Privacy Policy

Last updated: January 14, 2026

Axon Park Malta Ltd, a company registered in Malta ("Company", "we", "our"), provides the Axon Park application (the "App") and related services across virtual reality, desktop, web, and mobile devices (together, the "Services"). Axon Park Malta Ltd is the data controller responsible for the processing of personal data under applicable data protection laws, including Regulation (EU) 2016/679 (General Data Protection Regulation or "GDPR").

Certain technical or operational services may be provided by affiliated group companies acting solely as data processors on behalf of the Company.

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use the Services. This Policy does not apply to information collected offline or to personal data processed by third parties acting independently of us.

1. Personal Data We Collect

We collect different categories of personal data depending on how you interact with the Services. "Personal data" means any information relating to an identified or identifiable natural person.

Categories of personal data

Identifiers

  • Name (if provided)
  • Username or display name
  • Email address (if provided)
  • IP address
  • Account identifiers

Account and usage information

  • Account preferences and settings
  • Game or application usage history
  • Interaction data within the Services (such as in-app actions and progression signals)

Voice and audio data (optional features)

  • If you choose to enable voice features, audio input may be processed to support real-time communication or speech-to-text functionality
  • Voice data is processed only for the relevant feature and is not used for biometric identification

Communications and user-generated content

  • Content you create or share within the Services
  • Messages or information you submit through chats, feedback forms, or support requests

Technical and device information

  • Device type
  • Operating system
  • Log files
  • Crash reports and diagnostic data

We may also process aggregated or anonymized information that does not identify you. This information is not considered personal data under GDPR.

2. Children and Age Restrictions

Axon Park is designed for young learners, and we take additional measures to protect children's privacy.

The Services may be subject to age restrictions in certain jurisdictions. In accordance with GDPR and Maltese law, where processing is based on consent and the user is under the age of 13, consent must be provided or authorized by a parent or legal guardian.

For users under the age of 13, we require verifiable parental consent before collecting personal data. This may include:

  • Email verification sent to a parent or guardian's email address
  • Confirmation through an organizational administrator (for school or institutional accounts)
  • Other verification methods appropriate to the context

If we discover that personal data has been collected from a child under 13 without verified parental consent, we will promptly delete that data and may suspend the account until proper consent is obtained.

Privacy-protective defaults

We aim to apply privacy-protective settings by default for younger users. Certain features may be limited based on age and applicable law. These defaults include:

  • Restricted communication features
  • Limited data collection
  • Enhanced privacy settings enabled by default

No targeted advertising to children

We do not use personal data of users under the age of 13 for targeted advertising.

Parents and guardians are encouraged to supervise children's use of the Services and to contact us if they have questions or wish to exercise rights on a child's behalf. Parents may request access to, correction of, or deletion of their child's personal data at any time by contacting privacy@axonpark.com.

We do not knowingly collect personal data from children below the applicable age threshold without appropriate authorization.

3. Sources of Personal Data

We collect personal data from the following sources:

Directly from you

  • When you create an account
  • When you use features of the Services
  • When you communicate with us
  • When you voluntarily provide information through forms, surveys, or support requests

Automatically through use of the Services

  • Technical data collected through cookies or similar technologies (where applicable)
  • Usage and interaction data

From third parties

  • Platform providers (such as app stores or device platforms)
  • Cloud hosting and infrastructure providers such as AWS and Google Firebase as Data Processors
  • Payment providers (if purchases are enabled)
  • Analytics service providers

We process personal data received from third parties in accordance with this Privacy Policy.

4. Cookies and Similar Technologies

We use cookies and similar technologies, where applicable, to operate and improve the Services.

Cookies are small data files placed on your device that help us understand how users interact with the Services and improve functionality.

Types of cookies we use

Essential cookies (no consent required)

  • Cookies strictly necessary for the operation of the Services
  • Authentication and security cookies
  • User preference cookies required for functionality

Analytics cookies (consent required)

  • Cookies used to understand usage patterns and improve the Services
  • Performance measurement cookies

In accordance with the ePrivacy Directive and GDPR, we obtain your consent before placing non-essential cookies (such as analytics cookies) on your device. When you first access our web Services, you will be presented with a cookie consent mechanism that allows you to:

  • Accept all cookies
  • Reject non-essential cookies
  • Customize your cookie preferences

Essential cookies that are strictly necessary for the operation of the Services do not require consent and cannot be disabled.

Some cookies are provided by third-party analytics providers, which may process personal data in accordance with their own privacy policies.

You can change your cookie preferences at any time through our cookie settings or your browser settings. Disabling certain cookies may affect the functionality of the Services.

We process personal data only where permitted by law and for the following purposes:

Provision of the Services

  • To create and manage user accounts
  • To enable gameplay, learning experiences, and interactive features

Service improvement and analytics

  • To understand usage patterns
  • To improve performance, design, and educational effectiveness

Speech-to-text and voice features

  • To support optional voice-based interactions when enabled by the user

Educational support and feedback

  • To provide learning feedback and interactive educational experiences
  • AI-assisted tools may be used to support these functions in an assistive manner, without determining final academic outcomes

Marketing and promotional purposes

  • To promote our Services, features, events, and updates
  • To communicate marketing or promotional messages to users where permitted by law
  • To measure, analyze, and improve the effectiveness of our marketing activities

Communications and support

  • To respond to inquiries
  • To provide customer support
  • To send service-related messages about the Services
  • To comply with legal obligations
  • To protect users, the Company, and others
  • To enforce our terms and policies

Lawful bases under GDPR

Depending on the context, processing is based on:

  • Performance of a contract
  • User consent, where required
  • Legitimate interests that are not overridden by user rights
  • Compliance with legal obligations

6. Use of Artificial Intelligence and Automated Processing

The Company uses limited artificial intelligence and automated processing tools to support certain features of the Services.

These include:

  • Speech-to-text functionality, where enabled by the user
  • Analytics and personalization to improve user experience
  • AI-assisted educational feedback
  • Conversational interactions with in-app virtual characters that generate responses based on user input

These systems are designed to assist users and do not produce legal or similarly significant effects on users. AI systems are not used to determine final grades, formal evaluations, or outcomes for learners.

The Company does not engage in automated decision-making within the meaning of Article 22 GDPR.

AI-assisted chat and user inputs

When using AI-assisted chat features or conversational interactions within the Services, users should avoid sharing personal data, sensitive information, or any information they do not wish to be processed by automated systems. User inputs provided to AI-assisted features may be processed to generate responses and to deliver the requested functionality. Such inputs may be transmitted to third-party AI service providers acting as data processors, as described above.

AI training

We do not use user content to train general-purpose AI models unless we clearly inform users and, where required, obtain consent.

EU AI Act compliance and Annex III (Education)

The Company has assessed the use of AI within the Services against Annex III of the EU Artificial Intelligence Act relating to education and vocational training systems. Axon Park does not deploy high-risk AI systems as defined under Annex III, based on the current design and intended use of the Services. In particular, the AI systems used within the Services are not intended to be used for any of the following:

  • Determining access to or admission into educational or vocational training institutions at any level
  • Evaluating learning outcomes where such evaluation is used to make binding or determinative decisions about a learner's educational progression or results
  • Assessing or assigning the appropriate level of education that an individual will receive or be able to access within an educational or vocational training institution
  • Monitoring or detecting prohibited behaviour of students during tests or formal assessments within educational or vocational training institutions

AI systems used in Axon Park are designed to support engagement, exploration, and learning feedback in an assistive manner and do not replace human judgment, formal assessment, or institutional decision-making.

Use of third-party AI service providers

To provide certain AI-assisted features, the Company may use third-party AI service providers acting as data processors on our behalf. Where such services are used, limited categories of personal data (such as text input, audio input for speech-to-text, or contextual interaction data) may be transmitted to those providers solely for the purpose of delivering the relevant functionality.

Some AI service providers may be located outside the European Union or European Economic Area, including in the United States. Where this occurs, we only transfer personal data when one or more of the following GDPR-compliant safeguards are in place:

  • EU-US Data Privacy Framework: The provider is certified under the EU-US Data Privacy Framework (adequacy decision adopted by the European Commission in July 2023), which provides an approved legal basis for transfers to certified US organizations.
  • Standard Contractual Clauses (SCCs): We have entered into the European Commission's approved Standard Contractual Clauses (2021 version) with the provider, which contractually obligate them to protect your data to EU standards.
  • Supplementary measures: Where required by the nature of the transfer, we implement additional technical and organizational measures such as encryption, pseudonymization, or data minimization.

These providers are contractually restricted from using personal data for their own purposes, including for training their models, unless otherwise explicitly disclosed and permitted by law. We conduct transfer impact assessments where required to ensure the adequacy of protections in the destination country.

7. Disclosure of Personal Data

We may disclose personal data in the following circumstances:

  • To service providers acting on our instructions (processors)
  • To affiliated group companies acting as data processors
  • To professional advisors under confidentiality obligations
  • In connection with a corporate transaction such as a merger, acquisition, or sale of assets
  • Where required by law or legal process
  • To protect rights, safety, or property
  • With your consent

We do not sell personal data.

You may request information about our current processors and service providers by contacting privacy@axonpark.com.

8. Data Retention and Security

Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or to comply with legal obligations. The following retention periods apply:

Data CategoryRetention Period
Account data (name, email, profile)Duration of account plus 30 days after deletion request
Learning progress and interaction dataDuration of account plus 1 year (for continuity if account is reactivated)
Payment and transaction records7 years (legal/tax requirements)
Support communications3 years from resolution
Marketing consent recordsDuration of consent plus 3 years
Log files and technical data90 days
Voice/audio data (if enabled)Processed in real-time; not retained beyond the session unless explicitly saved by the user

After the applicable retention period, personal data is securely deleted or anonymized. Anonymized data may be retained indefinitely for statistical and research purposes.

Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or misuse. These measures include:

  • Encryption of data in transit and at rest
  • Access controls and authentication requirements
  • Regular security assessments
  • Employee training on data protection

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours where feasible, and affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Articles 33 and 34.

9. International Data Transfers

The Company is established in Malta and primarily processes personal data within the European Union and European Economic Area.

Transfers within the EU/EEA

Personal data transferred between EU/EEA countries does not require additional safeguards, as all EU/EEA countries are subject to GDPR.

Transfers to countries with adequacy decisions

The European Commission has determined that certain countries outside the EU/EEA provide an adequate level of data protection. Transfers to these countries (such as the UK, Switzerland, Canada, Japan, and others) do not require additional safeguards.

Transfers to the United States

Where we use service providers located in the United States, we ensure GDPR compliance through one or more of the following mechanisms:

  • EU-US Data Privacy Framework: We prioritize working with US providers certified under the EU-US Data Privacy Framework, which was granted an adequacy decision by the European Commission on July 10, 2023. Certified organizations commit to comply with detailed privacy obligations and are subject to enforcement by the US Federal Trade Commission or Department of Transportation.

  • Standard Contractual Clauses (SCCs): Where a provider is not certified under the Data Privacy Framework, we enter into the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor, or Module Three: Processor to Processor, as applicable) adopted on June 4, 2021.

  • Supplementary measures: In accordance with EDPB guidance, we implement supplementary technical measures where necessary, including encryption of data in transit and at rest, and data minimization practices.

Transfers to other third countries

For transfers to countries without an adequacy decision and not covered above, we implement Standard Contractual Clauses and conduct transfer impact assessments to evaluate the level of protection in the destination country.

Your rights regarding international transfers

You have the right to request information about the safeguards we have in place for any international transfer of your personal data. Contact privacy@axonpark.com for more information or to request a copy of the relevant safeguards.

10. Your Rights Under GDPR

Subject to applicable law, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data (Right of Erasure)
  • Restrict processing
  • Object to processing
  • Withdraw consent at any time where processing is based on consent
  • Receive a copy of certain personal data in a structured, commonly used, and machine-readable format (Right to Data Portability)

You also have the right to lodge a complaint with a supervisory authority in the EU or EEA, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

Requests may be subject to identity verification and legal limitations.

To exercise your rights, please contact privacy@axonpark.com with the subject line "Data Subject Rights".

Data portability

Where applicable, users may request to receive personal data they have provided to us, or that has been generated through their use of the Services, in a structured, commonly used, and machine-readable format.

Such requests may be fulfilled by providing a downloadable file through the Services or by responding via our Data Protection Officer or designated privacy contact, depending on technical feasibility.

We will respond to data portability requests within one month of receipt, subject to identity verification and applicable legal limitations. This period may be extended by up to two additional months where necessary, in accordance with applicable law.

Data made available under this right generally covers information associated with the user account during the period the account was active and does not include anonymized or aggregated analytics data.

Data retention and deletion

We retain personal data in accordance with the retention periods specified in Section 8 of this Policy. For detailed retention timeframes, please refer to the retention table in that section.

Account deletion

When you delete your account or request deletion:

  • Core account data (name, email, profile) is deleted within 30 days
  • Learning progress data is retained for 1 year in case of account reactivation, then deleted
  • Payment records are retained for 7 years as required by tax law
  • All other personal data is deleted or anonymized according to the retention schedule

Anonymization

Where data is anonymized rather than deleted, it is processed so that it can no longer be used to identify you, either directly or in combination with other data. Anonymized data is not considered personal data under GDPR and may be retained indefinitely for statistical, research, and service improvement purposes.

11. Data Protection Officer

The Company has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with data protection laws and handling matters relating to personal data.

Data Protection Officer
Axon Park Malta Ltd
No. 2, Geraldu Farrugia Street
Zebbug ZBG 4351, Malta

Email: privacy@axonpark.com

You may contact our DPO directly for any questions or concerns regarding:

  • How your personal data is processed
  • Exercising your data subject rights
  • Data protection compliance
  • Privacy-related complaints

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected by updating the date at the top of this Policy. Where required by law, we will provide additional notice and, if applicable, seek consent.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

Axon Park Malta Ltd

No. 2, Geraldu Farrugia Street
Zebbug ZBG 4351, Malta

Email: support@axonpark.com

Company Registration No: C102774
VAT Number: MT29415035

For privacy-specific questions or rights requests, please use: privacy@axonpark.com