General Privacy Policy

WEBSITE VISITORS & OTHER BUSINESS PARTNERS

Updated December 2025

This privacy policy sets out how ExR Solutions Limited ("ExR", also "we", "us", and "our") uses and protects personal data belonging to individuals who interact with us in a general, non‑Contributor capacity - for example, as visitors to our website, viewers of our content, as well as our other business partners, distributors, licensors, co‑producers, clients, or service providers.

If you are engaged with ExR as a contractor, crew member, healthcare professional or other individual featured on‑screen in our content (collectively, a "Contributor"), or are a prospective Contributor, please refer to our Contributor Privacy Policy for details on how we process personal data in those circumstances.

1. IMPORTANT INFORMATION AND WHO WE ARE (section 1)
2. TYPES OF PERSONAL DATA WE COLLECT ABOUT YOU (section 2)
3. HOW IS YOUR PERSONAL DATA COLLECTED? (section 3)
4. HOW WE USE YOUR PERSONAL DATA (section 4)
5. MARKETING (section 5)
6. DISCLOSURES OF YOUR PERSONAL DATA (section 6)
7. INTERNATIONAL TRANSFERS (section 7)
8. DATA SECURITY (section 8)
9. DATA RETENTION (section 9)
10. YOUR LEGAL RIGHTS (section 10)
11. CONTACT DETAILS (section 11)
12. COMPLAINTS (section 12)
13. CHANGES TO THIS PRIVACY POLICY AND / OR YOUR DATA (section 13)
14. THIRD PARTY LINKS (section 14)
15. COOKIES (section 14)

1. IMPORTANT INFORMATION AND WHO WE ARE

Important Information.

This privacy policy gives you information about how ExR collects and uses your personal data. This includes through your use of our website https://exr.education/ ("Website"), as well as your other interactions with us, such as email correspondence. If you are a contributor or prospective contributor to one of our programmes (referred to as a "Contributor", whether as talent, cast, or crew), we will collect and use additional personal data: for more information, please see our Contributor Privacy Policy.

It is important that you read this privacy policy together with any other privacy/data protection notice or clauses or fair processing notice (other privacy notices) we may provide on specific occasions so that you are aware of how and why we are using your personal data. This privacy notice supplements other notices and privacy policies and is not intended to override them, except where otherwise stated in those other privacy policies.

Our Website is not intended for children and we do not knowingly collect or process personal data belonging to children.

Who We Are.

EXR SOLUTIONS LIMITED, a company incorporated in England and Wales (co. reg. no. 12653591) with registered offices at 1 Pickle Mews, London, SW9 0FJ, United Kingdom ("ExR"), is an educational media company producing medical training videos and immersive VR content.

For the purposes of data protection law, ExR is the ‘controller’ and responsible for your personal data. If you have any questions about this privacy policy, including any requests to exercise your legal rights (section 10), please contact us using the information set out in the contact details section (section 11).

2. THE TYPES OF PERSONAL DATA WE COLLECT ABOUT YOU

Under the UK General Data Protection Regulation (UK GDPR), “personal data” means any information about a living individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:

• Identity Data such as first name and surname.
• Professional Data such as your job, employer or role in a work‑related context.
• Contact Data such as billing address, delivery address, email address and, in some situations, telephone numbers.
• Financial Data such as bank account and payment card details, but only if we arrange payments to/from you, such as bank details for vendor payments.
• Transaction Data such as information regarding payments to/from ExR, contract details, services provided or received, production collaborations, contract negotiations and commercial agreements.
• Technical Data related to your use of our Website or IT systems such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug‑in types and versions, operating system and platform.
• Usage Data such as information about how you interact with and use our Website and IT systems.
• Marketing Data such as your preferences in receiving marketing from us and our third parties and your communication preferences.
• Project Data such as consultation and other meeting notes, storyboards, correspondence and planning documents that include personal details, if you collaborate with us on our audiovisual content or educational projects.
• Legal & Compliance Data such as information containing personal data and related to regulatory compliance, contract disputes, tax and audit records, and rights management, contractual obligations, and compliance with applicable health, safety and/or safeguarding requirements.

Special Category Data: ExR will only process sensitive (“special category”) personal data, such as health information, where it is strictly necessary and permitted by law. For example, you may inform us of accessibility requirements to facilitate a safe and efficient visit to filming sites or certain locations. In such cases, we will only process such data where we have obtained your explicit consent or where processing is otherwise permitted under UK GDPR, and always in compliance with applicable data protection laws. If you are a Contributor or prospective Contributor (for example you are working on our content or are featured in one of our videos), the special category data we may require is as set out in our Contributor Privacy Policy.

Aggregated and Statistical Data: In the interests of transparency, please also note that we sometimes collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals’ Usage Data to calculate the percentage of users accessing a specific page to analyse general trends in how users are interacting with our Website to help improve our service offering.

If you fail to provide personal data: Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may have to cancel or modify our arrangement with you. We will notify you if this is the case at the time.

3. HOW IS YOUR PERSONAL DATA COLLECTED?

We use different methods to collect data from and about you including through:

• Your interactions with us. You may give us your personal data by corresponding with us by phone, email or otherwise interacting with our business. This includes personal data you provide when you: email or phone our offices; submit our ‘Contact Us’ form on our Website; enter into a contract with us; create an account with us to view our content collections; request marketing materials to be sent to you; or engage with our social media accounts for example Instagram and LinkedIn.
• Automated technologies or interactions. As you interact with our Website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. You can view our Cookie Policy here.
• Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources where the context requires, as set out below:
  • Technical Data is collected from analytics providers and search information providers (such as Google).
  • Contact, Financial and Transaction Data is collected from providers of technical, payment and delivery services.
  • Identity and Contact Data is collected from publicly available sources (such as Companies House), professional networking sites (such as LinkedIn).
• Audiovisual content platforms. ExR may use third‑party platforms to share content in the future. If a user accesses such content via an external platform (e.g., if ExR hosts training videos on a third‑party app or website), some personal data (like viewing data or account info) might be collected by that third party and shared with us.

4. HOW WE USE YOUR PERSONAL DATA

Legal basis: The law requires us to have a proper reason (a “legal basis”) for collecting and using your personal data. We rely on one or more of the following legal bases:

• Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you.
• Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and improve our relationships with our partners and clients. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by law).
• Legal obligation: We may use your personal data where it is necessary for compliance with our legal obligations. We will identify the relevant legal obligation when we rely on this legal basis.
• Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

Purposes for which we will use your personal data: We have set out below a description of all the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so.

Change of Purpose. We will only use your personal data for the purposes for which we collected it, unless we need to use it for another reason that is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

5. MARKETING

Direct marketing: You will receive marketing communications from us only if you have requested information from us and you have not opted out of receiving the marketing. We may also analyse your Identity, Contact, Technical, Usage and Transaction Data to form a view which content, services and offers may be of interest to you so that we can then send you relevant marketing communications.

Third‑party marketing: We will obtain your express consent before we share your personal data with any third party for their own direct marketing purposes.

Opting out of marketing: You can ask to stop sending you marketing communications at any time by following the opt‑out links within any marketing communication sent to you or by contacting us using the contact details provided below (section 11). If you opt out of marketing communications, you will still receive communications that are essential for doing business with you, for example, messages relating to a production we are working on together.

6. DISCLOSURES OF YOUR PERSONAL DATA

Where necessary, we may share your personal data with the parties set out below, strictly for the purposes set out in the Purposes for which we will use your personal data table above (section 4). We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third‑party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes, in accordance with our instructions.

• Contributors: we may need to share personal data with our staff, crew, and contractors engaged by us to work on a project, as well as individuals captured on camera and/or featured on‑screen in our content.
• Business Partners and Collaborators: ExR works with a variety of business partners and collaborators to create cutting‑edge content, including medical device manufacturers, medical charities, NHS trusts, academic and medical institution partners, professional healthcare associations, subject‑matter experts, and other Contributors. This is for processing information essential to our content and projects including for managing pre‑production, post‑production, production shooting, equipment and other logistics.
• Email and Cloud Storage: For sending and storing information essential to our business. For example, ExR uses secure email and cloud storage services (currently ProtonMail/ProtonDrive based in Switzerland) to send and store information.
• Payment Service Providers: For processing payments and ensuring secure financial transactions.
• IT and System Administration Providers: For hosting our Website, maintaining network security, and troubleshooting system issues. For example, our website and content are hosted on Amazon Web Services (AWS) servers in the UK.
• Marketing Communications Providers: We may use tools (such as Mailchimp or similar) to send you information we believe is of interest, or to invite you to events, but only if you have opted in. We may also work with marketing agencies to help promote our services, but we will only share your personal data with such partners with appropriate consent or as permitted by law.
• Social Media Platforms and Users: We may post content on social media platforms (e.g., LinkedIn) but if those posts include personal data (such as featuring a Contributor or partner by name or image), we will obtain consent beforehand.
• Regulatory or Legal Compliance Parties: Where required to comply with applicable laws, law enforcement, or government authorities such as HMRC.
• Third‑Party Advisers: In some cases we may share limited personal data in the context of a project or video content when obtaining services or advice from our professional advisers and representatives, including accountants and solicitors.
• Business Transaction Parties: If we sell or transfer part of our business, the acquiring party may use your personal data in line with this policy.

7. INTERNATIONAL TRANSFERS

The majority of our business partners, collaborators, users, and Contributors are based in the United Kingdom. However, from time to time we may transfer your personal data internationally to entities based in other jurisdictions that carry out certain functions on our behalf. In particular, our email and cloud storage provider is in Switzerland, and we may in future use platforms based in the United States or elsewhere to host video content.

In some instances, the destination country or countries may have laws that do not provide the same level of data protection as required in the UK or elsewhere in Europe. Accordingly, whenever we transfer your data internationally:

• We will only transfer your personal data to countries that have been deemed by the UK to provide an adequate level of protection for personal data, such as countries within the EEA (the member states of the European Union together with Iceland, Liechtenstein, and Norway); and/or
• We will use specific terms which give the transferred personal data the same protection as it has in the UK, namely the UK adequacy decision for Switzerland, the International Data Transfer Agreement or the International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers (as appropriate), and/or the UK Extension to the EU‑U.S. Data Privacy Framework to transfer personal data to the United States.

8. DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. For example, ExR uses encryption, password protections, and multi‑factor authentication on its systems to prevent unauthorised access to personal data. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties (such as our Business Partners and Collaborators, described in section 6) who have a proper justification to use your personal data. We also have procedures to deal with any suspected personal data breach and will follow all legal requirements with regard to notifying you and any applicable regulator of a breach.

9. DATA RETENTION

The GDPR’s data minimisation principle states that personal data should only be collected and stored when it is necessary to accomplish a specific purpose. It also states that data should only be kept for as long as it is needed.

To determine the length of time ExR will keep (retain) your personal data, we consider:

• the amount, nature and sensitivity of the personal data;
• the potential risk of harm from unauthorised use or disclosure of that personal data;
• the purposes for which the personal data were collected;
• whether we can achieve those purposes without your personal data;
• the applicable legal, regulatory, tax, accounting or other requirements;
• the long‑term nature of the content, including our need to distribute or licence it in the future.

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including any tax or regulatory requirements. We may retain your personal data for a longer period in the event of a complaint or dispute (including legal litigation) between you and ExR.

By law we must keep basic information about our commercial transactions and payments (including Contact, Identity, Financial and Transaction Data) for six (6) years for tax and accounting purposes. However, in some situations you can ask us to delete your data: please see section 10 below for further information.

10. YOUR LEGAL RIGHTS

You have certain rights under data protection laws in relation to your personal data:

• Right of access: Request access to your personal data (commonly known as a “subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Right to rectification: Request correction of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide.
• Right to erasure: Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Please note, however, that we may not always be able to fulfil your erasure request. You will be notified and the reasons explained to you, if this applies to you.
• Right to object: Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
• Right to object to direct marketing: Object at any time and for any reason to the processing of your personal data for direct marketing purposes.
• Right to data portability: Request the transfer of your personal data to you or to a third party. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Right to withdraw consent: Withdraw consent at any time, where we are relying on consent as the lawful basis to process your personal data. This will not affect the lawfulness of any processing carried out before you withdrew your consent. If you withdraw your consent, you may not be able to participate in our production or project and our arrangement and/or contracts with you may need to be changed. We will advise you if this is the case at the time you withdraw your consent.
• Right to restriction of processing: Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

If you wish to exercise any of these rights, please contact us using the contact details provided in section 11.

No fee is usually required: you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond: We try to respond to all legitimate requests within 30 days. Occasionally it could take us longer than a month if your request is particularly complex or you have made multiple requests. In any event, we will notify you.

11. CONTACT DETAILS

If you have any questions about this privacy policy or wish to exercise your rights, please contact us in the following ways:

• Email address: info@exr.education
• Postal address: 1 Pickle Mews, London, SW9 0FJ, United Kingdom

12. COMPLAINTS

You have the right to make a complaint at any time regarding our use of your personal data, including where you believe we are unlawfully processing your data. For UK residents, data protection complaints are handled by the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). For EEA residents, you may complain to your local data protection authority (https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm).

We would, however, appreciate the chance to address your concerns before you approach the ICO or other regulator, so please contact us in the first instance.

13. CHANGES TO THIS POLICY AND / OR YOUR PERSONAL DATA

We keep our privacy policy under regular review, and the date of last update appears at the beginning of it. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

14. THIRD‑PARTY LINKS

Our Website may include links to third‑party websites, plug‑ins, or applications. By clicking on those links or enabling those connections, third parties may be able to collect or share data about you. Please note that ExR does not endorse, monitor, or assume responsibility for the content, privacy practices, or data processing activities of these third‑party websites. When you leave our Website, we encourage you to read the privacy policy of every other website you visit.

15. COOKIES

A cookie is a small file that is sent to your browser from a web server and is stored on your computer. Cookies help us to analyse web traffic and identify which pages of our Website are being used. Our Website also uses cookies to respond to you as an individual so that it can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences as well as enabling you to login. We only use this information for statistical analysis purposes and then it is removed from our systems.

A cookie in no way gives us access to your computer or any information about you, other than information about how you use the Website and the personal data you choose to share with us (including personal data you automatically share with us by way of your browser settings).

In particular, we use the following cookies:

• Essential cookies. These cookies are used to identify unique visitors to the Website. If you log in to the Website, these are the cookies that allow us to remember who you are and what your preferences are so that we can provide you with access to pages personal to you, for example your account pages. These cookies can help to keep your visit to the Website secure.
• Non-essential cookies. These cookies allow us to identify your device as you use the Website, so that you are not treated as a new visitor each time you go to another part of the Website.

You can choose to accept or decline cookies. Most web browsers automatically accept certain cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of our Website. We may also use banners and pop-ups from time to time to give you options around cookie use.

You can find more information about the specific cookies we use and the purposes for which we use them in the table below. You can also find more information about cookies generally here: www.allaboutcookies.org.