Legal

Privacy Policy

Last updated: May 2026

1. Introduction

THRIVE ("we", "us", "our") is committed to protecting the privacy and security of personal data processed through our platform. This Privacy Policy explains how we collect, use, store, and protect information when you use the Thrive clinical care platform.

We act as a data processor on behalf of your organisation (the data controller) for all clinical and patient data. For account-related data (your login credentials, profile), we act as the data controller.

2. Information We Collect

Account Information

  • Full name and email address
  • Organisation membership and role
  • Password (stored as a secure hash — we never store plaintext passwords)

Clinical Data (processed on behalf of your organisation)

  • Service user personal details, health information, and care records
  • Incident reports, behavioural assessments, and care plans
  • Medication records and administration logs
  • Daily care observations and progress notes
  • Uploaded files (photos, documents)

Technical Data

  • IP address (for rate limiting and security purposes only)
  • Browser type and session information (for authentication)
  • Audit log entries (actions performed within the platform)

3. How We Use Your Information

We use information solely for the following purposes:

  • Providing and maintaining the Thrive platform
  • Authenticating users and managing access permissions
  • Enforcing security measures (rate limiting, session management)
  • Maintaining audit trails for governance and compliance
  • Providing technical support when requested

We do not use your data for advertising, marketing profiling, AI model training, or any purpose unrelated to delivering the Thrive service.

4. AI Processing

Thrive includes an optional AI writing assistant (Aayu) that runs entirely within your web browser. The AI model is downloaded to your device and processes text locally. No clinical text, patient data, or care plan content is transmitted to any external server during AI processing. We do not use any cloud-based AI services (such as OpenAI, Google, or similar) for processing your data.

5. Data Sharing

We do not sell, rent, trade, or share your personal or clinical data with any third party. The only parties with access to your data are:

  • Authorised members of your organisation (as determined by your admin)
  • Our infrastructure provider (Supabase/AWS) who act as a sub-processor under strict contractual obligations

We will only disclose data if required by law (e.g., a court order or regulatory requirement).

6. Data Storage & Security

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Database hosted on Supabase (AWS eu-west-2, London) with SOC 2 Type II compliance
  • Row Level Security (RLS) enforced on all database tables
  • Automatic daily backups with 7-day point-in-time recovery
  • Security headers including HSTS, CSP, X-Frame-Options
  • Rate limiting and automatic lockout on authentication endpoints
  • Leaked password protection (passwords checked against known breach databases)

For full details, see our Security Overview.

7. Data Retention

Clinical data is retained for as long as your organisation maintains an active account. Upon account closure, data is retained for a period consistent with healthcare record-keeping regulations (typically 8 years for adult health records as per NHS guidelines), after which it is permanently deleted from all systems including backups.

You may request data export or deletion at any time by contacting us.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure of your data
  • Restrict or object to processing
  • Data portability (export in standard formats)
  • Withdraw consent at any time
  • Lodge a complaint with the ICO (Information Commissioner's Office)

To exercise any of these rights, contact us at [email protected].

9. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising, analytics, or tracking cookies. For full details, see our Cookie Policy.

10. Children's Privacy

Thrive is a professional clinical tool intended for use by adult care practitioners. We do not knowingly collect personal data from individuals under 18 as platform users. Service user data relating to minors is processed solely on behalf of and under the direction of the data controller (your organisation).

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of any material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact

For any privacy-related questions or to exercise your data rights, contact us at: [email protected]