PainScience.com Sensible advice for aches, pains & injuries
 
 

Security, Privacy, and Refund Policies

The “fine print” page for PainScience.com, with some extra details on ecommerce security


We are all cynical about the “fine print,” but it is simple and customer-friendly on this website. Here are the highlights in plain English…

Who are you buying from? A quick e-commerce security primer

Many consumers are understandably a little concerned about giving out their credit card info online. Fortunately, it’s very safe if you know who you are giving it to. Most online fraud involves con-artists who are pretending to be legit vendors: they take your money and disappear.

And so the biggest rule of e-commerce security is to trust the seller, not so much the technology. Of course, you can never know for sure, but most honest businesses go out of their way to be identifiable and easy to contact.

My name is Paul Ingraham, owner and publisher of PainScience.com, based in Vancouver, Canada. It’s a one-man shop and always has been. PainScience.com has been online since 2000 (as SaveYourself.ca for many years, then PainScience.com since late 2014). To verify my identity, see my domain name records. You can also Google my name and find lots of evidence of me out there, being who I am, part of a community of professionals. I have Twitter and Facebook accounts, where I often publicly interact with all kinds of colleagues and experts, as well as readers… all of which would be really hard for a con-artist to fake.

Paul Ingraham, PainScience.com Publisher

6001 Vine St • Vancouver BC • V6M4A4 • CANADA


778-968-0930

Refund policy: 100% lifetime money-back guarantee

Please feel free to request a refund at any time, even months after purchase. I refund automatically upon request, like a reflex. I haven’t got any interest in having unhappy customers, ever. If you don’t like the product, please allow me the opportunity to either address your concern or return your money. My refund rate is just under 1%, compared to the >8% return rate typical for retail. Most of those refunds are for customers who simply bought the wrong book hoping it would apply to them — and I have no problem with that. Why would I?

Credit card information is encrypted in transit, I never see it, and it’s never stored

All PainScience.com pages are encrypted (not just the store pages) and have been since 2014. All information sent between my server and your device gets converted into gibberish for the trip. Even if a bad guy intercepted it, there’s no way to read it. So if you submit credit card information to buy an ebook, for instance, your credit card number is encrypted.

But it gets better! No one can send credit card info to me, a lowly retailer—instead, it goes straight from your web browser to a sophisticated payment processor, Stripe, a highly regarded company (A+ BBB rating). Since card info is only ever handled by Stripe, my own security practices are a moot point (as far as sensitive payment is concerned).

And so it’s quite literally true that using my internet store is “safer than a bank machine.” (Although this is difficult to prove, it’s a reasonable statement.) The lion’s share of online theft of credit card information is actually low-tech: thieves just fool people into voluntarily sending them information. They usually don’t steal individual credit card numbers “in transit” as they fly through the Internet tubes… because that’s really hard. Hackers rarely try to crack encrypted card info. It’s just not worth their effort.

Payment information is nearly impossible to steal from individual secured transactions & all of these companies allow customers to challenge charges in any case.

Card numbers are also not stored by either PainScience.com or Stripe. I can’t do that because I never get them in the first place. Stripe could save card numbers in principle, and they do it for some kinds of transactions (subscriptions I believe)… but not for the simple kinds of sales I do.

Privacy policy: your contact information will never be used to contact you

When you make a purchase at my store, I ask for your personal contact information — name, physical address, email address. This is mainly an anti-fraud measure.[1]

Abusing that information by sharing it or selling it is unthinkable. It is completely safe from that kind of abuse. I will never share it or sell it. I never send unsolicited email to customers; I only use your email to send you a purchase confirmation email (or to respond to your inquiries, of course). I hate spam as much as you do! We all hate it together.

Storage of personal information is highly secure

My customer information (names, emails, addresses) is stored in two places: a database on PainScience.com, and another one on Stripe. Are those databases secure? Hardly a day goes by that we don’t hear about a huge data breach, due to sloppy security at yet another big company — hundreds of them now!

My own security is excellent: I run a tight ship, and a weird one. I’m a mildly paranoid, fastidious dork. I am the guy who tries to talk people into using a password manager. Not only do I place a high priority on security for my business, everything about PainScience.com is completely custom (“security through obscurity”). So PainScience.com is a small, hard, and non-standard target: it would be a tedious and poor investment for a hacker to try to break in!

Stripe is a huge, juicy target… but a famously technically competent one. Most security breaches happen at companies where security is neglected (often to a degree that makes experts cringe); Stripe is at the other end of the spectrum: lots of elite programmers there. Their data is about as locked down as the Pentagon’s. Possibly more.

Personal information is not publicly exposed (even though it might look that way)

Occasionally a customer notices that their name is displayed on what appears to be a publicly accessible page (the account page, or the full-access version of a tutorial). Appearances are deceiving. Due to an invisible security system, only you can see “your” pages here, unless you share the full-access link with someone yourself (the link itself is a simple login, but it’s not as simple as it looks). They are definitely not available to the general public, and malicious scraping/crawling software cannot get to them either.

For obvious reasons, I don’t publish any details about how that system works. Suffice it to say it lets my customers in and keeps everyone else out.

What about social media website visitor tracking? Will Facebook and Google know that I was here?

It is possible, yes — unfortunately website visitor tracking is a very sophisticated technology these days. But it is also entirely out of my hands. It is all about your own browsing practices, and the way Google and Facebook do business. PainScience.com is out of that loop.

I certainly share my readers’ concerns about browsing security in general. However, this is a broad social and technological problem, and it is not within my power to protect people in this way. Technologically, social media buttons (Facebook “liking”) facilitate tracking only for opted-in and logged-in users of those services, and are not a privacy problem for anyone else. Anyone can browse privately at any time if they choose to do so. If you do not want Facebook to know what web pages you are looking at, for instance, then make sure you are logged out of Facebook when you browse the web — although even that’s not a guarantee, unfortunately. They have other ways of tracking the browsing habits of their logged-out users.

I strongly recommend using ad-blocking software. Most ad-blocking also blocks tracking. I don’t know the options for Windows and Android, but on Apple’s platform, 1Blocker and Ghostery are both excellent.

Notes

  1. This is changing: Stripe no longer requires it, and in the future it probably won’t be necessary for fraud prevention, but for now I think it’s still a good policy.