Developer Data Use Policy

Updated: September 10, 2020

Your use of any user data collected or processed through the Oculus Platform, whether directly or indirectly, is subject to this Oculus Developer Data Use Policy (“Policy”). “Oculus Platform” means the set of APIs, SDKs, tools, plugins, code, technology, content, and services made available by us that enables others, including app developers, content providers, and website operators, to develop software or other functionality (including apps).

This Policy explains your obligations with respect to the receipt, collection, use and processing of User Data (as defined below) in connection with any Content you distribute via the Oculus Platform. “Content” includes any application or other technical integration with the Oculus Platform or to which we have assigned an app identification number, or any virtual reality experience, immersive media (e.g., 180- or 360-degree video), documentary, music, concert, visuals, audio content, animations or other content you distribute.

To use the Oculus Platform, integrate in-app services (e.g., matchmaking, leaderboards), distribute Content, retrieve data from us, or provide data to us, you must agree to this Policy, as well as our other applicable terms and policies made available to you, including those on our Developer Portal.

This Policy is effective as of the date you accept it or otherwise start accessing or using the Oculus Platform, and will continue until you stop accessing and using the Oculus Platform, unless earlier terminated as described below.

If you fail to comply with this Policy or any other applicable terms or policies, we may suspend or remove your Content and limit or terminate your developer access to the Oculus Platform, as described below.

Capitalized terms not otherwise defined in this Policy have the meaning given in our other terms and policies, including our Terms of Service.


If you independently collect or process personal data from an end user (whether a person or an entity) through your Content (including without limitation through web based account creation, or inputs from the end user through the Oculus headset), then it is your responsibility, as required by applicable law, to obtain any permissions/consents from the end user and/or rely on any appropriate legal basis for use or other processing of that personal data (the “Developer User Data”). It is also your responsibility to obtain consent or clear direction from end users before you give Oculus any Developer User Data.

You must clearly articulate your collection, use and processing of Developer User Data and User Data (defined below) in a publicly available and easily accessible privacy policy and abide by that privacy policy. It is also your responsibility to comply with any and all privacy and data protection laws in all applicable jurisdictions.

Your privacy policy may not supersede, modify, be less protective than, or otherwise be inconsistent with this Policy or our other applicable terms and policies with respect to User Data. This Policy applies to all User Data regardless of the disclosures you include in your privacy policy. For example, you may not sell User Data even if you disclose your intention to do so in your privacy policy.

You must retain your privacy policy in effect while using the Oculus Platform and maintain a publicly available privacy policy with current, and up to date, links to your privacy policy in the privacy policy field in your Content submission documentation, so that it can be provided to end users of your Content on the applicable product description page.


Oculus User Data” is any data, information, or content that is about or associated with a person, device, or unique identifier (including anonymized or hashed user IDs) that you obtain from Oculus.

Device User Data” is any data, information, or content that is about or associated with a person, device, or unique identifier (including anonymized or hashed user IDs) that you obtain directly from an Oculus device (including microphone or camera data, or headset position or hand tracking data).

Together, Oculus User Data and Device User Data are referred to as “User Data.”


You can use User Data solely for the following purposes:

  • Running, supporting and maintaining your Content in order to provide the experience to the end user requesting the Content and from whom the User Data was collected; and
  • Conducting analytics pertaining to your Content, and using such insights to improve your Content, provided that such User Data has been aggregated, and de-identified or anonymized such that it cannot be re-identified.


You will not perform, or facilitate or support others in performing, any of the following prohibited practices (collectively, “Prohibited Practices”):

  • Retaining, using, or disclosing User Data for any purpose other than those described in this Policy, the SDK License Agreement and any other applicable agreements with Oculus;
  • Using User Data for marketing or advertising purposes;
  • Selling, licensing, purchasing, renting, or lending User Data or similar actions, or permitting a third party to do so;
  • Using User Data to profile, discriminate, or encourage discrimination against people based on their race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition, or any other categories protected by applicable law, regulation, or other Oculus terms or policy;
  • Using User Data to perform, facilitate, or provide tools for surveillance. Surveillance includes the collection, use, or sharing of information about people, groups, or events for law enforcement, national security, intelligence or counter-intelligence purposes. The foregoing doesn’t prevent you from responding to a valid court order, if you provide Oculus with written notice and evidence of the court order, unless expressly prohibited by law from doing so;
  • Using User Data to ascertain the identity of a natural person, including real name, or actual facial or body images, to the extent not disclosed by the User Data (for example, through use of AI, facial recognition or gait identifying technologies);
  • Combining User Data with any other data, including with data separately collected by you or received from a third party;
  • Attempting to decode, circumvent, re-identify, de-anonymize, unscramble, unencrypt, reverse hash, or reverse engineer User Data that is provided to you;
  • Using User Data in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property rights or other rights of any person, or that violates any applicable law or regulation; or
  • Accessing or collecting User Data or allowing User Data to be collected using automated means such as harvesting bots, robots, spiders, or scrapers.


You may share User Data only:

  • When an end user expressly directs you in writing to share their User Data with a third party (you must retain proof of the end user’s express direction and provide it to us if we ask for it);
  • With third party service providers, provided you’ve obtained adequate permission or have other adequate legal basis to do so, and so long as you first have obtained a written agreement with such service provider that (1) limits the third party service provider’s use of User Data only to uses on your behalf to provide services to your app (and not for their own purposes or any other purposes); (2) prohibits third party service providers from using the User Data in any way that would violate this Policy or any other applicable Oculus terms or policies; and (3) requires third party service providers to keep User Data secure and confidential. You must ensure that any such third parties comply with this Policy and all other applicable terms and policies as if they were in your place, and ensure that such third parties are responsible for any non-compliance. In any event, you are responsible to Oculus for your own and any such third parties’ acts and omissions, including such third parties’ noncompliance; or
  • When required under applicable law or regulation (you must retain proof of the applicable legal or regulatory requirement or request and provide it to us if we ask for it).


You agree to use no less than industry standard security measures to protect against unauthorized access, use or disclosure of User Data and Developer User Data, and to respond to and comply with all end user requests under applicable law. Without limiting the foregoing, you must delete User Data, and ensure your service provider(s) delete User Data, when a user requests their User Data be deleted or no longer has an account (unless the User Data has been obscured, or de-identified so that it cannot be associated with a particular user, browser or device). You must notify us within 24 hours of becoming aware of unauthorized processing of data or incidents that could compromise your IT systems. You must immediately begin remediation of the incident to keep us informed.


CONTENT REVIEW: In order to publish Content that uses our data-sharing APIs or otherwise accesses Oculus User Data (“Data Sharing”), you will need to submit your Content for review (“Content Review”). You must ensure that your Content is compliant with this Policy and all other applicable terms and policies prior to submitting it for Content Review. If your Content doesn’t pass Content Review, you will not be entitled to Data Sharing and we may take additional actions further detailed below.

REGULAR MONITORING: We will review your Content for compliance with this Policy and other applicable terms and policies from time to time, including at least once a year, in our sole discretion. We also will conduct regular monitoring of your Content and its access to and/or processing of Oculus User Data using technical and operational measures. You agree to cooperate with our Content Review and provide any additional information we may request in connection therewith. We may verify information you provide to us in connection with any such Content Review.

CERTIFICATION: We will require an annual self-certification of your continued compliance with this Policy in order for you to continue Data Sharing. This will include certifying: (i) your compliance with this Policy and all other applicable terms and policies, and (ii) the purpose or use for the Data Sharing you have requested or have access to, and that each such purpose or use complies with this Policy and all other applicable terms and policies. In addition, from time to time, we may request information, certifications, and attestations relating to your use of the Oculus Platform or processing of Oculus User Data, which you will provide to us in the requested time frame and form. All such certifications and attestations must be provided by your authorized representative.

AUDIT: In the event of a Necessary Condition (defined below), we, or third-party professionals working at our direction (including auditors, attorneys, consultants, and/or computer forensics analysts), may conduct a review, inspection, or audit of your and your service providers’ IT Systems or Records (“Audit”), to ensure that your and your Content’s processing of Oculus User Data is and has been in compliance with this Policy and all other applicable terms and policies.

  • IT Systems” means information technology systems (real and virtual), networks, technologies, and facilities (including physical and remote access to data centers and cloud facilities) that process Oculus User Data

  • Records” mean books, agreements, access logs, third-party reports, policies, processes, and other records regarding the processing of Oculus User Data.

  • Necessary Condition” means any of the following: (i) it is required by applicable law, rule, or regulation or otherwise required or requested by a court order or governmental authority; (ii) we suspect that you or your Content has processed Oculus User Data in violation of this Policy or other applicable terms or policies; (iii) you enter into a change of control transaction or transfer (or request to transfer) any of your rights or obligations under this Policy or other applicable agreements, terms or policies; (iv) we determine in our sole discretion it is necessary to ensure that you and your Content have deleted Oculus User Data in accordance with this Policy and all other applicable terms and policies; or (v) we determine in our sole discretion it is necessary to ensure proper remediation of any non-compliance revealed by an Audit.

Any Audit will be conducted during normal business hours, with as little business interruption as reasonably possible, after providing you with at least 10 business days’ written notice (email will suffice), unless we determine in our sole discretion a Necessary Condition requires more immediate access. You will cooperate with the Audits, including by (i) providing all necessary physical and remote access to your IT Systems and Records, and (ii) providing information and assistance as reasonably requested (including making your personnel who are knowledgeable about your or your Content’s processing of Oculus User Data available for our questioning). You will also use commercially reasonable efforts to get permission and cooperation from your service providers for us to conduct such Audits with respect to their IT Systems, Records, and applicable personnel. You will remedy any non-compliance revealed by an Audit as soon as reasonably practicable (as we determine based on the facts and circumstances), after which we may conduct follow-up Audits to ensure proper remediation of the non-compliance. If an Audit reveals any non-compliance by you or your service provider(s) then you will reimburse us for all of our reasonable costs and expenses associated with conducting the Audit and any related follow-up Audits. Our Audit rights under this Section will survive until one year after the later of when you affirmatively demonstrate that you have stopped processing all Oculus User Data and when any data derived from Oculus User Data that are in your and your service providers’ possession or control have been deleted. For the avoidance of doubt, nothing in this Section limits any other rights or remedies we may have by law, in equity, or under this Policy or other applicable terms or policies.


With or without advance notice to you, we may enforce against your Content if we conclude you have violated this Policy or are negatively impacting the Oculus Platform, and/ or suspend your Content, while we investigate suspected violations of this Policy. You must keep your contact information up to date and respond to our requests and requests from users to delete User Data.

We may take enforcement action against you and your Content, if we believe, in our sole discretion, that:

  • You have not timely responded to our requests related to certifications, monitoring or auditing;
  • You or your Content has violated or may have violated this Policy or any other applicable terms or policies or is negatively impacting the Oculus Platform, other Facebook Products, User Data, or people who use Facebook Products; It is needed to comply with applicable laws or regulations or otherwise required or requested by a court order or governmental authority; or
  • It is needed to protect the Facebook Companies from legal or regulatory liability. Enforcement can be both automated and manual. It can include suspending or removing your Content from any distribution channels, including the Oculus Store, suspending or removing Data Sharing with you or your Content, removing your access and your Content’s access to the Oculus Platform, requiring that you stop processing and delete User Data, terminating our agreements with you, or any other action that we consider to be appropriate, including terminating other agreements with you or your ability to use Facebook Products. We may suspend or end your Content’s access to any APIs, permissions, or features that your Content has not used or accessed within a 90-day period with or without notice to you.


In accordance with our Terms of Service, you will not transfer any of your rights or obligations under this Policy to anyone else without our prior consent. Transfer can include assignment, acquisition, merger, change of control, or other forms of transfer. Any unpermitted transfer will be considered null and void. For any permitted transfer of Content, you will obligate the transferee to comply with this Policy and other applicable terms and policies, and re-submit such App and Content through our App Review process for our review and approval. After any such permitted transfer by you of Content, you can only access, use, share, and retain User Data to the extent permitted by, and in compliance with, this Policy and applicable laws and regulations.

You also must comply with all applicable laws and regulations (including without limitation the European General Data Protection Regulation, ePrivacy Directive and any related EEA countries’ requirements, California Consumer Privacy Act, the Children’s Online Privacy Protection Act, and the Video Privacy Protection Act). If there is any conflict between this Policy and any other applicable online terms, the terms that are more restrictive on you and your Content or more protective of us apply.

We reserve the right to amend this Policy at any time. Your continued use of or access to Oculus Platform or User Data after any such amendment will constitute your binding agreement to this Policy as amended.

We may change, suspend, or discontinue the availability of the Oculus Platform at any time. In addition, we may impose limits on certain features and services or restrict your access to parts or all of the Oculus Platform or our other APIs or websites without notice or liability.

When this Policy has ended, all rights granted to you under this Policy will immediately stop and you will immediately stop using the User Data. The following Sections will remain in effect after this Policy has ended: Section 4 (Prohibited Uses of User Data), Section 5 (Sharing User Data), Section 6 (Security), Section 8 (Enforcement) and Section 9 (General).