Privacy Policy
Privacy Policy
Effective date: 18 May 2026 Last updated: 18 May 2026 Version: 3.3
1. Who we are
Σmind ("we", "us", "our") is the trading name of the platform operated at sumofmind.co.uk (and sumofmind.com, which currently mirrors the same service). We are based in the United Kingdom.
Trader / data controller: Sum of Mind Ltd, a private limited company registered in England and Wales under company number 17217848.
Registered office and trading address: SUM OF MIND LTD 124 City Road London EC1V 2NX United Kingdom
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller of personal data processed through the Σmind platform.
How to contact us about your data:
- General privacy enquiries and data subject rights requests: support@sumofmind.co.uk
- Copyright takedowns and IP disputes: dmca@sumofmind.co.uk
- Postal address: (see "Contact details" at the end of this policy)
We are not currently required to appoint a statutory Data Protection Officer under UK GDPR Article 37, but the contact above is monitored by the team responsible for data protection.
2. Scope of this policy
This policy covers how we collect and use your personal data when you:
- visit sumofmind.co.uk;
- create or use an Σmind account;
- buy a Σmind membership;
- buy merchandise from our shop (fulfilled by Printful — see section 8);
- redeem an invitation code under our Founding Member programme;
- contact us by email.
This policy does not cover third-party websites we link to. If you click through to another site, that site's own privacy notice applies.
3. The personal data we collect
3.1 Information you give us
When you create an account:
- Email address
- Username (and optional custom display name)
- Password (stored only as a bcrypt hash — we never see your raw password)
- First name and last name (optional)
- Date of birth or age confirmation that you are 18 or over
When you complete your profile (all optional):
- Bio / tagline
- Location (city / country)
- Academic position, institution, university, ORCID ID
- Employment information
- Website URL, Google Scholar URL, LinkedIn URL, Twitter/X URL
- Profile photo and cover image
- Demographic information (age band, gender, ethnicity) — only if you choose to provide it for our internal research statistics
When you take part in the platform:
- Posts, "shorts", comments, ratings, surveys, book reviews, collections you create
- Direct messages you send to other users (encrypted at rest, see section 6)
- Records of who you follow, connect with, block, or report
- Cookie consent choices
When you buy a membership or merchandise:
- Billing name and email
- For shop orders: full delivery address (recipient name, address lines, city, county, postcode, country, phone — phone is optional)
- We do not see or store your payment card details. Card data is handled directly by Stripe (memberships and merchandise) or PayPal (merchandise only). Stripe and PayPal hold a customer reference, which we receive but which on its own does not identify you outside their systems.
When you redeem an invitation code or are invited:
- The invitation code you used
- The fact that you were referred by an existing user (so the inviter can see that their code was redeemed; the inviter does not see your email address)
When you contact us:
- Anything you choose to put in your message, including any attachments
3.2 Information collected automatically
When you use the platform, we automatically collect:
- Technical data: IP address, user-agent string (browser and OS), the pages you visit and approximate timing
- Authentication data: session identifiers, login timestamps, failed-login counters, account-lock timers
- Security logs: records of suspicious activity (e.g. brute-force attempts), kept for fraud and abuse prevention
- Anti-abuse signals on form submissions: how long elapsed between you loading a form and submitting it (form-load-to-submit milliseconds), and whether an invisible "honeypot" field that humans never see was filled in. These signals are computed locally to detect automated submissions; full detail in section 6.7
- Real-time features: WebSocket session data so live notifications, comments and feed updates work
- Cookies and similar technologies: see our Cookie Policy for the full list
3.3 Information from third parties
- OAuth sign-in (Google or Facebook), if enabled: your email, name and a provider-specific account ID. We never receive your password from these providers. OAuth tokens are encrypted in our database.
- Payment processors (Stripe, PayPal): payment status, the last four digits of your card, country of card issue, and dispute / refund records. We do not receive the full card number.
- Crypto donation processor (NOWPayments), if you donate in crypto: donation amount, currency, transaction hash, wallet address.
3.4 Categories of personal data
Our records contain ordinary personal data (identification, contact, account, content, payment, technical). We do not intentionally collect special-category data (health, religion, politics, sexual orientation, etc.). If you choose to publish such information in your own posts or profile, you do so on your own initiative as the publisher of that content.
4. Why we use your data, and our legal basis
UK GDPR requires us to identify a lawful basis for each processing activity. The table below sets ours out. Where the basis is "consent", you can withdraw that consent at any time (see section 11).
| Purpose | Personal data used | Lawful basis |
|---|---|---|
| Creating and running your account | Email, username, password hash, profile fields | Contract (UK GDPR Art. 6(1)(b)) — necessary to provide the service you signed up for |
| Publishing your posts, comments and other contributions, and showing them to other users | Username, public profile fields, content you publish | Contract |
| Selling and delivering memberships | Email, billing details, Stripe customer ID, payment records | Contract |
| Selling and delivering shop orders, including sharing delivery details with Printful | Recipient name, full delivery address, email | Contract |
| Sending transactional emails (account verification, receipts, password reset, renewal reminders, refund notifications, takedown notices) | Contract and our legitimate interest in operating the service | |
| Renewal reminder notices 7 days and 1 day before a paid subscription auto-renews | Legal obligation (CMA / Digital Markets, Competition and Consumers Act 2024 guidance) | |
| Account security: detecting brute-force attempts, blocking abusive IPs, rate-limiting | IP address, login attempts, user-agent | Legitimate interest in keeping the platform secure |
| Content moderation: reviewing user reports, profanity / toxicity scoring, removing illegal or harmful content | Content text, metadata, IP address of the poster (where relevant) | Legitimate interest, plus legal obligation under the Online Safety Act 2023 for in-scope harms |
| Marketing emails (e.g. announcements, newsletters), where you have opted in | Consent (Privacy and Electronic Communications Regulations) | |
| Optional analytics cookies (Google Analytics) | Pseudonymous identifier set by the cookie | Consent |
| Optional demographic research statistics | Age band, gender, ethnicity (only if you provide them) | Consent |
| Compliance with our tax, accounting, anti-fraud and dispute-resolution obligations | Order history, invoices, payment records | Legal obligation |
5. Who we share your data with
We do not sell your personal data and we do not allow third parties to use it for their own marketing.
We share data with the following categories of recipient, in each case under a written data processing agreement that limits them to acting on our instructions:
5.1 Infrastructure and hosting
- Google Cloud Platform (Google Cloud Run, Cloud SQL, Cloud Storage) — UK / EU regions where available. Provides our application hosting, database and file storage.
5.2 Payment processors
- Stripe Payments UK, Ltd. — processes membership subscriptions, paid content purchases, creator tips, and merchandise card payments. Stripe is a separate data controller for fraud-prevention purposes.
- PayPal (Europe) S.à r.l. et Cie, S.C.A. — alternative payment method for merchandise. PayPal is a separate data controller.
- NOWPayments OÜ — processes crypto donations to Σmind. Used only when you actively initiate a donation.
5.3 Order fulfilment
- Printful, Inc. — fulfils every shop order. We pass the recipient's name, full delivery address, email and (if supplied) phone number, together with the items ordered, to Printful so they can manufacture and ship the goods. See section 8 for more detail.
5.4 Communications
- The SMTP relay we use to send transactional email (currently configured to send via our own mail server; if we move to a third-party email provider in future, this policy will be updated).
5.5 Anti-abuse, integrity and AI services
These services see only the data needed for the specific feature, and only when that feature is used or enabled.
- Google reCAPTCHA Enterprise — bot detection on admin login and payment / membership checkout only. Until May 2026 reCAPTCHA was run on every login, registration and forgot-password attempt; in the bot-defence rollout of 18 May 2026 we narrowed its perimeter substantially (see section 6.7), so most of your interactions with Σmind no longer involve a reCAPTCHA call to Google at all.
- Google Perspective API — toxicity scoring on comments and content (only the text being scored is sent)
- Google Vision SafeSearch — automated detection of unsafe content in user-uploaded images
- Google Safe Browsing API — checking outbound links posted by users for malware / phishing
- Google Books API, Crossref, Unsplash, Pexels, Google Places API — content-enrichment lookups; we send a search query (e.g. an ISBN or place name), not your personal data
- Hugging Face Inference API — text-to-image generation (Stable Diffusion 2). Only the prompt you type is sent. Off by default.
- Ollama — runs locally in our infrastructure (or in a private Cloud Run sidecar) for AI features such as the writing assistant, feed personalisation suggestions, and discussion synthesis. Your text is not sent to a third-party LLM provider.
For the local-only anti-abuse mechanisms that replace reCAPTCHA on the wider perimeter — Altcha proof-of-work, honeypot fields, form-fill timing, disposable-email blocklist, IP-reputation blocklist, manuscript edit-history capture, and stylometric AI-likelihood scoring — see section 6.7. None of those mechanisms transmit any data to a third party.
5.6 Analytics
- Google Analytics 4 — only loads if you have given consent under the "analytics" cookie category. We use IP anonymisation and disable Google Signals and Ad Personalisation.
5.7 Authorities and legal disclosures
We may disclose your data where we are legally required to, for example in response to a court order, lawful police request, ICO investigation, or to enforce or defend our legal rights.
5.8 In a corporate transaction
If we ever sell, merge, or restructure the business, your data may be transferred to the buyer or successor entity. We will tell you in advance and your rights under this policy will continue to apply.
6. Security: how we protect your data
We treat your data as data we are responsible for, not data we own.
6.1 Encryption at rest
All directly-identifying personal data fields are encrypted at rest before they touch the database, using AES-256-GCM authenticated encryption (the standard set by NIST FIPS 197 and required for UK GDPR Article 32 "appropriate technical measures").
The fields encrypted at rest include:
- Email addresses, first name, last name
- Phone number, full address
- Bio, location, academic credentials, employment information
- Social media profile links (Google Scholar, LinkedIn, Twitter/X, ORCID)
- OAuth account IDs and tokens
- Two-factor authentication secrets and backup codes
- IP addresses recorded against consent records and audit logs
- Profile photos and cover images
- Demographic data (where you have provided it)
When you delete your account, the encryption key for your data is destroyed at the end of the deletion grace period (see section 10), making the data permanently unrecoverable.
6.2 Encryption in transit
All traffic to and from sumofmind.co.uk uses HTTPS (TLS). We enforce HTTP Strict Transport Security and a strict Content Security Policy.
6.3 Authentication
- Passwords are stored only as bcrypt hashes
- Two-factor authentication (email-based codes or authenticator app) is available
- Hardware security keys / passkeys (WebAuthn) are supported
- Administrative accounts require a third factor
6.4 Direct messaging
Messages you send to other users are encrypted at rest server-side using the same AES-256-GCM scheme. They are not end-to-end encrypted: we (and a court order) could in principle decrypt them, but routine administrative access is technically prevented and audit-logged.
6.5 Audit logging
Decryption of personal data and administrative actions on accounts are logged for security review.
6.6 Breach notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours (UK GDPR Art. 33), and
- Tell you directly if the risk is high (UK GDPR Art. 34).
6.7 Anti-abuse measures and behavioural signals
To defend the platform from automated abuse — bots creating accounts, credential-stuffing attacks, AI-driven content flooding — we run a layered set of defences. Most of them are local to our infrastructure: they run inside Σmind and do not send any data to a third party. We describe each one here so you can see exactly what we collect and why.
The legal basis for everything in this section is our legitimate interest in keeping the platform secure and usable (UK GDPR Article 6(1)(f)). None of the signals here are special-category data and none of them produce automated decisions about you within the meaning of Article 22 (see section 14).
Altcha proof-of-work CAPTCHA. On the login, register, forgot-password, comment, publish and newsletter forms, your browser is asked to perform a small mathematical proof-of-work puzzle before the form will submit. Solving the puzzle takes a fraction of a second on a normal device and is invisible to you in the typical case; bots find it disproportionately costly. The puzzle runs entirely between your browser and our servers — no third party is involved. After verification, the challenge and response are discarded.
Honeypot form field. Each protected form has an invisible field that a normal human user will never see. Bots filling out forms automatically tend to fill it in. We record only whether the field was filled (a true/false flag); we log this in our security records only if it triggers.
Form-fill timing. We measure how many milliseconds elapse between the form rendering in your browser and your submitting it. Submissions faster than the configured threshold (currently 2,000 ms) are very likely to be automated. We log this only when a submission is rejected.
Disposable-email blocklist. At registration, the email address you provide is checked against a local list of throwaway / temporary email-provider domains. The list is a public-domain text file (~3,400 entries) that ships with Σmind — we do not consult any external service per registration. If your email is on the list, the registration is rejected and you can try a permanent address.
IP-reputation blocklist. At login and registration, your visiting IP address is checked against a curated local list of IP ranges known for hosting botnets, spam relays and similar long-lived bad actors (the FireHOL Level 1 list). If your IP is on the list, you are not denied service — you are simply asked to solve a CAPTCHA challenge to confirm you are human. The list refreshes periodically and is consulted purely as a local file — no per-visit lookup is sent to any third party.
Manuscript editor edit-history capture. If you are publishing a paid-content article through our Manuscript editor, we record four summary counts about how you authored it: keystroke count, edit-event count, paste count, and time-to-publish in milliseconds. We do not record the keys you pressed, the timing between keystrokes, or any of the content you typed. The four counts are stored alongside the post for 90 days and then aggregated; their purpose is to help us tell apart human-authored articles from AI-flooding attacks at scale.
Stylometric AI-likelihood score. When a piece of content is published, we run a server-side text-statistics check that produces a single integer (the "AI-likelihood score") and store it alongside the post. The score is a signal, not a verdict: it flags some content for human moderator review; it does not by itself remove content or restrict the author. See section 14.
Kill-switches. Each defence above can be turned off by the platform administrator using an internal setting. If something we do here is impairing legitimate use, we can roll it back in seconds.
Effect of these defences on Google reCAPTCHA. Before this rollout, Google reCAPTCHA Enterprise was loaded on every public login, register and forgot-password attempt. Now reCAPTCHA is loaded only on admin login and on the payment / membership checkout — see section 5.5. This is a substantial reduction in cross-border (US) data transfers.
7. International transfers
Most of your data is stored on UK or EU infrastructure. Some of the third parties listed in section 5 are based in the United States or process data globally (notably Stripe, Printful, Google services and Hugging Face).
When data leaves the UK, we rely on one of the following safeguards under UK GDPR Chapter V:
- the UK adequacy regulations for the EU/EEA;
- the UK extension to the EU–US Data Privacy Framework for participating US providers; or
- the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, where adequacy / framework reliance is not available.
You can ask us for a copy of the relevant safeguards by emailing support@sumofmind.co.uk.
8. Sharing your data with Printful (shop orders)
Every order placed through our shop is fulfilled by Printful, Inc., a print-on-demand provider headquartered in the United States with manufacturing facilities in multiple countries.
When you place an order, we transmit to Printful:
- The recipient's name
- The recipient's full delivery address (lines 1 and 2, city, county, postcode, country code)
- The recipient's email address
- The recipient's phone number, if supplied
- The product variants and quantities ordered
- A reference to your order number
We do this so Printful can manufacture, label and post your order. Printful is contractually required to use this data only for that purpose. Printful's own privacy policy is available at https://www.printful.com/policies/privacy.
If you ask us to delete your account, we keep the order record (anonymised where possible, but the delivery details on the dispatch note inevitably persist for tax-compliance and dispute-handling reasons — see section 10).
9. Children
You must be at least 18 years old to register for or use Σmind. We do not knowingly collect personal data from anyone under 18.
If you believe we have inadvertently collected data from a person under 18, contact support@sumofmind.co.uk and we will delete the account and its data without undue delay.
We support the principles of the ICO's Age Appropriate Design Code, but because Σmind is restricted to adults the AADC's child-specific protections do not currently apply.
10. How long we keep your data
| Data category | Retention |
|---|---|
| Active account data | While your account exists |
| Inactive account (no login for an extended period) | We may contact you and, if there is no response, suspend the account; full retention rules are in our Data Retention Schedule |
| Account deletion request | We mark the account for deletion. After a 30-day grace period (during which you can cancel by logging back in), we destroy the encryption keys and overwrite the personal-data fields. Public posts you authored are anonymised to "Deleted user" rather than removed, so other users' threads do not break. |
| Membership and order records | At least 6 years after the end of the relevant tax year (HMRC requirement for VAT and corporation-tax records) |
| Payment audit logs (Stripe, PayPal, NOWPayments references) | At least 6 years for the same reason |
Cookie consent logs (CookieConsentLog) |
6 years (CNIL guidance, also useful as evidence in any ICO enquiry) |
| Security and access logs | Up to 7 years for compliance and incident-response purposes |
| Direct messages between users | Until either participant deletes them or deletes their account |
| Marketing-email records | Until you unsubscribe or withdraw consent |
The full schedule with the legal basis for each line is in our Data Retention Schedule.
11. Your rights
Under UK GDPR you have the rights set out below. You can exercise them by emailing support@sumofmind.co.uk or by using the in-app tools where available. We respond within one calendar month as required by Article 12, and may extend by up to two further months for unusually complex requests (we will tell you if so).
| Right | What it means | How to exercise it |
|---|---|---|
| Right to be informed (Art. 13–14) | Know what we do with your data | Reading this policy is the main route |
| Right of access (Art. 15) | Get a copy of your personal data | "Download my data" in account settings, or email us. We provide a JSON export covering 60+ tables of your activity. |
| Right to rectification (Art. 16) | Correct inaccurate data | Edit your profile in settings, or email us |
| Right to erasure (Art. 17) | Delete your account and personal data | "Delete account" in account settings (30-day grace period applies). Note: order and tax records may be retained where required by law. |
| Right to restrict processing (Art. 18) | Pause our use of your data | Email us. We will freeze the data until the issue is resolved. |
| Right to data portability (Art. 20) | Receive your data in a machine-readable form to give to another service | Use the data export above (JSON) |
| Right to object (Art. 21) | Object to processing based on legitimate interests, or to direct marketing | Email us (legitimate-interest objections), or use the unsubscribe link in any marketing email |
| Rights related to automated decision-making (Art. 22) | We do not subject you to fully automated decisions with legal or similarly significant effects | |
| Right to withdraw consent (Art. 7) | Withdraw consent for any consent-based processing | Cookie banner, settings page, or email us |
| Right to lodge a complaint (Art. 77) | Complain to the regulator | Information Commissioner's Office, https://ico.org.uk, helpline 0303 123 1113 |
Detail on how each right works in practice is in our Subject Rights Procedure.
12. Cookies
Cookies are dealt with in detail in our Cookie Policy. In short:
- We use a small set of strictly-necessary cookies for login, security and preference storage. These do not require consent.
- We use Google Analytics only if you opt in (analytics consent).
- We do not run advertising cookies in our default configuration.
You can change your choices any time from the cookie-preferences link in the footer.
13. Marketing communications
We do not auto-subscribe you to marketing newsletters. Transactional emails (account verification, receipts, security alerts, renewal reminders required by law) will be sent regardless of marketing preferences because they are necessary to provide the service.
If we introduce optional newsletters, we will ask for your specific opt-in consent before adding you and there will always be an unsubscribe link.
14. Automated decision-making and AI features
We use automated systems for:
- Content recommendations and feed ranking — to suggest content you may want to read. You can override the algorithmic feed at any time and switch to a chronological view.
- Spam, abuse and toxicity scoring — to flag content for moderator review.
- Bot detection and rate limiting — to keep the service available.
- Stylometric AI-likelihood scoring on published content — a single integer is computed server-side and stored alongside each post. It flags content for human moderator review; it does not by itself remove content or restrict your account. See section 6.7.
- IP-reputation gating on login and registration — adds a CAPTCHA challenge if your visiting IP is on a known-bad list. It does not deny service. See section 6.7.
- Optional AI writing assistant, feed-control natural language input, and discussion synthesis — only when you actively use them. The text you type is processed by our own Ollama instance running on infrastructure we control; it is not sent to a third-party LLM provider for these flows.
None of these systems take fully automated decisions that produce legal or similarly significant effects on you within the meaning of UK GDPR Article 22. The AI-likelihood score and the IP-reputation lookup in particular are signal-only: they may inform a human moderator's review but they do not, on their own, suspend an account, remove content, or deny access. If we ever change that — for example by introducing automated account suspension without human review — we will update this policy and seek explicit consent where required.
15. Search engine indexing
If you set your account to public, search engines such as Google may index your username, profile, and the posts / shorts / book reviews / collections you have published. We embed Schema.org structured data on public content pages so that search engines display titles, dates and excerpts accurately.
You can stop search engines indexing your profile and content from the privacy section of your account settings. Existing indexed copies may take some time to drop out of search results — you can speed this up by submitting an "outdated content" request directly to the search engine.
16. Changes to this policy
We may update this policy from time to time. When we do:
- We update the "Last updated" date and increment the version number at the top of the document.
- For material changes that affect your rights or how we use your data, we will email you and / or display an in-app notice and may ask you to re-accept the policy.
A list of historical versions is kept in our Subject Rights Procedure.
17. Contact details
By email
- General privacy enquiries and data subject rights: support@sumofmind.co.uk
- Copyright takedowns: dmca@sumofmind.co.uk
Postal address
SUM OF MIND LTD trading as Σmind 124 City Road London EC1V 2NX United Kingdom
Company number: 17217848 Place of registration: England and Wales ICO registration number: [to be added once ICO data-protection fee is paid] VAT registration number: [to be added once company VAT registration is in place]
Information Commissioner's Office (UK supervisory authority): https://ico.org.uk · helpline 0303 123 1113