US Privacy Notice
Last updated: July 7, 2026
1. Scope of this notice
This notice supplements our Privacy Policy and Cookie Policy for visitors and users located in the United States. It addresses the California Consumer Privacy Act as amended by the CPRA, the Colorado Privacy Act, the Virginia CDPA, the Connecticut CTDPA, the Texas TDPSA and the Washington My Health My Data Act (MHMDA), among comparable state laws.
VRET is a professional (B2B) virtual reality exposure therapy platform sold to licensed clinicians and clinics. For the clinical data processed inside the platform, the clinician or clinic is the controller/business and VRET acts as a service provider/processor under their instructions (see the Data Processing Agreement). For our marketing and website data (the information described below), VRET is the business/controller.
2. Categories of personal information we collect
- Identifiers and professional contact data — work email, name, practice type, when you submit a form, book a demo or subscribe.
- Internet / device activity — pages viewed, referrer, approximate location (from IP), and analytics identifiers, only if you consent (see our cookie banner).
- Marketing attribution — campaign parameters (UTM) and advertising click identifiers, only if you consent.
- Inferences — limited, aggregate campaign attribution (which channel brought a visit). We do not build individual advertising profiles.
We collect this information directly from you and automatically from your device. We do not knowingly collect personal information from minors; the Service is not directed to children.
3. How we use it
- To respond to your enquiry, provide a demo and operate the Service.
- To measure and improve our website and marketing (with consent).
- To meet legal, security and accounting obligations.
4. We do not sell or share your personal information
VRET does not sell your personal information, and does not “share” it for cross-context behavioural advertising as those terms are defined under the CPRA and comparable state laws. We have not sold or shared personal information in the preceding 12 months.
We use a limited set of analytics and advertising-measurement service providers (Google Analytics 4, Microsoft Clarity, LinkedIn Insight Tag), and only after you consent. These are engaged as service providers/processors under contractual restrictions and are not authorised to use your information for their own purposes.
5. Global Privacy Control (GPC)
We honour the Global Privacy Control browser signal. If your browser or extension sends a GPC signal, we treat it as a valid request to opt out of any sale/sharing and of targeting cookies, and we do not set analytics or advertising cookies for that visit. You can also manage your choices at any time from the “Manage cookies” link in the footer.
6. Your state privacy rights
Depending on your state of residence, you may have the right to:
- Know and access the personal information we hold about you.
- Correct inaccurate personal information.
- Delete your personal information.
- Obtain a portable copy of your information.
- Opt out of sale/sharing and of targeted advertising (see section 4-5).
- Not be discriminated against for exercising your rights, and to appeal a denied request where your state provides an appeal.
Washington My Health My Data Act: the MHMDA has no revenue or volume threshold and covers consumer health data with a private right of action. Where we process any consumer health data of Washington residents in our marketing context, we do so only with your consent and do not sell it.
7. How to exercise your rights
Submit a request to privacidad [arroba] vret.es with the subject “US privacy request”. We will verify your request using the information you provide and respond within the timeframe required by your state law (generally 45 days, extendable once). You may use an authorised agent where your state permits.
8. Health data and your clinical relationship
For the clinical data processed inside the platform on behalf of a clinician or clinic, that professional is the controller and the governing framework is set out in our master services agreement and Data Processing Agreement. Additional contractual terms apply before any regulated health information is onboarded; contact us before onboarding such data.
9. Contact
For any question about this notice or your rights: privacidad [arroba] vret.es.