Privacy policy
APPLICABLE LAW AND LEGAL HISTORY
The rights and obligations of the contracting parties related to the use of Xpat or resulting from these terms are governed by Icelandic law.
If a dispute arises between the parties due to the use of Xpat or due to these terms, such a matter shall be decided by the Reykjavík District Court unless otherwise stated.
Xpat's privacy policy (Búferlar ehf id. 530422-1190, with registered office at Hlíðasmára 19, 201 Kópavogur ("Xpat" or "we")).
You can use our services in various ways, for example by using the smartphone application (the "App"), web application or our website or by requesting assistance. When you use our services or provide us with information about you in other ways, for example when you create your interface, we use the information about you to provide you with services, improve our services and answer your questions in a more targeted way.
Our services are not intended for children under the age of 16. We do not process the personal information of children under the age of 16. If you are under the age of 16, please do not use our website without the permission and supervision of your legal guardian.
When you use our services, it is important to us that you fully understand how and why we process your information and that you know your rights.
In this Xpat Privacy Policy (“Policy”) we explain: what information we collect and how; how we use the information and on what legal basis; how long we process the information; who has access to the information; what your rights are in relation to the information and how you use it.
1. WHAT INFORMATION WE COLLECT AND HOW
The information we collect about users varies depending on whether they are an individual looking for a job through the Xpat system ("expati") or a company looking for employees through the system ("employer").
If you are an applicant, we collect the following information:
Information you provide to us: This is your personal information that you provide to us when you contact us, log into Xpat's system or request assistance. You generally provide this information by filling in and submitting a form through our website, logging into Xpat's system either through your Facebook profile or via SMS, adding the relevant information to your interface at Xpat, applying for work with electronic credentials, answering a satisfaction survey, or filling out a contract or request for assistance. In this way, you can provide us with your first name, last name, electronic signature, profile picture in the Xpat system, email address, telephone number, date of birth, information about your life course, education and career, attachments (such as a CV or certificate), information about language skills, links to your public profiles (e.g. your website, Facebook or LinkedIn page, etc.) and information about your other qualifications. If you have asked us for help, we have information about your specific needs. To improve our service and user support, we also record calls when you decide to leave a voice message for us.
Information we receive when you use our services: we collect information about how you use our services, from accessing our website to using Xpat's system. The information is as follows:
Information about your activity on our website: We use cookies to analyze traffic on our website. When you visit our website, we record your activity on it, such as the number of pages you visit, how long you stay on the page, which pages are viewed, repeated visits to the page, etc. We never link this information to your personal information, such as information you enter into forms through our website or your IP address.
Information about your activity in Xpat's system: when you use Xpat's system, whether through the website or our app, we receive information about the overview of your job applications, whether electronic signatures are used, messages between you and employers, the status of your applications and your job preferences.
Information about your device: When we receive notifications about technical anomalies (e.g. crash reports) or requests for assistance, we receive information about the version of the program/app you use, the device, including the operating system and hardware, the so-called stack trace of the anomaly and other information necessary to improve our products and services and to fix software bugs. This information collected when using the Xpat app is not linked to individuals in any way. If you connect to Xpat's system with the web application, we collect information about your operating system, browser, how long the system is used in the respective session, user-agent header, web address and breadcrumbs. We may also collect the information and associate it with your IP address, but use the IP address only to resolve technical anomalies in Xpat's system, specifically to verify that you are the same user affected by the anomaly and to estimate how many users the same anomaly has affected. We do not use IP addresses to link device information to specific individuals.
If you are an employer, we are the data processor for most of your personal data. In such cases, such information that we work with is subject to the data processing agreement between us and your company. However, we still work with certain information as a data controller:
Information we receive when you use our services: We collect information about how you use our services, from accessing our website to using Xpat's system. The information is as follows:
Information about your activity on our website: we use cookies to analyze traffic on our website. When you visit our website, we record your activity on it, such as the number of pages you visit, how long you stay on the page, which pages are viewed, repeated visits to the page, etc. We never link this information to your personal information, such as information you enter into forms through our website or your IP address.
Information about your device: When we receive notifications of technical anomalies (e.g. crash reports) or requests for assistance, we receive information about your operating system, browser, how long the system is used in the relevant session, user-agent header, web address and so-called breadcrumb paths. We may also collect the information and associate it with your IP address, but use the IP address only to resolve technical anomalies in Xpat's system, specifically to verify that you are the same user affected by the anomaly and to estimate how many users the same anomaly has affected. We do not use IP addresses to associate device information with specific individuals.
2. HOW WE USE INFORMATION COLLECTED AND ON WHAT LEGAL BASIS
We use the information we collect to provide you with our services, in particular to enable you to create an access to Xpat's system, to use Xpat's system properly and to provide the information about you that is most relevant to getting the job you are interested in, or to enable your company to find the most suitable person for the job. We also use personal data to maintain, protect and further improve Xpat's system.
Information we collect, including your personal information, is also used to protect us and other users of our Services.
Your email address may be used to send you newsletters about our services, such as notifications of proposed changes or improvements.
We use information collected through cookies to improve the interface and overall quality of our services. For this purpose, we use a number of third-party services, such as Google Analytics.
The legal basis for the processing of your personal data varies depending on whether you are the applicant or the employer. If you are an employer, we process your personal data to fulfil a contract with you and our legal obligations and to protect our legitimate interests. If you are the applicant, we also process your personal data in order to fulfil a contract with you and our legal obligations and to protect our legitimate interests, but where we also disclose your personal data to other data controllers (your potential employers) we need your consent to such processing. Because the basic purpose of Xpat's system is to provide your potential employers with information about you, we are unable to provide our services to you unless you give us your consent to share the information with them.
You can rest assured that if we ever intend to use your information for purposes not disclosed in this policy, we will always notify you in advance and provide you with an opportunity to stop using our services.
Our legitimate interests in the processing of your personal data relate to the ability to do any of the following:
to contact you for a mutual business relationship, including direct marketing;
to improve our services;
to correct errors that arise during the use of our Services;
to ensure backup and recovery of systems and data in the event of system failure;
to defend the legal claims of Xpat and our other clients;
to assess the quality of our services on the basis of satisfaction surveys you answer;
to evaluate the effectiveness of marketing you have been involved in; and
to ensure efficient customer service and the execution of work.
3. HOW LONG DO WE WORK WITH INFORMATION COLLECTED
Your personal information is only stored and processed for the time necessary for the purpose for which it was collected. For example, if you decide to delete your access on Xpat's system, we will retain your personal information for an additional 30 days as a result of your decision to re-create the account, after which we will delete your personal information.
When we share your personal data with employers, we grant them access to it for a maximum period of 12 months from the date of your application. When 12 months have passed since your application or withdrawal of your application, the employer will no longer see your personal data.
Please note that in some cases we may retain some of your personal information for a longer period, in particular when required by law (such as tax law) or when we need it to protect our legitimate interests (e.g. if we have a dispute pending in court and we need information to prove that you were a customer). In such cases, we only store the personal information necessary for such purposes and delete it as soon as possible.
APPLICATION PROCESS
If an applicant is interested in applying for a job advertised on Xpat, he/she may submit an application to a company containing the information already available on his/her individual interface, together with the additional information requested by the company and further information that the applicant wishes to provide. This communication always occurs via Xpat.
The Company and the Applicant are responsible for any communication that may occur between them, whether or not it takes place through Xpat.
An applicant can withdraw his/her application at any time by selecting the appropriate option in Xpat.
An application is available to companies in Xpat for one year from the time the applicant submits an application to a company, unless the applicant closes their access or withdraws the application before then.
4. WHO HAS ACCESS TO YOUR INFORMATION
Xpat attaches great importance to the protection of your personal data and will never sell your personal information to third parties. We only disclose personal information to third parties for the above purposes and to the extent necessary.
As stated above, your personal data will be shared with data subjects and employers in Xpat's system. If you are an applicant, your personal data will only be visible to employers with whom you have applied for a job. If you are an employer, your personal data will only be visible to other employers and applicants if you include it in the job advertisement.
We may also transfer your personal data to cloud service providers that provide data transmission between us and you, technology service providers and service providers that provide support and maintenance services, our developers, our legal advisors for contractual or dispute resolution, and to external audit and tax advisors.
We share information about your use of Xpat's system with third parties that provide us with services in connection with promotional and marketing services.
If we transfer your personal data to third parties, we always do so on the basis of an adequate agreement with that party in order to be able to monitor their processing of your personal data.
5. HOW WE ENSURE SECURITY OF PERSONAL INFORMATION
Periodic risk assessment. We regularly assess information security risks related to personal information to ensure that its security is acceptable to us.
Security processes within the company. We are committed to protecting your personal data from the risk of human error. In particular, the following measures may be taken:
We adhere to specific safety guidelines and documents that apply within the company;
We regularly provide training to our employees in relation to policies that govern the processing of personal data and information security risks;
We contractually define the responsibilities of employees, external partners, service providers and other third parties who have access to your personal information;
We have established and maintained standard procedures for the processing of personal data.
Technical measures. We have put in place important technical measures to ensure the security of your personal data. In particular, the following measures may be taken:
Server/server antivirus solution for malware protection;
Cybersecurity solutions that combine firewalls, network settings, and other technologies;
Encryption of data transfer in Xpat's system using HTTPS;
All personal data are stored securely in an SQL database of EU/EEA brokers;
Backing up of critical data and infrastructure.
Physical security. For the protection of personal data in written form and the physical security of IT equipment:
We control access to databases that store your personal data;
We have ensured the security of premises where servers are located and the storage of personal data.
6. EXERCISE OF YOUR RIGHTS
You have the following rights in relation to the processing of your personal data:
a) the right of access to personal data;
b) the right to rectification;
c) the right to erasure of data ("the right to be forgotten");
d) the right to restrict processing;
e) the right to object to processing ("right to object"); and
f) the right to lodge a complaint concerning the processing of personal data.
Your rights are explained in more detail below. You can exercise all your rights by writing to us at einar@xpat.is. You can lodge a complaint with the Data Protection Authority (www.personuvernd.is).
The right of access means that you can ask us at any time to confirm whether your personal data is being processed. If so, you have the right to access all relevant information and to information about the purposes for which, to what extent and to whom it is made available, how long we will process it, whether you have the right to rectify it, delete it, restrict its processing or object to the processing, where we obtained the personal data and whether it is used for automated decision-making, including profiling.
The right to rectification means that you may at any time ask us to rectify or supplement your personal data if it is incorrect or incomplete.
The right to erasure means that we must erase your personal data if (i) it is no longer necessary to store it for the purposes for which it was collected or for which it has been processed, (ii) the processing is unlawful, (iii) you object to the processing and there are no legitimate reasons for the processing overriding your rights, (iv) we are required to do so by law or (v) you have withdrawn your consent for our processing of your personal data.
The right to restrict processing means that, pending a conclusion on issues relating to the processing of your personal data, we must restrict the processing thereof.
The right to object means that you may object to the processing of your personal data that we process for purposes of our legitimate interests, in particular for direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for that purpose.
7. VALIDITY PERIOD
This privacy policy is effective as of May 7, 2023.