Security, Privacy, and Refund Policies
The “fine print” page for PainScience.com, with some extra details on ecommerce security
We are all cynical about the “fine print,” but it’s simple and customer-friendly on this website. Here are the highlights in plain English …
- All PainScience.com ebooks have a 100% lifetime money-back guarantee.
- The site is fully encrypted — all the pages, not just the ones that deal with sales.
- Payments are processed by Stripe, a terrific company (A+ BBB rating). Card info never touches my servers, and isn’t even stored by Stripe.
- Customer contact information is used only for fraud prevention and customer service (locating past orders). There is no mailing list, not even an opt-in mailing list. Only email addresses are stored.
- There are no ads on PainScience.com whatsoever — and therefore no 3rd party tracking either.
- I use two tiny “cookies” to provide a minor convenience features for users, and one for minor ecommerce stats (e.g. counting views).
Topics covered in more detail on this page …
- Who are you buying from? A quick e-commerce security primer
- Refund policy: 100% lifetime money-back guarantee (on e-books, but not membership fees)
- Credit card information is encrypted in transit, I never see it, and it’s either never stored at all (for book customers), or never stored by me (for memberships).
- Privacy policy: your contact information is never shared or abused
- I barely use website “cookies”
- Storage of contact information is highly secure
- What about social media? Will Google know that I was here? The website visitor tracking problem
Who are you buying from? A quick e-commerce security primer
Many consumers are understandably a bit skittish about giving out their credit card info online. Fortunately, it’s very safe if you know who you are giving it to. Most online fraud involves con-artists who are pretending to be legit vendors: they take your money and disappear.
And so
My name is Paul Ingraham, owner and publisher of PainScience.com, based in Vancouver, Canada. It’s a one-man shop and always has been. PainScience.com has been online since 2000 (as SaveYourself.ca for many years, then PainScience.com since late 2015). I don’t expose my actual address for many reasons, but you can Google my name and find lots of evidence of me out there, being who I am, part of a community of experts. I have Twitter and Facebook accounts (and more), where I have routinely interacted publicly with all kinds of colleagues and experts, as well as readers … all of which would be really hard for a con-artist to fake.
![]()
Paul Ingraham
, PainScience.com Publisher
Vancouver, Canada
778-968-0930
Refund policy: 100% lifetime money-back guarantee (on books)
Please feel free to request a refund at any time, even months after purchase. I refund automatically upon request, like a reflex. I haven’t got any interest in having unhappy customers, ever. If you don’t like the product, please allow me the opportunity to either address your concern or return your money. My refund rate is just under 1%, compared to the >8% return rate typical for retail. Most of those refunds are for customers who simply bought the wrong book hoping it would apply to them — and I have no problem with that. Why would I?
Membership fees are different. Membership is supportive patronage with good perks, not a satisfaction-guaranteed “product.” Please vote with your dollars for good science journalism with conviction! If the content turns out not to be a good fit for you, please just cancel.
Credit card information is encrypted in transit, I never see it, and I don’t store it
All PainScience.com pages are encrypted (not just the store pages) and have been since 2014. All information sent between my server and your device gets converted into gibberish for the trip. Even if a bad guy intercepted it, there’s no way to read it. So if you submit credit card information to buy an ebook, for instance, your credit card number is encrypted.
But it gets better! No one can send credit card info to me, a lowly retailer, a tiny little Internet business (albeit a very old one now) — instead, it goes straight from your web browser to a sophisticated payment processor, Stripe, a highly regarded company (see A+ BBB rating in a new tab/window). Since card info is only ever handled by Stripe, my own security practices are a moot point (as far as sensitive payment information is concerned).
And so it’s quite literally true that using my Internet store is “safer than a bank machine.” (Although this is difficult to prove, it’s a reasonable statement.) The lion’s share of online theft of credit card information is actually low-tech: thieves just fool people into voluntarily sending them information. They usually don’t steal individual credit card numbers “in transit” as they fly through the Internet tubes … because that’s really hard. Hackers rarely try to crack encrypted card info. It’s just not worth their effort.
Payment information is nearly impossible to steal from individual secured transactions, and all of these companies allow customers to challenge charges in any case.
Card numbers are also never stored by PainScience.com. I can’t do that because I never get them in the first place. Stripe could save card numbers in principle, and they do it for the recurring payments for membership, but not for one-time payments for e-books. But in twenty years of business, I’ve literally never seen a single customer's credit card number, let alone tried to master the technology needed to store it securely on the PainSci server.
Privacy policy: your contact information will never be used to contact you
When you make a purchase at my store, I ask for your address only as an anti-fraud measure. The only data about you stored on PainSci is your email address.
Abusing that information by sharing it or selling it is unthinkable. It is completely safe from that kind of abuse. In almost 20 years, I have never sent unsolicited email to customers; I only use your email to send you a purchase confirmation email (or to respond to your inquiries, of course). I hate spam as much as you do! We all hate it together.
Storage of personal information is highly secure
My customer information (emails and postal codes) is stored in two places: a database on PainScience.com, and another one on Stripe. Are those databases secure? Hardly a day goes by that we don’t hear about a huge data breach, due to sloppy security at yet another big company — hundreds of them now!
My own security is excellent: I run a tight ship, and a weird one.
Stripe is a huge, juicy target … but a famously technically competent one. Most security breaches happen at companies where security is neglected (often to a degree that makes experts cringe), Stripe is at the other end of the spectrum: lots of elite programmers there. Their data is about as locked down as the Pentagon’s. Possibly more.
I barely use website “cookies”
…and only for your convenience, not to “track” you.
“Cookies” are little piece of data stored on your computer, associated with a website. Cookies originally existed solely for the convenience of users — like remembering your preferences — and that is the only way that PainScience.com has used them, or ever will.
These days, the Internet is terrible, and cookies are horrifically abused on a large scale by a massive advertising industry that really, really wants to know everything about you so that they can sell more things to you. That kind of cookie is part of a complex set of technologies known as “tracking,” and it’s why ad blockers have become a thing.
At this time (2024), PainScience.com uses just three tiny user-friendly cookies:
- If you’re logged in, your browser saves that information, so that I can show you paywalled content you have purchased the right to view.
- Another for your subscription status, so I don’t suggest premium subscriptions if you already bought them.
- A “session” identifier that links requests for different pages, so that I can see the path a user took through my website before becoming a customer. This is helpful for troubleshooting technical issues with purchases, and tells me nothing about you. In theory I could look up the pages you looked at before you bought a book — but I never actually do. It’s a mountain of data, boring except in aggregate or when I am troubleshooting. Vanilla website admin stuff.
But that’s it. This is extremely tame for the modern web. If you look at the cookie list for a typical mainstream website, it’s horrifying by comparison.
What about social media website visitor tracking? Will Facebook and Google know that I was here?
It is possible, yes — unfortunately website visitor tracking is a very sophisticated technology these days. But it is also entirely out of my hands. It is all about your own browsing practices, and even more about the way that company’s like Google and Facebook do business. While I share my readers' concerns about browsing privacy, this is a broad social and technological problem, and it is just not within my power to protect my site visitors from it.
Really the only thing I can do is not use social media buttons (such as the ubiquitous Facebook “like” button), and I don’t, but it also doesn’t make much difference in practice.1 Their absence from PainScience.com is mainly a principled boycott, especially in the case of Facebook: as of 2023, I really don’t like the company’s corporate behaviour. I just think they are jerks.
Related
- Copyright, Reprinting, and Translations for PainScience.com
- Dammit, Jim, I’m Not a Doctor! — The inevitable medical disclaimer for PainScience.com, in which I try to say the predictable legal stuff with as much folksy charm as possible
- Help! — Answers to common questions asked by PainScience.com customers
Notes
- In theory, social media buttons (Facebook “liking”) facilitate tracking only for opted-in and logged-in users of those services, and are not a privacy problem for anyone else. Anyone can browse privately at any time if they choose to do so. If you do not want Facebook to know what web pages you are looking at, for instance, then you should make sure you are logged out of Facebook when you browse the web — although even that’s not a guarantee, unfortunately! They have other ways of tracking the browsing habits of their logged out users. So, in practice, these big tech companies can and do track anyone they possibly can in a thousand ways, and none of us can really do anything to stop them.