Privacy Policy | Thrive Therapeutic Software

About this Privacy Notice

Thrive Therapeutic Software Ltd (Thrive) is committed to protecting your personal information and being transparent about how we use it, whether you use our App, Thrive: Mental Wellbeing (Thrive App), or are applying for a job with us, or we have a commercial relationship.

This Privacy Notice gives you a clear explanation about how Thrive collects personal information (or “personal data”), the types of personal information we collect, how we use it (or “process” it) and whether we share it with anyone else. It also explains your legal rights and choices regarding the information you provide to us.

Children’s Privacy: Our services are not aimed at children. In the limited circumstances where we may collect and use personal information about children, we will comply with relevant law and guidelines.

Please take the time to read this information carefully and if you have any questions about it please contact Thrive’s Data Protection Officer (DPO), whose contact details can be found below.

Our Contact Details

If you need to contact us about this Privacy Notice or have any query relating to your personal information, you can contact us by email or post. Please contact our Data Protection Officer using any one of the contact details below.

Data Protection Officer
Thrive Therapeutic Software Limited
15 Warwick Road
Stratford Upon Avon
Warwickshire
CV37 6YW
[email protected]

Who Is Responsible for Your Personal Data?

Thrive is responsible for how and why your personal data is used. The legal phrase for this is Data Controller (or “Controller”).

Thrive is a limited liability company incorporated in England & Wales with registration number 07928073.

Security of Your Personal Data

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. For example:

Your personal data is encrypted both on transmission and at rest;
All access to our live database is logged;
Access to our live database is restricted to those staff that require it to provide the service;
Your personal data is securely stored on servers located in London, UK which are protected by extensive physical security;
Thrives IT systems are scanned daily for vulnerabilities.

We have also put in place procedures to deal with any suspected or actual personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We restrict access to your personal data to those employees, agents, contractors and third-party service providers that have a legitimate requirement to be able to access your information. In any event, we have taken the necessary measures to ensure that these other parties handle your information securely and only on our instructions.

No data transmission over the internet can be guaranteed to be completely secure. So, whilst we strive to safeguard your personal data, we cannot guarantee the security of any information you provide online and you do this at your own risk.

If you would like more specific information about our security measures please contact our DPO.

Cookies

By using our website, you agree that we can use cookies for the purposes described below on your device unless you adjust your browser to manage or prevent cookies.

In addition to the information which you supply to us, our website uses some standard technology to automatically collect further information from your visit, through the use of cookies.

Cookies are small text files which are downloaded to your device when you visit our website. Software on your device, for example, a web browser, stores the cookies and sends them back to our website next time you visit. Cookies allow websites to recognise your device and preferences and provide information to the owners of sites which can be used to improve your online experience. Cookies allow us to manage user preferences, enable content, recognise repeat users and gather analytic and usage data so we can observe behaviour and compile aggregate data to improve our website for you.

We do not use cookies to deliver targeted advertising.

Please see our cookie policy to learn more about how we use cookies and how to opt out of using them.

Links to Other Websites

Our website may contain links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their Privacy Notices. When you leave our website, we recommend that you read the Privacy Notice of any website you visit.

Information We Transfer Outside the European Economic Area (EEA) and the UK

Some of our service providers are located outside the EEA, and so to use their services your personal data may be transferred outside the EEA.

Whenever we transfer your personal information to countries outside the EEA, we will process and safeguard your information in accordance with this Privacy Notice, ensure that it is adequately protected and that the transfer complies with data protection law.

We only transfer personal information to other countries when it is necessary for the services we provide you, or it is necessary for the establishment, exercise or defence of legal claims or subject to safeguards that assure the protection of your personal information. For example, we will ensure that your data is transferred:

to countries, which fall under an adequacy decision by the EU-Commission and have been deemed to provide an adequate level of protection for personal data, currently including Switzerland, Uruguay, Argentina, Japan, Israel, Isle of Man, New Zealand, Guernsey, Canada, Andorra, Faroe Islands and Jersey;
Governed by one of the following safeguards: EU Commission-approved Standard Contractual Clauses;

If you would like more information about the safeguards and mechanisms we deploy to ensure your information is adequately protected when it is transferred outside the EEA, please contact Thrive’s DPO.

Your Legal Rights

You have the following legal rights in relation to the processing of your personal information:

To be informed: You have the right to know what personal information we are processing about you, how and why. The information in this Privacy Notice, together with other information on our website, is intended to provide you with this information. If you need more information, please contact our DPO.
Access: You have the right to request a copy of your personal information that we hold about you together with other information relating to its use, subject to the application of any relevant legal exemptions.
Erasure: At your request, we will delete your personal information from our records providing we don’t have an overriding legitimate reason for holding on to it.
Rectification: We aim to keep your personal information accurate, current, and complete. We encourage you to contact us by emailing [email protected] let us know if any of your personal information is inaccurate or changes so that we can keep it correct and up-to-date.
Objecting: In certain circumstances, you have the right to object to the processing of your personal information where we are: (i) processing your personal information on the legal basis of legitimate interests and we have no compelling reason we can demonstrate to continue with that processing, or (ii) using your personal information for direct marketing, or (iii) using your personal information for statistical purposes.
Right to restrict processing: you have the right to ask us to restrict the processing of your personal information whilst a disagreement is resolved about its accuracy or whether we can use it on the legal basis of “legitimate interests”.
Rights related to automated decision making: where we take automated decisions in relation to your personal information with no human involvement (i.e. such as credit scoring) you have the right to ask us for human intervention or to challenge any such decision.
Right to withdraw consent: If you have provided your consent to the collection, processing and transfer of your personal information, you have the right to fully or partly withdraw your consent.
Portability: You have the right to request that some of your personal information is provided to you, or to another information controller, in a commonly used, machine-readable format.

How to Exercise Your Legal Rights:

You may exercise any of the above rights, at any time, by emailing [email protected] together with a proof of your identity, i.e. a copy of your ID card, or passport, or any other valid identifying document.

Complaints

If you believe that your information protection rights may have been breached, you have the right to lodge a complaint with the applicable supervisory authority, or to seek a remedy through the courts.

Updating Your Personal Data

If any of the personal data that you have provided to us changes, for example, if you change your email address or if you wish to cancel any request you have made of us, or if you become aware we have any inaccurate personal data about you, please let us know by sending an email to [email protected].

We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.

Change of Ownership

If we were to sell or transfer Thrive to another organisation, your records would also transfer to the new owner. Limited information may also be shared, where required, with legal and other professional advisors involved in that transaction.

The reason we would transfer your records is to minimise the disruption to the ongoing operation of Thrive and to ensure we and a new owner were able to comply with our legal obligations regarding the retention of such records, including the ongoing delivery of care to our members and others.

Changes to our Privacy Notice

We will update and change this Privacy Notice from time to time to reflect any significant changes to how we process your personal data or changing legal requirements. Any changes we may make to this Privacy Notice in the future will be posted on our website on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates to our Notice to make sure you are happy with any changes.

Want More Detail?

The type of personal information we collect and how we use it will vary depending on our relationship. To find out more about how we use your personal information, you should select and read the detailed Privacy Notice that applies to our relationship.

Simply choose from the options below:

Service Users of the Thrive Mental Wellbeing App and other Thrive services (including prospective and past service users)
Job Applicants
Commercial contacts

Service Users of the Thrive Mental Wellbeing App and other Thrive Services

The following information forms part of our Privacy Notice for service users of the Thrive Mental Wellbeing App (the Thrive App) and other Thrive services such as guided self-help or Thrive Counselling, (including prospective, current and past service users). It also applies to individuals taking part in Thrive surveys and events.

It sets out further important information about the personal data that Thrive may collect and hold about you and how that information may be used.

Personal Data We Collect and How We Collect it

The extent of the personal information we collect and use will depend on what information you choose to provide to us and the Thrive service you are using. Different levels of personal data will be collected where necessary for the functioning of the Thrive app or the provision of Thrive services.

We may collect and process the following different kinds of personal data about you but only where required for the delivery of our service or where you choose to provide it to us:

Identity and Contact Data: such as your name, address, telephone number, email address, Date of Birth, and other personal information that you choose to provide;
Your country of residence
Ethnicity
NHS number (only where necessary for the service being provided)
Opinions
Support Contact Details: such as contact details of carers, close relatives, next of kin and representatives;
Correspondence between us such as enquiries, emails, incidents and complaints
Details of how you use our services including our website, the Thrive app, other Thrive Services, your IP address, or other device information;
Images and video may be recorded at our events
Technical information such as OS (to identify and fix bugs), Browser (to identify and fix bugs)
Other Information as may be reasonably required.

Special Categories of Personal Data

Special Category Personal Data specifically means personal data relating to race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data.

When you use the Thrive App or other Thrive Services, we may collect and process special category personal data where this is necessary for the functionality of the Thrive App or the provision of the Thrive services. For example:

Details about your current physical or mental health, your medical history, treatments, test results, medication, referrals, care plans, care packages, medial opinions, weight, lifestyle and details of relevant support you are receiving;
Details about your health and mood so the Thrive app can provide relevant assistance for self-management or promotion of wellbeing;
Details about your sex life and/or sexual orientation, your religion, nationality, race and/or ethnicity, but we will only collect this sort of information where you choose to provide it to us.

We do not routinely collect any information about criminal convictions (including offences and alleged offences and any court proceedings or sentence) unless you give this sort of information to us.

Source of Your Personal Information

Thrive expects to collect your personal information directly from you and indirectly via third-party sources. For example:

Thrive collects your personal data directly from you in these ways:

when you use the Thrive App or receive another Thrive service such as a telephone consultation with a Thrive mental health team member;
when you send us an enquiry, sign up to receive news about our services or submit an online form or otherwise carry out any transaction via our website;
when you take part in a Thrive research survey;
when you register, create or update a profile;
when you communicate with us;
when you post content to our website or social networking platforms;
when you attend one of our events;

Thrive collects your personal data indirectly from third parties where you have given another organisation permission to share your personal data with Thrive. For example, where Thrive is working with a third-party organisation or where you purchase a product or service from a third-party organisation. The personal data Thrive receives may depend upon the settings and options you have with that third-party organisation.

If You Choose Not to Provide Personal Data to Us

In order for Thrive to provide its services to you, we do require you to provide us with a certain amount of your personal data. You are free to withhold information from us that you feel uncomfortable with disclosing.

In order to provide you with the Thrive App or other Thrive Services, we need to collect a valid email address from you. If you decide to withhold that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (to provide you with the Thrive App or other Thrive Services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

How We Use Your Personal Data

Thrive will process your personal data in accordance with this Privacy Notice and only where we are legally permitted to do so.

Generally, we will use your personal data for the following purposes:

To administer our services to you and to manage our relationship. Depending on our relationship this may include necessary communications and administration.
Where there is a legal or regulatory obligation to do so, such as in connection with fraud prevention, for safeguarding purposes or in connection with legal proceedings;
In connection with your treatment and/or care, including tests or assessments and health/medical examinations;
For our legitimate business purposes including administration, surveys, events, use of third-party services such as IT, insurance and legal advice.

What Legal Basis Does Thrive Have for Using my Personal Data?

The EU General Data Protection Regulation (GDPR) requires us to have a legal basis to justify using your personal data. The legal basis used will vary, depending on why we are using your personal data. If we process "special categories of personal information" such as health or medical information, we must have an additional legal basis to justify using it.

The table below identifies the purposes for using your personal data together with the legal basis for doing so under GDPR:

Purpose	Legal Basis for Processing
Processing your enquiry, online form or correspondence, setting up a new account, managing your consultations and other appointments.	Taking the necessary steps so that you can enter into a contract with us for the delivery of the Thrive App or other Thrive services. (Article 6(1)(b) GDPR) The use is necessary for fulfilling our legitimate business interests (e.g. business administration or responding to your enquiry) and those interests are not overridden by your privacy rights and freedoms. (Article 6(1)(f) GDPR)
	Legal Basis for Special Category Personal Data
	Explicit consent (Article 9(2)(a) GDPR) For the purposes of healthcare, treatment and the management of our healthcare systems and services. (Article 9(2)(h) GDPR)
Purpose	Legal Basis for Processing
Processing your personal data through the Thrive App. Managing your consultations and appointments. Providing you with healthcare, services through the Thrive App and other Thrive Services.	Fulfilling our contract with you for the provision of the Thrive App and other Thrive services. (Article 6(1)(b) GDPR)
	Legal Basis for Special Category Personal Data
	The use is necessary to provide you with healthcare (or health assessment) and other related services. (Article 9(2)(h) GDPR) Explicit consent (Article 9(2)(a) GDPR) To protect your vital interests where you are physically or legally incapable of giving consent. (Article 9(2)(c) GDPR)
Purpose	Legal Basis for Processing
Liaising with other healthcare professionals about your care. Contacting others where necessary such as your support/emergency contacts. Sharing your personal data with external third-parties for regulatory or legal reasons such as safeguarding purposes.	Fulfilling our contract with you for the provision of Thrive services. (Article 6(1)(b) GDPR) For our legitimate interest in ensuring that other healthcare professionals who are involved in your care (such as your GP) or other clinician, are fully informed about your treatment by us, providing these interests are not overridden by your own privacy rights and protections. (Article 6(1)(f) GDPR)
	Legal Basis for Special Category Personal Data
	For the purposes of preventative medicine, medical diagnoses, the provision of healthcare or treatment or the management of healthcare systems and services (Article 9(2)(h) GDPR) To protect your vital interests where you are physically or legally incapable of giving consent (Article 9(2)(c) GDPR) For reasons of substantial public interest under UK or EU law. (For example, where it is necessary for safeguarding purposes.) (Article 9(2)(g) GDPR) For us to establish, exercise or defend our legal rights (Article 9(2)(f) GDPR
Purpose	Legal Basis for Processing
For internal training, security and overall quality purposes. This may include monitoring phone calls and other correspondence and conducting surveys.	For our legitimate interest in ensuring that our staff are adequately trained and ensuring that our service levels are of the standard we expect, providing these interests are not overridden by your own interests. (Article 6(1)(f) GDPR)
	Legal Basis for Special Category Personal Data
	For the provision of healthcare and the overall management of our healthcare systems (Article 9(2)(h) GDPR)
Purpose	Legal Basis for Processing
Investigating complaints or claims, defending or exercising our legal rights, complying with our legal and regulatory obligations including clinical guidelines provided by NHS Digital.	In order to comply with our legal obligations. (Article 6(1)(c) GDPR) For our legitimate interest in ensuring that our business meets required standards and its interests are protected, providing these interests are not overridden by your own privacy rights and protections. (Article 6(1)(f) GDPR)
	Legal Basis for Special Category Personal Data
	For us to establish, exercise or defend our legal rights. (Article 9(2)(f) GDPR) For the provision of healthcare and the overall management of our healthcare systems and services including those provided by a third party. (Article 9(2)(h) GDPR)
Purpose	Legal Basis for Processing
Managing our business: the retaining of client and patient records, maintaining and retaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (such as tax, financial, legal or public relations advice)	For our legitimate interest in managing and developing our business, providing that these interests are not overridden by your own privacy rights and protections. (Article 6(1)(f) GDPR) In order to comply with our legal obligations. (Article 6(1)(c) GDPR
	Legal Basis for Special Category Personal Data
	For the provision of healthcare and the overall management of our healthcare systems and services. (Article 9(2)(h) GDPR) For us to establish, exercise or defend our legal rights. (Article 9(2)(f) GDPR)
Purpose	Legal Basis for Processing
Disclosing and transferring some or all of your records to a third party where we sold or transferred all or part of our business or any of its assets	In order to comply with our legal and contractual obligations. (Article 6(1)(c) GDPR For our legitimate interest in developing our business, including marketing, providing that these interests are not overridden by your own privacy rights and protections. (Article 6(1)(f) GDPR)
	Legal Basis for Special Category Personal Data
	For the purposes of preventative medicine, medical diagnoses, the provision of healthcare or treatment or the management of healthcare systems and services. This includes the ability of third-party healthcare providers to be fully informed about your needs so they can provide you with an appropriate care. (Article 9(2)(h) GDPR) The transfer is necessary to protect your vital interests where you are physically or legally incapable of giving consent. (Article 9(2)(c) GDPR)

Who Do We Share Your Personal Data With?

We may share your personal data with third parties listed below for the purposes set out in the above table (Purposes/Legal Bases). Where your personal data is shared, only the minimum amount that is necessary to fulfil the purpose is shared. We always ensure that data is shared securely and strictly in accordance with the law.

Our Thrive healthcare professionals involved in your care or treatment.
Other members of our staff involved in your care or treatment such as our development team for the purposes of providing you with technical support or where providing specific data to our clinical team.
Where you provide us with your explicit consent or another legal reason exists, we may securely share your medical or health information and other personal or special category data with other professionals, who are not employed by us. These individuals will be subject to their own statutory duty of confidentiality and your data will be shared strictly in accordance with data protection laws.
Other healthcare service providers within the private sector.
NHS organisations and their private sector service providers such as your GP, NHS Resolution, NHS England, Clinical Commissioning Groups, NHS Trusts, or the Department of Health.
HM Revenue and Customs, regulators such as the Care Quality Commission and the Information Commissioner’s Office (ICO) and other authorities based in the UK and other relevant jurisdictions who require us to report processing activities in certain circumstances.
The police and other regulatory third parties in connection with the prevention and detection of crime or for safeguarding purposes.
The local Safeguarding Team (which comprises specialist members from the local authority, Police and NHS) where we are concerned for your safety and welfare or that of others.
Certain external third-party service providers whom we have engaged to perform services on our behalf and under our instructions. For example, our cloud service provider who provides our servers. We select our third-party service providers with care and only share the information that is necessary to provide the service. We have a contract with them that requires these third- party service providers to process your personal data only on our instructions, securely and in accordance with relevant data protection laws.
Third party professional advisors including lawyers, accountants, auditors and insurers.
Event partners where we are running the event in conjunction with a third-party. We will let you know how your information is going to be shared and why when you register for any event.
Anyone that has been appointed or you have asked to communicate with us on your behalf such as your insurer, individuals you have named as an emergency contact, such as your next of kin.
Third parties who have acquired our business or with whom we have merged.

Health Screening

Within the Thrive App we provide validated clinical questionnaires that screen for the presence of various mental health symptoms including symptoms of depression, anxiety, stress and other conditions. Once you complete one of these questionnaires we calculate your score and provide you with the questionnaire’s standardised results. Based on these results we provide you with goals and recommendations and, where guided self-help is provided, one of our psychological therapists may reach out to you to confirm if you would like additional support. You are free to ignore or change any of these goals and recommendations. Where guided self-help is provided, you are also free to reach out to our psychological therapists at any time regardless of the results of those screening questionnaires.

How Long We Keep Your Personal Data For

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Thrive follows the Records Management Code of Practice for Health and Social Care 2016 where it processes personal data in connection with the Thrive App and other Thrive services.

By law, we are required to retain basic information about our customers such as contact details, identity, financial and transaction data for six years after they cease being our customers for tax purposes.

In some circumstances, you have the legal right to ask us to delete your personal data. More information about this right can be found above in the section called “Your Legal Rights”.

If you would like more information about how long we retain specific records relating to you please contact Thrive’s DPO.

Other General Information About How We Process Your Personal Data

For general information about how we collect and process your personal data including for example, how we keep it secure, your legal rights and who to contact if you have any questions about this Privacy Notice or your personal data, please click here.

Privacy Notice for Job Applicants

The following information forms part of our Privacy Notice for job applicants. It sets out further important information about the personal data that Thrive Therapeutic Software Ltd, holds about you and how that information may be used.

The Personal Data We Collect About You

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data: such as your name, marital status and dependants, title, date of birth and gender, name of next of kin;
Contact Data: includes billing address, delivery address, email address and telephone numbers, next of kin contact details;
Recruitment Information: such as “right to work” permit documentation (if relevant), current or former employment details, professional qualifications, references and other information included in a Curriculum Vitae or cover letter or application form as part of the application process, photograph ID, work history and experience and interview records including the output from tasks performed during the recruitment process;
Financial Data: We may process information about your current remuneration and benefits should you choose to provide this;
CCTV footage: and other information obtained through electronic means such as swipe card records;
Other Data: Where your interview was conducted by video conference, we may retain a digital recording together with other information produced during the recruitment process.

Special Categories of Personal Data

Special Category Personal Data specifically means personal data relating your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data.

We may collect and hold the following special categories of information about you: Information about your health such as details of medical conditions, sickness records, Occupational Health records; race; ethnicity; sex life or sexual orientation; religious or philosophical beliefs and details of trade union membership.

We may also record any criminal convictions (including offences and alleged offences and any court proceedings or sentence) if you have given this information to us or we have obtained it from a third party such as the Disclosure and Barring Service.

Where Do We Obtain Your Personal Data From?

In most cases, Thrive collects personal data directly from candidates, through the application and recruitment process. However, sometimes, your personal data is obtained indirectly from third parties such as an employment agency. For example:

Thrive collects your personal data directly from you in these ways:

When you apply direct for a job with Thrive;
When you submit an enquiry via our website, or correspond with us by telephone, email or post about your application or prospective application.

Thrive may occasionally collect your personal data indirectly from third parties in these ways:

The Disclosure and Barring Service;
Overseas Police agencies (in the context of a job application);
Referees that have sent us a reference about you;
Professional and educational bodies such as the Nursing and Midwifery Council (NMC), Health and Care Professions Council (HCPC) in the context of confirmation of qualifications or professional regulatory matters;
A family member or other person communicating with us on your behalf;
Occasionally, government agencies such as HMRC or the Home Office.

If You Provide Us with Personal Information About Others

If you provide personal information to us about others you should inform the individual about the contents of this Privacy Notice. We will process such information in accordance with this Privacy Notice.

If You Fail to Provide Personal Data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (including an employment contract). In this case, we may have to cancel the contract we have with you or are trying to enter into with you, but we will notify you if this is the case at the time.

How We Use Your Personal Data

We will process your personal information in accordance with this Privacy Notice and only where we are legally permitted to do so. The main purposes for collecting and using your personal data are to facilitate your application for employment with us and so that we can comply with our legal and regulatory requirements. More information about how we use your personal data is set out below.

Data protection law requires us to have a legal basis to justify using your personal data. The legal basis used will vary, depending on why we are using your personal data. If we process more sensitive personal data, known as "special category personal data”, we must have an additional legal basis to justify using it.

You will find details of the "legal bases" we rely upon for each of our processing purposes set out below.

Purpose: The Recruitment Process

Thrive will use your personal data to assess your suitability for the role you have applied for including your qualifications, skills and experience. We may carry out background checks, take up references, confirm your qualifications and, where relevant confirm that you have the right to work in the UK. We will use your name and contact details to correspond with you about your application and for monitoring outcomes generally. Your information may be used to comply with our equal opportunity monitoring and reporting obligations are met. We will retain some of the recruitment records for a certain period in accordance with our Data Retention Policy.

Legal Bases:

Where the use is necessary in connection with your employment contract with us.
Where the use is necessary in order for us to comply with our legal obligations. For example, we may have a legal duty to carry out background checks.
Where the use is necessary for our legitimate interests including carrying out our assessment to see if you are suitable for the role you have applied for, complying with our legal obligations and developing our recruitment process, providing these interests are not overridden by your privacy rights and freedoms.

Additional legal bases for special categories of personal data:

Where the use is necessary in order for us to comply with our obligations as an employer. For example, we may need to process your health information to determine if we need to make reasonable adjustments so that you can attend the interview and carry out the job you have applied for and also to confirm your fitness to perform the job in question.
Where the use is necessary for reasons of substantial public interest based upon law. For example, where the job you are applying for entitles or requires us to carry out criminal records checks, to deal with insurance-related matters or fraud prevention and detection.
Occasionally, where the use is necessary to establish, exercise or defend our legal rights.

Purpose: Complying with our legal obligations and regulatory requirements

Legal Bases:

Where the use is necessary for us to comply with a legal obligation. For example, we may have a legal duty to carry out background checks or report certain concerns to a regulatory body.
Where the use is necessary for fulfilling our legitimate interests including compliance with relevant statutory, regulatory or legal requirements, providing those interests are not overridden by your privacy rights and freedoms.

Additional legal bases for special categories of personal data:

Where the use is necessary in order for us to establish, exercise or defend our legal rights.
Where the use is necessary for reasons of substantial public interest on the basis of law. For example, where it is necessary to process your personal information for the purposes of crime prevention or safeguarding purposes or to protect any individual from neglect or harm.

Who Do We Share Your Personal Data With?

We may share your personal data with third parties listed below for the purposes set out above (Purposes/Legal Bases). Where your personal data is shared, we only share the minimum amount of information required to fulfil the purpose of sharing. It is shared securely and strictly in accordance with the law.
Other internal staff at Thrive that are involved in the recruitment process, management of staff and record keeping.
Your previous employers, referees, other current employers, staffing agencies, educational establishments and professional bodies.
Disclosure and Barring Service or Disclosure Scotland.
Professionals, clinicians, other staff and our advisors in order to deal with questions, complaints or claims, including those made by yourself.
HM Revenue and Customs, our regulators such as the Care Quality Commission and the Information Commissioner’s Office (ICO) and other authorities based in the UK and other relevant jurisdictions who require us to report processing activities in certain circumstances.
The police and other regulatory third parties in connection with the prevention and detection of crime or for safeguarding purposes.
Certain external third-party service providers whom we have engaged to perform services on our behalf and under our instructions. For example, our cloud service provider who provides our virtual servers. We select our third-party service providers with care and only share the information that is necessary to provide the service. We have a contract with them that requires these third- party service providers to process your personal data only on our instructions, securely and in accordance with relevant data protection laws.
Third-party professional advisors including lawyers, accountants, auditors and insurers.
Anyone that has been appointed or you have asked to communicate with us on your behalf, such as your insurer, individuals you have named as an emergency contact, such as your next of kin.
Third parties to whom we may sell, transfer or merge parts of our business or assets.

Automated Decision-Making and Profiling

Thrive does not use your personal information for automated decision making or profiling purposes.

Automated decision-making is the process of using personal data to make a decision that produces significant legal effects for the individual involved, and that decision is made solely by automated means without a human being involved at all.

Profiling means the analysis of certain characteristics of an individual’s personality, behaviour, interests and habits to find out more about their preferences or to make predictions about their behaviour and/ or to make decisions about them.

How Long We Keep Your Personal Data For

In some circumstances, we may pseudonymise or anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

In some circumstances, you have the legal right to ask us to delete your personal data. More information about this right can be found above in the section called “Your Legal Rights”.

If you would like more information about how long we retain specific records relating to you please contact Thrive’s DPO.

Other General Information About How We Process Your Personal Data

For general information about we collect and process your personal data including for example, how we keep it secure, your legal rights and who to contact if you have any questions about this Privacy Notice or your personal data. Please click here.

Privacy Notice for Commercial Contacts

The following information forms part of our Privacy Notice for Thrive’s commercial contacts (Including our Corporate Partners or employees of a Corporate Partner or any other person which Thrive contacts or interacts with in the context of establishing, developing, maintaining, servicing or otherwise furthering the business relationship). It sets out further important information about the personal data that Thrive Therapeutic Software Ltd, holds about you and how that information may be used.

The Personal Data We Collect About You

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data: such as your name, information about your job title and hierarchical position; and educational level or work experience;
Business Contact Data: including company address, business telephone number and e-mail address;
Information you provide us during the course of our business relationship, including in response to corporate surveys or questionnaires or other correspondence;
Data from initiation, maintenance and execution of our business relationship, including performed and planned orders and related data such as delivery modalities or insurance coverages; user login and subscription data; use of our web services or newsletters; and data about your budget;
Company data of our Corporate Partners, such as company name and company business registration number; information from our due-diligence or other onboarding procedures; or our Corporate Partner´s business needs;
Data relating to the assertion or defence against legal claims, including the prevention of misconduct; compliance checks or investigations; and information regarding compliance violations or other infringements;
Personal contact details such as your mobile phone number where you choose to provide these to us;
Other Data: Where we conduct meetings via video conference, we may retain the recording together with other notes relating to our meeting.

Special Categories of Personal Data

Thrive does not expect to routinely process any special category personal data in relation to its business contacts.

Where Do We Obtain Your Personal Data From?

Most of the personal data we process, you have provided directly to us. Other personal data may be provided by your employer, our corporate partners or other instances involved in the initiation of your business relationship and/or the execution of contracts with our corporate partners.

In addition, we may process personal data which we permissibly obtain from publicly accessible third-party sources (such as LinkedIn) or that are legitimately transmitted to us by third parties (such as credit agencies).

If You Provide Us with Personal Information About Others

If You Fail to Provide Personal Data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel the contract we have with you or are trying to enter into with you, but we will notify you if this is the case at the time.

How We Use Your Personal Data

We will process your personal information in accordance with this Privacy Notice and only where we are legally permitted to do so. Thrive processes personal data of its business contacts for various business purposes in connection with your business relationship with Thrive or our corporate partners. These primarily include:

For the initiation, performance and execution of a contract with you or our Corporate Partners, including to meet our contractual obligations; necessary due diligence and other onboarding requirements.
For market analysis, including through surveys, to better understand the markets in which we do business; and for product and service development.
For account management and maintenance of our supplier database.
For business communication and promotion of our products and services.
In order to comply with our legal and regulatory obligations.
For the security of Thrives premises, IT security and in connection with data breach procedures.
For asserting or the defence of legal claims or the prevention of misconduct, compliance violations or other infringements, such as routine inspections; internal investigations; or dispute resolution cases.
In connection with our customer services activities, such as responding to your correspondence, queries or complaints.
For customer relationship management, including listing important contacts for our business; connecting individuals with accounts of our corporate partners and for customers surveys.
For the prevention and detection of crime.

Thrive processes personal relating to its Business Contacts based on multiple different legal bases: Most commonly, we will use your personal data in the following circumstances:

Where we need to perform a contract that we are about to enter into or have entered into with you. For example:

Where we need to process your personal data in order to initiate or perform a contract between us.

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. For example:

To grow the Company’s business by networking and market research and analysis of potential business opportunities as well as through direct marketing, including marketing activities and communications or regarding product or service development processes.

Where we need to comply with a legal obligation. For example:

Where we need to process your personal data to comply with a court order or a specific statutory obligation.

Generally, we would not routinely expect to rely on consent as a legal basis for processing your personal data other than in exceptional circumstances. For example, where we propose to publish an image of you on our website taken at one of our events. Where we do rely on consent to process your personal data, you have the right to withdraw that consent at any point in time. Details of how to do that can be found here.

Who Do We Share Your Personal Data With?

We may share your personal data with third parties listed below for the purposes set out above (Purposes/Legal Bases). Where your personal data is shared, we only share the minimum amount of information required to fulfil the purpose of sharing. It is shared securely and strictly in accordance with the law.

Other internal staff within Thrive;
Certain external third-party service providers whom we have engaged to perform services on our behalf and under our instructions. For example, our cloud service provider who provides our virtual servers. We select our third-party service providers with care and only share the information that is necessary to provide the service. We have a contract with them that requires these third-party service providers to process your personal data only on our instructions, securely and in accordance with relevant data protection laws;
Third party professional advisors such as lawyers, accountants, auditors and insurers;
Third parties to whom we may sell, transfer or merge parts of our business or assets.

Automated Decision-Making and Profiling

Thrive does not use your personal information for automated decision making or profiling purposes.

How Long We Keep Your Personal Data for

In some circumstances, you have the legal right to ask us to delete your personal data. More information about this right can be found above in the section called “Your Legal Rights”.

If you would like more information about how long we retain specific records relating to you please contact Thrive’s DPO.