Effective date: [September 05, 2025]
This Privacy Policy explains how The Virtual Mall of America, LLC (“VMOA,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you access our websites, immersive environments, zones, apps, and services (collectively, the “Services”). By using the Services, you agree to this Policy and any updates posted after the Effective Date. If you do not agree, please discontinue use.
Controller: The Virtual Mall of America, LLC, [Insert business address], Reading, Pennsylvania, USA.
Coverage: This Policy applies to all VMOA websites, immersive experiences, creator and brand portals, communications, AI-powered features, and any linked or embedded Services we control.
Not covered: Third-party sites, SDKs, stores, or platforms we link to but do not control. Their policies govern their practices.
Audience: General audience. Certain sections include rules for EEA/UK, Canada, Brazil, and specific U.S. states.
Changes: We may update this Policy. We will revise the Effective Date and, where required, provide notice. Continued use means you accept changes.
Account details: Name, handle, email, password, profile photo, avatar settings.
Identity and age checks: Date of birth, government ID (if verification is needed), parental consent information for under-18 users where required.
Contact and preferences: Country/region, language, communication preferences.
Creator/brand onboarding: Business name, role, tax information, payment details, licensing and IP representations.
Content and UGC: Posts, chat messages, voice interactions, avatars, spatial layouts you design, feedback, survey responses, support tickets.
Commerce: Shipping address, billing address, payment method details (processed by our payment processors), order contents and history.
Usage data: Pages and zones visited, session duration, clicks, interactions, referral URLs, search queries, feature use, crash/diagnostic reports.
Device and network: IP address, device identifiers, browser type/version, OS, screen resolution, time zone, network type, approximate location inferred from IP.
Cookies and similar tech: Cookies, web beacons, SDKs, local storage, session replay (if enabled), and analytics identifiers. See Section 4.
Service providers and partners: Payment processors, analytics providers, content moderation vendors, advertising and attribution partners, anti-fraud vendors.
Single sign-on or social logins: If you connect third-party accounts, we receive identifiers and profile details you authorize.
Other users and public sources: Reports, invitations, mentions, and publicly available information.
Avatars and presence: Avatar name, appearance, inventory, interactions, friends/follows, presence indicators.
Spatial context data: Room/zone layout data, object placement, movement within a zone, and environmental telemetry necessary for rendering and safety.
Audio/voice features: If you opt in to voice chat or voice commands, we may process audio streams for quality, safety, and feature functionality. We do not create or store biometric voiceprints without explicit consent.
Biometrics and inferences: We do not collect biometric identifiers (e.g., face geometry, iris, fingerprints) without your explicit, informed consent where legally permitted. We do not require biometrics to use the Services.
Sensitive data: We ask that you do not provide sensitive personal data (e.g., health, precise geolocation, financial account numbers, or government IDs) unless explicitly requested for a specific feature and protected purpose (e.g., identity verification, payments).
Minimum age: The Services are not intended for children under 13. Users 13–17 may use certain features with parental or guardian consent where required by law.
Parental controls: If we learn a child under 13 used the Services, we will delete the data. Parents or guardians can contact us to request deletion or manage a minor’s account.
We use personal information to operate, improve, and protect the Services. Where applicable (e.g., EEA/UK), processing is based on the legal grounds noted.
Provide and maintain the Services:
Operate accounts, render immersive zones, enable social features, store inventories, deliver content.
Legal bases: Contract, Legitimate interests.
Safety, trust, and moderation:
Detect, prevent, and respond to abuse, fraud, illegal content, security incidents; enforce Terms; age-gate features.
Legal bases: Legitimate interests, Legal obligation.
Personalization and experience quality:
Recommend zones, creators, and events; customize avatars or layouts; remember settings.
Legal bases: Consent (where required), Legitimate interests.
Analytics and service improvement:
Measure performance, fix bugs, conduct A/B tests, improve accessibility and load times.
Legal bases: Legitimate interests, Consent (where required).
Communications:
Send transactional messages, support responses, policy updates, marketing (with opt-out options and opt-in where required).
Legal bases: Contract, Legitimate interests, Consent (for marketing where required).
Payments and commerce:
Process orders, subscriptions, refunds, taxes, anti-fraud.
Legal bases: Contract, Legal obligation, Legitimate interests.
Legal compliance and rights:
Comply with laws, defend legal claims, respond to lawful requests.
Legal bases: Legal obligation, Legitimate interests.
Automated decisions and profiling:
We may use limited profiling to personalize content, detect fraud, or moderate harmful behavior. You can object to or request human review where your local law provides that right.
What we use:
Strictly necessary: Authentication, security, network management.
Functional: Preferences, accessibility features, remembering choices.
Performance/analytics: Traffic, engagement, crash analytics.
Advertising/measurement: Attribution, frequency capping, interest-based ads (only where permitted and with required consents).
Your choices:
Cookie banner and settings: Manage preferences at any time via “Cookie Settings” in the footer.
Browser controls: Block or delete cookies in your browser; some features may not work properly.
Do Not Track: We do not respond to DNT signals, but we honor legally required opt-outs (see Section 8).
We do not sell personal information. We may “share” data for targeted advertising only with your consent where required by law, and you can opt out (see Section 8).
Service providers:
Purpose: Hosting, cloud storage, analytics, customer support, content moderation, communications, security, and payment processing.
Safeguards: Contractual confidentiality and use restrictions.
Payment processors:
Purpose: Process payments, prevent fraud, handle chargebacks.
Data: Limited billing and transaction metadata; card details are handled by the processor and not stored by VMOA.
Partners and integrations:
Purpose: Optional brand zones, creator tools, social logins, attribution, or SDKs that extend functionality.
Control: Your use of integrations may be governed by the partner’s privacy policy.
Legal, safety, and compliance:
Purpose: Respond to lawful requests, enforce our Terms, protect rights, property, and safety of users and the public.
Business transfers:
Purpose: In a merger, acquisition, financing, restructuring, or sale of assets, data may be transferred under appropriate safeguards.
Public or community content:
Purpose: Content you post in public zones or community areas may be viewable by others, searchable, and indexable.
Retention:
Operational data: Kept while you maintain an account and as needed for service operation.
Transaction records: Retained as required for tax, accounting, and legal obligations.
Moderation and safety logs: Retained for a period proportionate to risk and legal requirements.
Deletion: We delete or anonymize data when no longer needed for the purposes collected, subject to legal holds.
Security:
Technical measures: Encryption in transit, access controls, logging, segmentation, backups.
Organizational measures: Least privilege, vendor due diligence, employee confidentiality obligations, incident response.
Limitations: No system is 100% secure; we encourage strong passwords and two-factor authentication where available.
Transfers: Your data may be processed in the United States and other countries that may have different data protection laws.
Safeguards: Where required, we use recognized mechanisms such as Standard Contractual Clauses and comparable frameworks, and we assess vendors’ security and privacy practices.
Your choices: If your local law grants rights related to international transfers, you may contact us to learn more about applicable safeguards.
Your rights depend on your location and the applicable law. We will not discriminate against you for exercising your rights.
Access, correction, deletion: You can request a copy, correction, or deletion of your data, subject to legal exceptions.
Portability: Request a machine-readable export where technically feasible.
Marketing preferences: Opt out of marketing emails via the unsubscribe link or account settings.
Cookies and ads: Manage cookie and ad preferences in the “Cookie Settings” and via applicable platform settings.
Right to know/access: Categories and specific pieces of personal information we collected.
Right to delete: Ask us to delete personal information, subject to exceptions.
Right to correct: Fix inaccurate personal information.
Right to opt out: Opt out of the “sale” or “sharing” of personal information and targeted advertising.
Right to appeal: If we deny your request, you may appeal; we will explain our decision and how to escalate.
How to exercise: Use the methods in Section 12. California residents may also use an authorized agent with proper verification.
Rights: Access, rectification, erasure, restriction, portability, and objection to processing based on legitimate interests or direct marketing.
Consent withdrawal: Where processing relies on consent, you may withdraw at any time.
Complaints: You may lodge a complaint with your local supervisory authority.
Rights: Access, correction, deletion, data portability (where applicable), and information about processing.
Consent: You may withdraw consent to optional processing at any time, without affecting lawful processing prior to withdrawal.
Sensitive information: We only use sensitive personal information for limited, necessary purposes.
Do Not Sell or Share: We do not sell personal information. If we “share” for cross-context behavioral advertising, you can opt out via “Your Privacy Choices” in the footer.
Metrics: We will maintain records of request metrics where required.
AI features:
Purpose: Recommendations, safety moderation, accessibility, and in‑experience enhancements.
Controls: We minimize personal data use and apply safeguards. Where required, we obtain consent.
Automated decisions: For significant effects, you may request human review where your law provides that right.
UGC and social features:
License: By posting content, you grant us a non‑exclusive, worldwide, royalty‑free license to host, display, and distribute it within the Services and for promotion of those Services.
Moderation: We may remove or restrict content that violates our Terms, community guidelines, or the law.
Spatial and presence data:
Use: Rendering, safety, performance, and personalization within zones.
Limits: We do not derive or store biometric identifiers from spatial data without explicit consent and clear purpose.
Voice and chat:
Use: Facilitate communication, safety review, and quality improvement.
Options: You can mute, block, or report users and opt out of certain features where available.
Policy updates: We may update this Policy to reflect changes in our practices or legal requirements. Material changes will be highlighted, and we will obtain consent where required by law.
Contact us:
Email: [Insert privacy email]
Mail: The Virtual Mall of America, LLC, [Insert address], Reading, PA, USA
Data protection contact: [Insert DPO or privacy lead contact if applicable]
Region-specific contacts: You may contact your local data protection authority if you believe your rights have been violated.
Submit a request: Email us at [Insert privacy email] with the subject “Privacy Request,” or use [Insert web form link].
Verification: We may request information to verify your identity and jurisdiction.
Response time: We generally respond within 30–45 days, or as required by applicable law.
Authorized agents: California residents may use an authorized agent; we may require proof of authorization.
Appeals: If we deny a request, you may appeal by replying to our decision email with “Appeal” in the subject line.
Your Privacy Choices / Do Not Sell or Share My Personal Information: [Insert link]
Cookie Settings: [Insert link]
Delete My Account: [Insert link or instructions]
Report a Concern: [Insert link or email]
Do Not Track: We do not respond to DNT signals. Use Cookie Settings and opt‑out links for control.
Retention periods: We maintain a schedule aligning to purpose, legal, and security needs; specific periods available upon request.
Definitions: “Personal information” means information that identifies, relates to, or can reasonably be linked to an individual or household; definitions may vary by law. “Processing” includes collecting, using, storing, disclosing, or otherwise handling personal information.
Effective Date: [Insert Date]
This Cookie Policy explains how The Virtual Mall of America, LLC (“VMOA,” “we,” “us,” or “our”) uses cookies and similar technologies to recognize you when you visit our websites, immersive environments, and related online services (“Services”). It explains what these technologies are, why we use them, and your rights to control their use.
This policy should be read together with our [Privacy Policy] and [Terms of Service].
Cookies are small text files placed on your device when you visit a website or use an online service. They are widely used to make websites work, improve efficiency, and provide reporting information.
Cookies set by VMOA are called “first‑party cookies”. Cookies set by parties other than VMOA are called “third‑party cookies”. Third‑party cookies enable features or functionality provided by third parties (e.g., analytics, advertising, social media).
We use cookies and similar technologies for several purposes:
Strictly Necessary Cookies – Required for the operation of our Services (e.g., authentication, security, load balancing).
Functional Cookies – Remember your preferences (e.g., language, accessibility settings, avatar configurations).
Performance & Analytics Cookies – Collect information about how visitors use our Services (e.g., most visited zones, error reports) to improve performance.
Targeting & Advertising Cookies – Deliver relevant ads, measure campaign performance, and limit ad frequency (only where permitted and with required consent).
Immersive & AI‑Specific Cookies – Store spatial layout preferences, zone entry history, and AI personalization settings to enhance your virtual experience.
| Category | Purpose | Examples | Retention |
|---|---|---|---|
| Strictly Necessary | Enable core site functions, security, and account login | Session ID, CSRF token | Session only |
| Functional | Remember user settings and preferences | Language choice, avatar skin | 6–12 months |
| Performance/Analytics | Measure usage and improve services | Google Analytics, heatmaps | 6–24 months |
| Targeting/Advertising | Deliver relevant ads and measure effectiveness | Meta Pixel, ad network IDs | 3–12 months |
| Immersive/AI | Save zone layouts, AI chat preferences | Zone history, AI personalization token | Session–12 months |
We may also use:
Web beacons / pixels – Small graphics with a unique identifier to track engagement.
Local storage & session storage – Browser‑based storage for faster loading and offline features.
SDKs – Embedded code in mobile or immersive apps for analytics, crash reporting, and personalization.
Some cookies are placed by third parties that provide services on our behalf, such as:
Analytics providers (e.g., Google Analytics)
Advertising networks (only with consent where required)
Social media platforms (e.g., Facebook, X/Twitter, LinkedIn)
Payment processors and fraud prevention tools
We do not control these cookies. Please review the third party’s privacy and cookie policies for more information.
You have the right to decide whether to accept or reject cookies:
Cookie banner & settings – On your first visit, you can accept, reject, or customize cookie categories. You can change your preferences at any time via the “Cookie Settings” link in the footer.
Browser controls – Most browsers allow you to block or delete cookies.
Opt‑out tools – For targeted advertising, you can opt out via industry tools such as the or .
Do Not Track – We do not respond to DNT signals, but we honor legally required opt‑outs.
Where required by law, we will only use non‑essential cookies with your consent. Strictly necessary cookies are used based on our legitimate interest in providing a secure and functional service.
We may update this Cookie Policy from time to time. The “Effective Date” at the top will indicate the latest revision. Material changes will be communicated via our Services or by email where required.
If you have questions about this Cookie Policy or our use of cookies, contact:
The Virtual Mall of America, LLC
admin@thevirtualmallofamerica.com