1. Important Information

This Privacy Policy explains how the ExorLive Group (“ExorLive”, “we”, “us”) processes personal data when you use our digital solutions, including the ExorLive platform, the ExorLive GO app, and related services (collectively referred to as the “Services”).

ExorLive is a digital solution within exercise, rehabilitation, and health technology. The solution is used by healthcare professionals, educational institutions, and organisations and provides end users (patients, citizens, clients, or students) with digital access to exercise and rehabilitation content.

Depending on how the Services are used, ExorLive may act either as a data controller or a data processor for personal data.

1.1 Who This Policy Applies To

This Policy applies to:

  • Healthcare professionals and instructors using ExorLive in their work
  • Representatives and employees of customers and partners
  • End users (patients, citizens, clients, students) using ExorLive GO
  • Users who have created a Personal Account with ExorLive

1.2 Information for End Users (Patients, Citizens, and Clients)

If you use ExorLive GO as part of a training or treatment programme through a clinic, municipality, educational institution, or another organisation, that organisation is the data controller for the personal data processed in connection with the service.

In such cases, ExorLive processes personal data on behalf of the organisation in the role of data processor and in accordance with the applicable Data Processing Agreement.

If you also create a Personal Account with ExorLive (EPIC Account), ExorLive is the data controller for personal data related to that account.

The EPIC Account is a personal identity account that makes it possible to:

  • securely identify yourself using a national eID solution (e.g. BankID/MitID)
  • connect your ExorLive GO Accounts across organisations
  • provide you with a consolidated overview of your affiliations with different organisations.

The EPIC Account does not itself provide access to exercise or treatment data but functions as an identity and access mechanism for such services.

Use of the EPIC Account is voluntary.

For questions regarding processing, access, or deletion of exercise or treatment data, you must contact the organisation from which you receive the service. For questions regarding your Personal Account with ExorLive, you may contact ExorLive directly.

2. Data We Process as Data Controller

Categories and examples:

  • Identity and contact data: name, position, organisation, email address, phone number, billing/delivery address.
  • Customer and relationship data: account owner, roles/access rights, licence/contract status, communication with us.
  • Transaction and financial data: purchases, payments, credit notes, invoice details (personal data only where relevant).
  • Technical data: IP address, login/device information, browser/operating system, time zone, app status/error logs.
  • Profile/user data: account settings, preferences, interests, feedback/surveys.
  • Usage data: how the Services are used (features, frequency, interactions).
  • Marketing/communication data: consents, unsubscribe status, newsletter interactions.
  • Recruitment data: CVs, applications, references, recruitment notes.
  • Events/webinars: name, email, phone number, organisation/role, industry, participation.

For the Personal Account (EPIC Account), we additionally process:

  • Identity information: name, email address, phone number, country, language, and national identity number
  • Technical and security data: IP address, device information, and login history
  • Account administration data: internal user IDs
  • Relationship data: links between your accounts across organisations
  • Consent data: history of consents relating to data sharing

This information is used for identity management, secure authentication, and proper linking of accounts.

3. Data We Process as Data Processor

When our customers use the Services for patient treatment, we process patient personal data on their behalf and according to their instructions. This may include identity information, access credentials, exercise programmes, outcome measures, messages/feedback, adherence data, diagnoses/classifications, and any patient-uploaded media.

Processing takes place solely in accordance with our Data Processing Agreement. We may not use the data for our own purposes, and we will notify the customer if an instruction appears to conflict with applicable legislation.

Upon termination of a licence, we delete or return all personal data within 90 days and document the deletion upon request.

4. How We Collect Personal Data

  • Directly from you: registration, account creation, purchases/renewals, enquiries (sales, support), consents, recruitment, participation in webinars/events.
  • Automatically: cookies, logs, and similar technologies on websites/apps for operation, security, and improvement purposes.

5. Purpose and Legal Basis (ExorLive as Data Controller) 

| Purpose | Typical Data | Legal Basis | Retention |
|---|---|---|---|
| Account creation and administration | Identity, contact, customer relationship | Contract (Art. 6(1)(b)) | As long as the account is active |
| Delivery and operation of the Services | Identity, contact, technical data, usage data | Contract (Art. 6(1)(b)) | As long as the account is active |
| Customer service and support | Identity, contact, case details, logs | Contract (Art. 6(1)(b)) | Up to 12 months |
| Improvement, quality, and statistics | Usage data, technical data, feedback | Legitimate interest (Art. 6(1)(f)) | Anonymised or deleted |
| Marketing, events, and webinars | Identity, contact, preferences | Consent (Art. 6(1)(a)) | Until unsubscribe or deletion |
| Identity management and account linking (EPIC) | Identity, national identity number, technical data, relationship data, consent history | Contract (Art. 6(1)(b)) | As long as the account is active |

Change of purpose: We do not use data for new, incompatible purposes without ensuring a lawful basis for processing.

6. Retention and Deletion

We retain personal data only as long as necessary for the relevant processing purposes and longer only where required or permitted by law. When data is no longer needed, it is securely deleted or anonymised.

How to Request Deletion

Send your request to support@exorlive.com. We will request the necessary verification to confirm your identity or authority (where acting on behalf of others). When an account is deleted, access rights are removed, and we delete or anonymise data that is not required to be retained by law or contract. You will receive confirmation once the deletion has been completed.

Deletion of a Personal Account with ExorLive does not automatically result in deletion of personal data processed by organisations you are affiliated with through ExorLive GO. Requests for deletion of such data must be directed to the relevant organisation acting as data controller.

7. Sharing Data Between Organisations (EPIC)

If you use an EPIC Account, you may choose to share data between organisations you are affiliated with (for example when changing healthcare providers or receiving follow-up from a new organisation).

Such sharing only takes place when:

  • you have provided explicit and informed consent,
  • you have actively selected which data is to be shared, and
  • the receiving organisation has been enabled to receive such data within the system.

The sharing only includes the information you have chosen to make available and does not automatically provide access to other data or organisations with which you are affiliated.

You may withdraw your consent to further sharing at any time. This will stop future sharing but will not affect processing of data already received by an organisation.

ExorLive is not the data controller for the receiving organisation’s further processing of data after sharing. This is governed by the receiving organisation’s own responsibilities as data controller.

8. Transfers to Third Countries

The ExorLive Group processes and stores personal data within the EU/EEA. Our core suppliers use data centres located in Ireland.

Certain organisations may have purchased dedicated storage solutions for data processed within their own environment, including geographical storage within the Nordic region. This does not include data related to the EPIC Account identity solution.

If, in specific cases, data is transferred or made available to group companies or subprocessors outside the EEA, we ensure an equivalent level of protection by:

  • conducting transfer impact assessments (TIAs) and implementing necessary supplementary measures (technical and organisational),
  • relying on a valid adequacy decision (e.g. the EU–US Data Privacy Framework) or ensuring implementation of Standard Contractual Clauses (SCCs).

We never transfer more data than necessary, and you may contact us at support@exorlive.com for further information about applicable mechanisms and current subprocessors.

9. Security

We have implemented technical and organisational measures to protect personal data against unauthorised access, alteration, loss, and misuse. ExorLive is certified according to ISO/IEC 27001. Access is granted according to the principle of least privilege and subject to confidentiality obligations.

Information is stored and transferred in encrypted form. In some cases, personal data may also be pseudonymised through dedicated security solutions where such storage has been selected or purchased by the organisation.

We maintain procedures for handling potential breaches and will provide notifications where required by law.

10. Your Rights

Subject to the conditions and exemptions set out in the GDPR, you have the right to:

  • obtain access to the personal data we process about you,
  • request correction of inaccurate or incomplete data,
  • request deletion (“the right to be forgotten”) where applicable,
  • object to processing based on legitimate interests and opt out of direct marketing,
  • request restriction of processing,
  • data portability (for data you have provided to us, processed automatically and based on consent or contract),
  • withdraw consent where processing is based on consent (without affecting the lawfulness of processing carried out before withdrawal).

We respond as quickly as possible and normally within 30 days. For complex requests, the deadline may be extended with prior notice. You may contact us at dpo@exorlive.com to exercise your rights.

11. Children

The Services are not directed at children. We do not knowingly collect personal data from children under the age of 13 without parental or guardian consent where required as data controller. If you believe a child has provided us with information without such consent, please contact support@exorlive.com.

12. Contact and Complaints

Data Controller/DPO: Thomas Vesth Bjerregaard
Email: dpo@exorlive.com
Address: ExorLive AS, Hovfaret 4, 0275 Oslo, Norway
Organisation no.: 985 542 597

You always have the right to lodge a complaint with the relevant supervisory authority. We appreciate the opportunity to resolve the matter directly with you first, so please feel free to contact us.