable parental consent (or consent provided by the school acting as the parent’s agent under COPPA/FERPA).
- Parent controls: Parents/guardians may review, correct, delete, or withdraw consent for their child’s information at any time. To do so, contact the school or email privacy@victoryxr.com with the subject line “Parent Request.” We verify identity (and school relationship) before fulfilling requests.
- Opt-out of non-essential data: Parents may opt out of any non-essential data collection features that are not required for core educational use. Core safety, security, and service-function data may still be processed.
B. What We Collect
We collect only what’s needed to provide and support the educational service and only if parents opt-in.
When accounts or sign-ins are not used, or parents opt-out, a device ID is the only identifier gathered (used for internal operations).
1) Student Data (when personally identifiable accounts or sign-ins are used)
- Identifiers: Name, student ID (district-provided), school-issued email/username.
- Enrollment/Context: School/district, grade level, class/section, assigned teacher(s).
- Educational Content: Work created in the software (e.g., assignments, drawings, answers, recordings, uploads), scores, feedback, timestamps, progress.
- Support/Safety: Reports, flags, or moderation outcomes related to school conduct policies.
PII-Free: without parental consent, students do not log in and we do not collect names, emails, IDs, or other PII. Any work created is saved only locally/on school-controlled systems, or is stored de-identified so it cannot be tied to a specific student.
2) Educator & Administrator Data
- Identifiers & role: Name, school/district email, school name, job role.
- Class management: Rosters (as provided by the school), assignments created, grading/feedback activities.
- Support: Communications with VictoryXR for implementation or troubleshooting.
3) Automatically Collected Technical Data (all users)
- Device & network: IP address, device type, OS, browser, app version, language, time zone.
- Usage & diagnostics: Logins, session duration, page views, feature use, crash/error logs, and basic telemetry needed to ensure reliability, security, and performance.
- Cookies/Local Storage: Only those necessary for sign-in, security, settings, and (where allowed) privacy-respecting analytics. No third-party ad cookies.
C. How We Use Student Data (Educational Purposes Only)
Student Personal Information is used solely for educational purposes, including:
- Instruction & learning: Deliver lessons, content, assessments, and feedback.
- Academic planning & administration: Roster management, progress monitoring, reporting to educators/parents as directed by the school.
- School safety & wellbeing: Enforce school policies and community standards.
- Health & required reporting (if directed by the school): Support lawful state/federal reporting the school must perform.
- Operations & security: Ensure availability, integrity, authentication, fraud prevention, and compliance.
Where feasible, we use de-identified or aggregate data for analytics, quality, and product improvement.
D. Prohibited Uses (Bright-Line Rules)
- No targeted advertising: We never use Student Personal Information for targeted advertising or interest-based ad profiling, and we do not allow third-party ad tech to track students on our services.
- No selling data: We do not sell Student Personal Information, and we do not disclose it to data brokers.
- No marketing profiles: We do not build or augment marketing profiles about students.
- No unrelated purposes: We do not use Student Personal Information for purposes unrelated to education, school administration, safety, security, or legal compliance.
E. Sharing & Service Providers
- We share Student and Educator data only with contracted service providers (e.g., hosting, support, analytics strictly limited to our purposes) under agreements that prohibit selling, advertising use, or secondary use.
- We disclose data when required by law (e.g., valid legal process) or directed by the school.
- In a business transition (e.g., merger), the successor must honor these education privacy commitments or seek renewed consent from the school.
F. Access, Retention, and Deletion
- Access/Correction/Deletion: Parents and eligible students exercise rights through their school; educators may also contact us directly. We assist the school in fulfilling verified requests within legal timeframes.
- Retention: We retain Student Personal Information only as long as necessary for the school’s authorized educational purposes or as required by law/contract.
- Deletion on request/exit: Upon verified request from the school—or at the end of the contract—we delete or de-identify Student Personal Information within agreed timelines, subject to legal holds and backup cycles.
G. Security
We protect personal information with encryption in transit and at rest, role-based access, and least-privilege controls; we perform security testing and maintain an incident response plan. Suspected breaches are promptly investigated and, where required, we notify the school, families, and regulators.
H. Contact (Education Privacy)
- District/School requests: Please have your data protection lead email privacy@victoryxr.com.
- Parents/Guardians: Contact your school first; we will support the school’s verified request. You can also write to privacy@victoryxr.com (include school name and student initials).
WHAT WE COLLECT
We may collect the following information:
- Name
- Contact information including email address
- Demographic information such as postcode, preferences and interests
- other information relevant to customer surveys and/or offers
WHAT WE DO WITH THE INFORMATION WE GATHER
We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:
- Internal record keeping.
- We may use the information to improve our products and services.
- We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
- From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customize the website according to your interests.
SECURITY
We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
HOW WE USE COOKIES
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
LINKS TO OTHER WEBSITES
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
CONTROLLING YOUR PERSONAL INFORMATION
You may choose to restrict the collection or use of your personal information in the following ways:
- Whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes
- If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at info@victoryxr.com.
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.
You may request details of personal information which we hold about you under the Data Protection Act 1998. A small fee will be payable. If you would like a copy of the information held on you please write to 5200 SW 30th St. Davenport, IA 52802.
If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.
PRIVACY OF CHILDREN ON OUR WEBSITE
Our Website is not intended for use by children under the age of 13, and we do not knowingly collect personal information from children under the age of 13
POLICY CHANGES
From time to time, we may use customer information for unanticipated uses not previously disclosed in our privacy notice. If our information practices change, we will post these changes on our Website. We encourage you to review our privacy policy periodically.
QUESTIONS OR COMMENTS?
Customers may direct any questions or inquiries with respect to the privacy principles outlined above or about our practices by contacting us at info@victoryxr.com.
Business Continuity, Disaster Recovery, and RTO/RPO Policy
Effective Date: [January 1, 2026]
Approved By: Executive Leadership
1. Purpose
This policy establishes VictoryXR’s Business Continuity (BC) and Disaster Recovery (DR) framework and defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) consistent with district procurement requirements for mission-critical educational technology systems.
VictoryXR is committed to maintaining operational resilience, protecting customer data, and restoring services within defined timeframes appropriate to system criticality.
2. Scope
This policy applies to:
VXRLabs immersive instructional platform
HoloTutor AI instructional platform
Device management integrations and supporting services
Administrative and customer-facing systems
All production cloud infrastructure supporting district implementations
3. System Tier Classification
VictoryXR classifies its systems according to district-defined recovery tiers.
Tier 1 — Critical Systems
Definition: Systems where downtime or data loss would immediately disrupt instruction, safety, or compliance.
For district deployments where VXRLabs or HoloTutor serve as core daily instructional platforms, VictoryXR designates these production environments as:
Declared Tier: Tier 1 – Critical System
Recovery Targets:
RTO: 4–8 hours
RPO: 15 minutes – 1 hour
Tier 2 — Important Systems
Definition: Systems that significantly impact operations but allow short-term workarounds.
Examples within VictoryXR environment:
Analytics dashboards
Reporting tools
Content management interfaces
Administrative portals
Declared Tier: Tier 2 – Important System
Recovery Targets:
RTO: 24 hours
RPO: Up to 24 hours
Tier 3 — Standard Systems
Definition: Systems where limited downtime or data loss is tolerable.
Examples:
Supplemental instructional content
Optional experimental features
Non-mission-critical applications
Declared Tier: Tier 3 – Standard System
Recovery Targets:
RTO: 72 hours
RPO: 24–48 hours
4. Business Continuity Strategy
VictoryXR maintains documented Business Continuity Plans (BCP) designed to ensure:
Continuity of instructional access
Protection of customer and student data
Communication with affected districts
Rapid restoration of production services
Escalation procedures and executive oversight
The BCP includes:
Incident response protocols
Defined roles and responsibilities
Communication trees
Vendor and cloud provider coordination
Manual workaround procedures where applicable
5. Disaster Recovery Architecture (High-Level)
VictoryXR’s disaster recovery architecture includes:
Cloud-hosted infrastructure in geographically redundant data centers
Automated failover capabilities
Load-balanced production environments
Segmented development, staging, and production environments
Encrypted data storage at rest and in transit
Production systems are architected to minimize single points of failure and to support rapid service restoration in the event of infrastructure disruption.
6. Backup Strategy and Frequency
VictoryXR maintains the following backup practices:
Automated database backups at intervals consistent with RPO targets
Snapshot backups of production systems
Redundant storage across availability zones
Encrypted backup storage
Retention schedules aligned with data protection standards
For Tier 1 systems:
Backup frequency supports RPO of 15 minutes to 1 hour.
For Tier 2 systems:
Daily backups with recovery support up to 24 hours.
For Tier 3 systems:
Scheduled backups supporting recovery within 24–48 hours.
Backup integrity is monitored and validated on a recurring basis.
7. Disaster Recovery Testing
VictoryXR conducts periodic disaster recovery testing to validate restoration capabilities and ensure compliance with defined RTO and RPO objectives.
Testing includes:
Backup restoration verification
Failover validation exercises
Tabletop incident simulations
Infrastructure redundancy checks
Testing occurs at least annually for Tier 1 systems and periodically for Tier 2 and Tier 3 systems. Results are reviewed by leadership and documented for continuous improvement.
8. Mandatory Vendor Disclosures (VictoryXR Declaration)
In compliance with district RFP requirements, VictoryXR provides the following disclosures:
Declared System Tier: Tier 1 – Critical (for core instructional deployments)
Defined RTO: 4–8 hours
Defined RPO: 15 minutes – 1 hour
Backup Strategy: Automated encrypted backups with frequency aligned to RPO requirements
Disaster Recovery Architecture: Cloud-based, geographically redundant, failover-enabled infrastructure
DR Testing Confirmation: Periodic testing conducted and documented
9. Continuous Improvement
VictoryXR reviews and updates its Business Continuity and Disaster Recovery plans annually or upon significant infrastructure changes to ensure ongoing alignment with:
District requirements
Regulatory standards
Industry best practices
Evolving cybersecurity threats
10. Contact for Compliance Inquiries
Districts may request additional documentation, including summaries of disaster recovery testing or architectural overviews, by contacting:
Security & Compliance Office
VictoryXR
security@victoryxr.com and info@victoryxr.com
VictoryXR remains committed to ensuring reliable, resilient access to immersive instructional technologies that support student learning without interruption.
Artificial Intelligence & Machine Learning Disclosure and Compliance Policy
Effective Date: January 1, 2026
Approved By: Executive Leadership
1. Purpose
VictoryXR is committed to transparency, student data privacy, and responsible AI practices. This policy outlines VictoryXR’s requirements for disclosure, use, governance, and control of artificial intelligence (AI) and machine-learning (ML) functionality within its products and services.
This policy ensures compliance with FERPA and other applicable federal and state privacy laws, as well as district procurement requirements.
2. Full Disclosure of AI Functionality
VictoryXR shall disclose all AI or machine-learning functionality embedded within its platforms, including but not limited to:
AI-driven tutoring or instructional agents
Adaptive learning systems
Automated content generation tools
Data analytics powered by machine learning
Conversational AI features
Predictive or recommendation engines
Disclosures will describe:
The purpose of the AI feature
The type of data processed
Whether student data is used in inference
Whether human oversight is involved
VictoryXR acknowledges that disclosure does not imply district approval and that districts reserve the right to evaluate, score negatively, or reject proposals based on disclosed AI practices.
3. Prohibition on Training Commercial or Generalized Models
VictoryXR strictly prohibits the use of District data to train generalized, public, or commercial AI models.
Specifically:
Student data, educator data, and district operational data will not be used to train foundation models or shared AI systems.
District data will not be incorporated into generalized commercial datasets.
Data processed for AI functionality is used solely to provide contracted services to the District.
Where third-party AI providers are used, VictoryXR ensures contractual safeguards prevent the use of district data for model training beyond the scope of the district’s services.
4. FERPA and Privacy Compliance
All AI and ML features comply with:
The Family Educational Rights and Privacy Act (FERPA)
Applicable state student data privacy laws
Applicable federal data protection regulations
VictoryXR treats student data as confidential education records and implements appropriate administrative, technical, and physical safeguards to protect such information.
AI systems are designed to:
Minimize data collection
Limit data retention
Restrict access to authorized personnel
Ensure secure transmission and storage
5. District Control and AI Disablement
VictoryXR recognizes the District’s authority over AI-enabled functionality.
Where applicable:
AI features can be disabled at the district or administrative level.
Districts may request configuration changes to limit or modify AI behavior.
AI functionality will not be activated beyond the scope agreed upon in the contract.
VictoryXR will provide documentation explaining how AI features may be enabled, configured, or disabled.
6. Non-Disclosure Consequences
VictoryXR understands that failure to fully disclose AI usage and its implications may result in:
Disqualification from consideration
Rejection of proposals
Negative scoring during evaluation
Determination of non-responsiveness
VictoryXR affirms its commitment to full transparency and compliance with all disclosure requirements.
7. Ongoing Review
This policy is reviewed periodically to ensure alignment with evolving regulatory standards, district expectations, and responsible AI best practices.
VictoryXR remains committed to ethical AI deployment that supports student learning while protecting privacy and maintaining district control.