Privacy Policy
Effective date: July 13, 2026
This Privacy Policy explains how Xpertia Publishing (“Xpertia,” “we,” “us”) collects, uses, stores, shares, and protects information when you use our website, journal platforms, submission and peer-review portal, and related services (together, the “Services”) — as an author, reviewer, editor, reader, job applicant, or when you choose to sign in with a Google Account or our staff connect a Google Calendar to our internal recruitment tools.
1. Information We Collect
- Account information — name, email address, affiliation, and (if you sign in with Google or ORCID) the basic profile information those providers share with us.
- Submission & editorial data — manuscripts, author details, peer-review correspondence and reports, and editorial decisions submitted through our platform.
- ORCID iD — if you link an ORCID iD, we store the iD and the profile fields you’ve made visible to us under your ORCID visibility settings (Everyone, Trusted Parties, or Only Me).
- Job applicant data — if you apply to a position through our careers/recruitment pages, we collect your resume/CV, contact details, and application responses.
- Usage data — page views and session analytics used to operate and improve the Services.
- Google user data — described in full in Section 2 below.
2. Google User Data
Xpertia integrates with Google in two distinct ways. This section discloses, for each, what Google data we access, how we use it, whether we share it, how we protect it, and how long we keep it.
2.1 Sign in with Google
- Data accessed: your basic Google profile — name, email address, and profile photo — when you choose “Sign in with Google” on our sign-in page.
- How we use it: solely to create and authenticate your Xpertia account and to display your name/photo on your author, reviewer, or editor profile. We do not use it for advertising or profiling.
- Sharing: we do not share this data with any third party.
- Storage & protection: your Google profile fields are stored in our Supabase-hosted database (encrypted at rest, transmitted only over TLS) as part of your account record, protected by row-level security so only you and authorized staff can access it.
- Retention & deletion: retained while your account is active. You may request deletion at any time — see Section 11 (“Your Rights”).
2.2 Google Calendar (internal Recruitment Center scheduling)
This feature is available only to authenticated Xpertia staff who administer job recruitment, and only after a staff member deliberately connects a Google account under Enterprise Settings → Integrations. It is not available to authors, reviewers, editors, or the general public.
- Data accessed: calendar event details and free/busy availability on the connected Google Calendar (via the Google Calendar API, using the
calendar.eventsandcalendar.readonlyscopes). - How we use it: exclusively to check interviewer availability and to create, update, or cancel calendar events (with an optional Google Meet link) for scheduling candidate job interviews inside our Recruitment Center. We do not use Calendar data for advertising, profiling, or any purpose beyond interview scheduling, and we do not use it to develop, improve, or train generalized AI or machine-learning models.
- Sharing: we do not sell or share Calendar data with third parties. The only transmission is directly to Google’s Calendar API to fulfil the scheduling action requested by our staff member, and the candidate/interviewer email addresses you add as attendees appear on the calendar event itself — the same as they would if you created that event by hand in Google Calendar.
- Storage & protection: OAuth access and refresh tokens are stored only in our server-side database, encrypted at rest and in transit, and are never exposed to the browser or to any user-facing API. Only server-side functions gated behind a staff-role check can use them.
- Retention & deletion: tokens are retained only while the integration stays connected. A staff administrator can disconnect Google Calendar at any time from Enterprise Settings → Integrations, which immediately revokes and deletes the stored tokens.
Xpertia Publishing’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
3. How We Use Your Information, and Our Legal Basis
Where GDPR applies, we rely on the following legal bases for each purpose:
- Contract — creating and operating your account, processing your manuscript submission, and managing the peer-review/editorial workflow you or your collaborators participate in.
- Legitimate interest — identifying and contacting suitable peer reviewers, detecting fraud or abuse, securing the Services, and improving them through usage analytics.
- Consent — optional communications such as newsletters, linking an ORCID iD, and any optional sharing of your reviewer recognition data with third-party indexing services (Section 6).
- Legal obligation — retaining financial and tax records, and responding to lawful requests from public authorities.
4. Peer Review Confidentiality
Manuscripts, editorial correspondence, and review reports are treated as confidential — regardless of whether a journal’s review model is open-identity, single-blind, or double-blind — and remain confidential after the editorial decision unless published alongside the article. Where a review report is published without the reviewer’s name, the reviewer’s identity is not otherwise disclosed. Because our platform hosts multiple journals in one system, a reviewer’s account and review history may be visible to editors across different Xpertia journals when they are identifying potential reviewers for another of our journals — this internal visibility is limited to editorial staff and does not extend to external parties.
5. Publication & Public Metadata
Once an article is accepted and published, certain author and article metadata becomes public as an inherent part of scholarly publishing: article title, abstract, author names and affiliations, ORCID iDs (if provided), and reference lists are registered with Crossref to mint a permanent DOI, and may also be submitted to indexing and abstracting services (such as the Directory of Open Access Journals) so your work can be discovered. This metadata is publicly and permanently accessible once published — it is not covered by the deletion rights in Section 11, consistent with the integrity of the scholarly record. Manuscripts may also be screened for originality using similarity-detection software as part of editorial review.
6. Data Sharing & Third-Party Service Providers
We do not sell your personal data. We share data only as necessary to operate the Services, with providers who are contractually bound to process it only on our behalf:
- Supabase — our database, authentication, and file-storage infrastructure.
- Vercel — web application hosting and content delivery.
- Amazon Web Services (SES) — delivery of transactional emails (confirmations, notifications).
- Stripe — payment processing for conference registrations, paid course enrollments, and article processing charges where applicable.
- Cloudflare Turnstile — bot/spam protection on our forms.
- Google Analytics — aggregated, anonymized site-usage analytics.
- Crossref, DOAJ, and other indexing services — published article metadata, as described in Section 5.
- ORCID — if you choose to link an ORCID iD (Section 1).
- AI providers (OpenAI, Anthropic, and/or Google) — used only for specific opt-in features (an AI-assisted candidate-matching tool in our internal Recruitment Center, and AI-assisted classification of support inquiries), subject to each provider’s API terms.
7. Automated Processing
We do not make decisions based solely on automated processing that produce legal or similarly significant effects concerning you without human involvement. Some features use AI-assisted automation as a tool to support a human decision-maker — for example, our internal Recruitment Center may use AI-assisted matching to help staff shortlist candidate-role fits, and our support team may use AI-assisted classification to help triage inquiries. In both cases, a human reviews the outcome before any action is taken.
8. Data Storage, Protection & Security Incidents
Data is stored in our Supabase-hosted PostgreSQL database, encrypted at rest and in transit (TLS/HTTPS). Access is restricted by row-level security policies and, for administrative functions, by staff role checks and multi-factor authentication. If a security incident affects your personal data, we will notify affected users and any required regulator without undue delay, consistent with applicable law.
9. International Data Transfers
Our service providers may process data in countries other than your own. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on an adequate safeguard — such as Standard Contractual Clauses or a provider’s certification under an applicable data-transfer framework.
10. Cookies
We use essential cookies (session/security), analytics cookies, and preference cookies. See our Cookie & Consent Policy for the full list of categories and your choices.
11. Your Rights & Data Retention
Subject to applicable law, you have the right to:
- Access a copy of your personal data
- Request correction (rectification) of inaccurate information
- Request erasure of your personal data — email info@xpertia.org and requests are logged and processed by our team
- Request restriction of, or object to, certain processing
- Receive your data in a portable format
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with your local data protection supervisory authority
We retain submission and editorial records for the integrity of the scholarly record, and published article metadata permanently (Section 5). Account data is retained while your account is active and for up to 3 years after a deletion request, solely as required for legal, audit, or dispute-resolution purposes.
12. California Privacy Rights
If you are a California resident, the CCPA/CPRA gives you the right to know what personal information we collect, to request its deletion or correction, and to non-discrimination for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising. To exercise these rights, contact info@xpertia.org.
13. Children’s Privacy
Our Services are intended for researchers, authors, reviewers, editors, and publishing professionals, and are not directed at children. We do not knowingly collect personal data from children under 16 (or under 13 in the United States).
14. Changes to This Policy
We may update this policy from time to time. Material changes will be reflected by updating the effective date above.
15. Contact Us
For data protection or any other privacy-related inquiries, contact info@xpertia.org.
See also our full Legal Affairs & Compliance page for Terms & Conditions, Licensing, Publication Ethics, Peer Review, and Cookie policies.
