This Privacy Policy applies to personal data processed by Synapse Research Lab LLC, a Wyoming limited liability company (“Synapse”, “we”, “us”, “our”), in connection with the website thesynapselab.com and any associated services (the “Service”). It explains what personal data we collect, why we process it, with whom we share it, how long we keep it, and the rights you have. It is written to comply with U.S. state privacy laws (including the California Consumer Privacy Act as amended by the CPRA), the EU General Data Protection Regulation (Regulation 2016/679, the “GDPR”), and the UK GDPR and Data Protection Act 2018.
1. Controller & Contact
For the purposes of the GDPR and UK GDPR, the controller is Synapse Research Lab LLC. For privacy questions, requests, or complaints, please contact privacy@thethesynapselab.com. If we appoint an EU or UK representative or a Data Protection Officer, their contact details will be published on this page.
2. Personal Data We Collect
We collect personal data in the following categories. The exact items depend on how you interact with the Service.
2.1 You provide to us
- Account & contact data: name, email address, password (stored hashed and salted), phone number (optional), organisation, role, country.
- Order data: billing address, shipping address, purchase history, Products ordered, attestations made (including Researcher Representation and Acknowledgement), invoices, refund requests, support tickets.
- Payment data: processed by our payment provider (Nifti Pay and any other processor we engage). We receive a payment token, the last four digits of the card, the card brand, the country of the issuer, and the authorisation result. We do not store full card numbers or CVV codes.
- Communications: the content of emails, support messages, chat transcripts, survey responses, and any documents you submit (e.g. institutional verification).
- Marketing preferences: consents, opt-ins, opt-outs, and topic preferences.
2.2 Collected automatically
- Device & usage: IP address, approximate location derived from IP, browser type and version, operating system, device identifiers, referring URL, pages viewed, items viewed, items added to cart, session timestamps, click paths, and interaction events.
- Cookies & similar technologies: see our Cookie Policy for the categories of cookies, pixels, local storage, and SDKs we use, the purposes for which they are set, and how to manage them.
2.3 From third parties
- Fraud, sanctions & identity: verification results from anti-fraud, sanctions-screening, and (where applicable) age- or identity-verification providers.
- Logistics & carriers: tracking, delivery, and customs status updates.
- Analytics & advertising partners: aggregated performance and audience information.
We do not intentionally collect special-category data (e.g. health, biometric, genetic, racial, or political data). Please do not submit special-category data to us. If you do, you consent to our processing it as described here for the duration necessary to handle your request.
3. Purposes & Legal Bases
We process personal data for the purposes set out below. Where the GDPR or UK GDPR applies, the legal bases are indicated in brackets.
- Account & order management (Art. 6(1)(b) GDPR — contract performance; Art. 6(1)(c) — compliance with our legal obligations).
- Researcher Representation & risk assessment (Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interests in protecting our business and preventing misuse of Products).
- Fraud prevention, sanctions screening, AML/KYC (Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests).
- Customer support (Art. 6(1)(b); Art. 6(1)(f)).
- Site analytics, performance, security & quality improvement (Art. 6(1)(f) — legitimate interests in operating and improving the Service; or Art. 6(1)(a) — consent, where required by law for non-essential cookies).
- Marketing communications (Art. 6(1)(a) — consent where required, including soft opt-in rules under the ePrivacy Directive / PECR; Art. 6(1)(f) — for existing customers receiving similar product communications).
- Legal claims, regulatory compliance, audits & tax reporting (Art. 6(1)(c); Art. 6(1)(f)).
4. How We Share Personal Data
We share personal data only with the categories of recipients listed below.
- Service providers (processors): hosting and infrastructure providers (including Vercel and our backend hosting partner), e-commerce platform (Medusa), database providers, email providers, payment processor (Nifti Pay), analytics providers, customer-support tools, anti-fraud and sanctions-screening services, and shipping/customs partners. Each is bound by a data-processing agreement that restricts the use of the data to the purposes described in this Policy.
- Carriers & customs authorities: shipping providers and the customs and postal authorities of the origin and destination jurisdictions, for the purpose of fulfilling and clearing your shipment.
- Professional advisors: lawyers, accountants, and auditors under appropriate confidentiality obligations.
- Authorities & regulators: where required by law, including in response to lawful requests from courts, regulators, tax authorities, or law-enforcement agencies, and to establish, exercise, or defend legal claims.
- Corporate transactions: in connection with any merger, acquisition, restructuring, financing, or sale of assets, subject to appropriate confidentiality.
We do not sell personal data. We do not share personal data for cross-context behavioural advertising without the consent required by applicable law.
5. International Transfers
We are headquartered in the United States and use service providers located worldwide. When we transfer personal data from the EEA, UK, or Switzerland to a country that is not subject to an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, supplementary measures where required, or on a derogation under Art. 49 GDPR (such as your explicit consent or contract necessity). You may request a copy of the safeguards we use by contacting privacy@thethesynapselab.com.
6. Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, tax, audit, and reporting obligations and to resolve disputes and enforce our agreements.
- Account data: for the lifetime of the account plus up to seven (7) years after closure, to comply with financial-record-keeping and statute-of-limitations periods.
- Order, invoice & tax data: typically seven (7) to ten (10) years, depending on the applicable tax regime.
- Researcher Representations & Acknowledgements: retained for the longer of (a) the limitation period in the governing law for product-liability and contractual claims, or (b) ten (10) years.
- Marketing data: until you withdraw consent or object, plus a short suppression period to honour your choice.
- Server logs: typically 30 to 90 days for security and operational purposes; longer for security-incident investigation.
7. Your Rights
Subject to applicable law, you may have the following rights:
- Access — a copy of personal data we hold about you.
- Rectification — correction of inaccurate or incomplete data.
- Erasure — deletion in certain circumstances (subject to our retention obligations).
- Restriction — limit our processing in certain circumstances.
- Portability — receive certain data in a structured, machine-readable format and transmit it to another controller.
- Objection — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing.
- Non-discrimination & CCPA rights (California residents) — right to know, delete, correct, opt out of sale/sharing, limit use of sensitive personal information, and to be free from discriminatory treatment for exercising these rights. We do not sell or share personal information for cross-context behavioural advertising; an opt-out is provided where required.
- Complain to a supervisory authority — in the EEA, your national data-protection authority; in the UK, the Information Commissioner's Office (ico.org.uk); in California, the California Privacy Protection Agency.
To exercise any right, please email privacy@thethesynapselab.com with sufficient information for us to verify your identity. We aim to respond within the timelines required by applicable law (typically one month under GDPR/UK GDPR, with a possible two-month extension for complex requests).
8. Cookies & Tracking
We use cookies and similar technologies to operate the Service, remember your preferences, measure performance, and (where you have consented) to support marketing. See our Cookie Policy for full details and controls.
9. Security
We use commercially reasonable technical and organisational measures designed to protect personal data, including encryption in transit, access controls, hardened authentication, network segmentation, and regular reviews of our security posture. No security measure is perfect, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials.
10. Children
The Service is not directed to and is not intended for children. Synapse does not knowingly collect personal data from anyone under the Minimum Age. If you believe a child has provided us with personal data, please contact privacy@thethesynapselab.com and we will delete the data in accordance with applicable law.
11. Automated Decision-Making
We may use automated tools to support fraud prevention, sanctions screening, and order risk-assessment. These tools may rank transactions for review. They do not produce legal or similarly significant effects in respect of you within the meaning of Art. 22(1) GDPR without human involvement; a member of our team reviews flagged Orders before any cancellation. If you wish to contest a decision, please contact privacy@thethesynapselab.com.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by reasonable means (such as a banner on the Site or a notice to your account email) and the “Last Updated” date above will be revised. Continued use of the Service after the effective date of a change constitutes acceptance, subject to any consent we are required to obtain.
13. Contact
Synapse Research Lab LLC
1309 Coffeen Avenue STE 19953
Sheridan, Wyoming 82801
United States of America
Privacy contact: privacy@thethesynapselab.com