Privacy Statement

Updated: 10 Aug 2023


Below you find the Privacy Policy for our services. These are split in Privacy Policy specific to our online presence, and secondly our XR Applications.

0. Glossary

Data Controller”
has the meaning defined in article 4 (7) GDPR.

Data Processor
has the meaning defined in article 4 (8) GDPR.

Regulation 2016/679 f the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

End Client
the company who purchases our products or services.

End User
the natural person who uses our products or services, for example the employee who uses our application to train him/herself.

Indirect User
natural person who gains access to the Product or Solution through a Customer and in that context discloses Personal Data to OneBonsai.

Personal Data
has the meaning defined in article 4 (1) GDPR.

Privacy Statement
refer to the privacy statement stipulated in this document.

the public website of OneBonsai available under the domain

XR Applications
refer to the applications we build that run on Virtual and Augmented Reality devices.

Capitalised terms not defined in the Privacy Statement are defined in the Terms and Conditions available at the following url:

1. Who are you?

1.1. This Privacy Policy describes OneBonsai’s (“we”, “our”) practices for handling your personal information when you use our XR Applications.

1.2. If you have problems understanding anything in this document, do not hesitate to contact us at [email protected].

2. What will I find in this document?

2.1. Below you will learn why, to what extent, for what purpose, and for how long we process your personal data. You will also learn who will have access to your personal data and what your rights are in relation to the processing of the personal data.

2.2. We respect your right to privacy and, despite the fact that we try to process as much information as possible as anonymised or pseudonymised data, we want you to know that your data is safe with us.


For our website

1. Scope of application

1.1. Protecting the Personal Data of its Customers is of paramount importance to OneBonsai. OneBonsai recognizes that when a customer chooses to provide OneBonsai with personal information, the Customer places confidence in our ability to handle Customer privacy in a responsible manner.

1.2. This Privacy Statement applies to the processing of Personal Data provided by Customer to OneBonsai for the purposes of providing the services under an Agreement.

1.3. Modifications to the Privacy Statement shall be notified to the Customer. The new version of the Terms and Conditions shall become applicable in the absence of any opposition from the Customer at the latest one (1) month after this notification.

2. Responsibilities

2.1. In order to provide the services to its customers, OneBonsai collects following Personal Data:

  • contact details and billing information;
  • username of authorised users and IP addresses
  • company information;
  • payment information.Administrative users are required to submit this Personal Data to create user accounts. With regard to this processing, OneBonsai is a Data Controller.

2.2. The Customer acknowledges that it acts in the capacity of Data Controller with regard to the Personal Data of Indirect Users that it uses or submits in or through the Product or Solution. The Customer decides alone which Personal Data of Indirect Users is being collected. In this context, the Customer understands that OneBonsai merely acts as a Data Processor.

2.3. Notwithstanding the above, OneBonsai may have access to a limited stream of technical data related to the use of the Product or Solution. OneBonsai ensures, upon the deployment of the Product or Solution, that such technical data is pseudonymised and encrypted prior to transmission to OneBonsai. This technical data, which includes VR/AR tracking data, is processed by OneBonsai to improve the services offered to the Customer. By agreeing with these Terms and Conditions, the Customer consents with the transmission of this data to OneBonsai.

3. Purposes and legal basis for processing

3.1. OneBonsai collects the Personal Data of Customers for the sole purpose of offering a safe and optimised user experience. Technical data is collected to detect, prevent and mitigate technical issues.OneBonsai also uses Personal Data to keep Customers informed, and invite them to participate in, Product or Solution offerings. The Customer expresses consent to these notifications via an opt-in.

3.2. OneBonsai processes Personal Data on the following legal grounds:

  • on the basis of the execution of the Agreement concluded with the Customer or the execution of pre-contractual steps taken at the request of potential Customers;
  • on the basis of compliance with legal or regulatory provisions with regard to the management of the contractual relationship, invoicing in particular;
  • on the basis of the Customer’s consent;
  • articles 6 (1) (a) to (c) and (f) of the GDPR.

4.  Disclosure of personal information

4.1. OneBonsai may engage third-party service providers for technical, hosting and support purposes. OneBonsai commits itself to only select third-party service providers giving sufficient guarantees to implement appropriate technical and organisational measures relating to the processing of Personal Data.To the extent that the third-party service provider acts as a Data Processor and processes Personal Data on OneBonsai’s behalf, OneBonsai will enter into a data processing agreement before any processing activity is carried out.

4.2. In the course of using a Product or Solution, Customers may be invited to share Personal Data with third-party applications, for example when they choose to access a Product or Solution through such an application. OneBonsai is not responsible for how these third parties process such data.

5. Storage and retention

5.1. OneBonsai has adopted reasonable security measures on a technical and organisational level to avoid the loss, unwanted modification, non-authorised access or the accidental communication of Personal Data to third parties, as well as its non-authorised processing.

5.2. The Personal Data of a Customer is stored only for as long as necessary for the performance of the Agreement. The retention depends on the nature of the Personal Data and the storage technology. It is therefore not possible to specify a specific time frame for the deletion of the Personal Data of Customers.

6. Rights of the Customer

6.1. As data subject, the Customer has the following rights with regard to the Personal Data processed by OneBonsai: right of access (article 15 GDPR), right to rectification (article 16 GDPR), right to erasure (article 17 GDPR), right to restriction of processing (article 18), right to data portability (article 20 GDPR), right to object (article 21 GDPR), and right to withdraw consent (article 7 (3) GDPR).

6.2. With regard to Personal Data of Indirect Users made available through Customers, the rights listed above are fulfilled by the Data Controller.

6.3. Inquiries relating to the exercise of the rights described under this article should be addressed to: [email protected].

7. Cookies

7.1. OneBonsai uses cookies and similar tracking technologies to track the activity on the Website, Product or Solution.

7.2. Cookies are used to offer personalised user experience, remember technical choices and detect and correct technical error which might be present on the Website, Product or Solution.

7.3. When navigating to the Website, the visitor is asked for his consent to the cookies used on the Website. The same goes for an Indirect User when using a Product or Solution. While cookies may be refused or blocked, this may affect the proper functioning of the Website, Product or Solution.

7.4. You may have the right to request that we erase your personal data. For
example, if you think that your personal data are no longer needed for
the purpose for which they have been processed or if you believe that
your personal data are processed by us illegally, you may demand that we
erase your personal data. Erasure or modification requests can be forwarded to the address mentioned under 1.2.

8. Supervisory authority

8.1. Belgian law governs the processing activities conducted by OneBonsai.

8.2. The Belgian Data Protection Authority is competent to control the compliance of the processing activities of OneBonsai with the applicable regulation on Personal Data.


For our XR Applications

1. What personal data do you collect and why?

1.1. So that you can use our XR Applications and we are able to repair and improve the applications, we collect the following data about the End User: identification data (avatar, nickname or user pincode under which you are registered); data concerning the use of our XR Application (when and how and how successfully you completed the application’s goals). Additionally, we gather technical data (data about your device etc.), which can only identify the device, but not the End User.

We only use these personal data for the three below-specified purposes: to enable the functioning of the XR Application, to create anonymized statistics contributing to the improvement of the game and reviewing general usage, and to generate reports and dashboards for our corporate clients to review use and training outcomes.

1.2. Firstly, we need personal data of the person using the XR Application described above (identification data, technical data and game use data) so that the XR Application is functional, including leaderboards etc. The reason for such processing is based on the necessity to fulfil the agreement between the end client and us. For people in the EU and United Kingdom under the age of majority (under 18 years in most EU countries) who have a limited ability to enter into an enforceable contract, the reason for such processing is based on our legitimate interests.

1.3. We need to process some of the personal data of the End User for our statistical purposes. These include either purely technical data (i.e. information not containing any personal data at all) or the other above-described data in pseudonymised form, that is, data to which we assign a special number so that nobody except for us is able to match the data to the existing identifier using the given number. This processing is based on our legitimate interest, which is the continuous improvement of the XR Application. The End Client and End User have the right to object to this processing in the manner described below.

2. How will you process my personal data?

2.1. Our application will require the personal data to be able to track performance for an individual using the application. Furthermore, the personal data is used to provide aggregate and personal dashboards and reporting for the end client and end user.

2.2 Aside from the above reasons, we shall process the information (especially statistics) in aggregated (non-identifiable) form as much as possible, and where this is not possible, we shall process the information in pseudonymised form as much as possible. 

3. Do you need my consent for the processing? 

3.1. In fact, we do not need your consent under GDPR as for all forms of processing, we have other legitimate reasons (because this is necessary for fulfillment of agreement or it is in our legitimate interest).

4. For how long will you retain my personal data?

4.1. We will keep your personal data for as long as it is necessary to fulfill the purposes for which it was collected as described above and in accordance with applicable law. When the license expires or is terminated, the data will be destroyed within 30 days. Only backups of the data can remain, which are stored in an encrypted at-rest state.

5 Do I have to give my personal data to you? Do you have to process them?

5.1. If you want to use our XR Applications, you will have to share some personal data as per paragraph 1 above. However, our applications also allow anonymous use, but in such case it will not be possible to track the performance of individual users.

6. To whom do you transfer my personal data?

6.1. We have personal data in our possession for the whole time. The data is stored in a database specific to the End Client. Some aggregated data can be stored in our central database.

6.2. Apart from us, however, personal data is also processed by some of the platforms that are used to run the application. Then, such personal data will be processed in accordance with the relevant platform’s privacy notice: Oculus.

6.3. Furthermore, we use the following tools and services to further enhance your experience, or to provide functionality:

  • Contabo: hosting of the databases (EU)
  • Sentry: incident monitoring (EU)
  • Runcloud: maintenance of our web infrastructure
  • Epic Games: Connect 2 or more users together in a multi-user session
  • Cloudflare: securing our web infrastructure

7. What rights do I have?

You may assert all of the rights in writing at the below-given postal addresses or by email at [email protected].

7.1. You have the right to access the processed personal data concerning you.

7.2. We only need to process your accurate personal data. You may have the right to the rectification of your personal data that is inaccurate or incomplete.

7.3. You may have the right to request that we erase your personal data. For example, if you think that your personal data are no longer needed for the purpose for which they have been processed or if you believe that your personal data are processed by us illegally, you may demand that we erase your personal data. However, it is not always possible to erase the personal data provided by you, for instance, because of the fact that if we erased them, you would no longer be able to use the XR Applications. In such case, we will ask permission from you as a user, and then proceed with erasure of the data. Note that after erasure, all our XR Applications will seize to function.

7.4. Another right that you may assert is the right to data portability based on which we will hand over the personal data provided by you in a commonly used, structured and machine-readable format or, if you require, we will transfer them to another controller of your own choice, where such transfer is technically feasible.

7.5. If you believe that your personal data processed by us are incorrect, you may have the right to demand that we restrict the processing of your personal data for a period necessary to verify the accuracy of your personal data and to rectify them if needed. You also have this right if the processing of your personal data is illegal, but you do not wish for your personal data to be erased; if we no longer need your personal data for the above-specified processing purposes, but you demand that your personal data are preserved for the purposes of the determination, exercise or defense of your legal claims; or if you have objected to the processing of your personal data on the basis of our legitimate interest.

7.6. With regard to the fact that some of your personal data we process on the basis of our legitimate interest, you may have the right to object to this processing. Based on the objection, we will consider whether it really is in our interest to process your personal data for the given purpose. If we conclude that we do not have any significant legitimate reasons that prevail over your interests, rights, or freedoms, we will terminate the processing of and destroy such personal data. However, it needs to be stressed that such objection should be well-founded. Therefore, we recommend you first obtain all of the necessary information at the above-mentioned email address.

7.8. To make a complaint about our handling of your information, please write to us at [email protected]. You may also raise the matter with your local data protection regulator. Additional information for filing complaints can be found at paragraph 8 below.

8. Contact information

For European region residents (including residents of the United Kingdom)

8.1. The data controller responsible for your information is NorthStone NV which you can contact online or by post at:

NorthStone NV
ATTN: Privacy Operations
8 Verbrande Poort
3000 Leuven

You may also contact the Data Protection Officer for NorthStone NV.

The Belgian Data Protection Authority is competent to control the compliance of the processing activities of OneBonsai with the applicable regulation on Personal Data.