Privacy Policy

Privacy Policy

Last updated: May 2026

This Privacy Policy explains how Immersive Edge Limited (“Immersive Edge”, “we”, “us”, “our”) collects and uses personal data, and the rights available to you under UK data protection law. It applies to our website at , to people and organisations who enquire about or buy our business simulations and related services, to people who receive our marketing, and to participants in our simulations.

1. Who we are

Immersive Edge Limited is a company registered in Scotland (Company Number SC558738), with its registered office at 5 South Charlotte Street, Edinburgh, Scotland, EH2 4AN.

For any privacy matter – including to exercise your rights – you can contact us at:

  • Email: [email protected]
  • Post: Data Protection, Immersive Edge Limited, 5 South Charlotte Street, Edinburgh, EH2 4AN
  • Phone: +44 (0)131 376 0050

We are registered with the Information Commissioner’s Office (ICO) under registration reference ZA758396.

2. When we are a controller, and when we are a processor

This distinction matters, because it determines who is responsible for your data.

We act as a controller (we decide why and how data is used) for: visitors to our website; people who enquire about or purchase our services; the personnel of our customers and partners whom we deal with to deliver services; and recipients of our marketing. This Policy describes that processing.

We act as a processor (we handle data on a customer’s instructions) when we deliver simulations and process participant data on behalf of a customer or delivery partner who is the controller. In that case, the controller is the organisation that engaged us (for example your employer, or the partner running the session), and you should consult that organisation’s privacy notice for how they use your data. Our handling of participant data in that role is governed by the data processing terms in our General Terms and Conditions and by our agreement with the relevant customer, not by this Policy. We have included a short summary of how we look after participant data in Section 9 for transparency.

3. The personal data we collect

Depending on your relationship with us, we may collect:

  • Identity and contact data – name, job title, employer, email address, postal address, telephone number, and where relevant social media account names.
  • Account data – log-in identifiers and access records for our platform (for users of the hosted services).
  • Transaction and billing data – billing address, the services purchased, invoice and payment records. We do not store full card details; card payments are handled by our payment provider (see Section 6).
  • Enquiry and correspondence data – the content of messages, enquiries and support requests you send us.
  • Marketing data – your preferences for receiving marketing and your engagement with it.
  • Participant data (handled as processor – see Sections 2 and 9) – the limited personal data and in-session responses generated when you take part in a simulation.
  • Technical and usage data – IP address, device and browser information, and how you use our website, collected via cookies and similar technologies (see Section 10).

We collect this data directly from you, from your organisation, from your use of our website and services, and occasionally from public sources such as company websites and professional networks.

4. How we use your data, and our lawful bases

Under UK GDPR we must have a lawful basis for each use of your data. The bases we rely on are set out below.

  • To provide our services and perform our contract with you or your organisation – administering accounts, delivering simulations and professional services, processing orders, and providing support. Lawful basis: performance of a contract; legitimate interests where the contract is with your organisation rather than you personally.
  • To take payment and keep accounting records. Lawful basis: performance of a contract; compliance with a legal obligation (tax and accounting law).
  • To respond to enquiries and correspondence. Lawful basis: legitimate interests (responding to people who contact us).
  • To send business-to-business marketing about our services to existing and prospective business contacts. You can opt out at any time. Lawful basis: legitimate interests; consent where required by the Privacy and Electronic Communications Regulations (PECR).
  • To operate, secure and improve our website and services, including analytics and protecting against fraud and misuse. Lawful basis: legitimate interests; consent for non-essential cookies.
  • To comply with legal and regulatory obligations and to establish, exercise or defend legal claims. Lawful basis: legal obligation; legitimate interests.

Where we rely on legitimate interests, we have considered and balanced those interests against your rights, and you can ask us about that assessment using the contact details above.

5. Marketing and your choices

We will only send you marketing where we are permitted to do so. You can opt out at any time by using the unsubscribe link in any marketing email, or by contacting us. Opting out of marketing does not affect service-related communications that we need to send you (for example about your account, orders, or changes to our terms).

6. Who we share your data with

We share personal data only where necessary, with:

  • Service providers (processors) who act on our behalf, such as our hosting and platform infrastructure provider, payment provider, email and communications providers, and professional advisers. These providers may only use the data to provide services to us and are bound by contract to keep it secure and confidential.
  • Our customers and delivery partners, where you are a participant in a simulation they have commissioned (see Sections 2 and 9).
  • Authorities, regulators or third parties where we are required to do so by law, or to establish, exercise or defend legal rights.
  • A buyer or successor, in the event of a sale, reorganisation or transfer of our business, subject to appropriate confidentiality protections.

We do not sell your personal data.

A current list of our key sub-processors is available on request from [email protected].

7. International transfers

We are based in the UK and aim to keep personal data within the UK or the European Economic Area (EEA). Where personal data is transferred outside the UK – for example because a service provider hosts or supports data elsewhere – we ensure an appropriate safeguard recognised under UK GDPR is in place. This means one of: the country benefits from UK “adequacy” regulations; or the transfer is made under the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with any additional measures needed to protect the data.

You can ask us for details of the safeguards applying to a particular transfer using the contact details above.

8. How long we keep your data

We keep personal data only for as long as we need it for the purposes set out in this Policy, and then delete or anonymise it. In general:

  • Customer, contract and billing records are kept for the duration of the relationship and then for 6 years to meet legal, tax and accounting requirements.
  • Enquiry and prospect data is kept for 12 months unless you ask us to delete it sooner.
  • Marketing data is kept until you opt out, and then only as needed to record your preference.
  • Participant data handled as processor is retained and deleted in accordance with our agreement with the relevant controller (see Section 9).

Specific retention periods are set out in our internal retention schedule, available on request.

9. Participant data (where we act as processor)

When you take part in one of our simulations, the organisation that engaged us – your employer, client, or the delivery partner running the session – is the controller of your personal data, and we act as their processor. In that role:

  • we only process participant data on that organisation’s documented instructions and to deliver the simulation and any agreed reporting;
  • we do not use participant data for our own marketing or other independent purposes;
  • we apply appropriate technical and organisational security measures (see Section 11);
  • we keep and delete participant data in line with our agreement with that organisation; and
  • if you wish to exercise your data protection rights over participant data, you should contact the commissioning organisation, although you may also contact us and we will assist them.

10. Cookies and similar technologies

Our website uses cookies and similar technologies to make the site work, to remember your preferences, and (with your consent) to measure usage. Non-essential cookies are only set where you have consented, and you can manage your preferences through our cookie banner or your browser settings.

11. How we keep your data secure

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure. These include encryption of data in transit and at rest, access controls and authentication (including multi-factor authentication where available), and the use of hosting infrastructure operated to recognised security standards (our data centre provider maintains ISO 27001 certification). No system can be guaranteed completely secure, but we work to protect your data and to meet our legal obligations.

12. Your rights

Under UK data protection law you have the right to:

  • access the personal data we hold about you;
  • request rectification of inaccurate or incomplete data;
  • request erasure of your data in certain circumstances;
  • request restriction of our processing in certain circumstances;
  • object to processing based on our legitimate interests, and to object to direct marketing at any time;
  • request portability of certain data; and
  • where we rely on consent, withdraw that consent at any time (without affecting processing already carried out).

You can exercise these rights by contacting us using the details in Section 1. We will respond within one month, though we may extend this by up to two further months for complex or numerous requests, and we will tell you if we do. There is normally no charge; we may only charge a reasonable fee, or decline to act, where a request is manifestly unfounded, excessive or repetitive, or for additional copies. We may need to verify your identity before acting on a request.

13. Complaints

If you have a concern about how we handle your personal data, please contact us first so we can try to resolve it. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority, at any time:

14. Children

Our services are designed for use by organisations and their personnel and are not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in our processing or in the law. The current version is always available at /privacy-policy/, and we will indicate the date it was last updated at the top of this page. Where changes are significant, we will take reasonable steps to bring them to your attention.