Last updated: 16 March 2026
| Site | Good Proof by Mind Chill |
| Public-site controller | Mind Chill Nootropics Ltd |
| Company number | 09667911 |
| Registered office | 1 Orwell Street, Bristol BS3 4LN, United Kingdom |
| Rights and privacy contact | [email protected] |
This Privacy Policy explains how Mind Chill Nootropics Ltd uses personal data in connection with the public Good Proof website and related public-facing Good Proof channels that link to this Policy.
For the public Site, Mind Chill Nootropics Ltd, company number 09667911, registered in England and Wales with registered office at 1 Orwell Street, Bristol BS3 4LN, United Kingdom, is the controller of the personal data described in this Policy unless a specific form, order, or signed service document expressly says otherwise.
If you later contract for a pilot, production deployment, or enterprise service under a signed document that names a different contracting entity or describes a different controller arrangement, that signed document or service-specific notice will apply for that service to the extent stated.
Depending on how you use the Site, we may collect:
(a) identity and contact data, such as your name, email address, company name, job title or role, LinkedIn URL, region, and business contact details;
(b) enquiry and request data, such as sector, lane, intent, use case, procurement path, go-live timing, constraints, notes, request type, buyer role selections, and any information you submit in sprint, specimen, clause-pack, partner, contact, or other forms;
(c) subscription and communications data, such as newsletter sign-up details, unsubscribe choices, email delivery status, and our records of communications with you;
(d) verification and technical usage data, such as stamp identifiers queried, verifier request timestamps, approximate device and browser information, server logs, referrer information, request metadata, and rate-limiting or anti-abuse signals;
(e) security and anti-abuse data, such as hashed IP information, honeypot results, CAPTCHA or Turnstile results, authentication events, admin-session data, and related security telemetry; and
(f) cookie, analytics, and preference data, including data from cookies, local storage, analytics tags, or similar technologies used on the Site.
We collect personal data directly from you when you fill in forms, request downloads, subscribe for updates, contact us, book or request a sprint, apply for partnership, use public verifier tools, or otherwise interact with the Site.
We also collect technical information automatically through server logs, security tooling, cookies and similar technologies, analytics tools, and anti-abuse controls.
In limited cases, we may receive data from group entities, service providers, scheduling tools, or public business sources where relevant to a request or business relationship.
We use personal data for the following purposes:
(a) to operate, secure, and maintain the Site and public verifier tools;
(b) to respond to enquiries, provide requested downloads, manage sprint and partner applications, and take steps at your request before entering a contract;
(c) to communicate with you about requested materials, bookings, updates, operational notices, and business relationship matters;
(d) to prevent fraud, spam, abuse, unauthorised access, scraping, and other security or integrity risks;
(e) to improve the Site, understand usage patterns, and measure demand for products or content;
(f) to administer newsletters, preferences, and unsubscribe requests;
(g) to establish, exercise, or defend legal claims and meet legal, regulatory, accounting, and record-keeping obligations; and
(h) where permitted, to send business-to-business marketing or product updates.
Our lawful bases include performance of a contract or taking steps at your request before entering a contract, our legitimate interests in operating and protecting the Site and developing our business, compliance with legal obligations, and consent where consent is required by law, including for certain cookies or similar technologies and, where applicable, certain marketing activities.
Where we rely on legitimate interests, those interests generally include running and improving the Good Proof site and public verifier, understanding demand for our services, maintaining security, preventing abuse, keeping records, communicating with business contacts, and protecting our legal and commercial position.
We only rely on legitimate interests where we have considered that those interests are not overridden by your rights and freedoms.
We may share personal data with carefully selected service providers and recipients that help us operate the Site and related workflows, including categories such as:
(a) hosting, infrastructure, and storage providers;
(b) database, application, and development platform providers;
(c) email and transactional communications providers;
(d) security, anti-bot, WAF, and rate-limiting providers;
(e) analytics and performance measurement providers;
(f) scheduling and booking providers;
(g) professional advisers, auditors, insurers, and legal counsel; and
(h) relevant group entities where necessary for internal administration, service fulfilment, governance, compliance, or customer response.
From the current Site setup, these providers may include Vercel, Supabase, Cloudflare, Upstash, Resend, Cal.com, Google, and other comparable infrastructure or advisory providers used from time to time. We do not sell personal data.
Some of our providers or group contacts may be located outside the United Kingdom. Where personal data is transferred internationally, we take steps intended to ensure that appropriate safeguards are in place, such as adequacy regulations, the UK International Data Transfer Agreement or Addendum, Standard Contractual Clauses, or other lawful transfer mechanisms as appropriate.
If you want more information about relevant safeguards, contact us at [email protected].
We keep personal data only for as long as reasonably necessary for the purposes described in this Policy, including to respond to requests, maintain appropriate business records, protect the Site, meet legal or contractual obligations, and handle disputes.
Retention periods may vary depending on the dataset. For example, request and enquiry records may be kept for business development and audit purposes, security logs may be kept for shorter operational periods or longer where needed for incident handling, and unsubscribe records may be kept so that we can respect suppression preferences.
Where data is no longer needed, we will delete it or anonymise it where reasonably practicable.
Depending on the circumstances and applicable law, you may have rights to request access to your personal data, rectification, erasure, restriction, objection, portability, and withdrawal of consent where consent is the basis relied on.
You may also have the right to complain to the Information Commissioner’s Office in the United Kingdom if you believe your personal data has been handled unlawfully.
To exercise rights or make a privacy request, contact us at [email protected].
If you are located in Singapore or if we process your personal data in connection with Singapore, the Personal Data Protection Act 2012 (PDPA) applies to that processing in addition to the general provisions of this Policy. This section sets out how we meet our obligations under the PDPA.
(a) Purposes of collection, use, and disclosure. We collect, use, and disclose personal data only for the purposes described in this Policy, or for purposes that a reasonable person would consider appropriate in the circumstances and that are directly related to those described purposes. We will notify you of any new purpose before or at the time of collecting personal data for that purpose, and where required we will obtain your consent. We do not collect, use, or disclose personal data for purposes beyond what is reasonable and appropriate.
(b) Consent. Where the PDPA requires consent for the collection, use, or disclosure of your personal data, we will obtain your consent in an appropriate manner. You may withdraw consent at any time by contacting us at [email protected]. Withdrawal of consent may affect our ability to provide certain services or respond to requests. We will inform you of the likely consequences of withdrawal before processing it.
(c) Access and correction. Under the PDPA you have the right to request access to personal data about you that is in our possession or control, and to request correction of any personal data that is inaccurate, incomplete, or out of date. To exercise these rights, contact us at [email protected]. We will respond within a reasonable time and in any event within 30 days, or inform you if we require an extension. We may charge a reasonable fee for access requests to cover the cost of responding.
(d) Accuracy. We take reasonable steps to ensure that personal data in our possession or control is accurate, complete, and up to date, having regard to the purposes for which it is used and the interests of the individual.
(e) Protection. We apply reasonable security arrangements to protect personal data in our possession or control from unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. Details of our security measures are described in Section 13 of this Policy.
(f) Retention and disposal. We retain personal data only for as long as it is needed for the purposes for which it was collected, or for legal, regulatory, or business purposes as described in Section 9 of this Policy. When personal data is no longer needed, we will dispose of it in a reasonable manner or anonymise it.
(g) Transfer outside Singapore. Where we transfer personal data outside Singapore, we take steps to ensure that the recipient provides a standard of protection comparable to that under the PDPA, in accordance with Section 26 of the PDPA. This may include contractual arrangements with the recipient, reliance on comparable legal frameworks in the destination country, or obtaining your consent to the transfer. Our current infrastructure providers and their locations are described in Section 6 of this Policy.
(h) Breach notification. In the event of a data breach that is assessed as notifiable under the PDPA, we will notify the Personal Data Protection Commission (PDPC) as soon as practicable and in any event within three calendar days of making that assessment, in accordance with the PDPA’s mandatory breach notification requirements. Where required, we will also notify affected individuals as soon as practicable.
(i) Supervisory authority. The supervisory authority for data protection in Singapore is the Personal Data Protection Commission (PDPC). If you believe that your personal data has been handled in a manner that does not comply with the PDPA, you may lodge a complaint with the PDPC at www.pdpc.gov.sg.
We may send you service-related communications where necessary to fulfil a request or manage an existing business relationship.
Where we send broader updates or marketing, we will do so in accordance with applicable law and provide a way to unsubscribe where required. You can also contact us at [email protected] to opt out of non-essential marketing communications.
Singapore Do Not Call Registry. Where we send marketing messages to Singapore telephone numbers, we will check the relevant registers of the Singapore Do Not Call (DNC) Registry maintained by the PDPC before doing so, in accordance with the PDPA. If your Singapore telephone number is registered on the DNC Registry and you have not given us clear and unambiguous consent to contact you for marketing purposes, we will not send you marketing messages to that number. You may register or check your DNC status at www.dnc.gov.sg.
We use technical and organisational measures intended to help protect personal data, including access controls, logging, encryption in transit, anti-bot and anti-abuse measures, rate limiting, and provider-level security tooling. No internet-based system can be guaranteed completely secure, but we take security seriously and review safeguards over time.
The Site is intended for business, professional, and general information audiences and is not directed to children. We do not knowingly collect personal data from children through the Site.
We may update this Policy from time to time. We will post the updated version on the Site and update the Last updated date. Material changes may also be highlighted through an appropriate notice where warranted.
Mind Chill Nootropics Ltd
Company number: 09667911
Registered office: 1 Orwell Street, Bristol BS3 4LN, United Kingdom
Contact for privacy, cookies, support, and rights requests: [email protected]
See also our Cookie Policy and Terms of Service.