Security is foundational to Immersia. Tour operators, museums, and event companies trust us with their content, their account data, and their guests' experience. Here is how we protect that trust — from infrastructure to access controls to compliance.
Infrastructure
Immersia runs entirely on Google Cloud Platform, using Firebase services — Firestore (database), Cloud Storage (media files), Firebase Auth (authentication), and Cloud Functions (backend logic). Data is stored in US regions (us-central1 and nam5). Google Cloud's physical security includes biometric access controls, 24/7 guard staff, and redundant power and networking. Google's infrastructure holds SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and FedRAMP certifications.
Encryption
All data in transit is encrypted with TLS 1.3 — the most recent and secure version of the Transport Layer Security protocol. This covers every connection: host to server, guest to server, server to database, and server to storage. Data at rest in Firestore and Cloud Storage is encrypted with AES-256 using Google-managed encryption keys. Voice streaming data is encrypted end-to-end in transit; it is never stored or recorded unless the host explicitly enables session recording (a per-session opt-in).
Payments
All payments are processed by Stripe, which is certified to PCI DSS Level 1 — the highest level of security in the payment card industry. Immersia never sees, stores, transmits, or logs your full credit card number. Payment details are tokenized by Stripe before they ever touch our servers. Subscription management, invoicing, and refund processing all happen through Stripe's infrastructure.
Authentication and access controls
Host accounts are authenticated through Firebase Auth with email/password or Google Sign-In. Firebase Auth enforces rate limiting on login attempts and uses industry-standard OAuth 2.0 and OpenID Connect protocols. Hosts can enable two-factor authentication from their account settings. Access to tour content is scoped: a host can only see and manage their own tours, media, and guest data. Organisational accounts (Enterprise plan) support role-based access — owner, admin, and editor roles with granular permissions.
Guest privacy
Guests join tours anonymously — no account, no login, no personal information required. They join through a QR code that opens a browser session. If a host enables guest contact collection, guests may optionally provide an email address, which is shared only with that specific host for follow-up communication. We do not collect device identifiers, location data, or browsing history from guests. Guest sessions are anonymous by design.
Content protection
Your tour content — images, videos, audio, and slide sequences — belongs to you. It is stored in private Cloud Storage buckets accessible only to your authenticated account. Content is never publicly accessible and never indexed by search engines. We do not share, reuse, resell, or republish any host's content. The QR code for each tour is single-use per session; expired or inactive session links return an error rather than exposing content.
Data deletion
When you close your account, we delete your uploaded media, tour configurations, and host record. Session history and invoices are retained for the period required by applicable tax and accounting regulations. Guest session data (anonymous join events) is automatically purged after 90 days. You can request immediate deletion of your data at any time by emailing contact@getimmersia.com.
GDPR compliance
Immersia complies with the EU General Data Protection Regulation (GDPR). We process personal data (host email, account identifier, optional guest email) on the legal basis of contract performance and legitimate interest. Data subjects have the right to access, rectify, delete, and port their data. We maintain a Data Processing Agreement (DPA) available to Enterprise customers. For GDPR-related requests, contact contact@getimmersia.com.
Third-party subprocessors
We rely on a small number of vetted infrastructure providers, each with their own security certifications: Google Cloud / Firebase (hosting, database, authentication, storage, functions — SOC 1/2/3, ISO 27001), Stripe (payment processing — PCI DSS Level 1), Google Analytics (anonymous usage events — SOC 2), and Resend (transactional emails — SOC 2). A full list of subprocessors is available on request and is updated in our Data Processing Agreement.
Incident response
We maintain an incident response plan covering detection, containment, investigation, and notification. In the event of a data breach affecting personal data, we will notify affected users within 72 hours of confirmation, in accordance with GDPR requirements. Service disruptions are communicated through our status page and, for paid plan subscribers, via email.
Report a security concern
If you discover a security vulnerability or have a concern about data handling, please email contact@getimmersia.com. We take every report seriously and aim to acknowledge within 24 hours and resolve confirmed issues within 7 days.