Privacy Policy for ImmersiV XP

Last Updated: 01 June 2026

This Privacy Policy describes the policies and procedures of AJ Lakes Training Academy Ltd (trading as ImmersiV XP) on the collection, use, and disclosure of your information and tells you about your privacy rights and how the law protects you.

We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

1. Who We Are and Important Information

AJ Lakes Training Academy Ltd is the Data Controller responsible for your personal data. Where ImmersiV XP is provided to organisations, we may act as a Data Processor. In those cases, the organisation remains the Data Controller and a separate Data Processing Agreement (DPA) applies.

  • Company: AJ Lakes Training Academy Ltd

  • Address: Craig Workshop, Craig Walk, Windermere, Cumbria, LA23 2JT

  • Emails: privacy@immersivxp.com / hello@ajlakes.com

  • Website: www.immersivxp.com

  • ICO Registration: ZB180606 (Valid until 25 August 2026)

2. Data We Collect

We collect and process the following categories of data to provide our services effectively:

  • Identity & Contact Data: Full name, email address, mobile telephone number, job title, company name, employee number, and business enquiries.

  • Account & Training Data: Securely stored login credentials, training progress, performance results, completion records, and certification details.

  • Technical & Usage Data: Automatically collected details including IP addresses, device type, browser type/version, operating system, usage logs, and session activity.

  • VR Interaction Data: User movement, physical interactions within VR environments, scenario decisions, and responses. Note: VR interaction data is not used for biometric identification and is not treated as special category data under UK/EU GDPR.

  • Payment Data: Billing name and address. Payments are handled securely via our PCI-DSS compliant third-party processors (such as Stripe). We do not store full payment card details on our servers.

3. How Your Data is Used and Shared

We process your data to deliver our training services and manage our workflows via the following avenues and third-party systems:

  • Squarespace: To host our website and capture identity, contact, professional, and enquiry details.

  • MemberSpace & Stripe: To handle secure customer membership accounts, portal access, and transaction billing details.

  • Capsule: To securely store contact data, professional details, and business enquiries within our CRM for relationship tracking.

  • Zapier: To automate data workflows and move information between our applications for operational efficiency.

  • Google Workspace: For internal business operations, data processing, and direct email communication.

  • Google Analytics: To monitor website performance, device make/model details, and browsing patterns.

For corporate users: We may share training progress, performance scores, and completion records with your employing organisation as part of the service agreement. We do not sell your personal data. All third parties are contractually required to handle data securely in line with data protection laws.

4. Legal Basis for Processing

We rely on the following lawful grounds to process your personal data:

  • Contractual Necessity: To deliver the ImmersiV XP services, access tokens, and account features you or your organisation request.

  • Legitimate Interests: To improve platform performance, evaluate user experiences, ensure infrastructure security, and operate effectively.

  • Consent: For processing non-essential cookies and sending marketing communications, which can be withdrawn at any time.

  • Legal Obligation: Where required by law or regulatory authorities.

5. Date Sharing

We only share data where strictly necessary to deliver services or comply with legal obligations.

This includes:

  • Hosting and infrastructure providers

  • Payment processors (PCI DSS compliant)

  • Analytics and communication tools

  • Professional advisers (legal, accounting, insurance)

  • Regulatory or law enforcement authorities where required

6. Data Storage and International Transfers

Because our business operations utilise global cloud infrastructures, your personal data is held on secure servers located worldwide. Where data is transferred outside the United Kingdom or the European Economic Area (EEA), we ensure appropriate safeguards are met by utilising UK/EU Adequacy Decisions, Standard Contractual Clauses (SCCs), or rigid Transfer Impact Assessments.

7. Security and Data Retention

We employ technical and organisational security measures, including data encryption in transit and at rest, role-based internal access controls, secure authentication systems, and staff data protection training. In the event of a data breach, we will notify relevant authorities and affected individuals where required by law.

We retain personal data only as long as necessary:

  • Active Subscriptions: Kept throughout your active subscription period.

  • Inactive Accounts: Maintained for up to 24 months, after which they are securely deleted.

  • Training Records & Certificates: Held for up to 6 years.

  • Financial Records: Retained for up to 7 years to comply with HMRC requirements.

  • Marketing Data: Stored until explicit consent is withdrawn.

8. Automated Decision-Making

We do not make legally significant decisions or create legal profiles based solely on automated processing.

9. Your Legal Rights

Under UK and EU data protection laws, you have the right to request access to your data, correct inaccuracies, request erasure ("the right to be forgotten"), restrict processing, object to processing, and exercise data portability.

To exercise any of these rights, please contact us at hello@ajlakes.com. We will respond to valid requests within one calendar month. You also retain the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or your relevant supervisory authority.

11. Security

• Encryption and secure data storage

• Role-based access controls

• Secure authentication systems

• Staff confidentiality obligations and data protection training

In the event of a data breach, we will notify relevant authorities and affected individuals where

required by law.

10. Children’s Privacy

ImmersiV XP is designed for users aged 13 and over. We do not knowingly collect personal data from children under the age of 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information without proper consent, please contact us immediately so we can remove the data from our infrastructure.

11. Changes

We may update this Privacy Policy periodically. Changes will be posted with a revised date. Continued use of the platform constitutes acceptance of any updated policy.

12. Contact Us

For any enquiries regarding this policy, please reach out to us at:

  • Email: privacy@immersivxp.com / hello@ajlakes.com

  • Website: www.immersivxp.com

  • Post: Craig Workshop, Craig Walk, Windermere, Cumbria, LA23 2JT