X-PEN ID
X-PEN iD
Privacy & data protection

Your Data. Your Identity. Your Control.

Transparent, plain-language policy on what we collect, what's public, what stays private, and the rights you hold over your data.

Overall Glance

  • X-PEN ID is a public identity platform — most profile content is intentionally visible.
  • Your email, phone, password, and uploaded documents are always private.
  • We don't sell your data. We don't share private fields with anyone.
  • Passwords are securely hashed — even our team cannot read them.
  • Your profile is indexed by search engines and AI by design.
  • You can export, edit, deactivate, or request deletion at any time.
  • By creating an account, you authorize verification checks with relevant institutions.
  • Aligned with GDPR principles + Pakistan data protection law.
  • Questions? Email privacy@xpenid.com
Effective: Jan 3, 2026
Version: 2.0
Language: English

1 Introduction

This Privacy Policy explains how X-PEN ID (eXtended Professional & Educational Network ID) collects, uses, stores, shares, and protects information about you when you use the platform at xpenid.com and connected services including XIJIR, SEIPID, PubLibra, X-NeuroVerification Engine, and Prof. X.

X-PEN ID is a persistent, human-centric digital identity and verification platform. By design, much of the profile content you create is intended to be public — your name, education, publications, credentials, and contributions are meant to be discoverable by people, search engines, and AI agents. This Policy explains exactly what is public, what stays private, and the controls available to you.

Data Controller
Xpertno Research Center (XRC) is the Data Controller for X-PEN ID. XRC is the operating entity responsible for the platform’s governance, technical operations, and verification processes. The platform was originally founded under Expert Novice Group Pvt Ltd in April 2025, in collaboration with Xpertno Research Center (SMC Pvt. Ltd.), by Nasir Razzaq, Founder and Creator of X-PEN ID.

Definitions

  • "Personal Data" — any information that identifies or can identify a natural person.
  • "Processing" — any operation performed on personal data (collection, storage, display, deletion, etc.).
  • "Public Profile Data" — information you choose to publish on your X-PEN ID profile, intended for public discovery.
  • "Private Data" — information used for account access, security, or verification, never publicly displayed.
  • "You" / "Contributor" — any individual who uses, registers on, or holds an X-PEN ID profile.

2 Data We Collect

2.1 Data you provide directly

When you register, build a profile, or interact with the platform, you may provide:

  • Account data: email address, password (hashed), name, optional phone number
  • Identity data: title, first/middle/last name, public name, honorific suffix, profile picture, country, city, biography
  • Education: institutions, degrees, fields of study, dates, projects, theses
  • Experience: organizations, positions, roles, dates, responsibilities
  • Internships, courses, specializations: training records, certificates, dates
  • Publications: articles, books, chapters, co-authors, identifiers (DOI, ISBN, SEIPID)
  • Awards & memberships: recognitions, fellowships, association memberships
  • Languages & knowledge areas: proficiency, research interests, skills, keywords
  • External identifiers: ORCID, ISNI, Scopus, Google Scholar, ResearchGate, GitHub, LinkedIn, Wikidata, etc.
  • Events & Jobs: when you post events and jobs
  • Verification documents: uploaded scans of IDs, degrees, certificates (private — see Section 6)
  • Reviews, Report, & feedback: reviews you submit, when you report an id, contact form submissions

2.2 Data collected automatically

When you interact with the platform, our servers may automatically log:

  • Technical data: IP address, browser type, device type, operating system
  • Usage data: pages viewed, actions taken, login times, referring URLs
  • Approximate location: derived from your IP address (city / country level only) for security and fraud prevention
Limited third-party services
We use Google Analytics on our public pages (homepage, about, search, etc.) to understand how visitors discover and use the platform. Google Analytics is not active in your authenticated dashboard or profile-editing areas. We also use IP-based location and weather services for the public location/weather strip in the navigation. See Section 7 for the full list of third parties and what they receive.

3 What's Public vs What's Private

X-PEN ID is, by design, a public identity platform. The whole point of the platform is to make verified contributor information discoverable. The table below makes this explicit, so there are no surprises.

Public on your profile

  • Full name, title, suffix, public name
  • X-PEN ID code (e.g., NR-XPEN2025-0001)
  • Profile picture
  • Country and city
  • Biography
  • Education records
  • Professional experience
  • Internships, courses, specializations
  • Publications (articles & books)
  • Awards and memberships
  • Languages and knowledge areas
  • External identifiers (ORCID, GitHub, etc.)
  • Verification level / badge
  • Reviews you submit
  • etc.

Always private

  • Login email address
  • Password (stored as a one-way hash)
  • Phone number
  • Uploaded verification documents
  • IP address and login history
  • Internal verification notes
  • Activity logs
  • Contact form submissions
  • Reporting an ID
  • Any document you upload privately
  • Direct messages, emails, or support tickets
About passwords
Your password is never stored in plain text. We use industry-standard one-way hashing — meaning even our own team cannot read your password. If you forget it, we can only help you reset it, not retrieve it.

We do not share private fields with anyone — not advertisers, not partners, not other users. Private data is only accessed internally by authorized XRC team members under documented protocols, strictly for platform operations, security, or verification.

4 How We Use Your Data

We process your data for the following purposes:

  • Service provision: creating, displaying, and maintaining your X-PEN ID profile
  • Public indexing: generating Schema.org-compliant JSON-LD for your public profile so search engines and AI agents can discover you
  • Verification: reviewing identity documents, credentials, institutional affiliations, and publication claims
  • Communication: sending platform notifications, verification updates, important account messages
  • Security: detecting and preventing fraud, abuse, unauthorized access
  • Improvement: understanding usage patterns to improve features and reliability
  • Legal compliance: meeting legal obligations and responding to lawful requests

Legal basis for processing

We process your data on the following legal bases:

  • Consent — you create an account and choose to publish profile information
  • Contractual necessity — to deliver the services you requested
  • Legitimate interests — platform security, fraud prevention, infrastructure operation
  • Legal obligations — when required by applicable law

Consent given on registration

By creating an X-PEN ID account and accepting our Terms of Service during registration, you provide explicit and informed consent for the following data processing activities:

  • Public distribution of profile data — your profile content (as listed in Section 3) will be made publicly visible on your X-PEN ID profile page, included in our public search results, and emitted as Schema.org / JSON-LD for search engines and AI agents to index and display.
  • Verification of submitted information — when you submit credentials, claims, or documents, you authorize XRC to take reasonable steps to verify them, including direct contact with relevant institutions, employers, supervisors, or issuing bodies (see Section 6).
  • Platform-wide identifier issuance — your X-PEN ID code becomes a permanent public identifier associated with your contributor record, intended to remain stable and citable for life.
  • Operational necessity — processing required to operate the platform, maintain security, prevent fraud, and meet legal obligations.
Withdrawing consent
You may withdraw any of the above consents at any time by editing your profile, contacting privacy@xpenid.com, or requesting account deactivation. Withdrawal does not affect the lawfulness of processing already carried out, and certain operational data may be retained as described in Section 11.

5 Search Engine & AI Indexing

One of the core purposes of X-PEN ID is to make your contributor identity discoverable. By creating an X-PEN ID account, you provide explicit consent for X-PEN ID to publish, distribute, and make your public profile content available — including, but not limited to:

  • Crawled and indexed by search engines (Google, Bing, DuckDuckGo, Yandex, etc.)
  • Read by AI agents and assistants (ChatGPT, Perplexity, Claude, Gemini, etc.) when answering questions about you or your work
  • Cached or referenced by third-party academic indexes, knowledge graphs, and discovery systems
  • Displayed in our public search results and X-Feed
  • Emitted as Schema.org JSON-LD for machine-readable consumption
Important
Once your profile content has been crawled and cached by external services, we cannot guarantee removal from third-party caches, search engine indexes, or AI training data sets. You can remove content from your profile at any time, and search engines will eventually update — but historical caches outside our control may persist.

6 Verification Documents

When you upload documents for verification (national ID, degree certificates, employment letters, etc.), they are treated with stricter protection than public profile data:

  • Never publicly visible — verification documents do not appear on your profile
  • Access-restricted — only authorized XRC verification team members can view them
  • Audit-logged — every access is recorded
  • Time-limited storage — documents are retained only as long as needed for verification, between 1 to 6 months depending on the document type and verification stage
  • Securely deleted — once verification is complete or the retention period ends, documents are securely deleted

The result of your verification (your verification level, badge, or "stone") is part of your public profile — but the underlying documents are never published or shared with third parties.

Verification through third-party contact

By submitting any credential, document, or claim for verification (whether a degree certificate, employment letter, identification document, publication record, or institutional affiliation), you grant XRC explicit authorization to take reasonable steps to verify its authenticity. This may include, but is not limited to:

  • Contacting the issuing university, registrar's office, or academic department to confirm a degree, transcript, or student record
  • Contacting the relevant employer or HR department to confirm a position, employment dates, or role
  • Contacting the issuing body of a certificate, license, or professional accreditation
  • Contacting journals, publishers, or co-authors to confirm a publication or contributor role
  • Contacting government agencies or official registers where document authentication is publicly available
  • Cross-referencing your data with public databases, persistent identifier registries, and authoritative sources (e.g., ORCID, Scopus, ISNI, Web of Science)

This authorization is granted at the moment you submit information for verification, and is part of the platform's integrity protocol. We will conduct such checks discreetly and only to the extent reasonably necessary. The information shared with third parties during verification will be the minimum required to confirm the specific credential or claim under review.

If verification cannot be completed
If a credential cannot be verified — because the issuing body does not respond, the document appears altered, or the claim cannot be substantiated — XRC may decline to grant verification, mark the claim as unverified on your profile, request additional documentation, or, where appropriate, take action on the account as described in our Terms of Service.

7 Data Sharing & Third Parties

We do not sell your data. We do not rent your data. We do not share your private data with anyone.

The only situations in which any data may leave our systems are:

  • Public profile data — by design, available to anyone visiting your profile or querying our public search
  • Infrastructure providers — our hosting partners process data only to keep the platform running, under strict data processing agreements
  • Email delivery — when we send transactional emails (verification, password reset, notifications), an email service provider handles delivery
  • Verification confirmation — in some verification cases, we may contact your stated institution to confirm a credential, with your knowledge
  • Legal requirements — when compelled by valid legal process under applicable law
  • Business continuity — in the event of a merger, acquisition, or transfer of operations, your data would transfer subject to the same privacy protections

Third-party services we use

We use a small, carefully chosen set of third-party services. Each receives only the data needed to perform its specific function:

Service Purpose What it receives
Hostinger & XRC Internal Hosting Platform infrastructure All data necessary to host and serve the platform
Transactional email service Verification, password reset, notifications Your email address and the email content being sent
Google Analytics (public pages only) Understanding visitor behavior on public pages — homepage, search, about, profile pages Anonymized usage data, IP address (anonymized), browser type, referring URL, pages visited. Not loaded in authenticated dashboard or profile-editing areas.
ip-api.com Powering the location/weather strip in the navigation drawer Your approximate IP address (used to derive city/country only)
OpenWeatherMap Providing local weather information in the navigation drawer Approximate latitude/longitude derived from IP — no personal identifier sent

About Google Analytics specifically

We use Google Analytics on public-facing pages only — not on your authenticated dashboard or profile editing screens. Google Analytics helps us understand how visitors find and navigate the platform, which pages are useful, and where to improve. We have configured it with the following privacy protections:

  • Limited to public pages — analytics is not loaded in your authenticated dashboard or profile-editing area
  • Aggregated reporting — we use Google Analytics for aggregated insights, not to track individuals

Google's own use of data collected through Google Analytics is governed by Google's Privacy Policy. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, or by enabling "Do Not Track" in your browser.

About the location/weather strip

When you open the navigation drawer, you may see a small line showing your approximate city, country, and current temperature. To make this work, two third-party services are used:

  • ip-api.com reads your IP address and returns an approximate city/country — this lookup is cached for 30 minutes per session to minimize repeat requests
  • OpenWeatherMap receives only the resulting latitude/longitude (not your IP) and returns the local weather

This information is shown only to you, in your own session. It is not stored in your profile, not shared with anyone else, and not used to track you across the platform.

Data Processing Agreements: All third-party providers are bound by their respective terms of service and applicable data protection laws.

Suspended, banned, or restricted accounts

To preserve the integrity of the platform and protect the wider scholarly community, X-PEN ID maintains the right to suspend, restrict, or terminate accounts that violate our Terms of Service — including, but not limited to, fraudulent credentials, falsified publications, identity misrepresentation, abusive behavior, or attempts to manipulate the verification system.

Where an account is restricted, banned, or terminated for documented platform-integrity reasons:

  • The X-PEN ID code, public name, and the category of violation (e.g., "fraudulent credentials," "duplicate identity," "verification abuse") may be publicly disclosed on a platform integrity register or by appending a clear notice on the affected profile
  • This disclosure is intended to warn the broader scholarly ecosystem — including journals, institutions, and integrators — that the identifier is no longer valid or trusted
  • Disclosure is limited to information necessary for transparency; we do not publish private personal data, verification documents, or detailed personal accusations
  • Affected users will, where reasonable and legally appropriate, be notified of the action and offered a path to contest the decision

By using X-PEN ID, you acknowledge and accept that this transparency mechanism is part of the platform's integrity model. Full procedural details, including grounds for action and the appeals process, are set out in our Terms of Service.

8 Data Security

We protect your data through layered technical and organizational measures:

  • Encryption in transit — all data transferred between your device and our servers is encrypted via HTTPS / TLS
  • Password hashing — passwords are stored as one-way cryptographic hashes
  • Access control — internal access to private data is restricted to authorized personnel
  • Direct browser-block protection — internal API endpoints reject direct browser access
  • Audit logging — sensitive operations are logged for accountability
  • Incident response — defined process for detecting, containing, and notifying about any potential breach
Security commitment
While we apply industry-standard protections, no online platform is 100% secure. We continuously improve our defenses, and in the unlikely event of a security incident affecting your data, we will notify affected users without undue delay.

9 Your Data Protection Rights

You hold meaningful, exercisable rights over your data. These align with GDPR principles and applicable Pakistan data protection law:

Right to access Request a copy of all personal data we hold about you.
Right to rectification Correct inaccurate or incomplete data — directly editable in your profile.
Right to erasure Request deletion of your account and associated personal data.
Right to portability Export your full profile as Schema.org JSON-LD at any time.
Right to restrict processing Request limitation of how we process your data while issues are resolved.
Right to object Object to processing based on legitimate interests, where applicable.
Right to withdraw consent Withdraw any consent you've previously given, without affecting prior lawful processing.
Right to lodge a complaint Contact your local data protection authority if your concerns are not addressed.
Limits to erasure
Because X-PEN ID is a persistent identity platform, some information already used in published verification, citations, or scholarly records may need to be retained for academic integrity, audit trails, or legal reasons. In such cases, we will deactivate your account and limit further processing, even if full erasure of historical traces is not possible.

To exercise any of these rights, email privacy@xpenid.com. We respond to legitimate requests within 30 days.

10 Cookies & Tracking

We use a minimal set of cookies and similar technologies, all first-party:

  • Essential cookies — for login sessions, security, and basic platform function
  • Preference cookies — to remember your settings (e.g., display preferences, language)
  • Session storage — for short-lived data like the weather/location strip cache

We do not use third-party advertising cookies, behavioral tracking pixels, or cross-site tracking. You can disable cookies in your browser settings, though some platform features (notably login) require essential cookies.

11 Data Retention

How long different types of data are kept:

Data type Retention
Profile data Retained until you request deletion. X-PEN ID is a lifelong identity platform — your profile is intended to be permanent.
Verification documents 1 to 6 months, depending on document type and verification stage. Securely deleted after.
Login & IP logs 6 to 12 months for security and fraud prevention.
First-party analytics Aggregated and anonymized; retained as needed for platform operation.
Deactivated/deleted account residual data 90 days, after which permanent erasure occurs (subject to legal/audit retention exceptions).
Verified scholarly records (publications, etc.) May be retained beyond account deletion for academic integrity and audit purposes — accounts marked deactivated.

12 International Data Transfers

X-PEN ID is operated from Pakistan. Our hosting and email infrastructure may process data in jurisdictions outside Pakistan. When data is transferred internationally, we ensure that adequate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) with infrastructure providers, where applicable
  • Selection of providers with strong data protection certifications
  • Encryption in transit and at rest

If you are located in the European Economic Area, the United Kingdom, or other regions with data export rules, you can request information about the safeguards in place by contacting privacy@xpenid.com.

13 Children's Privacy

X-PEN ID is intended for students, researchers, authors, and professionals engaging in academic or professional activity. The minimum age to create an account is 13 years. Users between 13 and 18 must have parental or institutional consent, in accordance with the laws of their country of residence.

We do not knowingly collect data from children under 13. If you believe a child under 13 has registered, please contact privacy@xpenid.com and we will remove the account and associated data without delay.

14 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the platform, our practices, or applicable law. When we make material changes, we will:

  • Update the "Effective" date at the top of this page
  • Increment the version number
  • Notify registered users by email or in-platform notice
  • For significant changes, give prior notice before the change takes effect

Continued use of the platform after the effective date of an updated Policy constitutes acceptance of the changes.

15 Contact Us

For any privacy-related question, request, or concern:

Privacy contact
Data Protection Officer
Email: privacy@xpenid.com
Operating entity: Xpertno Research Center (XRC)
Founding organization: Expert Novice Group Pvt Ltd
Jurisdiction: Pakistan, with GDPR alignment for international users

For general inquiries unrelated to privacy, use our contact page. For governance and operational details, see our governance page.

This document — Version 2.0 — is effective from Jan 3, 2026.

Read Terms of Service