Updated: September 10, 2020
Your use of any user data collected or processed through the Oculus Platform, whether directly or indirectly, is subject to this Oculus Developer Data Use Policy (“Policy”). “Oculus Platform” means the set of APIs, SDKs, tools, plugins, code, technology, content, and services made available by us that enables others, including app developers, content providers, and website operators, to develop software or other functionality (including apps).
This Policy explains your obligations with respect to the receipt, collection, use and processing of User Data (as defined below) in connection with any Content you distribute via the Oculus Platform. “Content” includes any application or other technical integration with the Oculus Platform or to which we have assigned an app identification number, or any virtual reality experience, immersive media (e.g., 180- or 360-degree video), documentary, music, concert, visuals, audio content, animations or other content you distribute.
To use the Oculus Platform, integrate in-app services (e.g., matchmaking, leaderboards), distribute Content, retrieve data from us, or provide data to us, you must agree to this Policy, as well as our other applicable terms and policies made available to you, including those on our Developer Portal.
This Policy is effective as of the date you accept it or otherwise start accessing or using the Oculus Platform, and will continue until you stop accessing and using the Oculus Platform, unless earlier terminated as described below.
If you fail to comply with this Policy or any other applicable terms or policies, we may suspend or remove your Content and limit or terminate your developer access to the Oculus Platform, as described below.
Capitalized terms not otherwise defined in this Policy have the meaning given in our other terms and policies, including our Terms of Service.
If you independently collect or process personal data from an end user (whether a person or an entity) through your Content (including without limitation through web based account creation, or inputs from the end user through the Oculus headset), then it is your responsibility, as required by applicable law, to obtain any permissions/consents from the end user and/or rely on any appropriate legal basis for use or other processing of that personal data (the “Developer User Data”). It is also your responsibility to obtain consent or clear direction from end users before you give Oculus any Developer User Data.
“Oculus User Data” is any data, information, or content that is about or associated with a person, device, or unique identifier (including anonymized or hashed user IDs) that you obtain from Oculus.
“Device User Data” is any data, information, or content that is about or associated with a person, device, or unique identifier (including anonymized or hashed user IDs) that you obtain directly from an Oculus device (including microphone or camera data, or headset position or hand tracking data).
Together, Oculus User Data and Device User Data are referred to as “User Data.”
You can use User Data solely for the following purposes:
You will not perform, or facilitate or support others in performing, any of the following prohibited practices (collectively, “Prohibited Practices”):
You may share User Data only:
You agree to use no less than industry standard security measures to protect against unauthorized access, use or disclosure of User Data and Developer User Data, and to respond to and comply with all end user requests under applicable law. Without limiting the foregoing, you must delete User Data, and ensure your service provider(s) delete User Data, when a user requests their User Data be deleted or no longer has an account (unless the User Data has been obscured, or de-identified so that it cannot be associated with a particular user, browser or device). You must notify us within 24 hours of becoming aware of unauthorized processing of data or incidents that could compromise your IT systems. You must immediately begin remediation of the incident to keep us informed.
CONTENT REVIEW: In order to publish Content that uses our data-sharing APIs or otherwise accesses Oculus User Data (“Data Sharing”), you will need to submit your Content for review (“Content Review”). You must ensure that your Content is compliant with this Policy and all other applicable terms and policies prior to submitting it for Content Review. If your Content doesn’t pass Content Review, you will not be entitled to Data Sharing and we may take additional actions further detailed below.
REGULAR MONITORING: We will review your Content for compliance with this Policy and other applicable terms and policies from time to time, including at least once a year, in our sole discretion. We also will conduct regular monitoring of your Content and its access to and/or processing of Oculus User Data using technical and operational measures. You agree to cooperate with our Content Review and provide any additional information we may request in connection therewith. We may verify information you provide to us in connection with any such Content Review.
CERTIFICATION: We will require an annual self-certification of your continued compliance with this Policy in order for you to continue Data Sharing. This will include certifying: (i) your compliance with this Policy and all other applicable terms and policies, and (ii) the purpose or use for the Data Sharing you have requested or have access to, and that each such purpose or use complies with this Policy and all other applicable terms and policies. In addition, from time to time, we may request information, certifications, and attestations relating to your use of the Oculus Platform or processing of Oculus User Data, which you will provide to us in the requested time frame and form. All such certifications and attestations must be provided by your authorized representative.
AUDIT: In the event of a Necessary Condition (defined below), we, or third-party professionals working at our direction (including auditors, attorneys, consultants, and/or computer forensics analysts), may conduct a review, inspection, or audit of your and your service providers’ IT Systems or Records (“Audit”), to ensure that your and your Content’s processing of Oculus User Data is and has been in compliance with this Policy and all other applicable terms and policies.
“IT Systems” means information technology systems (real and virtual), networks, technologies, and facilities (including physical and remote access to data centers and cloud facilities) that process Oculus User Data
“Records” mean books, agreements, access logs, third-party reports, policies, processes, and other records regarding the processing of Oculus User Data.
“Necessary Condition” means any of the following: (i) it is required by applicable law, rule, or regulation or otherwise required or requested by a court order or governmental authority; (ii) we suspect that you or your Content has processed Oculus User Data in violation of this Policy or other applicable terms or policies; (iii) you enter into a change of control transaction or transfer (or request to transfer) any of your rights or obligations under this Policy or other applicable agreements, terms or policies; (iv) we determine in our sole discretion it is necessary to ensure that you and your Content have deleted Oculus User Data in accordance with this Policy and all other applicable terms and policies; or (v) we determine in our sole discretion it is necessary to ensure proper remediation of any non-compliance revealed by an Audit.
Any Audit will be conducted during normal business hours, with as little business interruption as reasonably possible, after providing you with at least 10 business days’ written notice (email will suffice), unless we determine in our sole discretion a Necessary Condition requires more immediate access. You will cooperate with the Audits, including by (i) providing all necessary physical and remote access to your IT Systems and Records, and (ii) providing information and assistance as reasonably requested (including making your personnel who are knowledgeable about your or your Content’s processing of Oculus User Data available for our questioning). You will also use commercially reasonable efforts to get permission and cooperation from your service providers for us to conduct such Audits with respect to their IT Systems, Records, and applicable personnel. You will remedy any non-compliance revealed by an Audit as soon as reasonably practicable (as we determine based on the facts and circumstances), after which we may conduct follow-up Audits to ensure proper remediation of the non-compliance. If an Audit reveals any non-compliance by you or your service provider(s) then you will reimburse us for all of our reasonable costs and expenses associated with conducting the Audit and any related follow-up Audits. Our Audit rights under this Section will survive until one year after the later of when you affirmatively demonstrate that you have stopped processing all Oculus User Data and when any data derived from Oculus User Data that are in your and your service providers’ possession or control have been deleted. For the avoidance of doubt, nothing in this Section limits any other rights or remedies we may have by law, in equity, or under this Policy or other applicable terms or policies.
With or without advance notice to you, we may enforce against your Content if we conclude you have violated this Policy or are negatively impacting the Oculus Platform, and/ or suspend your Content, while we investigate suspected violations of this Policy. You must keep your contact information up to date and respond to our requests and requests from users to delete User Data.
We may take enforcement action against you and your Content, if we believe, in our sole discretion, that:
In accordance with our Terms of Service, you will not transfer any of your rights or obligations under this Policy to anyone else without our prior consent. Transfer can include assignment, acquisition, merger, change of control, or other forms of transfer. Any unpermitted transfer will be considered null and void. For any permitted transfer of Content, you will obligate the transferee to comply with this Policy and other applicable terms and policies, and re-submit such App and Content through our App Review process for our review and approval. After any such permitted transfer by you of Content, you can only access, use, share, and retain User Data to the extent permitted by, and in compliance with, this Policy and applicable laws and regulations.
You also must comply with all applicable laws and regulations (including without limitation the European General Data Protection Regulation, ePrivacy Directive and any related EEA countries’ requirements, California Consumer Privacy Act, the Children’s Online Privacy Protection Act, and the Video Privacy Protection Act). If there is any conflict between this Policy and any other applicable online terms, the terms that are more restrictive on you and your Content or more protective of us apply.
We reserve the right to amend this Policy at any time. Your continued use of or access to Oculus Platform or User Data after any such amendment will constitute your binding agreement to this Policy as amended.
We may change, suspend, or discontinue the availability of the Oculus Platform at any time. In addition, we may impose limits on certain features and services or restrict your access to parts or all of the Oculus Platform or our other APIs or websites without notice or liability.
When this Policy has ended, all rights granted to you under this Policy will immediately stop and you will immediately stop using the User Data. The following Sections will remain in effect after this Policy has ended: Section 4 (Prohibited Uses of User Data), Section 5 (Sharing User Data), Section 6 (Security), Section 8 (Enforcement) and Section 9 (General).