Key Takeaways

  • VR users can be identified with over 94% accuracy using just 100 seconds of head and hand motion data — almost as accurately as a fingerprint.
  • The majority (60%) of the companies behind VR headsets take your biometric data, including Apple and Microsoft.
  • Similarly, 66% of these companies monitor your audio and voice interactions.
  • Qualcomm collects the most data out of all the analyzed VR companies, scoring 16 points in our study. Pico Interactive and Varjo follow close behind with 15 points each.
  • Many VR apps have privacy policies that are vague, incomplete, or outright misleading. 70% of Oculus apps studied had undisclosed or inconsistent data flows.

Introduction

Virtual reality (VR) devices have rapidly evolved from niche gaming gadgets into mainstream tools reshaping industries in 2025. With millions of users worldwide, they are powerful data goldmines, capturing detailed information about how users move, react, and interact in virtual environments.

While VR headsets can certainly create immersive experiences and improved services, the nature of the data these devices collect raises big privacy concerns. How much do the companies behind VR really know about you? What does that mean for your privacy?

To provide an answer to these questions, we at vpnMentor looked into the type of information gathered by major VR companies and where it ultimately ends up. You can see our findings below.

Every Move You Make

Virtual reality headsets collect a wide range of personal data, often far beyond what most users realize. To deliver immersive and responsive experiences, these devices continuously gather:

  • Head and Hand Movements: VR systems track the precise position and motion of your head and hands. A 2023 study titled Unique Identification of 50,000+ Virtual Reality Users from Head & Hand Motion Data found that these movements are so unique to each individual that they can identify you as accurately as a fingerprint or face scan — users could be identified among over 55,000 participants with over 94% accuracy using just 100 seconds of head and hand motion data.
  • Eye Tracking: Most VR headsets today include eye-tracking technology, recording exactly where you look and for how long. This data can reveal sensitive details about your emotional responses and interests and is often used by VR companies for targeted marketing.
  • Facial Dynamics and Voice Data: Built-in microphones and motion sensors in VR headsets can detect subtle facial movements as you speak. A Rutgers University study titled “Face-Mic” showed that this data can be used to derive sensitive information about users, such as passwords, credit card numbers, PIN numbers, and transactions.
  • Environmental Scanning: This includes information about your physical surroundings, such as temperature, lighting, and sound, as well as spatial mapping.
  • Biometric and Behaviour Data: VR headsets can track and record your facial expressions, heart rate, and muscle tension. These devices also monitor how users interact with each other and analyze unique behavioral patterns such as walking style, gesture habits, and reaction times.

All this data is often shared not only with the device manufacturer but also with third parties, such as advertisers. This raises significant privacy concerns about how your most personal behaviors and environments are being tracked and potentially monetized.

What the Companies Say

Many VR companies today provide only vague details about the data they collect, often burying this information within lengthy and complex privacy policies that most users overlook. To clarify exactly what data is gathered and how it is used, we examined the data collection practices of leading VR companies including Meta, Apple, and Microsoft.

Below, you can see the companies we considered in our research and the VR products they offer:

  • Meta – Meta Quest Series (Quest 2, Quest 3, Quest Pro)
  • Apple – Apple Vision Pro
  • HTC – Vive Series (Vive XR Elite, Vive Pro, Vive Flow)
  • Sony – PlayStation VR, PS VR2
  • Samsung – Gear VR, Odyssey, Future Galaxy XR devices
  • Google – Daydream, Cardboard, Project Iris
  • Microsoft – HoloLens (Mixed Reality), Windows MR headsets
  • Valve Corporation – Valve Index
  • HP – HP Reverb series
  • Lenovo – Mirage VR Series, ThinkReality VRX
  • Panasonic – Compact VR Glasses (prototype stage)
  • Pico Interactive – Pico Neo, Pico 4, Pico G3
  • Qualcomm – Snapdragon XR platform, XR2 chipset
  • Varjo – Varjo VR/XR Headsets (VR-3, XR-3, Aero)
  • Nvidia – VRWorks (hardware acceleration, GPUs)

For this research, we pored over the privacy policy of each company. While the information these companies gather through their headsets is largely the same (biometric, behavioral, and environmental data), the difference lies in how this data is handled and where it ultimately ends up. You can see our findings below.

Biggest Sharers (Meta, Google, Samsung)

Meta’s Quest VR headsets collect extensive data, from personal profile information to biometric tracking, audio, and video data. The company also records user activity within VR, including app usage, purchases, virtual events attended, fitness data, and content created.

Much of this information, including anonymized data, is sent to Meta’s servers for processing and storage. While Meta claims raw image data is processed locally and deleted, the data derived from these images (something Meta calls abstracted data) might still end up on Meta’s servers.

In its privacy policy, Meta itself admits that it also uses information about your profile, VR activity, and interactions to display targeted ads, offers, and sponsored content.

Infographic showing the type of data collected by Meta, Google and Samsung through their VR devices

Google’s VR headsets also collect extensive personal, behavioral, device, and location data, including account details, content, usage activity, and technical information. While some of this data (like photos, documents, and profile data) can be deleted at will, Google still shares non-personally-identifiable information publicly and with partners, including publishers, advertisers, and developers.

This is still concerning, as even anonymized data from VR headsets can be used to identify individuals with alarming accuracy — the 2023 study we mentioned above involving 50,000 participants also found that nearly half of VR users could be identified using only 2 seconds of motion data.

As for Samsung, its Gear VR headsets rely on compatible Galaxy smartphones to deliver the virtual reality experience. The company collects data from devices, customer service interactions, and third-party sources. Similarly to Google and Meta, this data is processed on Samsung’s servers and may be shared with third parties, such as Samsung affiliates, for analytics and advertising purposes.

Although Samsung claims it implements physical and technical safeguards to protect user information, these measures cannot guarantee complete security. The data gathered by Samsung VR systems may be vulnerable to a range of cybersecurity threats.

This is especially concerning considering Samsung’s servers have been targeted in cyberattacks before. There was a 2025 breach in Germany (where a hacker leaked 270,000 customer records) and a 2022 incident in the U.S. where attackers accessed customer names, contact information, and product registration details.

On-Device Processing (Apple)

Apple processes and stores most data collected by its Vision Pro VR headset directly on the device itself. Sensitive information, such as maps of your surroundings, eye-tracking data, Optic ID biometrics, hand and finger measurements, and your Persona, is processed locally and encrypted.

Some user data (like photos, videos, and documents) can be stored in iCloud if you enable those features, making them accessible across your Apple devices. However, by default, Apple minimizes data sharing and prioritizes on-device processing of the data collected through its VR headsets.

Infographic showing the type of data collected by Apple through its VR device

Linking Personal Data to Game Usage (Valve Corporation, Sony)

When you use a Valve VR headset through Steam, Valve collects a range of personal data, including your email, country, and payment information. This is combined with device and usage data, such as which games you play, how you interact with the platform, and even your IP address.

Valve links all this personal data directly to your game usage. For example, game developers and publishers can access information like your game ownership, achievements, matchmaking details, and in-game items through the Steamworks API — data that is tied to your Steam account.

Although Valve states it does not sell identifiable personal data to third parties, it does share personal data with service providers for content delivery, support, and legal compliance. This implies that identifiable information about users, which may include their VR activity, could remain within Valve’s ecosystem and be accessible to certain third-party service providers and developers.

Infographic showing the type of data collected by Valve and Sony through their VR devices

Similarly, Sony collects extensive personal and usage data whenever you use a PlayStation VR headset. This includes your name, email, PSN Online ID, age, device identifiers, and even how you configure your VR headset.

Your activity — such as which games you play, your achievements, and your interactions with other players — is not anonymous. Sony may share some of this data with third-party service providers to process payments, deliver services, or protect against fraud.

Secure Data Handling (Microsoft, Nvidia)

Nvidia’s VRWorks-enabled devices and apps collect a range of data about your VR usage, such as which features are enabled, how your headset is configured, and how you interact with VR content.

To protect this information, Nvidia enforces strict contractual restrictions on how your data is used, stored, and shared with third parties. Transfers of personal data are safeguarded by Standard Contractual Clauses approved by the European Commission.

Infographic showing the type of data collected by Qualcomm, Pico, and HTC through their VR devices

Similarly, Microsoft’s HoloLens 2 mixed reality device is designed with multiple layers of security to protect your personal data. All device data, including diagnostic logs that may contain personally identifiable information, is protected by BitLocker encryption on the device’s flash memory.

Processing Data Outside your Home Country (Qualcomm, Pico, HTC)

When you use a Qualcomm VR headset, your personal data may not stay within your home country. Qualcomm is a global company, and its privacy practices allow for your data (including biometric information, geolocation, and device activity) to be transferred and accessed from locations around the world where Qualcomm or its service providers operate.

Pico Interactive also operates as a global VR company, and when you use its VR products, your personal data may be transferred, stored, and processed outside your home country, including in Singapore (where Pico is based).

Additionally, Pico shares your data with affiliated companies and third-party service providers who assist with cloud hosting, security, analytics, customer support, and more.

Infographic showing the type of data collected by Qualcomm, Pico, and HTC through their VR devices

HTC is also a part of a global organization with operations and data centers in the US, India, and other locations. This means your information (including names, contact details, device identifiers, geolocation, and even sensitive data) can be stored or processed on servers outside your home country.

While these companies claim to abide by contractual and legal restrictions on international data transfers, the reality is that your data could be subject to different privacy standards and government access rules than those in your home country.

Sharing Data with Vendors (Panasonic, Varjo)

When you use a Panasonic MeganeX VR headset or a Varjo XR-4 headset, a wide range of your personal data and VR activity can be shared with third-party vendors, consultants, and service providers.

While these companies claim they require vendors to follow privacy rules, once your data leaves their direct control, it may be handled according to the vendor’s own policies and security practices.

Infographic showing the type of data collected by Lenovo and HP through their VR devices

Collecting Data from Websites and Devices (Lenovo, HP)

Lenovo doesn’t mention its VR products specifically in its privacy policy. However, it does state that it automatically collects domain names and related data (such as IP addresses and device identifiers) from visitors to its websites via web server logs. Additionally, when users create Lenovo or Motorola IDs or register products, Lenovo collects personal information like names, addresses, email addresses, product details, and system data.

Infographic showing the type of data collected by Lenovo and HP through their VR devices

HP also collects information about user visits and activities on its websites and applications, including data on the content viewed and behavior data such as pages visited and links clicked.

Other than to improve user experience, this information is also used to enable personalized advertising, and it is shared widely with third-party service providers. Lenovo openly admits to transferring this data globally, including to jurisdictions like China and the United States, raising serious questions about data security and user privacy.

Data Sharing Practices of VR Companies: An Overview

After analyzing the types of information collected by each of the companies mentioned above, we identified a total of 16 distinct data categories. To make it easier to compare how each company handles this data, we grouped these categories into broader data types, as outlined below:

  • Personal & Sensitive Data: User Identity & Profile; Children’s Age Data & Parental Consent; Biometric Data; Payment & Transaction Data; Fitness & Health Data; Physical Characteristics & Movement
  • Audio-Visual & User-Generated: Audio & Voice Interactions; Video; User-Generated Content
  • Usage & Behavioral: Device & Usage Activity; Web & Behavioral Tracking; Behavioral Insights
  • Environmental & Location: Environment & Spatial Data; Location & Spatial Data
  • Privacy & Sharing: Privacy & Security Measures; Third-Party Data

Below, you can see an overview of what type of information is collected by each company, as per their privacy policies.

Looking at the data above, it’s interesting to note that there isn’t a single data category that any of the companies has explicitly stated it doesn’t collect; data is either confirmed to be collected or isn’t mentioned at all.

In terms of volume, Qualcomm takes the lead by collecting all identified data categories, scoring 16 points, followed closely by Pico Interactive and Varjo with 15 points each. On the other hand, Sony collects the least amount of data through its VR headset, scoring a total of 8 points.

Considering most users may be especially concerned about personal and sensitive data — such as biometrics and payment information — we took a closer look at this category.

Again, the two companies that collect the largest amount of personal and sensitive data are Qualcomm and Pico Interactive, which collect essentially all 6 data points, or 100% of the information. This is especially concerning, considering both these companies state in their privacy policy that they share user data outside of their home countries.

The Privacy Policy Loophole

Most VR platforms today rely on vague or hidden consent models, often bundling your agreement to data collection into routine actions like starting a game or creating an account. As a result, users rarely understand what “opting in” actually means, especially when it comes to the tracking of body movements, gaze, and even emotional responses.

Research by Yeji Kim published in the California Law Review argues that text-based privacy policies are especially inappropriate for virtual reality environments. VR headsets can collect highly intimate data, like physiological and psychological traits, and users are often unaware of the true scope of what they’re sharing.

Large-scale analyses of VR app privacy policies reveal that many are incomplete, poorly written, or inconsistent with actual data collection and handling practices. For example, a 2022 study examining the privacy practices of 140 Oculus VR apps found that 70% of the apps had data flows that were not disclosed or were inconsistent with their privacy policies, and 38 apps lacked privacy policies altogether.

The California Law Review research suggests that instead of relying on traditional text-based consent, VR should require new, smarter, and more transparent ways to get user permission.

For instance, companies could provide customizable privacy settings that give users control over the degree of personalization and data collection in VR. They could also implement interactive tools, such as interactive videos with questions that would make the implications of data collection clearer and more accessible to users.

The Legal and Regulatory Gaps

Despite growing awareness regarding data privacy, current laws (like the European Union’s GDPR and various regulations in the United States) don’t fully cover the unique challenges of real-time data collected by VR headsets.

In the United States, biometric privacy laws like Illinois’ Biometric Information Privacy Act (BIPA) offer some protections. For instance, it requires companies to inform individuals in writing about the collection of their biometric data and to obtain their written (or electronic) consent before doing so. BIPA also restricts how long data can be stored and prohibits companies from selling biometric information.

Recent updates to the law have clarified that companies can be held responsible for even a single violation, regardless of how many times data is collected. However, many companies and users are unaware of the law’s details, and the enforcement of BIPA remains limited and uneven across the country.

To fix this, as we mentioned in the section above, experts have suggested that policymakers and VR developers create new solutions made just for VR environments. These include showing prompts inside the headset that explain what data is being collected in real time, letting users change their privacy settings anytime, and processing data directly on the device to keep sensitive information from being sent to outside servers.

As a response, some companies have begun updating their privacy policies and interfaces to increase transparency. For instance, Oculus, which is owned by Meta, announced new privacy policies and an online interface allowing users to see what data is collected during VR sessions. However, government and international regulatory bodies have yet to establish VR-specific privacy regulations.

Conclusion

VR headsets are quietly gathering far more personal and physiological data than most users realize — and this trend is only accelerating as headsets become more advanced and widespread.

The question now is whether we will learn from the internet’s past mistakes and create strong privacy protections for virtual worlds, or repeat them and let VR become another platform where data is collected without restrictions.

The future of VR privacy depends on developers, lawmakers, and users working together to ensure transparency and user control before it’s too late.