Privacy Policy

XPS Health ehf, org. no. 441121-1560 (“XPS Health” or “we”) provides digital services in the form of software applications for registering and keeping track of injuries and illnesses of athletes for use by physiotherapists, doctors or other medical personnel (the “Services”) to sports clubs or other organizations (the “Customer”).

Welcome, and thank you for your interest in XPS Health, our website at https://xpshealth.com (the “Site(s)”) and all related websites, downloadable software, and other services provided by us and on which a link to this Privacy Policy (“Policy”) is displayed, and all other communications with individuals through written or oral means, such as email or phone.

By the use of the Services, Customers can register and analyse injuries and illnesses of athletes. The Customer’s members can be trainers, medical staff and athletes (“Registered Users”).

In order to provide Customers the Services, XPS Health must process personal data on Registered Users. Such processing activities are undertaken on behalf of XPS Health’s Customers, where the Customers act as data controllers and XPS Health as a data processor, in the meaning of applicable data protection legislation, including the General Data Protection Regulation (“GDPR”). Processing undertaken by XPS Health in relation to Registered Users is subject to a data processing agreement with the Customers and this Policy does not apply to such processing activities.

This Policy applies to processing activities where XPS Health acts as a data controller, that is, in relation to the company’s processing of personal data on Customer’s representatives, visitors of the Sites and on job applicants (collectively referred to as “you” in this Policy).

1. Personal Data Processed by XPS Health 

For the purposes of this Policy, personal data means any information relating to an identified or identifiable individual, i.e. information that can be traced directly or indirectly to a specific individual. Personal data does not include anonymous data or non-personal data (i.e., information that cannot be associated with or tracked back to a specific individual).

1.1 Representatives of Customers 

XPS Health processes data on representatives of Customers, such as name, e-mail address, phone number, correspondence history etc. 

The company processes the data to explore the possibilities of entering into an agreement with the Customer, to provide a free trial of the Services, to fulfill contractual obligations with the Customer in question, to provide support services (incl. via email or phone) and/or for marketing purposes (incl. newsletters).

The processing is based on the legitimate interests of XPS Health. 

Data on Customers’ representatives is preserved for 5 years from the end of the business relationship with the Customer in question. 

1.2 Website 

If you contact us via a contact form on the Site or via xps.health@xpshealth.com we also process the personal data you provide, including name, e-mail address and the subject of the request. The processing is necessary for XPS Health to reply to such a request. 

1.3 Job applicants 

When individuals apply for a job at XPS Health the company processes the applicant’s personal data. That includes the applicant’s name, title, gender, national ID number, address, postal code, town/city, country, e-mail address, telephone, education and training data, work experience, previous employers, curriculum vitae, as well as other information voluntarily submitted by an applicant. 

The company processes the data to be able to select the best candidate for the position and for communication with the applicants. 

The processing is based on the applicant’s request to enter into a contract with XPS Health. 

The company retains information submitted by job applicants for six months, unless a specific consent is requested for a longer retention period. 

3. Data Security

XPS Health endeavors to maintain physical, technical and procedural safeguards which are designed to protect personal data from loss and unauthorized access, copying, use, modification or disclosure. 

XPS Health has, among other things, implemented strict and continuous security routines concerning the processing of personal data. Appropriate and reasonable standards for technical data protection and so-called built-in data protection are also applied to secure and protect personal data, including the following:

  • All employees are bound by a confidentiality agreement, 
  • All employees have undergone security and personal data training, 
  • All employees, by being placed in appropriate access groups, only have access to systems and personal data necessary for them to carry out their work tasks, 
  • Access to personal data is limited to the persons and purposes required for XPS Health to provide the Services and ensure their operation and security, 
  • Logging and continuous monitoring ensure that no employee misuses rights or permissions, 
  • Only a few key individuals have knowledge of, access to, and the ability to influence how the security system is structured, 
  • Assessment, evaluation, and revision of routines and security are continually performed, 
  • Encryption, firewalls, and other security mechanisms are used to minimize the risk of unauthorized access, and 
  • Storage takes place on highly secure servers with daily data backups to avoid the risk of destruction. These are also protected from unauthorized access through strict access controls. 


In case of a data breach, the company will inform data subjects and the authorities of the occurrence of the breach in accordance with applicable law.

4. Your Rights  

It is important that personal data in our records is both accurate and current. You are entitled to request rectification of inaccurate data on you. Taking into account the purpose of the processing, you also have the right to have incomplete personal data completed. 

You are entitled to request access to the personal data we process on you and information on the processing. You may also be entitled to a copy of the personal data undergoing processing. Where you have provided us with your personal data which we process based on your consent or our contract with you, you may have the right to receive such data in a machine-readable format and to have the data transferred to a third party.

Under certain circumstances you may have the right to request us to erase personal data concerning you with undue delay, such as where the personal data is no longer necessary in relation to the purpose for which they were collected or otherwise processed or if you withdraw your consent and where there is no other legal ground for the processing. You may also have the right to restrict further processing of your data where certain requirements are fulfilled, such as if the processing is unlawful and you prefer the restriction of data processing instead of erasure of the data.  

Please note that your rights relating to your personal data are not all absolute. In the event XPS Health cannot approve your request in relation to your personal data, the company will endeavor to inform you of the reasons why, subject to any legal or regulatory restrictions.

If your request is approved, the necessary action will be taken within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests.

If you want to use any of your rights referred to in this Policy or if you have any questions regarding our processing of your personal data, please contact XPS Health’s Data Protection Officer at dpo@xpshealth.com.

If you are not satisfied with our response, you are entitled to make a written submission to the applicable data protection authority, including the Icelandic Data Protection Authority (www.personuvernd.is).  

5. To Whom We Disclose Information

XPS Health works with third party service providers who provide website, application development, hosting, maintenance, and other services for the company. These third parties may have access to, or process personal data as part of providing those services for the company. XPS Health limits the information provided to these service providers to that which is reasonably necessary for them to perform their functions, and the company’s contracts with them require them to maintain the confidentiality of such information.

XPS Health may also disclose personal data or other information if required to do so by law, in response to a facially valid court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.

The company also reserves the right to disclose personal data or other information that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of the Services and any facilities or equipment used to make the Services available, or (v) protect our property or other legal rights, enforce our contracts, or protect the rights, property, or safety of others.

Information on you may furthermore be disclosed and otherwise transferred to an acquirer, successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets. 

7. Your California Privacy Rights

We will not share any Personal Data with third-parties for their direct marketing purposes to the extent prohibited by California law. If our practices change, we will do so in accordance with applicable laws and will notify you in advance.

8. Revisions to this Policy

XPS Health may from time to time make changes to this Policy to reflect changes in our legal or regulatory obligations or in the manner in which we deal with your personal data. We will communicate any revised version of this Policy.  Any changes to this Privacy Policy will be effective from the time they are communicated. 

9. How to Contact Us

Please contact us with any questions or comments about this Policy, your Personal Data, our use and disclosure practices, or your consent choices by email at xps.health@xpshealth.com. If you have any concerns or complaints about this Policy or your Personal Data, you may contact XPS Health’s Data Protection Officer by email at dpo@xpshealth.com.

For the personal data that the Customer processes about Registered Users, where XPS Health acts as a data processor, we ask you to contact the Customer with your questions and concerns.

Last updated: March 5, 2024