This Privacy Policy explains how Global Books LLC, doing business as LibraMind ("LibraMind", "we", "us", or "our"), collects, uses, shares, retains, and protects personal information in connection with our website www.libramind.ai (the "Site") and the LibraMind platform and related services (collectively, the "Services").
This Policy should be read together with our Terms of Use and, where applicable, the Data Processing Agreement ("DPA") executed between LibraMind and an institutional customer. In case of conflict between this Policy and a fully executed DPA or written agreement, the DPA or written agreement controls with respect to the personal information processed thereunder.
1. Scope and Our Role
This Policy applies to personal information we process about:
- Site visitors — individuals who browse the Site, request a demo, sign up for our mailing list, or contact us.
- Institutional users — librarians, administrators, and other professionals who access the platform on behalf of a library, consortium, university, or other institutional customer.
The LibraMind Services are designed for use by librarians and other authorized institutional personnel. The Services are not intended to receive, and institutional customers agree not to submit, directly identifiable personal information of library patrons or end-readers. Institutional customers may, however, send aggregated or anonymized circulation, demand, or holdings statistics to the Services as input for collection analysis and recommendations, as further described in Section 2.4.
1.1 Our Role under Data Protection Laws
Our role under applicable data protection laws depends on whose data is involved:
- For Site visitor and prospect data, and for institutional account-administration data (names, business contact, billing, login activity of librarians and administrators), LibraMind acts as a controller (under GDPR/UK GDPR) or business (under CCPA/CPRA).
- For Customer Data processed on behalf of an institutional customer (such as configuration data, holdings and acquisition records, cataloging metadata, and aggregated circulation or demand statistics submitted by the customer), LibraMind acts as a processor (under GDPR/UK GDPR) or service provider (under CCPA/CPRA). The institutional customer is the controller / business and determines the purposes and means of processing through its instructions and the applicable DPA.
Where LibraMind acts as a processor / service provider, our processing of personal information is governed by the customer's written agreement and DPA, not solely by this Policy.
1.2 Controller of Record
The controller of record for personal information processed under this Policy (in our controller capacity) is:
Global Books LLC, d/b/a LibraMind
8 The Green Suite B, Dover, Delaware 19901, United States
Email: [email protected]
2. Personal Information We Collect
The categories of personal information we collect depend on how you interact with us.
2.1 Information You Provide
- Identification and contact: full name, business email, business phone, job title, institution or library name.
- Account credentials: username, password (stored in hashed form), authentication tokens, multi-factor authentication settings.
- Billing and procurement information: billing contact, billing address, purchase orders, tax identification numbers, and similar institutional procurement details. We do not store full payment card numbers; card processing is handled by our payment processors.
- Demo, support, and inquiry content: information you provide in demo requests, support tickets, sales conversations, and email correspondence.
2.2 Information Collected Automatically
- Device and connection data: IP address, device type, operating system, browser type and version, language preferences, time zone.
- Usage data: pages and features accessed, queries run, click events, session duration, error logs, performance metrics, and similar interaction data.
- Cookies and similar technologies: see Section 5.
2.3 Information From Third Parties
- Payment processors: confirmation of payment status, last four digits of payment instruments, transaction identifiers.
- Integration and data partners: bibliographic data feeds, publisher data partners (such as Ingram Content Group), library system integrations (ILS/LSP). Where these partners send us personal information, it is generally limited to professional contact data of librarians or administrators.
- Publicly available sources and business directories, for prospecting and account-research purposes (e.g., institution directories, professional networking sites).
2.4 Customer Data
When you use the Services as an institutional user, the records, queries, and content you process through the platform ("Customer Data") include account-administration data, configuration data, collection and holdings records, acquisition lists and decisions, bibliographic and cataloging records, and any aggregated or anonymized circulation, demand, or holdings statistics that the institution chooses to send to the Services as input for collection analysis or recommendations. LibraMind processes such Customer Data as a processor / service provider on behalf of the institutional customer, as described in Section 1.1, and only for the purposes and durations set forth in the customer's agreement and DPA.
The Services are designed for use by librarians and authorized institutional personnel and are not intended to receive directly identifiable personal information of library patrons or end-readers. Institutional customers are responsible for configuring their use of the Services so that (i) patron-level identifiers are not routed through the platform, and (ii) any circulation, demand, or holdings statistics submitted to the Services are appropriately aggregated or anonymized prior to submission. Categories of sensitive personal information are likewise not requested by LibraMind and should not be submitted to the Services.
3. How We Use Personal Information
We use personal information for the purposes described in the table below. The legal bases applicable to EU/UK data subjects are set out in Section 9.
| Purpose | Categories of data used | Examples |
|---|---|---|
| Provide and operate the Services | Account credentials, contact, usage, Customer Data (as processor) | Authenticate users; deliver platform features; render bibliographic results |
| Customer support | Contact, support-ticket content, usage logs | Respond to tickets; troubleshoot issues; train support staff |
| Billing and account administration | Billing contact, procurement details, transaction data | Invoice processing; tax reporting; renewal management |
| Service security and abuse prevention | IP, device, usage, account credentials | Detect unauthorized access; block automated scraping; investigate incidents |
| Service improvement (aggregated/de-identified) | Usage metrics, error rates, performance data (de-identified where practicable) | Identify performance bottlenecks; prioritize features |
| Marketing and prospect communications | Business contact, institution data, prospect-interaction history | Send demo invitations and newsletters where permitted; manage CRM |
| Legal compliance and protection of rights | As required by the matter | Respond to legal process; enforce Terms; comply with tax/accounting rules |
3.1 Personalization
Within the platform, certain features may surface recommendations or analyses based on Customer Data submitted by an institutional customer (for example, suggesting titles based on collection profiles). These personalization features are operated for the benefit of the institutional customer that submitted the data and do not create cross-customer profiles.
3.2 No Automated Decisions With Legal or Similarly Significant Effects
We do not make decisions producing legal or similarly significant effects concerning individuals based solely on automated processing of their personal information. AI-assisted outputs produced by the Services are advisory in nature and are subject to human review by the institutional customer, as described in our Terms of Use.
4. Artificial Intelligence and Model Training
LibraMind offers AI-assisted features for collection development, cataloging, and acquisitions. The following commitments govern how we use personal information in connection with our AI models, and they apply in addition to the corresponding terms in our Terms of Use (Section 6.5):
- No training on identifiable Customer Data by default. We do not use identifiable Customer Data to train, fine-tune, or otherwise improve general-purpose AI or machine-learning models that are made available to other customers or to third parties, unless the institutional customer has provided prior written consent or, if and when such functionality is made available, has explicitly opted in through a configurable setting in the Services.
- Aggregated and de-identified operational signals. We may use aggregated, de-identified, and statistically anonymized signals derived from operational use of the Services (for example, error rates, latency metrics, and feature-usage counts) to operate, secure, debug, and improve the Services. We take reasonable measures to prevent re-identification of such signals.
- Third-party AI components. Where the Services rely on third-party AI components or model providers, we contractually require such providers not to use Customer Data submitted through our Services to train their models, except where the institutional customer has consented. Current sub-processors and AI components are identified in our Sub-Processor List, as described in Section 6.3.
- Human review of outputs. AI-assisted recommendations, metadata suggestions, and similar outputs are advisory. Final cataloging, acquisition, and collection-development decisions remain with the institutional customer.
5. Cookies and Similar Technologies
We use cookies and similar technologies on the Site and the platform. Where required by applicable law (including in the EU/UK) and where non-essential cookies are used, we will obtain consent before such cookies are placed, and you will be able to withdraw or change your consent at any time.
5.1 Categories of Cookies
- Strictly necessary cookies: required to authenticate users, maintain sessions, and operate core platform functionality. These cannot be disabled without breaking the Services.
- Functional cookies: remember preferences such as language and display options.
- Analytics cookies: help us understand how the Site and platform are used (e.g., Google Analytics). Where consent is required by applicable law, these cookies will not be set until the user has provided consent.
LibraMind does not currently use advertising or cross-context behavioral-advertising cookies. If this changes, we will update this Policy and obtain consent where required.
5.2 Managing Cookies
Where a cookie-preferences control is provided on the Site, you can manage cookie preferences through it at any time. You can also manage cookies through your browser settings. Disabling strictly necessary cookies will prevent the Services from functioning correctly. For Google Analytics specifically, you may install the Google Analytics opt-out browser add-on.
5.3 Do Not Track
Because there is no industry consensus on how to interpret Do Not Track signals, our Site does not respond to them. Where required by applicable law, we will honor recognized opt-out preference signals (for example, Global Privacy Control).
6. How We Share Personal Information
We do not sell personal information in the traditional sense, and we do not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"). We share personal information only as described below.
6.1 Service Providers and Processors
We share personal information with vendors who process it on our behalf and under our instructions, including:
- Cloud hosting and infrastructure providers.
- Payment processors.
- Customer-support, CRM, email-delivery, and analytics tools.
- Identity, authentication, and security providers.
- Professional services providers (accountants, auditors, outside counsel) bound by confidentiality obligations.
These vendors are contractually required to protect personal information and to use it only for the purposes we authorize.
6.2 Institutional Customers
Where you access the Services as an authorized user of an institutional customer, the customer institution will have access to your account-administration data and to records of your activity on the platform, in the same way an employer has access to work-related systems.
6.3 Sub-Processors
Where we act as a processor / service provider for an institutional customer, we engage sub-processors (such as cloud-hosting providers) to assist in delivering the Services. A current list of sub-processors and their roles is published in our Sub-Processor List, available at libramind.ai/legal/subprocessors, and is also referenced in our DPA. Copies are available on request to [email protected]. We notify institutional customers of new sub-processors as required by the applicable DPA.
6.4 Business Transfers
If LibraMind is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction, subject to the same protections set out in this Policy or to notice and choice where required by law.
6.5 Legal and Safety Disclosures
We may disclose personal information to government authorities, courts, or other third parties where we believe in good faith that disclosure is required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of LibraMind, our customers, or others, including to prevent fraud or security incidents.
6.6 With Your Direction
We may share personal information with third parties where you direct us to do so (for example, when you authorize an integration with a third-party system).
7. International Data Transfers
LibraMind is based in the United States. We and our service providers process personal information in the United States and in other jurisdictions where they operate. If you are located in the European Economic Area ("EEA"), the United Kingdom, Switzerland, or another jurisdiction that restricts cross-border transfers, we rely on appropriate transfer mechanisms, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable, including the UK International Data Transfer Addendum and the Swiss-equivalent clauses where required;
- Adequacy decisions by the relevant regulator, where applicable;
- Supplementary measures (such as encryption in transit and at rest, and access controls) where appropriate based on a transfer-impact assessment.
Copies of the relevant transfer mechanisms applicable to your data are available upon request to [email protected].
8. Data Retention
We retain personal information only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law. Indicative retention periods are:
| Category | Indicative retention period |
|---|---|
| Account-administration data of institutional users | For the duration of the subscription, plus up to 90 days after termination for data-export purposes (subject to DPA terms) |
| Customer Data processed as processor | As instructed by the institutional customer and as set out in the DPA; by default, returned or deleted within 60 days of termination of the subscription |
| Billing and transaction records | Up to 7 years from the relevant transaction, to meet tax and accounting obligations |
| Support-ticket content | Up to 3 years from ticket closure |
| Marketing and prospect data | Until you unsubscribe, or after 24 months of inactivity, whichever is earlier |
| Security logs | Typically 12–18 months, depending on the log type and security needs |
| Backups | Backup retention follows our backup rotation schedule; backups are overwritten in the ordinary course and are not used to reconstitute deleted data except for disaster-recovery purposes |
Where retention is governed by a Written Agreement or DPA with an institutional customer, the terms of that agreement control.
9. Information for EU/EEA, UK, and Swiss Data Subjects
9.1 Legal Bases for Processing
Where the EU/UK General Data Protection Regulation or Swiss data-protection law applies, we process personal information on the following legal bases:
| Processing purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and operate the Services to institutional users | Contract (Art. 6(1)(b)) where you are a contracting party; legitimate interests of the institutional customer and LibraMind in operating the platform (Art. 6(1)(f)) where you are an authorized user |
| Customer support and account administration | Contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) |
| Billing, tax, and accounting | Legal obligation (Art. 6(1)(c)); contract (Art. 6(1)(b)) |
| Service security and abuse prevention | Legitimate interests in protecting the Services and customers (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) where applicable |
| Service improvement using aggregated/de-identified signals | Legitimate interests in improving the Services (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) where required; legitimate interests in B2B prospect communications (Art. 6(1)(f)) where permitted by applicable law |
| Compliance with legal requests and protection of rights | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have considered the impact of the processing on you and concluded that our interests are not overridden by your rights and freedoms. You may request more information about our balancing tests by contacting us at [email protected].
9.2 Your Rights
Subject to the conditions set out in the GDPR/UK GDPR, you have the following rights with respect to personal information for which LibraMind is a controller:
- Right of access to your personal information and to a copy of it;
- Right of rectification of inaccurate or incomplete data;
- Right of erasure ("right to be forgotten") in defined circumstances;
- Right to restriction of processing in defined circumstances;
- Right to data portability for data you have provided to us and that we process by automated means on the basis of consent or contract;
- Right to object to processing carried out on the basis of legitimate interests, including profiling, and to object at any time to processing for direct-marketing purposes;
- Right to withdraw consent at any time, where processing is based on consent (without affecting the lawfulness of processing carried out before withdrawal);
- Right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of an alleged infringement.
To exercise these rights, contact us at [email protected]. We will respond within one month of receipt of your request, with the possibility of a two-month extension for complex requests, as permitted by GDPR Article 12(3). We may need to verify your identity before responding.
Where LibraMind acts as a processor (for example, in relation to patron-derived information), please direct your request in the first instance to the institutional customer that determines the purposes and means of the processing. We will support the customer in responding to your request as required by the applicable DPA.
9.3 EU and UK Representatives
Where required under GDPR Article 27 or UK GDPR, LibraMind will appoint a representative in the EU and/or the UK. Current representative details, where appointed, are available on request to [email protected].
10. Information for California Residents
This section supplements the rest of this Policy and applies to California residents whose personal information is covered by the CCPA/CPRA. It does not apply to personal information that is exempt from the CCPA/CPRA, such as personal information processed in the business-to-business context to the extent and for the duration of any applicable exemption.
10.1 Categories of Personal Information Collected
In the 12 months preceding the date of this Policy, we have collected the following categories of personal information defined under the CCPA/CPRA:
- Identifiers (e.g., name, business email, IP address);
- Customer-records information (e.g., billing contact, institution, transaction details);
- Commercial information (e.g., subscription history, service preferences);
- Internet or other electronic-network activity information (e.g., usage logs, cookie data);
- Geolocation data (approximate, derived from IP);
- Professional or employment-related information (e.g., job title, institution);
- Inferences drawn from the above to characterize professional preferences and needs.
We do not knowingly collect sensitive personal information for the purpose of inferring characteristics about a consumer.
10.2 Sources, Purposes, and Disclosures
The sources of these categories are described in Section 2; the purposes for which we use them are described in Section 3; and the categories of recipients to whom we disclose personal information for a business purpose are described in Section 6.
10.3 No Sale or Sharing for Cross-Context Behavioral Advertising
LibraMind does not "sell" personal information and does not "share" personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not engaged in such sale or sharing in the 12 months preceding the date of this Policy.
10.4 Your California Rights
- Right to know what personal information we collect about you, the sources, the purposes, and the categories of recipients;
- Right to access a copy of your personal information;
- Right to delete your personal information, subject to legal exceptions;
- Right to correct inaccurate personal information;
- Right to opt out of sale or sharing for cross-context behavioral advertising (although, as noted above, we do not engage in such practices);
- Right to limit the use and disclosure of sensitive personal information (we do not use sensitive personal information for purposes outside those permitted under CPRA § 1798.121);
- Right not to be discriminated against for exercising your rights.
To exercise these rights, contact us at [email protected]. You may also designate an authorized agent to act on your behalf. We will verify your request through reasonable means appropriate to the sensitivity of the data and the request.
11. Information for Residents of Other U.S. States
If you are a resident of a U.S. state that has enacted a comprehensive consumer-privacy law (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others), you may have rights similar to those described for California residents, including rights of access, deletion, correction, and opt-out from targeted advertising or sales. To exercise these rights, contact us at [email protected].
12. Security of Your Information
We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These safeguards include access controls, encryption of data in transit (and, where appropriate, at rest), logging and monitoring, secure software-development practices, and vendor-security reviews.
No system of safeguards is perfectly secure. You are responsible for maintaining the confidentiality of your account credentials and for logging out of shared devices. If you suspect any unauthorized access to your account, please contact us promptly at [email protected].
In the event of a confirmed personal-data breach affecting your personal information, we will notify affected individuals and, where required, regulators, in accordance with applicable law and any applicable DPA.
13. Children's Privacy
The Services are intended for use by libraries, institutions, and adult professionals. We do not knowingly collect personal information from children under the age of 16 through the Services. If we become aware that we have collected such information without an appropriate legal basis, we will delete it promptly. Where the Services are made available in school or educational settings to learners under 18, access is permitted only under the supervision and direction of an authorized educator or institution and only as permitted by applicable law and the institution's policies.
14. Third-Party Sites and Services
The Site and the platform may contain links to or embed content from third-party sites and services, including publishers, integration partners, and social-media platforms. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy notices before providing them with personal information.
15. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. Material changes will be communicated through the Site, by email to registered users, or through the platform, in accordance with applicable law. The "Last updated" date at the top of this Policy reflects the most recent revision. Your continued use of the Services after a revised Policy takes effect constitutes acceptance of the revised Policy, except to the extent your prior consent is required.
16. How to Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle personal information, please contact us:
LibraMind — Privacy Office
Email: [email protected]
Mail: 8 The Green Suite B, Dover, Delaware 19901, United States
Institutional customers requesting a Data Processing Agreement or sub-processor list should contact [email protected].