Privacy Policy
Summary: X-ID is a self-sovereign identity platform. We are designed to minimise personal data collection. The data you store in your wallet lives on your device and on the blockchain — we do not have access to your private keys or credential contents. This policy explains the limited server-side data we do handle.
1. Who We Are
X-ID (“we,” “our,” or “us”) operates the website at x-id.xyz and the X-ID identity platform accessible at app.x-id.xyz. For the purpose of applicable data protection laws, X-ID is the data controller for the limited personal data described in this policy.
Contact us at: [email protected]
2. The Core Architecture — What We Cannot See
X-ID is built on a self-sovereign identity (SSI) architecture. This means:
- Private keys never leave your device. Your cryptographic keys are generated locally and never transmitted to our servers.
- Credential contents are private. Verifiable credentials stored in your wallet are encrypted on your device. We cannot read them.
- Selective disclosure is enforced client-side. When you present a credential, the zero-knowledge proof is generated on your device. We are not an intermediary in that transaction.
- Blockchain data is public. DID documents, credential revocation registries, and smart contract interactions written to the Flare Network or Coston2 testnet are publicly visible on-chain. This is a fundamental property of blockchains and is not within our control to reverse.
3. Data We Collect and Why
3.1 Account Registration
When you create an X-ID account, we collect:
- Email address — for account authentication, security notifications, and product updates (with consent)
- A wallet address — the public key of your DID wallet, used to associate your account with on-chain identity records
- Account creation timestamp
Legal basis (GDPR): Contract performance (Art. 6(1)(b)) for authentication; legitimate interests (Art. 6(1)(f)) for security; consent (Art. 6(1)(a)) for marketing emails.
3.2 Website Analytics
We collect anonymised, aggregated analytics about how visitors use x-id.xyz. This includes page views, referrer information, browser type, and approximate geographic region (country level). We do not use cookies for analytics tracking. IP addresses are truncated before storage and are not linked to individual user accounts.
Legal basis: Legitimate interests — understanding how our website performs.
3.3 API and Platform Logs
Our servers automatically record request logs that include: timestamp, API endpoint accessed, HTTP response code, and approximate request size. These logs are retained for 90 days for security and debugging purposes. Logs do not include credential contents or private key material.
Legal basis: Legitimate interests — maintaining security and reliability of the platform.
3.4 Careers and Support Applications
If you submit a careers application or support enquiry via our website forms, we collect the name, email address, and message you provide. This data is used solely to respond to your enquiry and is not shared with third parties.
Legal basis: Consent (Art. 6(1)(a)).
3.5 Organisation Accounts
If you register an organisation on the X-ID platform, we collect the organisation name, domain, billing contact email, and API usage metrics. This data is used to provision and bill for the service.
Legal basis: Contract performance.
4. Cookies and Tracking
This marketing website (x-id.xyz) uses no tracking cookies and no third-party analytics scripts. The only third-party script loaded is the Cloudflare Turnstile CAPTCHA widget on the careers form, which is loaded only when you scroll to that section. Cloudflare’s privacy policy governs their processing: cloudflare.com/privacypolicy.
The application platform (app.x-id.xyz) uses an authentication session cookie to keep you signed in. This is a strictly necessary cookie and does not require consent under ePrivacy rules.
5. How We Share Your Data
We do not sell personal data. We do not share personal data with advertisers. Data may be shared with:
- Infrastructure providers — our hosting and cloud infrastructure providers who process data under data processing agreements as required by GDPR.
- Cloudflare — for DDoS protection, CDN services, and CAPTCHA. Cloudflare processes traffic metadata under their Data Processing Addendum.
- Legal obligation — where required by law, court order, or to protect the rights and safety of X-ID users.
6. International Data Transfers
X-ID operates infrastructure in the European Union and the United States. Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.
7. Data Retention
- Account data: retained for the life of your account plus 30 days after deletion to allow recovery from accidental deletion.
- API logs: 90 days rolling retention.
- Careers / support messages: deleted within 12 months of last contact, or earlier on request.
- Analytics data: aggregated; no individual retention limit applies.
- On-chain data: immutable by blockchain design. DID documents and revocation entries written to the Flare Network cannot be deleted by X-ID. If you wish to abandon a DID, you may deactivate it (which updates the DID document to signal deactivation), but the historical record remains on-chain.
8. Your Rights
Subject to applicable law, you have the right to:
- Access — obtain a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data (subject to the blockchain limitation noted above)
- Restriction — ask us to restrict processing while a dispute is resolved
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
- Lodge a complaint — with your national data protection authority
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Children’s Privacy
The X-ID platform is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at [email protected] and we will delete it promptly.
10. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These include encryption in transit (TLS 1.3), encryption at rest for sensitive fields, access controls, and regular security reviews. However, no internet transmission is 100% secure and we cannot guarantee absolute security.
11. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top and, for significant changes, notify registered users by email. Continued use of the platform after changes constitutes acceptance of the updated policy.
12. Contact
For any privacy-related queries:
- Email: [email protected]
- General: [email protected]