Privacy Policy

This Data Privacy and Protection Policy (the “Policy”) describes how The Resurgence Training Institute Inc., operating as The Synthesis Institute (the “Institute”), collects, uses, stores, shares, and protects personal data in the course of its training programs and related activities. The Policy is the Institute’s public statement of its data protection commitments and the framework against which its data practices are governed.

This Policy applies to personal data of Students enrolled in or applying to Institute programs, of Learning Facilitators, faculty, and staff in the course of their engagement with the Institute, and of visitors to the synthesisinstitute.com website. It is intended to be read alongside the Synthesis Practitioner Code of Ethics and Conduct and the Training Services Agreement signed by every Student at enrollment.

The Institute recognises that the personal data of its Students includes sensitive categories of information, including admissions and assessment records, financial information, recordings of certain video meetings, and information disclosed in the course of training. The Institute is committed to handling this data with appropriate care and in accordance with applicable law.

1. Definitions

In this Policy, the following terms have the meanings set out below.

“Personal Data” means any information relating to an identified or identifiable natural person.
“Data Subject” means the natural person to whom Personal Data relates.
“Processing” means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, transmission, and erasure.
“Processor” means a third party that processes Personal Data on behalf of the Institute.
“Student” means an individual party to a Training Services Agreement with the Institute, including applicants, currently enrolled learners, and graduates whose certification status is maintained by the Institute.

2. Categories of Personal Data Collected

In the course of operating its programs, the Institute collects and processes the following categories of Personal Data.

Identification and Contact Information

Name, email address, mailing address, telephone number, date of birth, and other identification information provided in the application and enrollment process.

Application and Admissions Data

Information provided by applicants in the program application, admissions interview, and supporting materials. The Training Services Agreement refers to this as “Original Applicant Information.”

Background Check Authorisation and Results

The Training Services Agreement requires applicants to sign a Criminal Background Check Release. Information returned through that process is processed by the Institute in connection with admissions decisions.

Health Attestation

In accordance with the Training Services Agreement, applicants attest that they have consulted, or had the opportunity to consult, with a medical professional concerning their physical and mental ability to participate in the program. The Institute does not generally collect detailed medical records as part of admissions, although limited health information may be disclosed by Students in the course of participation.

Educational Records

Records of attendance, assignments, assessments, evaluations, communications with Learning Facilitators, leave of absence requests, and other materials generated in the course of program participation.

Recordings

In accordance with the Training Services Agreement, a Student’s image or voice from a recorded training session may be used by the Institute in training materials in connection with the program. In accordance with the Disciplinary Procedure, video recordings of Disciplinary Meetings are made and retained in the interests of transparency and accountability.

Financial Information

Tuition payments, refund processing, and related financial transactions. Payment card data is processed by the Institute’s payment processor (see Section 6) and is not stored by the Institute directly.

Communications

Email correspondence, video meeting participation, and other communications between Students and the Institute.

Website Data

Information collected through the synthesisinstitute.com website, including data collected through cookies and similar technologies. The Institute’s separate Cookie Policy provides further information.

3. Purposes of Processing

The Institute processes Personal Data for the following purposes:

Assessing applications and making admissions decisions.
Delivering the contracted training program, including the issuance of the Certificate of Completion and the maintenance of Good Standing certification status.
Communicating with Students about the program and Institute matters.
Processing tuition payments and refunds.
Operating disciplinary, grievance, hearing, and appeal procedures.
Complying with legal, regulatory, and contractual obligations, including those arising under the Colorado Office of Natural Medicine Approved Facilitator Training Program.
Improving the quality of the program through internal review, faculty evaluation, and curriculum development.
Sending marketing and Institute communications, where the Student or other Data Subject has consented to receive them (see Section 11).

4. Lawful Bases for Processing

The Institute relies on the following lawful bases for the processing of Personal Data.

Performance of a Contract

Most processing of Student Personal Data is necessary for the performance of the Training Services Agreement to which the Student is a party, or for taking steps at the Student’s request prior to entering into that agreement.

Consent

The Institute relies on consent as the lawful basis for processing in defined circumstances, including the use of Personal Data for marketing communications and the use of website cookies that are not strictly necessary.

Legal Obligation

The Institute processes Personal Data where necessary to comply with legal obligations to which it is subject, including obligations arising under Colorado regulatory frameworks and applicable mandated-reporting laws.

Legitimate Interests

The Institute processes Personal Data where necessary for its legitimate interests in operating the program, maintaining the integrity of its certification, evaluating and improving curriculum and faculty performance, and protecting the safety and rights of Students, faculty, staff, and the public, except where those interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.

5. Sharing of Personal Data

The Institute does not share Student Personal Data with third parties for those parties’ own purposes, except as set out below.

Where the Student has provided written consent to the disclosure.
Where disclosure is necessary to protect the safety of the Student or another person.
Where disclosure is required by law, court order, or legal process, including in response to a governmental or regulatory request.
Where disclosure is required in connection with mandated-reporting obligations applicable to the Institute or its faculty.

Beyond these circumstances, Student Personal Data is not sold, traded, or otherwise transferred to outside parties. Personal Data is processed by the third-party Processors identified in Section 6, who act on the Institute’s behalf and for the Institute’s purposes.

6. Third-Party Processors

The Institute uses the following third-party platforms to operate its program. These platforms process Personal Data on the Institute’s behalf for the purposes set out in this Policy.

Synthesis Circle: community platform used for cohort communication, content delivery, and learning management.
Zoom: video conferencing platform used for live cohort sessions, pod meetings, and Disciplinary Meetings.
Paysafe: payment processor used to process tuition payments.
Google Workspace: email, document storage, and collaboration platform used for Institute communications and administrative records.
HubSpot: customer relationship management platform used for applicant tracking and communications.
Typeform: forms platform used for applications, surveys, and information collection.
Retreat Guru: registration, enrollment, scheduling, and booking platform used for applicant and student account management.

The Institute relies on the published data processing agreement of each Processor identified above. Specifically: the Circle Data Processing Addendum (circle.so/dpa), the Zoom Global Data Processing Addendum (available through zoom.com/trust), the Google Cloud Data Processing Addendum (cloud.google.com/terms/data-processing-addendum), the HubSpot Data Processing Agreement (legal.hubspot.com/dpa), the Typeform Data Processing Agreement (typeform.com/dpa), and the Retreat Guru Data Management Policy (go.retreat.guru/terms). Each of these agreements is incorporated into the Institute’s commercial relationship with the relevant Processor through the main agreement, terms of service, or administrative acceptance, and includes Standard Contractual Clauses for data transferred from the European Economic Area or the United Kingdom. The Institute is in the process of confirming that the Paysafe Data Protection and Information Security Addendum is incorporated into its merchant processing agreement.

7. Data Retention

The Institute retains Personal Data for as long as it is needed to fulfil the purposes for which it was collected, including the maintenance of certification records, compliance with legal and regulatory obligations, and the integrity of the Institute’s admissions, training, and disciplinary records.

The Institute does not currently operate a fixed retention schedule with automatic deletion. Recordings of Disciplinary Meetings are retained in connection with the disciplinary record. Educational and certification records are retained for the duration of the Institute’s relationship with the Student and beyond, in support of the Institute’s ongoing endorsement of certified graduates and to enable the Institute to confirm completion and Good Standing status to third parties as provided in the Training Services Agreement.

Students may contact the Institute to request review or deletion of specific records (see Section 9). Such requests will be considered against the Institute’s legal, regulatory, and operational obligations. The Institute will review and update this Section in future revisions of this Policy as retention schedules are formalised.

8. Data Security

The Institute takes reasonable steps to protect Personal Data against loss, unauthorised access, disclosure, alteration, and destruction. These steps include the following.

Platform Security

The Institute relies on the security infrastructure of the third-party platforms identified in Section 6, including standard transport-layer encryption for Personal Data transmitted to and from those platforms.

Access Controls

Access to Student records is limited by role within the Institute. Only Institute personnel with a legitimate need access Student Personal Data. Learning Facilitators have access to records of the Students in their assigned pods; the Program Manager, Lead Learning Facilitator, and Program Director have broader access in support of program administration.

Personnel Obligations

Compliance with this Policy, including its confidentiality and data-protection requirements, is mandatory for all personnel involved in delivering the Institute’s training services. The Policy applies to employees, faculty, and Learning Facilitators in the course of their engagement with the Institute. Contractors are additionally bound by the confidentiality provisions of their contractor agreement with the Institute, under which all information relating to the Institute is treated as confidential and may not be disclosed or used except as authorised by the Institute or as required by law. Adherence to the Institute’s privacy, confidentiality, and data-protection requirements is a condition of engagement for employees and contractors.

Inherent Risk in Electronic Communication

As acknowledged in the Training Services Agreement, there is an inherent risk that electronic communications between Students and the Institute may be unlawfully intercepted by third parties not under the Institute’s control. The Institute does not guarantee the security of any information transmitted via the Internet, telephone, or text message.

9. Rights of Data Subjects

Where applicable under the law of the Data Subject’s jurisdiction, including the General Data Protection Regulation for Data Subjects in the European Economic Area and the United Kingdom, and the Colorado Privacy Act for Data Subjects who are Colorado residents, the following rights apply with respect to Personal Data held by the Institute.

Right of access. The right to obtain confirmation of whether the Institute processes Personal Data concerning the Data Subject and, where it does, to access that data.
Right to rectification. The right to request correction of inaccurate or incomplete Personal Data.
Right to erasure. The right to request deletion of Personal Data, subject to the Institute’s legal, regulatory, and operational obligations to retain certain records.
Right to restrict processing. The right to request that the Institute restrict the processing of Personal Data in defined circumstances.
Right to data portability. The right to receive Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to object. The right to object to processing carried out on the basis of legitimate interests, and to object to processing for direct marketing purposes.
Right to withdraw consent. Where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint. The right to lodge a complaint with the data protection supervisory authority of the Data Subject’s jurisdiction.

Requests to exercise any of these rights may be directed to support@synthesisinstitute.com. The Institute will respond to verified requests within the timeframe required under applicable law, and in any case without undue delay.

10. Children

In accordance with the Training Services Agreement, the Institute admits applicants who are at least 18 years of age. The Institute does not knowingly collect Personal Data from children. Where the Institute becomes aware that Personal Data of a child has been collected without appropriate consent, that data will be deleted.

11. Cookies and Marketing Communications

Cookies

The synthesisinstitute.com website uses cookies and similar tracking technologies. A cookie banner is displayed on first visit, allowing visitors to consent to or decline non-essential cookies. The Institute’s separate Cookie Policy, available on the website, provides further information about the cookies in use and their purposes.

Marketing Communications

The Institute uses Personal Data to send communications about programs, events, and Institute updates, where the Student or other Data Subject has provided appropriate consent. Recipients may opt out of marketing communications at any time using the unsubscribe mechanism in each message or by contacting the Institute. Opting out of marketing communications does not affect the receipt of communications that are necessary for the operation of the contracted training program.

12. Personal Data Breach Response

In the event of a Personal Data breach, the Institute will respond as follows.

12.1 Discovery and Reporting

Any individual who becomes aware of a suspected or confirmed Personal Data breach must report it without delay to support@synthesisinstitute.com or to the Program Director. Reports may be made by Students, faculty, staff, Learning Facilitators, or any other person.

12.2 Initial Assessment

The Privacy Contact, or a designate, will assess the scope, severity, and likely impact of the breach within 72 hours of discovery. The assessment will identify the categories of Personal Data affected, the approximate number of Data Subjects affected, the likely cause of the breach, and the steps required for containment.

12.3 Containment and Remediation

The Institute will take immediate steps to contain the breach, secure affected systems and accounts, and prevent recurrence. Where a breach involves a third-party Processor identified in Section 6, the Institute will engage the relevant Processor to support the response.

12.4 Notification of Affected Data Subjects

Where a breach is likely to result in a risk to the rights and freedoms of Students or other Data Subjects, the Institute will notify those individuals without undue delay and no later than 30 days after the Institute determines that a reportable breach has occurred, consistent with Colorado Revised Statutes Section 6-1-716. The notification will include a description of the breach, the categories of Personal Data affected, the likely consequences, the measures the Institute is taking in response, and the contact through which further information may be obtained.

12.5 Notification of Supervisory Authorities

Where notification to a data protection supervisory authority is required by applicable law, the Institute will provide such notification within the timeframe required by law. For Data Subjects in the European Economic Area, this means notification to the relevant supervisory authority under the General Data Protection Regulation within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons.

12.6 Documentation and Post-Incident Review

All Personal Data breaches, regardless of whether external notification is required, will be documented by the Institute. The record will include the facts of the breach, the Institute’s response, and any preventive measures implemented. Following the resolution of any breach, the Institute will conduct a review to identify lessons learned and to strengthen its data protection practices.

13. Changes to this Policy

The Institute may update this Policy from time to time. Material changes will be communicated to currently enrolled Students by email and to other Data Subjects through the synthesisinstitute.com website.

14. Contact and Complaints

Questions about this Policy, requests to exercise the rights set out in Section 9, and reports of suspected Personal Data breaches may be directed to support@synthesisinstitute.com.

Data Subjects who believe that the Institute has not handled their Personal Data in accordance with this Policy or applicable law have the right to lodge a complaint with the data protection supervisory authority of their jurisdiction. For Data Subjects in the European Economic Area, this is the data protection authority of the country in which the Data Subject resides or in which the alleged infringement took place. For Colorado residents, complaints may be directed to the Colorado Attorney General.

The Institute encourages Data Subjects to contact the Institute directly in the first instance, so that the Institute may seek to resolve concerns promptly and at the source.

The Synthesis Institute has emerged as a global leader in the modern psychedelic movement and the integration of psychedelics into contemporary culture. Dedicated to providing world-class education and training, we empower aspiring and established psychedelic practitioners with the professional foundations necessary to responsibly navigate this emerging field.

With a pioneering history of advancing psychedelic research and offering legal, intentional, and professionally guided psychedelic retreat experiences to over 1,000 individuals, the Synthesis Institute has established itself as a trusted educational provider for a global, growing community of more than 500 students and graduates.

Our Mission