Last updated: March 2026
1. Introduction
This Data Processing Addendum (“DPA”) forms part of the agreement between ImmerseMe Limited (“ImmerseMe”, “we”, “us”, “our”) and the customer (“Institution”, “you”, “your”).
This DPA applies where ImmerseMe processes Personal Data on behalf of the Institution in connection with the use of the ImmerseMe platform (“Platform”).
This DPA reflects the parties’ agreement regarding the processing of Personal Data in accordance with applicable data protection laws, including GDPR, UK GDPR, and relevant education privacy laws such as FERPA.
2. Definitions
For the purposes of this DPA:
- Personal Data means any information relating to an identified or identifiable individual
- Processing means any operation performed on Personal Data
- Data Controller means the entity determining the purposes and means of processing
- Data Processor means the entity processing data on behalf of the Controller
- Subprocessor means a third party engaged by the Processor
- Applicable Laws means all relevant data protection and privacy laws
3. Roles of the Parties
- The Institution is the Data Controller
- ImmerseMe is the Data Processor
ImmerseMe will process Personal Data:
- Only on documented instructions from the Institution
- Only for the purpose of delivering the Platform
4. Scope and Purpose of Processing
Purpose
Processing is carried out to:
- Provide language learning services
- Deliver analytics and insights
- Support educational outcomes
- Maintain and improve the Platform
Categories of Data Subjects
- Students
- Teachers and educators
- Administrators
Categories of Personal Data
- Basic identifiers (e.g. name, email)
- Educational data (e.g. class, progress)
- User-generated content (e.g. speech recordings, text responses)
- Technical and usage data
5. Processor Obligations
ImmerseMe shall:
- Process Personal Data only on documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist the Institution with data subject rights requests
- Assist with compliance obligations under applicable laws
- Notify the Institution of any Personal Data Breach (see Section 10)
- Delete or return Personal Data upon termination (see Section 11)
6. Student Data Protections
ImmerseMe commits that:
- Student data is used only for educational purposes
- Student data is never sold
- Student data is not used for advertising, profiling, or marketing
- Student data is processed in accordance with institutional instructions
7. AI Data Processing
Where AI features are used:
- AI is used solely to support educational functionality
- Personal Data is minimised before being processed by AI systems
- Limited data may be transmitted to trusted AI service providers
- Identifiable student data is not used to train general-purpose AI models
- AI outputs are assistive and subject to human oversight
8. Subprocessors
ImmerseMe may engage Subprocessors to support the Platform.
ImmerseMe shall:
- Maintain a current list of Subprocessors
- Ensure Subprocessors are contractually bound to data protection obligations
- Ensure Subprocessors implement appropriate safeguards
- Remain fully responsible for Subprocessor performance
Subprocessor Changes
ImmerseMe will notify the Institution of material Subprocessor changes at least 14 days in advance, where required by applicable law.
9. International Data Transfers
Where Personal Data is transferred internationally, ImmerseMe will ensure appropriate safeguards, including:
- Standard Contractual Clauses (SCCs)
- Transfers to jurisdictions with adequacy decisions
- Secure processing infrastructure
10. Data Breach Notification
In the event of a Personal Data Breach:
- ImmerseMe will notify the Institution within 48 hours of becoming aware of the breach
- Notification will include:
- Description of the breach
- Categories of data affected
- Likely consequences
- Mitigation steps taken
ImmerseMe will cooperate with the Institution to support compliance with regulatory obligations.
11. Data Retention and Deletion
Upon termination of services:
- Personal Data will be deleted or anonymised within 30 days
- Backup systems may retain data for up to 90 days before permanent deletion
Data may be retained where required by law.
12. Data Subject Rights
ImmerseMe will assist the Institution in responding to requests relating to:
- Access
- Rectification
- Erasure
- Restriction
- Data portability
- Objection
13. Security Measures
ImmerseMe implements appropriate technical and organisational measures, including:
- Encryption in transit
- Access controls and authentication safeguards
- Secure cloud infrastructure
- Monitoring and logging
- Vendor due diligence
Security practices are regularly reviewed and improved.
14. Audits and Compliance
Upon reasonable request, ImmerseMe will provide information necessary to demonstrate compliance with this DPA.
This may include:
- Documentation
- Security summaries
- Compliance responses
15. FERPA Alignment
Where applicable:
- ImmerseMe acts as a school official with legitimate educational interest
- Student data is used only for authorised educational purposes
- Data is not redisclosed except as permitted by the Institution or required by law
16. Term and Termination
This DPA remains in effect for the duration of the agreement.
Upon termination:
- Processing ceases
- Data is handled in accordance with Section 11
17. Governing Law
This DPA is governed by the same law as the Terms of Use, unless otherwise agreed.
18. Contact
For questions regarding this DPA:
19. Final Statement
ImmerseMe is committed to protecting personal data and supporting institutions in meeting their privacy and compliance obligations globally.