Your Data. Your Identity. Your Control.

1 Introduction

This Privacy Policy explains how X-PEN ID (eXtended Professional & Educational Network ID) collects, uses, stores, shares, and protects information about you when you use the platform at xpenid.com and connected services including XIJIR, SEIPID, PubLibra, X-NeuroVerification Engine, and Prof. X.

X-PEN ID is a persistent, human-centric digital identity and verification platform. By design, much of the profile content you create is intended to be public — your name, education, publications, credentials, and contributions are meant to be discoverable by people, search engines, and AI agents. This Policy explains exactly what is public, what stays private, and the controls available to you.

Definitions

• "Personal Data" — any information that identifies or can identify a natural person.
• "Processing" — any operation performed on personal data (collection, storage, display, deletion, etc.).
• "Public Profile Data" — information you choose to publish on your X-PEN ID profile, intended for public discovery.
• "Private Data" — information used for account access, security, or verification, never publicly displayed.
• "You" / "Contributor" — any individual who uses, registers on, or holds an X-PEN ID profile.

2 Data We Collect

2.1 Data you provide directly

When you register, build a profile, or interact with the platform, you may provide:

• Account data: email address, password (hashed), name, optional phone number
• Identity data: title, first/middle/last name, public name, honorific suffix, profile picture, country, city, biography
• Education: institutions, degrees, fields of study, dates, projects, theses
• Experience: organizations, positions, roles, dates, responsibilities
• Internships, courses, specializations: training records, certificates, dates
• Publications: articles, books, chapters, co-authors, identifiers (DOI, ISBN, SEIPID)
• Awards & memberships: recognitions, fellowships, association memberships
• Languages & knowledge areas: proficiency, research interests, skills, keywords
• External identifiers: ORCID, ISNI, Scopus, Google Scholar, ResearchGate, GitHub, LinkedIn, Wikidata, etc.
• Events & Jobs: when you post events and jobs
• Verification documents: uploaded scans of IDs, degrees, certificates (private — see Section 6)
• Reviews, Report, & feedback: reviews you submit, when you report an id, contact form submissions
• Community trust signals: support signals, attestations, corrections, familiarity confirmations, co-authorship confirmations, institutional-association confirmations, and any report you submit about another contributor, credential, publication, or affiliation (see Section 14)

2.2 Data collected automatically

When you interact with the platform, our servers may automatically log:

• Technical data: IP address, browser type, device type, operating system
• Usage data: pages viewed, actions taken, login times, referring URLs
• Approximate location: derived from your IP address (city / country level only) for security and fraud prevention

3 What's Public vs What's Private

X-PEN ID is, by design, a public identity platform. The whole point of the platform is to make verified contributor information discoverable. The table below makes this explicit, so there are no surprises.

We do not share private fields with anyone — not advertisers, not partners, not other users. Private data is only accessed internally by authorized XRC team members under documented protocols, strictly for platform operations, security, or verification.

4 How We Use Your Data

We process your data for the following purposes:

• Service provision: creating, displaying, and maintaining your X-PEN ID profile
• Public indexing: generating Schema.org-compliant JSON-LD for your public profile so search engines and AI agents can discover you
• Verification: reviewing identity documents, credentials, institutional affiliations, and publication claims
• Community trust signals: receiving, weighing, and acting on support signals, attestations, reports, and correction recommendations submitted by verified contributors at any level (see Section 14)
• Communication: sending platform notifications, verification updates, important account messages
• Security: detecting and preventing fraud, abuse, unauthorized access
• Improvement: understanding usage patterns to improve features and reliability
• Legal compliance: meeting legal obligations and responding to lawful requests

Legal basis for processing

We process your data on the following legal bases:

• Consent — you create an account and choose to publish profile information
• Contractual necessity — to deliver the services you requested
• Legitimate interests — platform security, fraud prevention, infrastructure operation
• Legal obligations — when required by applicable law

Consent given on registration

By creating an X-PEN ID account and accepting our Terms of Service during registration, you provide explicit and informed consent for the following data processing activities:

• Public distribution of profile data — your profile content (as listed in Section 3) will be made publicly visible on your X-PEN ID profile page, included in our public search results, and emitted as Schema.org / JSON-LD for search engines and AI agents to index and display.
• Verification of submitted information — when you submit credentials, claims, or documents, you authorize XRC to take reasonable steps to verify them, including direct contact with relevant institutions, employers, supervisors, or issuing bodies (see Section 6).
• Platform-wide identifier issuance — your X-PEN ID code becomes a permanent public identifier associated with your contributor record, intended to remain stable and citable for life.
• Operational necessity — processing required to operate the platform, maintain security, prevent fraud, and meet legal obligations.

5 Search Engine & AI Indexing

One of the core purposes of X-PEN ID is to make your contributor identity discoverable. By creating an X-PEN ID account, you provide explicit consent for X-PEN ID to publish, distribute, and make your public profile content available — including, but not limited to:

• Crawled and indexed by search engines (Google, Bing, DuckDuckGo, Yandex, etc.)
• Read by AI agents and assistants (ChatGPT, Perplexity, Claude, Gemini, etc.) when answering questions about you or your work
• Cached or referenced by third-party academic indexes, knowledge graphs, and discovery systems
• Displayed in our public search results and X-Feed
• Emitted as Schema.org JSON-LD for machine-readable consumption

6 Verification Documents

When you upload documents for verification (national ID, degree certificates, employment letters, etc.), they are treated with stricter protection than public profile data:

• Never publicly visible — verification documents do not appear on your profile
• Access-restricted — only authorized XRC verification team members can view them
• Audit-logged — every access is recorded
• Time-limited storage — documents are retained only as long as needed for verification, between 1 to 6 months depending on the document type and verification stage
• Securely deleted — once verification is complete or the retention period ends, documents are securely deleted

The result of your verification (your verification level, badge, or "stone") is part of your public profile — but the underlying documents are never published or shared with third parties.

Biometric data (selfie photo / selfie video)

Where the verification method you choose includes a selfie photo or selfie video for face-match against a government ID (see Verification System § Identity verification), the selfie is treated as biometric data. Under the GDPR this is a special category of personal data under Article 9 and is processed only on the basis of your explicit consent, given at the moment you submit the file for verification. Biometric data is:

• Used solely to confirm that the person in the ID is the person submitting the profile
• Reviewed by authorized XRC verification personnel (and, where used, an accredited identity-verification subprocessor under a data-processing agreement)
• Not used to train any biometric or face-recognition model
• Not reused for any purpose beyond the specific verification request
• Securely deleted once the verification decision is recorded, in line with the retention window above

You may withdraw biometric consent at any time by contacting privacy@xpenid.com. Withdrawal does not affect the validity of a verification decision already made on the basis of that consent, but causes any retained biometric file to be deleted ahead of schedule.

Verification through third-party contact

By submitting any credential, document, or claim for verification (whether a degree certificate, employment letter, identification document, publication record, or institutional affiliation), you grant XRC explicit authorization to take reasonable steps to verify its authenticity. This may include, but is not limited to:

• Contacting the issuing university, registrar's office, or academic department to confirm a degree, transcript, or student record
• Contacting the relevant employer or HR department to confirm a position, employment dates, or role
• Contacting the issuing body of a certificate, license, or professional accreditation
• Contacting journals, publishers, or co-authors to confirm a publication or contributor role
• Contacting government agencies or official registers where document authentication is publicly available
• Cross-referencing your data with public databases, persistent identifier registries, and authoritative sources (e.g., ORCID, Scopus, ISNI, Web of Science)

This authorization is granted at the moment you submit information for verification, and is part of the platform's integrity protocol. We will conduct such checks discreetly and only to the extent reasonably necessary. The information shared with third parties during verification will be the minimum required to confirm the specific credential or claim under review.

7 Data Sharing & Third Parties

We do not sell your data. We do not rent your data. We do not share your private data with anyone.

The only situations in which any data may leave our systems are:

• Public profile data — by design, available to anyone visiting your profile or querying our public search
• Infrastructure providers — our hosting partners process data only to keep the platform running, under strict data processing agreements
• Email delivery — when we send transactional emails (verification, password reset, notifications), an email service provider handles delivery
• Verification confirmation — in some verification cases, we may contact your stated institution to confirm a credential, with your knowledge
• Legal requirements — when compelled by valid legal process under applicable law
• Business continuity — in the event of a merger, acquisition, or transfer of operations, your data would transfer subject to the same privacy protections

Third-party services we use

We use a small, carefully chosen set of third-party services. Each receives only the data needed to perform its specific function:

About Google Analytics specifically

We use Google Analytics on public-facing pages only — not on your authenticated dashboard or profile editing screens. Google Analytics helps us understand how visitors find and navigate the platform, which pages are useful, and where to improve. We have configured it with the following privacy protections:

• Limited to public pages — analytics is not loaded in your authenticated dashboard or profile-editing area
• Aggregated reporting — we use Google Analytics for aggregated insights, not to track individuals

Google's own use of data collected through Google Analytics is governed by Google's Privacy Policy. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, or by enabling "Do Not Track" in your browser.

About the location/weather strip

When you open the navigation drawer, you may see a small line showing your approximate city, country, and current temperature. To make this work, two third-party services are used:

• ip-api.com reads your IP address and returns an approximate city/country — this lookup is cached for 30 minutes per session to minimize repeat requests
• OpenWeatherMap receives only the resulting latitude/longitude (not your IP) and returns the local weather

This information is shown only to you, in your own session. It is not stored in your profile, not shared with anyone else, and not used to track you across the platform.

Data Processing Agreements: All third-party providers are bound by their respective terms of service and applicable data protection laws.

Suspended, banned, or restricted accounts

To preserve the integrity of the platform and protect the wider scholarly community, X-PEN ID maintains the right to suspend, restrict, or terminate accounts that violate our Terms of Service — including, but not limited to, fraudulent credentials, falsified publications, identity misrepresentation, abusive behavior, or attempts to manipulate the verification system.

Where an account is restricted, banned, or terminated for documented platform-integrity reasons:

• The X-PEN ID code, public name, and the category of violation (e.g., "fraudulent credentials," "duplicate identity," "verification abuse") may be publicly disclosed on a platform integrity register or by appending a clear notice on the affected profile
• This disclosure is intended to warn the broader scholarly ecosystem — including journals, institutions, and integrators — that the identifier is no longer valid or trusted
• Disclosure is limited to information necessary for transparency; we do not publish private personal data, verification documents, or detailed personal accusations
• Affected users will, where reasonable and legally appropriate, be notified of the action and offered a path to contest the decision

By using X-PEN ID, you acknowledge and accept that this transparency mechanism is part of the platform's integrity model. Full procedural details, including grounds for action and the appeals process, are set out in our Terms of Service.

8 Data Security

We protect your data through layered technical and organizational measures:

• Encryption in transit — all data transferred between your device and our servers is encrypted via HTTPS / TLS
• Password hashing — passwords are stored as one-way cryptographic hashes
• Access control — internal access to private data is restricted to authorized personnel
• Direct browser-block protection — internal API endpoints reject direct browser access
• Audit logging — sensitive operations are logged for accountability
• Incident response — defined process for detecting, containing, and notifying about any potential breach

9 Your Data Protection Rights

You hold meaningful, exercisable rights over your data. These align with GDPR principles and applicable Pakistan data protection law:

To exercise any of these rights, email privacy@xpenid.com. We respond to legitimate requests within 30 days.

10 Cookies & Tracking

We use a minimal set of cookies and similar technologies, all first-party:

• Essential cookies — for login sessions, security, and basic platform function
• Preference cookies — to remember your settings (e.g., display preferences, language)
• Session storage — for short-lived data like the weather/location strip cache

We do not use third-party advertising cookies, behavioral tracking pixels, or cross-site tracking. You can disable cookies in your browser settings, though some platform features (notably login) require essential cookies.

11 Data Retention

How long different types of data are kept:

12 International Data Transfers

X-PEN ID is operated from Pakistan. Our hosting and email infrastructure may process data in jurisdictions outside Pakistan. When data is transferred internationally, we ensure that adequate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) with infrastructure providers, where applicable
• Selection of providers with strong data protection certifications
• Encryption in transit and at rest

If you are located in the European Economic Area, the United Kingdom, or other regions with data export rules, you can request information about the safeguards in place by contacting privacy@xpenid.com.

13 Children's Privacy

X-PEN ID is intended for students, researchers, authors, and professionals engaging in academic or professional activity. The minimum age to create an account is 13 years. Users between 13 and 18 must have parental or institutional consent, in accordance with the laws of their country of residence.

We do not knowingly collect data from children under 13. If you believe a child under 13 has registered, please contact privacy@xpenid.com and we will remove the account and associated data without delay.

14 Community Trust Signals

X-PEN ID operates a community-supported verification model. Every verified contributor — at every level from Level 1 to Level 5 — may submit support signals, attestations, reports, or correction recommendations about other contributors, credentials, publications, or institutional affiliations they personally know or recognize. The operational rules sit in Account Lifecycle & Reporting, Levels & Stone System, and Verification System. This section explains the data side of that activity.

14.1 What we collect when you submit a signal

• The X-PEN ID code of the profile, credential, or record being referenced
• The category of the signal (identity familiarity, credential familiarity, co-authorship, institutional association, correction, report, integrity concern)
• The free-text description and any evidence, links, or attachments you choose to provide
• Your verified X-PEN ID, your current level/stone, and the submission timestamp
• Routine technical data normally collected with any platform action (IP, device, session)

14.2 How we use it

• Signals are private to the XRC Verification Team — never shown to the reported contributor and never published on the Public Integrity Register
• Signals are inputs only. Final verification, correction, restriction, revocation, level progression, or stone recognition always remains under XRC review. A signal alone does not approve, reject, suspend, or unlock anything
• Patterns across signals (coordinated, retaliatory, paid, or duplicate attestations) are monitored, and abuse may itself trigger action against the submitter
• Aggregate, de-identified signal data may inform internal product, integrity, and abuse-detection improvements

14.3 Reporter identity protection

Your identity as a submitter is held in confidence by XRC. It is not shared with the contributor being reported, not published on the Public Integrity Register, and not disclosed to third parties — except where (a) we are compelled by valid legal process, (b) you give written consent to disclose, or (c) the submission itself is determined to be a bad-faith, fraudulent, paid, or harassing act requiring action against you.

14.4 Signals you must not submit

You must not submit a signal that:

• You have been paid, offered a benefit, or otherwise induced to provide
• Vouches for a person, credential, institution, publication, or contribution you do not genuinely know
• Is part of a coordinated brigading, revenge-reporting, or harassment campaign
• You know — or should reasonably know — to be false, misleading, or unverifiable

These actions are violations of our Terms of Service and the Payment Integrity & Anti-Bribery policy, and are themselves grounds for suspension, termination, and Public Integrity Register entry.

15 Non-User Profiles & Deceased Persons

X-PEN ID is intended to be populated by contributors registering their own identity. We do not permit profiles to be created on behalf of people who have not consented, except in narrow, well-defined circumstances. This section explains how we handle data about people who are not, or are no longer, active platform users.

15.1 Profiles of living non-users

• Creating a profile claiming to be another living person, or registering an account in someone else's name without that person's explicit authorization, is an impersonation violation and is removed on confirmation
• Where a public figure is referenced in a verified contributor's work (as co-author, supervisor, employer, mentor), the reference may appear as metadata on the verified contributor's profile, but no standalone X-PEN ID profile is created without the named person's participation
• Any living person who finds themselves identified on the platform without having created an account may contact privacy@xpenid.com to request review, correction, masking, or removal of references to them
• Where the reference is part of a verified scholarly record (citations, co-authorship, institutional history) we will balance the individual's request against the integrity of the public scholarly record; in such cases we may mask personal details while leaving the underlying citation traceable

15.2 Deceased contributors

• Where an X-PEN ID is associated with a contributor who has passed away, the identity record is preserved under the persistent-identity principle so that citations, publications, and scholarly references continue to resolve
• Profile picture, biographical contact details, and active-session data may be masked or removed at the request of an authorized family member, executor, institution, or other person holding documented authority
• Where the platform receives credible evidence of death, the profile may be marked accordingly and login access disabled, while public scholarly content remains visible
• Requests are handled by emailing privacy@xpenid.com with proof of authority and a description of the action requested

15.3 Historical and pre-platform figures

Mentions of historical persons (authors, scientists, founders) inside a verified contributor's bibliography, citation list, or institutional history are treated as factual references to publicly known work — not as profiles in their own right. No X-PEN ID code is issued to a non-participating historical figure.

15.4 Minors and dependants

We do not create profiles for minors who have not registered themselves in line with Section 13 (Children's Privacy). References to minors in a verified contributor's record (for example, a co-authored school project) are handled with extra restraint and may be redacted on request.

16 CCPA & US State Privacy Rights

This section provides additional disclosures for residents of the United States, including California (CCPA / CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with applicable consumer-privacy laws. Where any specific US state law grants rights beyond those in Section 9 (Your Data Protection Rights), those rights also apply.

16.1 We do not sell your personal information

X-PEN ID does not sell personal information for monetary or other valuable consideration, and does not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We do not knowingly process personal information of consumers under 16 for sale or sharing.

16.2 Categories of personal information

The categories of personal information we collect are listed in Section 2 (Data We Collect). What is public versus private is set out in Section 3. We retain data per the schedule in Section 11 (Data Retention). We do not use personal information for purposes incompatible with those disclosed in Section 4.

16.3 Your US state privacy rights

• Right to know — what personal information we collect, use, disclose, and (if applicable) sell or share
• Right to access — a copy of the personal information we hold about you
• Right to delete — subject to the persistent-identity limits described in Section 9
• Right to correct — inaccurate personal information
• Right to opt out — of sale or sharing for targeted advertising (we do neither; the right is preserved nonetheless)
• Right to limit — the use of sensitive personal information (we use such data only for verification, security, and account integrity)
• Right to non-discrimination — for exercising any of these rights
• Right to appeal — a denied request, by replying to our decision email

16.4 How to exercise these rights

Send requests to privacy@xpenid.com with the subject line "US Privacy Rights Request" and a description of the right(s) you wish to exercise. We will verify your identity using your existing account information or, for non-account-holders, reasonable identity evidence. We respond to verified requests within 45 days, extendable once where reasonably necessary, in line with applicable law. Authorized agents may submit requests on your behalf with documented authority.

16.5 Shine the Light (California)

California residents may request, once per calendar year, information about any disclosure of personal information to third parties for direct marketing purposes. X-PEN ID does not engage in such disclosures.

16.6 Notice of Financial Incentive

We do not offer financial incentives in exchange for personal information. The fast-verification fee described in our Payment Integrity policy is a service fee for processing speed, not consideration for data.

17 Accessibility

X-PEN ID is committed to a platform that is accessible to the widest possible audience. We design, build, and maintain xpenid.com with the goal of conformance to the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA, and we track updates to WCAG 2.2 and equivalent international standards (such as the EN 301 549 baseline used in the EU and Section 508 in the US).

17.1 What we do

• Semantic HTML, keyboard navigability, and ARIA labelling across core flows
• Sufficient color contrast, scalable typography, and visible focus styles
• Alt text for meaningful images and descriptive link text
• Captioning and transcripts for any platform-produced media, where applicable
• Compatibility testing with major screen readers and assistive technologies on a best-effort basis

17.2 Known limitations

Some user-submitted content (PDFs of publications, third-party embedded materials, historical uploads) may not meet WCAG standards because it originates outside XRC's control. Where you encounter such content and need an accessible alternative, please contact us.

17.3 Feedback and assistance

If any part of the platform creates an accessibility barrier for you, please email accessibility@xpenid.com (or privacy@xpenid.com if that mailbox is unavailable) with the page URL, the assistive technology you use, and a description of the issue. We aim to acknowledge accessibility requests within 5 business days and to provide a substantive response or remediation plan within a reasonable period thereafter.

18 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the platform, our practices, or applicable law. When we make material changes, we will:

• Update the "Effective" date at the top of this page
• Increment the version number
• Notify registered users by email or in-platform notice
• For significant changes, give prior notice before the change takes effect

Continued use of the platform after the effective date of an updated Policy constitutes acceptance of the changes.

19 Contact Us

For any privacy-related question, request, or concern:

For general inquiries unrelated to privacy, use our contact page. For governance and operational details, see our governance page.