Privacy Policy

Information you give us

• Account data: Name, email address, username, and password (hashed — we never store plaintext passwords).
• Profile data: Professional headline, industry, location, education background, and any optional fields you fill in.
• Artifact content: The files, text, images, links, and MER (Method, Evidence, Result) content you post to your Pipeline.
• Messages: The content of conversations you have with other members and employers on the platform.
• Challenge submissions: Work you submit to employer challenges, including all supporting files.

Information we collect automatically

• Usage data: Which pages you visit, which artifacts you view, how long you spend on them (used to calculate qualified view counts — 10+ seconds only).
• Device data: Browser type, operating system, screen size, and IP address for security and fraud prevention.
• Interaction data: Forks, saves, connections made, and challenges entered.

Information from third parties

• If you sign in with Google, GitHub, or Apple, we receive your name and email from that provider. We do not receive or store your password from these services.

• To operate the platform: Running your profile, your Pipeline, the discovery feed, the challenge engine, and the messaging system.
• To calculate your Proof Score: Your score is derived from your own activity — artifact quality, verifications received, fork rates, and qualified views. It is not sold or shared.
• To personalise your feed: Showing you artifacts and challenges relevant to your industry and connections.
• To send you notifications: Only about activity on your account, in the frequency you've set in Settings.
• To enforce our policies: Investigating reports of abuse, ghosting, or policy violations.
• To improve the platform: Anonymised, aggregated usage data only. We will never use your individual data for this without consent.
• For legal compliance: Retaining data as required by applicable law.

• We never sell your data — to advertisers, data brokers, recruitment firms, background check companies, or anyone else.
• We never show you advertising — Xylomark has no ad network. We do not take money from companies to promote them to you.
• We never use your artifacts to train AI models — Your work is your work. It is never used to train machine learning models without your explicit, opt-in consent.
• We never share your messages with employers — Conversations between you and employers are private. We do not provide transcripts to any third party.
• We never share your unanonymised data with employers viewing your profile — Employers see what you choose to make public. Nothing more.

Visibility of your profile and artifacts is entirely in your control via Settings → Privacy. The default for new accounts is Public.

• Public artifacts: Visible to anyone, including non-members, search engines, and employers. Indexed by Xylomark's search.
• Connections-only artifacts: Visible only to your confirmed connections on the platform.
• Private artifacts: Visible only to you. Can still be shared via a direct link you control.
• Challenge submissions: Visible to the employer who posted the challenge during the review period. Blind review means your name and profile are hidden until you consent to reveal them.
• Messages: Visible only to the participants in the conversation and Xylomark's trust & safety team in the event of a policy violation report.

Your data is stored on servers in the European Union (primary) and the United States (backup). We use industry-standard encryption in transit (TLS 1.3) and at rest (AES-256). Passwords are hashed using bcrypt with a minimum cost factor of 12.

We conduct annual security audits and operate a responsible disclosure programme. To report a security vulnerability, email security@xylomark.com.

In the event of a data breach that materially affects your personal data, we will notify you within 72 hours of becoming aware of it, as required by GDPR Article 33.

Depending on your location, you may have some or all of the following rights. We honour all of them regardless of where you are.

• Right to access: Request a copy of all data we hold about you. Use Settings → Plan & Billing → Request data export.
• Right to correction: Update or correct any inaccurate information via your Settings page.
• Right to deletion: Delete your account and all associated data via Settings → Danger Zone. We'll process this within 30 days.
• Right to portability: Export your data in machine-readable format (JSON/CSV) at any time.
• Right to restrict processing: Contact us to limit how we use your data while keeping your account active.
• Right to object: Opt out of any non-essential data processing at any time via Settings.
• Right to withdraw consent: Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@xylomark.com. We will respond within 30 days.

We use only the following cookies:

• Session cookies: Required to keep you logged in. Expire when you close your browser unless you choose "Remember me".
• CSRF protection: Required to prevent cross-site request forgery attacks. Essential for security.
• Preference cookies: Storing your theme, feed layout, and notification preferences.

We do not use advertising cookies, tracking pixels, or any third-party analytics other than our own first-party analytics. We do not use Google Analytics, Meta Pixel, or similar tracking tools.

Xylomark is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we hold data about a child under 16, we will delete it promptly. If you believe we hold data about a child, please contact privacy@xylomark.com.

If we make material changes to this policy — particularly changes that reduce your privacy protections — we will notify you by email at least 30 days before the changes take effect. You will have the option to delete your account during this period if you disagree with the changes.

Minor changes (fixing typos, adding clarity, updating contact information) will be noted with a new "last updated" date but will not trigger an email notification.