Privacy is an issue that has been central to our cultural discussion for a few years now. As we shift into a constantly connected state there are more and more people who are monitoring our every activity online, feeding that data back to eager marketers who use it to better target you with ads. Facebook generates over $5.6 billion a year in ad revenue by doing just that, so it should come as little surprise that Facebook would be exploring ways to take that practice into the next generation of social media – virtual reality.

It turns out that when you install the software to run Facebook’s Oculus Rift it creates a process with full system permissions called “OVRServer_x64.exe.” This process is always on, and regularly sends updates back to Facebook’s servers.

The process’ main purpose is to help detect when the Rift is turned on and on your face so that it can launch Oculus Home, but the further reaching implications of it are potentially much more salacious.

Digging into the Oculus Rift’s Privacy Policy that users agree to when checking “Agree” on the Terms and Conditions there are a couple of interesting bits that may prove to be concerning (if not completely expected).

A section of the privacy policy outlines “information automatically collected about you when you use our services” including when, where, and how you interact with content on the platform even going as far as tracking your movements in virtual space.

Full text from the section:

Information Automatically Collected About You When You Use Our Services . We also collect information automatically when you use our Services. Depending on how you access and use our Services, we may collect information such as: Information about your interactions with our Services, like information about the games, content, apps or other experiences you interact with, and information collected in or through cookies, local storage, pixels, and similar technologies (additional information about these technologies is available at https://www.oculus.com/en-us/cookies-pixels-and-other-technologies/);

Information about how you access our Services, including information about the type of device you’re using (such as a headset, PC, or mobile device), your browser or operating system, your Internet Protocol (“IP”) address, and certain device identifiers that may be unique to your device;

Information about the games, content, or other apps installed on your device or provided through our Services, including from third parties;

Location information, which can be derived from information such as your device’s IP address. If you’re using a mobile device, we may collect information about the device’s precise location, which is derived from sources such as the device’s GPS signal and information about nearby WiFi networks and cell towers; and

Information about your physical movements and dimensions when you use a virtual reality headset.

And it isn’t just Facebook who is able to collect your data, under the policy “third parties may also collect information about you through the Services” this includes entities on the “related companies” list.

So how are Oculus and Facebook planning to use this information? A number of the uses that are outlined in the policy seem fairly mundane, such as helping you create an account or to enable user to user communication, and help improve the user experience. But one line in particular stands out:

To market to you . We use the information we collect to send you promotional messages and content and otherwise market to you on and off our Services. We also use this information to measure how users respond to our marketing efforts.

Virtual reality offers an unparalleled level of access to data for advertisers. Before metrics were measured in how long someone watched a video or how many times a link was clicked, but with VR you can get far more granular. An ad executive at Coke, for instance, could tell just how long you stared at the Coke bottle cleverly placed inside your favorite game as an in-game ad and use that data to better place it in the game for you next time.

Read More: How Virtual Reality is Going to Influence the 2016 Presidential Election

Back in 2013, Microsoft weathered a storm around a similar policy with the Xbox One. The “always-on” controversy was the result of Microsoft requiring the Xbox One to always be connected to the internet to allow for a number of services to work. The policy was poorly communicated to customers by Microsoft Studios head Phil Spencer’s own admission, and ultimately hurt the device’s sales. The main concern from the public was the the system would be constantly monitoring consumer’s behaviors in their homes, breaching their privacy.

When Oculus was first acquired by Facebook, there was an outcry from a number of enthusiasts who were worried that it would lead to a virtual reality nanny state. This recent development seems to add some credibility to those concerns.

We have reached out to Oculus, but the company has declined to offer an official comment at this time.

Update (4/5/15): Oculus has issued the following official statement:

Users and content developers own all the content and IP they create using Oculus services. We are not taking ownership. Our terms of service give Oculus a license to user created content so we can enable a full suite of current and future products and services on our platform, like sharing a piece of VR content with a friend. People continue to own the rights to the content and can do whatever they like with it outside of our platform. This is very clear in our terms: “Unless otherwise agreed to, we do not claim any ownership rights in or to your user content.”