Privacy Policy

Last Updated: May 12, 2026

SpatialReal Inc. ("SpatialReal", "we", "us", or "our") is a Delaware corporation that operates the SpatialReal Platform — an AI service enabling real-time human-AI interactions through photorealistic digital avatars, including our website at spatialreal.ai, the Studio at app.spatialreal.ai, the AvatarKit SDK for third-party developers, and our API.

Registered Address: 131 Continental Drive, Suite 305, Newark, DE 19713, United States
Contact: legal@spatialreal.com

1. Introduction

This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you:

• Visit spatialreal.ai or use our Live Demo (collectively, the "Consumer Service")
• Use third-party applications that integrate the AvatarKit SDK ("Developer App")
• Register as a developer for our SDK or API (the "Developer Service")

2. Important Notice: Controller vs. Processor

Note: The AvatarKit SDK does not collect, transmit, or process end-user video, voice, or audio data. Avatar rendering occurs locally on the end user's device.

3. Personal Information We Collect

3.1 Consumer Service (Website and Live Demo)

Information You Provide:

• Contact data: name, email, professional title, company (e.g., when you submit our contact form)
• Account data: username, password, profile details; third-party authentication via Google or GitHub
• Communications data: messages and inquiries you send to us
• Payment data: order information processed via Stripe; raw card numbers are not stored on our systems
• Marketing preferences: your opt-in choices for emails and other communications

Audio and Interaction Data (Live Demo Only):

• Voice input is captured to enable real-time AI conversation, processed through Automatic Speech Recognition (ASR)
• Raw audio is deleted immediately upon transcription completion
• Text transcripts may be retained by our real-time communications provider for up to 30 days, then permanently deleted
• Synthetic voice is analyzed for avatar lip-sync; user biometric facial geometry is not collected during the Live Demo

Automatically Collected Data:

• Device data (operating system, browser, device type, resolution, IP address, language)
• Usage data (pages visited, session duration, navigation paths, access times)
• Communication interaction data (email open and click tracking, where applicable)
• Coarse geolocation data (city or country level, derived from IP address)

3.2 SDK Integrations (Developer Apps)

The AvatarKit SDK processes only AI-generated synthesized audio for lip-sync and animation computation. It does not:

• Collect, record, or transmit end-user voice or audio input
• Process end-user biometric data
• Retain end-user personal information

Technical logs (crashes, errors) are retained for 30 days for debugging purposes.

3.3 Developer Accounts

• Contact data (name, email, company)
• API usage and technical logs
• Payment and billing information

3.4 Developer Avatar Generation (Image Uploads)

Where developers upload photographs to generate custom avatars, we collect and retain:

• Source photographs uploaded by developers
• Generated 3D avatar model files produced from those photographs

These materials are retained for the duration of the account plus 30 days after deletion.

Developer Responsibility: Developers must obtain explicit, informed consent from every individual depicted in an uploaded photograph before submission. SpatialReal disclaims liability for any developer's failure to obtain such consent.

4. Biometric Information Notice

4.1 Scope

We process data that may constitute biometric information under applicable law:

• Live Demo: audio data processed via ASR (which may be classified as a "biometric identifier" under laws such as the Illinois Biometric Information Privacy Act, "BIPA")
• Developer Avatar Generation: facial photographs used for 3D avatar creation

All such data is treated as sensitive personal information regardless of local law.

4.2 Purpose and Consent

By using the Live Demo and providing voice input, you consent to audio processing for the sole purpose of generating an immediate AI response. Consent may be withdrawn by ceasing use. Where required by law, we obtain explicit prior consent before any biometric processing begins.

4.3 No Voiceprint Database

SpatialReal does not maintain searchable voiceprint or facial geometry databases. We do not sell, lease, or trade biometric data to third parties.

4.4 Retention

• Audio data: deleted immediately upon ASR completion
• SDK integrations: no end-user audio data collected

5. How We Use Your Personal Information

AI Model Improvement: Aggregated and anonymized usage data (session metadata, interaction patterns — not raw conversation transcripts) may be used to benchmark and improve our AI models.

Trust and Safety: We may analyze inputs to detect violations of our Acceptable Use Policy.

6. Tracking Technologies

We use cookies, web beacons, and similar technologies:

• Essential cookies: authentication (Google, GitHub), session management, and payment fraud prevention (Stripe)
• Analytics cookies: product analytics via PostHog
• Marketing cookies: interest-based advertising, where used and with your consent

You can manage cookies via your browser settings or via any cookie preferences link we make available on the website.

Do Not Track: We do not currently respond to DNT signals. Manage your preferences via cookie settings.

Global Privacy Control (GPC): We are working to recognize GPC signals. California residents may opt out of sale or sharing by contacting legal@spatialreal.com.

7. How We Share Your Personal Information

We do not sell personal information. We share data with:

• Service providers: hosting and infrastructure providers, real-time communications providers, ASR providers, analytics providers (including PostHog), email delivery providers, and Stripe for payments — all bound by data processing agreements
• Authentication providers: Google and GitHub, where used (handled under their respective privacy policies)
• Developer App operators: anonymized error logs or usage statistics for debugging purposes
• Professional advisors: lawyers, auditors, and insurers for professional services
• Authorities: law enforcement or government bodies pursuant to valid legal process
• Business transferees: in connection with a merger, acquisition, or asset sale (with notification)
• With your consent: third parties you explicitly authorize

8. Data Retention

When personal information is no longer required, we delete, anonymize, or securely isolate it.

9. International Data Transfers

SpatialReal is headquartered in the United States. We and our service providers operate globally, including in countries without equivalent data protection levels to the EU, UK, or other regions from which our users may access the Platform.

Safeguards for transfers outside your home jurisdiction may include:

• Adequacy decisions: transfers to countries recognized as providing adequate protection, where available
• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (or UK International Data Transfer Agreements) for transfers of EEA / UK residents' personal data to the United States
• Contractual protections: binding agreements with all data recipients outside your home jurisdiction

The United States is not currently designated as adequate by the European Commission for general personal-data transfers. EEA / UK residents' personal data transfers to the United States are therefore made under SCCs.

Contact legal@spatialreal.com for information on the specific safeguards applicable to your data transfer.

10. Your Rights and Choices

10.1 General Rights (All Users)

• Access and update: log in to review or correct your information, or contact us
• Opt out of marketing: follow the unsubscribe instructions in marketing emails, or contact legal@spatialreal.com
• AI training opt-out: email legal@spatialreal.com to opt out of the use of your anonymized session metadata for AI model improvement
• Cookie management: via the cookie preferences in your browser
• Account deletion: email legal@spatialreal.com with the subject line "Account Deletion Request"

10.2 Rights Under US State Privacy Laws

California Residents (CCPA / CPRA):

• Right to Know, Access, Delete, and Correct your personal information
• Right to Opt-Out of Sale or Sharing (we do not sell personal information)
• Right to Limit Use of Sensitive Personal Information
• Right to Non-Discrimination for exercising your privacy rights

Submit requests to legal@spatialreal.com. We verify requests using the email address associated with your account.

Virginia, Colorado, Connecticut, Texas, and Other States: Residents of these and other US states with comprehensive privacy laws have similar rights, including the rights to access, correct, delete, and to opt out of targeted advertising and certain forms of profiling. Contact legal@spatialreal.com.

10.3 Rights Under GDPR (EEA and UK Users)

EEA and UK residents have additional rights under the GDPR and UK GDPR:

• Deletion ("right to be forgotten")
• Restriction of processing
• Data portability
• Object to processing based on legitimate interests or direct marketing
• Withdraw consent at any time (without affecting the lawfulness of prior processing)
• Lodge complaints with supervisory authorities:
  • EEA: https://edpb.europa.eu/about-edpb/board/members_en
  • UK: https://ico.org.uk/make-a-complaint/

GDPR Representative (Article 27): SpatialReal is not established in the EEA or UK. Based on our current operations and user base, we have assessed that we are not required to appoint an Article 27 representative at this time, as we do not systematically offer goods or services to, or monitor the behavior of, individuals in the EEA or UK. We will review this assessment if our operations change.

Submit GDPR requests to legal@spatialreal.com.

11. Children's Privacy

The Consumer Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. Parents or guardians who believe we have collected information from a child without the required consent should contact legal@spatialreal.com for prompt deletion.

SDK Developer Responsibility: Developers using the AvatarKit SDK are solely responsible for ensuring that their applications comply with the Children's Online Privacy Protection Act (COPPA), the UK Age Appropriate Design Code, and any other applicable local law. Developers must not integrate our SDK into applications directed at children under 13 without implementing appropriate age-verification and parental-consent mechanisms. SpatialReal disclaims liability for any developer's failure to comply.

12. Security

We implement technical, organizational, and physical security measures, including:

• Encryption in transit (TLS 1.2 or higher) and at rest
• Access controls and least-privilege principles
• Regular security assessments
• Incident response procedures

No system is perfectly secure. We will notify affected individuals and authorities of data breaches as required by applicable law, including under US state breach notification statutes and within 72 hours to EU supervisory authorities for GDPR-notifiable breaches.

13. Other Websites and Services

Our Service may contain links to third-party websites or applications. We are not responsible for their privacy practices. We encourage you to review their privacy policies before providing personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy at any time. Material changes will be communicated by updating the "Last Updated" date and, where appropriate, by email or in-Service notification. Where a change affects processing based on consent, we will seek renewed consent before the new processing begins. Discontinue use of the Service if you disagree with the changes.

15. Contact Us

Email: legal@spatialreal.com

We aim to respond to all inquiries within 30 days.