LedgerDomain Inc. built the XATP Compliance Suite and XATP Mobile App (“XATP”). This service is provided by LedgerDomain at no cost and is intended for use as is. This page is used to inform visitors regarding our policies with regard to the collection, use, and disclosure of Personally Identifiable Information (PII) if anyone decides to use our Service. If you choose to use our Service, then you agree to the collection and use of information in relation to this policy.

LedgerDomain will not sell your personal data to third parties, or utilize it for marketing or other purposes directly unrelated to the use of XATP, or otherwise use or intentionally disclose the information to third parties other than in accordance with the below Privacy Policy without your prior written consent. The information you submit to LedgerDomain is considered private and personal. Your private information will not be sold, rented, leased, or intentionally disclosed in any manner to any person without your prior written consent, unless otherwise required by law, or except as may be necessary for the performance of XATP services.


The purpose of XATP is to establish and maintain an electronic system to facilitate secure, electronic communication between Authorized Trading Partners (“ATPs”) as defined under the US Drug Supply Chain Security Act of 2013 (DSCSA), using digital signature technologies to authenticate and verify user identities for the purpose of verifying saleable returns, assisting in suspect & illegitimate product investigations, tracing, and similar activities. This Privacy Policy, together with the Terms of Use, describes the practices regarding the types of individual information collected by LedgerDomain, its use and permissible disclosures, along with the rights of individuals concerning their personal information.

XATP enables users to scan GS1-compliant 2D barcodes or enter the human-readable data associated with said barcodes (hereafter referred to as “the barcode” or “barcodes”) on drug packages distributed within the United States in order to access information about the drugs. These barcodes contain no PII, and the information provided to users is compiled from publicly available US federal government databases.

Should you decide to use XATP by applying for identity verification, certain information is required to process your application. This information will be deleted by the user, as defined in the Terms of Use. The purpose of this data collection is to enable other pharmaceutical supply chain participants to interact with you via secured messaging channels, and/or for LedgerDomain to issue an XATP verifiable credential that will be accepted by other parties as authentication of your identity.  If you as an ATP transact with other ATP users on the system, those users may retain information you share.


Looking up drug information. When a user submits a unique identifier, XATP may provide publicly available information about the drug. LedgerDomain specifically disclaims any responsibility for the veracity of these public datasets and asks that users confirm this content for themselves.

Applying for a verifiable credential. To gain access to functionality intended only for Authorized Trading Partners as defined under the Drug Supply Chain Security Act of 2013, we may require you to provide us with certain personally identifiable information which we use to validate your identity. These include:

  • Name
  • Email address
  • Phone number
  • Photo (including the user, and may include an acceptable form of ID)
  • Email of your Pharmacist in Charge (PIC)
  • Name of dispenser that you operate
  • Address of dispenser
  • Pharmacy license number

The information that we request will be retained by us and used as described in this Privacy Policy and the Terms of Use.

Submitting a verification request. When a user who holds a verifiable credential submits a verification request to another ATP or their agent in compliance with the DSCSA, the unique identifier is uploaded to private storage. The following data may be written to XATP data systems: document ID, uploader user ID, nonce value, document hash value, and upload timestamp. None of the aforementioned data contains any PII.

When you submit a drug verification request, the following PII is provided via email to the drug’s manufacturer as part of the request: name, email address, email of your PIC (where applicable), name of dispenser that you operate, and address of dispenser. The information contained in the barcode is also sent to the manufacturer.

Responding to a verification request. Manufacturers who receive verification requests from dispensers via XATP have the ability to securely respond to the request as part of their obligations under DSCSA. The response (i.e. whether the information contained in the barcode is verified or unverified) is retained in secure data storage, and a notification is sent to the requesting user. While LedgerDomain may be able to determine whether a manufacturer has been able to respond to a given verification request, LedgerDomain may not have the ability to determine whether a particular barcode has been marked as verified or unverified.

The app does use third-party services that may collect information used to identify you.


We want to inform you that whenever you use our Service, in a case of an error in the app we collect data and information (through third-party products) on your phone called Log Data. This Log Data may include information such as your device Internet Protocol (“IP”) address, device name, operating system version, the configuration of the app when utilizing our Service, the time and date of your use of the Service, and other statistics. Log Data may be collected from any user, regardless of whether they have been issued a verifiable credential.


Cookies are files with a small amount of data that are commonly used as anonymous unique identifiers. These are sent to your browser from the websites that you visit and are stored on your device’s internal memory.

This Service does not use these “cookies” explicitly. However, the app may use third-party code and libraries that use “cookies” to collect information and improve their services. You have the option to either accept or refuse these cookies and know when a cookie is being sent to your device. If you choose to refuse our cookies, you may not be able to use some portions of this Service.


We may employ third-party companies and individuals due to the following reasons:

  • To facilitate our Service;
  • To provide the Service on our behalf;
  • To perform Service-related services; or
  • To assist us in analyzing how our Service is used.

We want to inform users of this Service that these third parties have access to your PII. The reason is to perform the tasks assigned to them on our behalf. However, they are obligated not to disclose or use the information for any other purpose.


We value your trust in providing us your PII, thus we are striving to use commercially acceptable means of protecting it. But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and we cannot guarantee its absolute security.


This Service may contain links to other sites. If you click on a third-party link, you will be directed to that site. Note that these external sites are not operated by us. Therefore, we strongly advise you to review the Privacy Policy of these websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.


These Services do not address anyone under the age of 13. We do not knowingly collect PII from children under 13. In the case we discover that a child under 13 has provided us with personal information, we immediately delete this from our servers. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us privacy@xatp.org so that we will be able to do necessary actions.


We may update our Privacy Policy from time to time. Thus, you are advised to review this page periodically for any changes. We will notify you of any changes by posting the new Privacy Policy on this page. These changes are effective immediately after they are posted on this page.


If you have any questions or suggestions about our Privacy Policy, do not hesitate to contact us at privacy@ledgerdomain.com.