1. Who we are
PaperMind is a research and reading tool operated by Abrar Sohail (a sole trader operating under the trading name "PaperMind"). For the purposes of the GDPR, we are the "data controller" of the personal data described in this policy.
Contact for data queries: contact@abrarsohail.com — Business address: [Business postal address to be inserted before public launch]
2. Data we collect
We collect the following categories of personal data:
2.1 Account data
- Email address — required to create and access your account (provided via our authentication partner, Clerk).
- Name and profile picture — optional, if you provide them via a social sign-in provider.
- Account creation timestamp — used to enforce fair-use quotas and identify inactive accounts.
2.2 Content you upload or paste
- Files you upload (PDF, EPUB, DOCX, up to 50 MB per file), URLs you paste (YouTube, podcasts, web articles), and text you paste directly into the Service.
- Text extracted from those sources, chunk embeddings (numeric vectors used to enable semantic search), and mind-map metadata generated from your sources.
- Chat questions you send about your sources and the AI-generated answers returned.
You retain ownership of all content you upload. See our Terms of Service for the licence you grant us to process it.
2.3 Technical data
- IP address — used to prevent abuse and for rate-limiting. We store only a salted SHA-256 hash of your IP address, not the raw IP.
- Device and browser information (user agent, screen size) — used to render the interface correctly.
- Approximate location derived from IP address — used only for infrastructure routing; we do not store precise geolocation.
2.4 Optional feedback
Reviews and support messages you send us voluntarily. If you leave a review, your name and rating may appear publicly if approved by us; your email address (if provided) is used only for admin follow-up and is never displayed publicly.
3. How we use your data
We process personal data to:
- Provide, operate, and improve the Service.
- Convert your uploaded sources into mind maps, embeddings, and chat responses using third-party AI models (see Section 5 & 9).
- Authenticate you and enforce access controls (via Clerk).
- Prevent abuse, spam, and unauthorised access (via rate-limiting and hashed-IP tracking).
- Respond to your support and data-rights requests.
- Send transactional emails (account confirmations, password resets).
- Comply with legal obligations.
We do not sell your personal data. We do not use your content to train our own AI models. See Section 9 for how third-party AI providers handle your data.
4. Legal bases (GDPR / UK GDPR)
Under GDPR, we process personal data on the following legal bases:
- Contract (Art. 6(1)(b)) — processing necessary to provide the Service you signed up for (account creation, source processing, chat responses).
- Legitimate interests (Art. 6(1)(f)) — abuse prevention, rate-limiting, service improvement, and internal analytics. We have carried out a legitimate-interests assessment (LIA) and consider these interests not to override your rights and freedoms. Contact us to obtain a summary.
- Legal obligation (Art. 6(1)(c)) — compliance with tax, accounting, and law-enforcement requests.
- Consent (Art. 6(1)(a)) — for optional marketing communications where required.
5. Sub-processors
We use a small number of trusted infrastructure providers ("sub-processors") to deliver the Service. Each has been contractually bound to protect your data. We keep this list current; changes are announced at least 30 days in advance where possible.
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication and account management | United States |
| OpenAI | LLM (mind-map synthesis, chat), embeddings, Whisper transcription | United States |
| Railway | Application hosting and Postgres database | United States / EU (region-dependent) |
| Cloudflare R2 / Supabase Storage | Object storage for uploaded files | Global CDN / EU-selectable |
For sub-processors based outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum where applicable — see Section 7.
6. Data retention
- Account data: retained while your account is active plus 90 days after deletion for backup and legal-defence purposes.
- Uploaded content, chunks, and mind maps: retained until you delete the source or delete your account. On deletion, data is removed from live systems within 30 days and from backups within 90 days.
- Chat history: retained for the lifetime of the associated source.
- Hashed IP addresses: retained for up to 24 hours for rate-limiting, then deleted.
- Reviews: kept indefinitely once approved for public display; you may request removal at any time.
- Financial records: retained for the period required by tax law (typically 6–10 years).
7. International transfers
Because our sub-processors (Clerk, OpenAI) are based in the United States, some of your personal data will be transferred to and processed in the US. We rely on the following safeguards:
- EU–US Data Privacy Framework (DPF) where our sub-processors are certified.
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision (EU) 2021/914).
- UK International Data Transfer Addendum (IDTA) for UK data subjects.
You can request a copy of the safeguards in place by contacting us at contact@abrarsohail.com.
8. Your rights
If GDPR, UK GDPR, or a similar law applies to you, you have the following rights:
- Right of access — obtain a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your data. You can delete your account at any time from your dashboard.
- Right to restriction — limit our processing.
- Right to data portability — receive your data in a structured, machine-readable format. Mind maps can be exported as Markdown or JSON via the dashboard.
- Right to object — object to processing based on legitimate interests.
- Rights regarding automated decisions — you have the right not to be subject to solely automated decisions with legal or similarly significant effects. AI-generated mind maps and chat responses are informational and do not make legal or financial decisions about you.
- Right to withdraw consent — where processing is based on consent.
- Right to complain — to your local supervisory authority (in the EU, your national Data Protection Authority; in the UK, the Information Commissioner's Office at ico.org.uk).
To exercise any right, email contact@abrarsohail.com. We will respond within one month.
California residents (CCPA/CPRA): in addition to the rights above, you have the right to know the categories of personal information we collect, the right to opt out of the "sale" or "sharing" of your personal information (we do not sell or share), and the right to non-discrimination for exercising these rights.
9. AI processing & disclosures
PaperMind uses third-party artificial-intelligence services — currently OpenAI — to convert your content into mind maps and to power the chat feature. When you upload a source or send a chat message:
- Relevant portions of your content are transmitted to OpenAI over an encrypted connection.
- OpenAI processes the request and returns AI-generated results (embeddings, summaries, quotes, chat answers).
- OpenAI's API policy states that data submitted via the API is not used to train OpenAI's models. See openai.com/policies/api-data-usage-policies.
- OpenAI may retain API request data for up to 30 days for abuse-monitoring and then delete it.
Zero training on your data. We do not train, fine-tune, or otherwise use your content to improve any AI model — ours or a third party's.
AI limitations. AI-generated content may occasionally be inaccurate. We ground every quote against your source and verify substring matches before showing it, but you should verify important information independently. See our Terms for the disclaimer.
11. Data security
We use industry-standard security measures, including:
- TLS encryption in transit (HTTPS) for all API and web traffic.
- Encryption at rest for the primary database and object storage where offered by our hosting provider.
- Access controls, least-privilege principles, and regular credential rotation.
- Rate-limiting and abuse detection.
- Salted, one-way hashing of IP addresses used for rate-limiting.
- Segregation of user data by tenant (userId) at every DB query layer.
No system is perfectly secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, as required by Art. 33 & 34 GDPR.
12. Children's privacy
PaperMind is not intended for children under 16 and we do not knowingly collect personal data from children under 16 (or under 13 in the United States, per COPPA). If we learn that a child has provided personal data, we will delete it. If you believe a child has provided us with personal data, contact us at contact@abrarsohail.com.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and by updating the "Last updated" date at the top of this page. Continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.
14. Contact & data-protection queries
Questions? Requests? Complaints? We're here to help.
- Email: contact@abrarsohail.com
- Response time: we aim to respond within 5 business days; formal GDPR requests are answered within one month as required by Art. 12(3).
Note. This Privacy Policy is provided as a professionally-structured template. It should be reviewed by qualified legal counsel in your jurisdiction before you rely on it for compliance. It is not legal advice.