Thrive Therapeutic Software Ltd, trading as Thrive (Thrive/We), is committed to protecting and respecting your privacy. For the purposes of the General Data Protection Regulation (GDPR) and any subsequent UK legislation covering data protection, Thrive is the data controller.
This Policy sets out why we collect personal information about individuals, whether via our website at https://thrive.uk.com/ (Site), through our app Thrive: Mental Wellbeing available on the Apple App Store and on the Google Play Store (App) or through some other means of communication, and how we use that information. It explains the legal basis for this and the rights you have over the way your information is used.
This Policy covers Thrive in relation to the collection and use of the information you give us. We may change this Policy from time to time. If we make any significant changes, we will advertise this on the website or contact you directly with the information. Please check this page occasionally to make sure you are happy with any changes.
If you have any questions about this Policy or concerning your personal information, please send an email to firstname.lastname@example.org or write to us at 15 Warwick Road, Stratford Upon Avon, CV37 6YW..
What type of personal information we collect
The type and amount of information we collect depends on why you are providing it.
The information we collect when you make an enquiry or fill out one of the forms on our Site (as well as when posting material or requesting further services, or when you report a problem with our services) includes:
- First name (optional)
- Last name (optional)
- Email (for login)
- IP address (to provide locally relevant information)
- OS (to identify and fix bugs)
- Browser (to identify and fix bugs)
The information we collect when you use our App includes special category data (as defined in the GDPR) which is necessary for the functionality of the App.
Our payments are processed by the Apple App Store and third-party payment provider, Stripe. We do not store any of your financial data on our servers.
If you are a job applicant, the information you are asked to provide is as set out in the application form and necessary for the purposes of our considering the application.
(together, personal information or your information)
How we collect personal information
We may collect personal information from you directly whenever you contact us or have any involvement with us. For example, when you:
- use our App
- visit the Site, including, but not limited to, traffic data, location data, web logs and other communication data
- enquire about our activities or services
- sign up to receive news about our activities
- register, create or update a profile
- post content on to our website/social media sites
- attend an online, telephone or one-to-one consultation with one of our mental health team members and provide us with information
- take part in our events
- contact us in any way including online, email, phone, SMS, social media or post
- fill in forms on the Site
- complete a survey that we use for research purposes
- carry out a transaction through the Site
- provide details of how effective the treatment provided through our App is and your progress during your use of our App.
We collect personal information from you indirectly:
(1) when you have given other organisations permission to share it: your information may be provided to us by other organisations if you have given them your permission. This might for example be a business working with us or when you buy a product or service from a third-party organisation. The information we receive from other organisations depends on your settings or the option responses you have given them.
(2) When it is in available on social media: depending on your settings or the privacy policies applying for social media and messaging services you use, like Facebook, Instagram or Twitter, you might give us permission to access information from those accounts or services.
How we use your personal information
We will use your personal information in a number of ways which reflect the legal basis applying to processing of your data. These may include:
- providing you with the information or services you have asked for
- sending you communications with your consent relevant to the Site and the App, including for example changes of policy, server availability, updates to the App and progress reports
- when necessary, for carrying out our obligations under any contract between us
- seeking your views on the services or activities we carry on, so that we can make improvements
- maintaining our organisational records and ensuring we know how you prefer to be contacted
- analysing the operation of our website and analysing your website behaviour to improve the website and its usefulness
- processing job applications
- establishing how you are responding to the interventions in the App.
- helping us make improvements to the methods of self-management and to our App
- ensuring that content from the Site is presented in the most effective manner
- providing you with information, products or services that you request from us or which we consider may interest you, where you have consented to be contacted for such purposes.
- carrying out our obligations arising from any contracts entered into between you and us
- allowing you to participate in interactive features of our service, when you choose to do so
- notifying you about changes to our service
- monitoring your progress during your use of the App
Use of Aggregated Data
Where data can be aggregated (and anonymised), we may use this for research purposes without restriction.
For example, we may monitor customer traffic patterns, Site and Services usage and related information in order to optimise users’ usage of the Site and Services and we may give aggregated statistics to a reputable third party.
We are entitled to do this because the resulting data will not personally identify you and will therefore no longer constitute personal data for the purposes of data protection laws.
Our legal basis for processing your personal information
The use of your personal information for the purposes set out above is lawful because one or more of the following applies:
- where you have provided information to us for the purposes of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the information for that purpose, based on the way that you provided the information to us. You may withdraw consent at any time by emailing us at email@example.com. This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned;
- it is necessary for us to hold and use your information so that we can carry out our obligations under a contract entered into with you or to take steps you ask us to prior to entering into a contract;
- it is necessary to comply with our legal obligations or government, regulatory or clinical guidelines, including those provided by NHS Digital;
- where the purpose of our processing is the provision of information or services to you, we may also rely on the fact that the processing is necessary for our legitimate interests, having balanced that need against your interests, rights and freedoms as a data subject and concluded that such processing would not cause you unjustified harm or be unexpected;
- where the processing is to protect the vital interests of you or another individual or individuals
How we keep your personal information safe
We understand the importance of keeping your personal information secure and take appropriate steps to safeguard special category data, as follows:
- Special category data is encrypted on transmission and at rest
- All access to the live database is logged
- There are only three authorised individuals that can access the live database
- Our servers are protected by extensive physical security
- All systems go through a daily scan for vulnerabilities
We always ensure only authorised persons have access to special category data, which means only our employees, and that everyone who has access is appropriately trained to manage your information.
No data transmission over the internet can be guaranteed to be completely secure. So whilst we strive to safeguard your information, we cannot guarantee the security of any information you provide online and you do this at your own risk.
Who has access to your personal information?
- Third parties who provide services for us, for example Stripe.com, that processes payments for us, or providers used. We select our third party service providers with care. We provide these third parties with the information that is necessary to provide the service and we will have an agreement in place that requires them to operate with the same care over data protection as we do
- Third parties if we run an event in conjunction with them. We will let you know how your information is used when you register for any event
- Third parties in connection with restructuring or reorganisation of our operations, for example if we merge with another business. In such event, we will take steps to ensure your privacy rights will be protected by the third party
Owing to matters such as financial or technical considerations, the information you provide to us may be transferred to countries outside the European Economic Area (EEA), which are not subject to the same data protection regulations as apply in the UK. This might be if you are using the App from an internet location outside the EEA, or specifically for the purpose of fulfilling your order, the processing of your payment details and/or the provision of support services. Currently, the two third-party suppliers we use for this purpose are Apple Incorporated (www.apple.com) and Stripe (www.stripe.com).
Where such data transfer is for a purpose other than when you are using the App from an internet location outside the EEA, we meet our obligations under GDPR by ensuring that the information has equivalent protection as if it were being held within the EEA. We do this by ensuring that any third parties processing your information outside the EEA either benefits from an adequacy determination for GDPR purposes and/or, where appropriate, we have entered into a data processing agreement with each such third party which contains model EU clauses.
We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.
Other than this, we will not share your information with other organisations without your consent.
Keeping your personal information up to date
How long we keep your personal information for
We will hold your personal information for as long as it is necessary for the relevant activity. We follow the Records Management Code of Practice for Health and Social Care 2016 for all end-user data of our App. Any other data is deleted immediately when the relevant activity stops.
Where we rely on your consent to contact you for direct marketing purposes, we will treat your consent as lasting only for as long as it is reasonable to do so. This will usually be until two years after the last time you used our services. We may periodically ask you to renew your consent.
If you ask us to stop contacting you with marketing materials, we will keep a record of your contact details and limited information needed to ensure we comply with your request.
You have the right to request details of the processing activities that we carry out with your personal information through making a subject access request. Such requests have to be made in writing. More details about how to make a request, and the procedure to be followed, can be found in our Data Protection Policy. To make a request, please contact us at firstname.lastname@example.org or through our contact page thrive.uk.com/contact-us
You also have the following rights:
- the right to request rectification of personal information that is inaccurate or out of date;
- the right to erasure of your information (known as the “right to be forgotten”);
- the right to restrict the way in which we are dealing with and using your information; and
- the right to request that your information be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”);
- rights in relation to automated decision making and profiling including profiling for marketing purposes.
All of these rights are subject to certain safeguards and limits or exemptions, further details of which can be found in our Data Protection Policy. To exercise any of these rights, you should contact our Data Protection Officer at the above email address.
If you are not happy with the way in which we have processed or dealt with your information, you can complain to the Information Commissioner’s Office. Further details about how to complain can be found here.
Surveys and user groups
We always aim to improve the services we offer. As a result, we occasionally canvass our customers using surveys (where the customer has opted in for this). Participation in surveys is voluntary, and you are under no obligation to reply to any survey you might receive from us. Should you choose to do so, we will treat the information you provide with the same high standard of care as all other customer information.
This Policy was last updated in August 2018