Privacy Policy

This policy describes how XenoActive Group collects, uses, and protects information across our services, including Verified Identity (VI), Verified Credentials (VC), and our public websites.

Information We Collect

Account and Identity Information

When you create an account with VI, we collect:

  • Email address — used to identify your account and communicate with you
  • Password — stored as a one-way cryptographic hash; your actual password is never stored
  • Profile information — display name, username, given name, family name, pronouns, birthdate, phone number, locale, and time zone, to the extent you choose to provide them
  • Avatar image — if you upload one
  • Profile content — headline, biography, and website URL, if provided

Professional and Credential Information

When you use VC, we additionally collect:

  • Resume and work history — structured resume data and work history entries you submit
  • Social links and additional contact information — any supplementary contact details you add to your profile
  • Imported credentials — the full content of any W3C Verifiable Credentials or OpenBadges you import into your wallet
  • Employment verification information — when you request verification of work history, we store the details you provide including HR contact information

Authentication and Security Data

To protect your account and detect suspicious activity, we collect:

  • Session information — IP address, browser user agent, authentication assurance level, and authentication methods used for each active session
  • Multi-factor authentication credentials — TOTP secrets and backup codes, stored using AES-256-GCM encryption
  • Failed login counts — a counter of recent failed login attempts, used to enforce account lockout
  • Audit log — a timestamped record of security-relevant events including logins, MFA changes, password changes, token issuance and revocation, and administrative actions; each entry includes the event type, your user ID, the IP address, browser user agent, and any relevant details

Technical and Usage Data

Our web servers and API services log:

  • Request time and URL
  • IP address
  • Browser user agent

These technical logs are kept for no longer than two weeks and are used solely for monitoring service health and diagnosing problems.

Cookies and Trackers

We do not use advertising trackers or analytics cookies. Our services use only session tokens and short-lived authentication state stored in your browser to operate the login and authorization flows.

How We Use Your Information

Purpose Data Used
Authenticate you and issue access tokens Email, password hash, MFA credentials, session data
Display and share your profile Display name, username, avatar, headline, bio, website
Deliver credentials you have earned Email, name, credential content
Verify your employment history Work history details, HR contact information
Detect and prevent account compromise Failed login counts, session IP addresses, audit log
Send security alerts Email, IP address, user agent (for lockouts, MFA changes, password changes)
Send transactional email Email address (for verification links, password resets, credential notifications)
Enforce rate limits IP address and email address

We do not use your information for advertising, profiling, or automated decision-making beyond the security measures described above.

Data Retention

Data Retention Period
Web server logs Up to 2 weeks
Account profile and credentials Until you delete your account
Audit log Retained as an immutable security record

Information Sharing

We do not sell or share your personal information with third parties. We may share information only in the following circumstances:

  • With your explicit consent — for example, when you authorize a third-party application via OAuth and that application requests access to your profile claims
  • To comply with law — when required by a valid legal process, court order, or applicable regulation

When you grant an OAuth application access to your account, that application receives only the profile claims covered by the scopes you authorized (e.g., name and email under profile and email scopes). You can review and revoke connected application access at any time from your account settings.

Security

We protect your data using:

  • Passwords stored as bcrypt hashes; your plaintext password is never retained
  • MFA credentials and issuer signing keys encrypted with AES-256-GCM
  • All data transmitted over TLS
  • Account lockout after repeated failed login attempts
  • Security alert emails for sensitive account events (lockouts, MFA changes, password changes)
  • Concurrent session limits to reduce exposure from stolen refresh tokens

Your Rights

You may request at any time:

  • Access to the personal information we hold about you
  • Correction of inaccurate profile information (available directly in account settings)
  • Deletion of your account and associated personal data

To exercise these rights, contact us at the address below.

Policy Changes

We may update this policy in the future. If we make any material changes we will publish them in a conspicuous location on this website before they take effect.

Contact

If you have questions or concerns about this policy, please contact us at privacy@ this domain.