About this Privacy Notice
Thrive Therapeutic Software Ltd (Thrive) is committed to protecting your personal information
and
being transparent about how we use it, whether you use our App, Thrive: Mental Wellbeing (Thrive
App), or are applying for a job with us, or we have a commercial relationship.
This Privacy Notice gives you a clear explanation about how Thrive collects personal information (or
“personal data”), the types of personal information we collect, how we use it (or “process” it) and
whether we share it with anyone else. It also explains your legal rights and choices regarding the
information you provide to us.
Children’s Privacy: Our services are not aimed at children. In the limited circumstances where we may
collect and use personal information about children, we will comply with relevant law and
guidelines.
Please take the time to read this information carefully and if you have any questions about it please
contact Thrive’s Data Protection Officer (DPO), whose contact details can be found below.
Our Contact Details
If you need to contact us about this Privacy Notice or have any query relating to your personal
information, you can contact us by email or post. Please contact our Data Protection Officer using
any one of the contact details below.
Data Protection Officer
Thrive Therapeutic Software Limited
15 Warwick Road
Stratford Upon Avon
Warwickshire
CV37 6YW
dpo@thrive.uk.com
Who Is Responsible for Your Personal Data?
Thrive is responsible for how and why your personal data is used. The legal phrase for this is Data
Controller (or “Controller”).
Thrive is a limited liability company incorporated in England & Wales with registration number
07928073.
Security of Your Personal Data
We have put in place appropriate security measures to prevent your personal data from being
accidentally lost, used or accessed in an unauthorised way, altered or disclosed. For example:
- Your personal data is encrypted both on transmission and at rest;
- All access to our live database is logged;
- Access to our live database is restricted to those staff that require it to provide the
service;
- Your personal data is securely stored on servers located in London, UK which are protected by
extensive physical security;
- Thrives IT systems are scanned daily for vulnerabilities.
We have also put in place procedures to deal with any suspected or actual personal data breach and
will notify you and any applicable regulator of a breach where we are legally required to do so.
We restrict access to your personal data to those employees, agents, contractors and third-party
service providers that have a legitimate requirement to be able to access your information. In any
event, we have taken the necessary measures to ensure that these other parties handle your
information securely and only on our instructions.
No data transmission over the internet can be guaranteed to be completely secure. So, whilst we
strive to safeguard your personal data, we cannot guarantee the security of any information you
provide online and you do this at your own risk.
If you would like more specific information about our security measures please contact our DPO.
Cookies
By using our website, you agree that we can use cookies for the purposes described below on
your
device unless you adjust your browser to manage or prevent cookies.
In addition to the information which you supply to us, our website uses some standard technology to
automatically collect further information from your visit, through the use of cookies.
Cookies are small text files which are downloaded to your device when you visit our website. Software
on your device, for example, a web browser, stores the cookies and sends them back to our website
next time you visit. Cookies allow websites to recognise your device and preferences and provide
information to the owners of sites which can be used to improve your online experience. Cookies
allow us to manage user preferences, enable content, recognise repeat users and gather analytic and
usage data so we can observe behaviour and compile aggregate data to improve our website for
you.
We do not use cookies to deliver targeted advertising.
Please see our cookie policy to learn more
about how we use cookies and how to opt out of using
them.
Links to Other Websites
Our website may contain links to third-party websites, plug-ins and applications. Clicking on those
links or enabling those connections may allow third parties to collect or share data about you. We
do not control these third-party websites and are not responsible for their Privacy Notices. When
you leave our website, we recommend that you read the Privacy Notice of any website you visit.
Information We Transfer Outside the European Economic Area (EEA) and the UK
Some of our service providers are located outside the EEA, and so to use their services your personal
data may be transferred outside the EEA.
Whenever we transfer your personal information to countries outside the EEA, we will process and
safeguard your information in accordance with this Privacy Notice, ensure that it is adequately
protected and that the transfer complies with data protection law.
We only transfer personal information to other countries when it is necessary for the services we
provide you, or it is necessary for the establishment, exercise or defence of legal claims or
subject to safeguards that assure the protection of your personal information. For example, we will
ensure that your data is transferred:
- to countries, which fall under an adequacy decision by the EU-Commission and have been deemed to
provide an adequate level of protection for personal data, currently including Switzerland,
Uruguay, Argentina, Japan, Israel, Isle of Man, New Zealand, Guernsey, Canada, Andorra, Faroe
Islands and Jersey;
or are
- Governed by one of the following safeguards: EU Commission-approved Standard Contractual
Clauses;
If you would like more information about the safeguards and mechanisms we deploy to ensure your
information is adequately protected when it is transferred outside the EEA, please contact Thrive’s
DPO.
You have the following legal rights in relation to the processing of your personal information:
- To be informed: You have the right to know what personal information we are processing
about you, how and why. The information in this Privacy Notice, together with other information
on our website, is intended to provide you with this information. If you need more information,
please contact our DPO.
- Access: You have the right to request a copy of your personal information that we hold
about you together with other information relating to its use, subject to the application of any
relevant legal exemptions.
- Erasure: At your request, we will delete your personal information from our records
providing we don’t have an overriding legitimate reason for holding on to it.
- Rectification: We aim to keep your personal information accurate, current, and complete.
We encourage you to contact us by emailing dpo@thrive.uk.com let us know if any of your
personal information is inaccurate or changes so that we can keep it correct and up-to-date.
- Objecting: In certain circumstances, you have the right to object to the processing of
your personal information where we are: (i) processing your personal information on the legal
basis of legitimate interests and we have no compelling reason we can demonstrate to continue
with that processing, or (ii) using your personal information for direct marketing, or (iii)
using your personal information for statistical purposes.
- Right to restrict processing: you have the right to ask us to restrict the processing of
your personal information whilst a disagreement is resolved about its accuracy or whether we can
use it on the legal basis of “legitimate interests”.
- Rights related to automated decision making: where we take automated decisions in
relation to your personal information with no human involvement (i.e. such as credit scoring)
you have the right to ask us for human intervention or to challenge any such decision.
- Right to withdraw consent: If you have provided your consent to the collection,
processing and transfer of your personal information, you have the right to fully or partly
withdraw your consent.
- Portability: You have the right to request that some of your personal information is
provided to you, or to another information controller, in a commonly used, machine-readable
format.
How to Exercise Your Legal Rights:
You may exercise any of the above rights, at any time, by emailing dpo@thrive.uk.com together with a
proof of your identity, i.e. a copy of your ID card, or passport, or any other valid identifying
document.
Complaints
If you believe that your information protection rights may have been breached, you have the right to
lodge a complaint with the applicable supervisory authority, or to seek a remedy through the
courts.
Updating Your Personal Data
If any of the personal data that you have provided to us changes, for example, if you change your
email address or if you wish to cancel any request you have made of us, or if you become aware we
have any inaccurate personal data about you, please let us know by sending an email to
dpo@thrive.uk.com.
We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or
incomplete personal data that you provide to us.
Change of Ownership
If we were to sell or transfer Thrive to another organisation, your records would also transfer to
the new owner. Limited information may also be shared, where required, with legal and other
professional advisors involved in that transaction.
The reason we would transfer your records is to minimise the disruption to the ongoing operation of
Thrive and to ensure we and a new owner were able to comply with our legal obligations regarding the
retention of such records, including the ongoing delivery of care to our members and others.
Changes to our Privacy Notice
We will update and change this Privacy Notice from time to time to reflect any significant changes to
how we process your personal data or changing legal requirements. Any changes we may make to this
Privacy Notice in the future will be posted on our website on this page and, where appropriate,
notified to you by email. Please check back frequently to see any updates to our Notice to make sure
you are happy with any changes.
Want More Detail?
The type of personal information we collect and how we use it will vary depending on our
relationship. To find out more about how we use your personal information, you should select and
read the detailed Privacy Notice that applies to our relationship.
Simply choose from the options below:
Service Users of the Thrive Mental Wellbeing App and other Thrive Services
The following information forms part of our Privacy Notice for service users of the Thrive Mental
Wellbeing App (the Thrive App) and other Thrive services such as guided self-help or Thrive
Counselling, (including prospective, current and past service users). It also applies to
individuals taking part in Thrive surveys and events.
It sets out further important information about the personal data that Thrive may collect and
hold about you and how that information may be used.
Personal Data We Collect and How We Collect it
The extent of the personal information we collect and use will depend on what information you
choose to provide to us and the Thrive service you are using. Different levels of personal data
will be collected where necessary for the functioning of the Thrive app or the provision of
Thrive services.
We may collect and process the following different kinds of personal data about you but only
where required for the delivery of our service or where you choose to provide it to us:
- Identity and Contact Data: such as your name, address, telephone number, email
address, Date of Birth, and other personal information that you choose to provide;
- Your country of residence
- Ethnicity
- NHS number (only where necessary for the service being provided)
- Opinions
- Support Contact Details: such as contact details of carers, close relatives, next of
kin and representatives;
- Correspondence between us such as enquiries, emails, incidents and complaints
- Details of how you use our services including our website, the Thrive app, other
Thrive Services, your IP address, or other device information;
- Images and video may be recorded at our events
- Technical information such as OS (to identify and fix bugs), Browser (to identify and
fix bugs)
- Other Information as may be reasonably required.
Special Categories of Personal Data
Special Category Personal Data specifically means personal data relating to race or ethnicity,
religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade
union membership, information about your health, and genetic and biometric data.
When you use the Thrive App or other Thrive Services, we may collect and process special category
personal data where this is necessary for the functionality of the Thrive App or the provision
of the Thrive services. For example:
- Details about your current physical or mental health, your medical history, treatments, test
results, medication, referrals, care plans, care packages, medial opinions, weight,
lifestyle and details of relevant support you are receiving;
- Details about your health and mood so the Thrive app can provide relevant assistance for
self-management or promotion of wellbeing;
- Details about your sex life and/or sexual orientation, your religion, nationality, race
and/or ethnicity, but we will only collect this sort of information where you choose to
provide it to us.
We do not routinely collect any information about criminal convictions (including offences and
alleged offences and any court proceedings or sentence) unless you give this sort of information
to us.
Source of Your Personal Information
Thrive expects to collect your personal information directly from you and indirectly via
third-party sources. For example:
- Thrive collects your personal data directly from you in these ways:
- when you use the Thrive App or receive another Thrive service such as a telephone
consultation with a Thrive mental health team member;
- when you send us an enquiry, sign up to receive news about our services or submit an
online form or otherwise carry out any transaction via our website;
- when you take part in a Thrive research survey;
- when you register, create or update a profile;
- when you communicate with us;
- when you post content to our website or social networking platforms;
- when you attend one of our events;
- Thrive collects your personal data indirectly from third parties where you
have given
another organisation permission to share your personal data with Thrive. For example, where
Thrive is working with a third-party organisation or where you purchase a product or service
from a third-party organisation. The personal data Thrive receives may depend upon the
settings and options you have with that third-party organisation.
If You Choose Not to Provide Personal Data to Us
In order for Thrive to provide its services to you, we do require you to provide us with a
certain amount of your personal data. You are free to withhold information from us that you feel
uncomfortable with disclosing.
In order to provide you with the Thrive App or other Thrive Services, we need to collect a valid
email address from you. If you decide to withhold that data when requested, we may not be able
to perform the contract we have or are trying to enter into with you (to provide you with the
Thrive App or other Thrive Services). In this case, we may have to cancel a product or service
you have with us, but we will notify you if this is the case at the time.
How We Use Your Personal Data
Thrive will process your personal data in accordance with this Privacy Notice and only where we
are legally permitted to do so.
Generally, we will use your personal data for the following purposes:
- To administer our services to you and to manage our relationship. Depending on our
relationship this may include necessary communications and administration.
- Where there is a legal or regulatory obligation to do so, such as in connection with fraud
prevention, for safeguarding purposes or in connection with legal proceedings;
- In connection with your treatment and/or care, including tests or assessments and
health/medical examinations;
- For our legitimate business purposes including administration, surveys, events, use of
third-party services such as IT, insurance and legal advice.
What Legal Basis Does Thrive Have for Using my Personal Data?
The EU General Data Protection Regulation (GDPR) requires us to have a legal basis to justify
using your personal data. The legal basis used will vary, depending on why we are using your
personal data. If we process "special categories of personal information" such as health or
medical information, we must have an additional legal basis to justify using it.
The table below identifies the purposes for using your personal data together with the legal
basis for doing so under GDPR:
Purpose |
Legal Basis for Processing |
Processing your enquiry, online form or correspondence, setting up a new
account, managing your consultations and other appointments.
|
- Taking the necessary steps so that you can enter into a contract with us for the
delivery of the Thrive App or other Thrive services.
(Article 6(1)(b) GDPR)
- The use is necessary for fulfilling our legitimate business interests (e.g.
business administration or responding to your enquiry) and those interests are
not overridden by your privacy rights and freedoms.
(Article 6(1)(f) GDPR)
|
Legal Basis for Special Category Personal Data
|
- Explicit consent
(Article 9(2)(a) GDPR)
- For the purposes of healthcare, treatment and the management of our healthcare
systems and services.
(Article 9(2)(h) GDPR)
|
Purpose |
Legal Basis for Processing |
Processing your personal data through the Thrive App.
Managing your consultations and appointments.
Providing you with healthcare, services through the Thrive App and other Thrive
Services.
|
- Fulfilling our contract with you for the provision of the Thrive App
and other Thrive services.
(Article 6(1)(b) GDPR)
|
Legal Basis for Special Category Personal Data
|
- The use is necessary to provide you with healthcare (or health
assessment) and other related services.
(Article 9(2)(h) GDPR)
- Explicit consent
(Article 9(2)(a) GDPR)
- To protect your vital interests where you are physically or legally
incapable of giving consent.
(Article 9(2)(c) GDPR)
|
Purpose |
Legal Basis for Processing |
Liaising with other healthcare professionals about your care.
Contacting others where necessary such as your support/emergency
contacts.
Sharing your personal data with external third-parties for regulatory or
legal reasons such as safeguarding purposes.
|
- Fulfilling our contract with you for the provision of Thrive
services.
(Article 6(1)(b) GDPR)
- For our legitimate interest in ensuring that other healthcare
professionals who are involved in your care (such as your GP) or
other clinician, are fully informed about your treatment by us,
providing these interests are not overridden by your own privacy
rights and protections.
(Article 6(1)(f) GDPR)
|
Legal Basis for Special Category Personal Data
|
- For the purposes of preventative medicine, medical diagnoses, the
provision of healthcare or treatment or the management of healthcare
systems and services
(Article 9(2)(h) GDPR)
- To protect your vital interests where you are physically or legally
incapable of giving consent
(Article 9(2)(c) GDPR)
- For reasons of substantial public interest under UK or EU law. (For
example, where it is necessary for safeguarding purposes.)
(Article 9(2)(g) GDPR)
- For us to establish, exercise or defend our legal rights
(Article 9(2)(f) GDPR
|
Purpose |
Legal Basis for Processing |
For internal training, security and overall quality purposes. This may
include monitoring phone calls and other correspondence and conducting
surveys.
|
- For our legitimate interest in ensuring that our staff are
adequately trained and ensuring that our service levels are of the
standard we expect, providing these interests are not overridden by
your own interests.
(Article 6(1)(f) GDPR)
|
Legal Basis for Special Category Personal Data
|
- For the provision of healthcare and the overall management of our
healthcare systems
(Article 9(2)(h) GDPR)
|
Purpose |
Legal Basis for Processing |
Investigating complaints or claims, defending or exercising our legal
rights, complying with our legal and regulatory obligations including
clinical guidelines provided by NHS Digital.
|
- In order to comply with our legal obligations.
(Article 6(1)(c) GDPR)
- For our legitimate interest in ensuring that our business meets
required standards and its interests are protected, providing these
interests are not overridden by your own privacy rights and
protections.
(Article 6(1)(f) GDPR)
|
Legal Basis for Special Category Personal Data
|
- For us to establish, exercise or defend our legal rights.
(Article 9(2)(f) GDPR)
- For the provision of healthcare and the overall management of our
healthcare systems and services including those provided by a third
party.
(Article 9(2)(h) GDPR)
|
Purpose |
Legal Basis for Processing |
Managing our business: the retaining of client and patient records,
maintaining and retaining accounting records, analysis of financial results,
internal audit requirements, receiving professional advice (such as tax,
financial, legal or public relations advice)
|
- For our legitimate interest in managing and developing our business,
providing that these interests are not overridden by your own
privacy rights and protections.
(Article 6(1)(f) GDPR)
- In order to comply with our legal obligations.
(Article 6(1)(c) GDPR
|
Legal Basis for Special Category Personal Data
|
- For the provision of healthcare and the overall management of our
healthcare systems and services.
(Article 9(2)(h) GDPR)
- For us to establish, exercise or defend our legal rights.
(Article 9(2)(f) GDPR)
|
Purpose |
Legal Basis for Processing |
Disclosing and transferring some or all of your records to a third party
where we sold or transferred all or part of our business or any of its
assets
|
- In order to comply with our legal and contractual obligations.
(Article 6(1)(c) GDPR
- For our legitimate interest in developing our business, including
marketing, providing that these interests are not overridden by your
own privacy rights and protections.
(Article 6(1)(f) GDPR)
|
Legal Basis for Special Category Personal Data
|
- For the purposes of preventative medicine, medical diagnoses, the
provision of healthcare or treatment or the management of healthcare
systems and services. This includes the ability of third-party
healthcare providers to be fully informed about your needs so they can
provide you with an appropriate care.
(Article 9(2)(h) GDPR)
- The transfer is necessary to protect your vital interests where you
are physically or legally incapable of giving consent.
(Article 9(2)(c) GDPR)
|
Who Do We Share Your Personal Data With?
We may share your personal data with third parties listed below for the purposes set
out in the
above table (Purposes/Legal Bases). Where your personal data is shared, only the
minimum amount
that is necessary to fulfil the purpose is shared. We always ensure that data is
shared securely
and strictly in accordance with the law.
- Our Thrive healthcare professionals involved in your care or treatment.
- Other members of our staff involved in your care or treatment such as our
development team
for the purposes of providing you with technical support or where providing
specific data to
our clinical team.
- Where you provide us with your explicit consent or another legal reason exists,
we may
securely share your medical or health information and other personal or special
category
data with other professionals, who are not employed by us. These individuals
will be subject
to their own statutory duty of confidentiality and your data will be shared
strictly in
accordance with data protection laws.
- Other healthcare service providers within the private sector.
- NHS organisations and their private sector service providers such as your GP,
NHS
Resolution, NHS England, Clinical Commissioning Groups, NHS Trusts, or the
Department of
Health.
- HM Revenue and Customs, regulators such as the Care Quality Commission and the
Information
Commissioner’s Office (ICO) and other authorities based in the UK and other
relevant
jurisdictions who require us to report processing activities in certain
circumstances.
- The police and other regulatory third parties in connection with the prevention
and
detection of crime or for safeguarding purposes.
- The local Safeguarding Team (which comprises specialist members from the local
authority,
Police and NHS) where we are concerned for your safety and welfare or that of
others.
- Certain external third-party service providers whom we have engaged to perform
services on
our behalf and under our instructions. For example, our cloud service provider
who provides
our servers. We select our third-party service providers with care and only
share the
information that is necessary to provide the service. We have a contract with
them that
requires these third- party service providers to process your personal data only
on our
instructions, securely and in accordance with relevant data protection laws.
- Third party professional advisors including lawyers, accountants, auditors and
insurers.
- Event partners where we are running the event in conjunction with a third-party.
We will let
you know how your information is going to be shared and why when you register
for any event.
- Anyone that has been appointed or you have asked to communicate with us on your
behalf such
as your insurer, individuals you have named as an emergency contact, such as
your next of
kin.
- Third parties who have acquired our business or with whom we have merged.
Within the Thrive App we provide validated clinical questionnaires that screen for
the presence
of various mental health symptoms including symptoms of depression, anxiety, stress
and other
conditions. Once you complete one of these questionnaires we calculate your score
and provide
you with the questionnaire’s standardised results. Based on these results we provide
you with
goals and recommendations and, where guided self-help is provided, one of our
psychological
therapists may reach out to you to confirm if you would like additional support. You
are free to
ignore or change any of these goals and recommendations. Where guided self-help is
provided, you
are also free to reach out to our psychological therapists at any time regardless of
the results
of those screening questionnaires.
How Long We Keep Your Personal Data For
We will only retain your personal information for as long as necessary to fulfil the
purposes we
collected it for, including for the purposes of satisfying any legal, accounting, or
reporting
requirements.
To determine the appropriate retention period for personal data, we consider the
amount, nature,
and sensitivity of the personal data, the potential risk of harm from unauthorised
use or
disclosure of your personal data, the purposes for which we process your personal
data and
whether we can achieve those purposes through other means, and the applicable legal
requirements.
Thrive follows the Records Management Code of Practice for Health and Social Care
2016 where it
processes personal data in connection with the Thrive App and other Thrive
services.
By law, we are required to retain basic information about our customers such as
contact details,
identity, financial and transaction data for six years after they cease being our
customers for
tax purposes.
In some circumstances, you have the legal right to ask us to delete your personal
data. More
information about this right can be found above in the section called “Your Legal
Rights”.
If you would like more information about how long we retain specific records relating
to you
please contact Thrive’s DPO.
Other General Information About How We Process Your Personal Data
For general information about how we collect and process your personal data including
for
example, how we keep it secure, your legal rights and who to contact if you have any
questions
about this Privacy Notice or your personal data, please
click here.
Privacy Notice for Job Applicants
The following information forms part of our Privacy Notice for job applicants. It sets out
further important information about the personal data that Thrive Therapeutic Software Ltd,
holds about you and how that information may be used.
The Personal Data We Collect About You
We may collect, use, store and transfer different kinds of personal data about you which we have
grouped together as follows:
- Identity Data: such as your name, marital status and dependants, title, date of birth and
gender, name of next of kin;
- Contact Data: includes billing address, delivery address, email address and telephone
numbers, next of kin contact details;
- Recruitment Information: such as “right to work” permit documentation (if relevant), current
or former employment details, professional qualifications, references and other information
included in a Curriculum Vitae or cover letter or application form as part of the
application process, photograph ID, work history and experience and interview records
including the output from tasks performed during the recruitment process;
- Financial Data: We may process information about your current remuneration and benefits
should you choose to provide this;
- CCTV footage: and other information obtained through electronic means such as swipe card
records;
- Other Data: Where your interview was conducted by video conference, we may retain a digital
recording together with other information produced during the recruitment process.
Special Categories of Personal Data
Special Category Personal Data specifically means personal data relating your race or ethnicity,
religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade
union membership, information about your health, and genetic and biometric data.
We may collect and hold the following special categories of information about you: Information
about your health such as details of medical conditions, sickness records, Occupational Health
records; race; ethnicity; sex life or sexual orientation; religious or philosophical beliefs and
details of trade union membership.
We may also record any criminal convictions (including offences and alleged offences and any
court proceedings or sentence) if you have given this information to us or we have obtained it
from a third party such as the Disclosure and Barring Service.
Where Do We Obtain Your Personal Data From?
In most cases, Thrive collects personal data directly from candidates, through the application
and recruitment process. However, sometimes, your personal data is obtained indirectly from
third parties such as an employment agency. For example:
Thrive collects your personal data directly from you in these ways:
- When you apply direct for a job with Thrive;
- When you submit an enquiry via our website, or correspond with us by telephone, email or
post about your application or prospective application.
Thrive may occasionally collect your personal data indirectly from third parties in these
ways:
- The Disclosure and Barring Service;
- Overseas Police agencies (in the context of a job application);
- Referees that have sent us a reference about you;
- Professional and educational bodies such as the Nursing and Midwifery Council (NMC), Health
and Care Professions Council (HCPC) in the context of confirmation of qualifications or
professional regulatory matters;
- A family member or other person communicating with us on your behalf;
- Occasionally, government agencies such as HMRC or the Home Office.
If You Provide Us with Personal Information About Others
If you provide personal information to us about others you should inform the individual about the
contents of this Privacy Notice. We will process such information in accordance with this
Privacy Notice.
If You Fail to Provide Personal Data
Where we need to collect personal data by law, or under the terms of a contract we have with you,
and you fail to provide that data when requested, we may not be able to perform the contract we
have or are trying to enter into with you (including an employment contract). In this case, we
may have to cancel the contract we have with you or are trying to enter into with you, but we
will notify you if this is the case at the time.
How We Use Your Personal Data
We will process your personal information in accordance with this Privacy Notice and only where
we are legally permitted to do so. The main purposes for collecting and using your personal data
are to facilitate your application for employment with us and so that we can comply with our
legal and regulatory requirements. More information about how we use your personal data is set
out below.
Data protection law requires us to have a legal basis to justify using your personal data. The
legal basis used will vary, depending on why we are using your personal data. If we process more
sensitive personal data, known as "special category personal data”, we must have an additional
legal basis to justify using it.
You will find details of the "legal bases" we rely upon for each of our processing purposes set
out below.
Purpose: The Recruitment Process
Thrive will use your personal data to assess your suitability for the role you have applied for
including your qualifications, skills and experience. We may carry out background checks, take
up references, confirm your qualifications and, where relevant confirm that you have the right
to work in the UK. We will use your name and contact details to correspond with you about your
application and for monitoring outcomes generally. Your information may be used to comply with
our equal opportunity monitoring and reporting obligations are met. We will retain some of the
recruitment records for a certain period in accordance with our Data Retention Policy.
Legal Bases:
- Where the use is necessary in connection with your employment contract with us.
- Where the use is necessary in order for us to comply with our legal obligations. For
example, we may have a legal duty to carry out background checks.
- Where the use is necessary for our legitimate interests including carrying out our
assessment to see if you are suitable for the role you have applied for, complying with our
legal obligations and developing our recruitment process, providing these interests are not
overridden by your privacy rights and freedoms.
Additional legal bases for special categories of personal data:
- Where the use is necessary in order for us to comply with our obligations as an employer.
For example, we may need to process your health information to determine if we need to make
reasonable adjustments so that you can attend the interview and carry out the job you have
applied for and also to confirm your fitness to perform the job in question.
- Where the use is necessary for reasons of substantial public interest based upon law. For
example, where the job you are applying for entitles or requires us to carry out criminal
records checks, to deal with insurance-related matters or fraud prevention and detection.
- Occasionally, where the use is necessary to establish, exercise or defend our legal
rights.
Purpose: Complying with our legal obligations and regulatory requirements
Legal Bases:
- Where the use is necessary for us to comply with a legal obligation. For example, we may
have a legal duty to carry out background checks or report certain concerns to a regulatory
body.
- Where the use is necessary for fulfilling our legitimate interests including compliance with
relevant statutory, regulatory or legal requirements, providing those interests are not
overridden by your privacy rights and freedoms.
Additional legal bases for special categories of personal data:
- Where the use is necessary in order for us to establish, exercise or defend our legal
rights.
- Where the use is necessary for reasons of substantial public interest on the basis of law.
For example, where it is necessary to process your personal information for the purposes of
crime prevention or safeguarding purposes or to protect any individual from neglect or harm.
Who Do We Share Your Personal Data With?
- We may share your personal data with third parties listed below for the purposes set out
above (Purposes/Legal Bases). Where your personal data is shared, we only share the minimum
amount of information required to fulfil the purpose of sharing. It is shared securely and
strictly in accordance with the law.
- Other internal staff at Thrive that are involved in the recruitment process, management of
staff and record keeping.
- Your previous employers, referees, other current employers, staffing agencies, educational
establishments and professional bodies.
- Disclosure and Barring Service or Disclosure Scotland.
- Professionals, clinicians, other staff and our advisors in order to deal with questions,
complaints or claims, including those made by yourself.
- HM Revenue and Customs, our regulators such as the Care Quality Commission and the
Information Commissioner’s Office (ICO) and other authorities based in the UK and other
relevant jurisdictions who require us to report processing activities in certain
circumstances.
- The police and other regulatory third parties in connection with the prevention and
detection of crime or for safeguarding purposes.
- Certain external third-party service providers whom we have engaged to perform services on
our behalf and under our instructions. For example, our cloud service provider who provides
our virtual servers. We select our third-party service providers with care and only share
the information that is necessary to provide the service. We have a contract with them that
requires these third- party service providers to process your personal data only on our
instructions, securely and in accordance with relevant data protection laws.
- Third-party professional advisors including lawyers, accountants, auditors and insurers.
- Anyone that has been appointed or you have asked to communicate with us on your behalf, such
as your insurer, individuals you have named as an emergency contact, such as your next of
kin.
- Third parties to whom we may sell, transfer or merge parts of our business or assets.
Automated Decision-Making and Profiling
Thrive does not use your personal information for automated decision making or
profiling purposes.
Automated decision-making is the process of using personal data to make a decision that
produces
significant legal effects for the individual involved, and that decision is made solely by
automated means without a human being involved at all.
Profiling means the analysis of certain characteristics of an individual’s personality,
behaviour, interests and habits to find out more about their preferences or to make
predictions
about their behaviour and/ or to make decisions about them.
How Long We Keep Your Personal Data For
We will only retain your personal information for as long as necessary to fulfil the purposes we
collected it for, including for the purposes of satisfying any legal, accounting, or reporting
requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature,
and sensitivity of the personal data, the potential risk of harm from unauthorised use or
disclosure of your personal data, the purposes for which we process your personal data and
whether we can achieve those purposes through other means, and the applicable legal
requirements.
In some circumstances, we may pseudonymise or anonymise your personal information so that it can
no longer be associated with you, in which case we may use such information without further
notice to you.
In some circumstances, you have the legal right to ask us to delete your personal data. More
information about this right can be found above in the section called “Your Legal Rights”.
If you would like more information about how long we retain specific records relating to you
please contact Thrive’s DPO.
Other General Information About How We Process Your Personal Data
For general information about we collect and process your personal data including for example,
how we keep it secure, your legal rights and who to contact if you have any questions about this
Privacy Notice or your personal data. Please click here.
Privacy Notice for Commercial Contacts
The following information forms part of our Privacy Notice for Thrive’s commercial contacts
(Including our Corporate Partners or employees of a Corporate Partner or any other person which
Thrive contacts or interacts with in the context of establishing, developing, maintaining,
servicing or otherwise furthering the business relationship). It sets out further important
information about the personal data that Thrive Therapeutic Software Ltd, holds about you and
how that information may be used.
The Personal Data We Collect About You
We may collect, use, store and transfer different kinds of personal data about you which we have
grouped together as follows:
- Identity Data: such as your name, information about your job title and hierarchical
position; and educational level or work experience;
- Business Contact Data: including company address, business telephone number and
e-mail address;
- Information you provide us during the course of our business relationship, including
in response to corporate surveys or questionnaires or other correspondence;
- Data from initiation, maintenance and execution of our business relationship,
including performed and planned orders and related data such as delivery modalities or
insurance coverages; user login and subscription data; use of our web services or
newsletters; and data about your budget;
- Company data of our Corporate Partners, such as company name and company business
registration number; information from our due-diligence or other onboarding procedures; or
our Corporate Partner´s business needs;
- Data relating to the assertion or defence against legal claims, including the
prevention of misconduct; compliance checks or investigations; and information regarding
compliance violations or other infringements;
- Personal contact details such as your mobile phone number where you choose to provide
these to us;
- Other Data: Where we conduct meetings via video conference, we may retain the
recording together with other notes relating to our meeting.
Special Categories of Personal Data
Special Category Personal Data specifically means personal data relating your race or ethnicity,
religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade
union membership, information about your health, and genetic and biometric data.
Thrive does not expect to routinely process any special category personal data in relation to its
business contacts.
Where Do We Obtain Your Personal Data From?
Most of the personal data we process, you have provided directly to us. Other personal data may
be provided by your employer, our corporate partners or other instances involved in the
initiation of your business relationship and/or the execution of contracts with our corporate
partners.
In addition, we may process personal data which we permissibly obtain from publicly accessible
third-party sources (such as LinkedIn) or that are legitimately transmitted to us by third
parties (such as credit agencies).
If You Provide Us with Personal Information About Others
If you provide personal information to us about others you should inform the individual about the
contents of this Privacy Notice. We will process such information in accordance with this
Privacy Notice.
If You Fail to Provide Personal Data
Where we need to collect personal data by law, or under the terms of a contract we have with you,
and you fail to provide that data when requested, we may not be able to perform the contract we
have or are trying to enter into with you. In this case, we may have to cancel the contract we
have with you or are trying to enter into with you, but we will notify you if this is the case
at the time.
How We Use Your Personal Data
We will process your personal information in accordance with this Privacy Notice and only where
we are legally permitted to do so. Thrive processes personal data of its business contacts for
various business purposes in connection with your business relationship with Thrive or our
corporate partners. These primarily include:
- For the initiation, performance and execution of a contract with you or our Corporate
Partners, including to meet our contractual obligations; necessary due diligence and other
onboarding requirements.
- For market analysis, including through surveys, to better understand the markets in which we
do business; and for product and service development.
- For account management and maintenance of our supplier database.
- For business communication and promotion of our products and services.
- In order to comply with our legal and regulatory obligations.
- For the security of Thrives premises, IT security and in connection with data breach
procedures.
- For asserting or the defence of legal claims or the prevention of misconduct, compliance
violations or other infringements, such as routine inspections; internal investigations; or
dispute resolution cases.
- In connection with our customer services activities, such as responding to your
correspondence, queries or complaints.
- For customer relationship management, including listing important contacts for our business;
connecting individuals with accounts of our corporate partners and for customers surveys.
- For the prevention and detection of crime.
Data protection law requires us to have a legal basis to justify using your personal data. The
legal basis used will vary, depending on why we are using your personal data. If we process more
sensitive personal data, known as "special category personal data”, we must have an additional
legal basis to justify using it.
Thrive processes personal relating to its Business Contacts based on multiple different legal
bases: Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform a contract that we are about to enter into or have entered into
with you. For example:
- Where we need to process your personal data in order to initiate or perform a contract
between us.
- Where it is necessary for our legitimate interests (or those of a third party) and your
interests and fundamental rights do not override those interests. For example:
- To grow the Company’s business by networking and market research and analysis of
potential business opportunities as well as through direct marketing, including
marketing activities and communications or regarding product or service development
processes.
- Where we need to comply with a legal obligation. For example:
- Where we need to process your personal data to comply with a court order or a specific
statutory obligation.
Generally, we would not routinely expect to rely on consent as a legal basis for processing your
personal data other than in exceptional circumstances. For example, where we propose to publish
an image of you on our website taken at one of our events. Where we do rely on consent to
process your personal data, you have the right to withdraw that consent at any point in time.
Details of how to do that can be found here.
Who Do We Share Your Personal Data With?
We may share your personal data with third parties listed below for the purposes set out above
(Purposes/Legal Bases). Where your personal data is shared, we only share the minimum amount of
information required to fulfil the purpose of sharing. It is shared securely and strictly in
accordance with the law.
- Other internal staff within Thrive;
- Certain external third-party service providers whom we have engaged to perform services on
our behalf and under our instructions. For example, our cloud service provider who provides
our virtual servers. We select our third-party service providers with care and only share
the information that is necessary to provide the service. We have a contract with them that
requires these third-party service providers to process your personal data only on our
instructions, securely and in accordance with relevant data protection laws;
- Third party professional advisors such as lawyers, accountants, auditors and insurers;
- Third parties to whom we may sell, transfer or merge parts of our business or assets.
Automated Decision-Making and Profiling
Automated decision-making is the process of using personal data to make a decision that
produces significant legal effects for the individual involved, and that decision is made
solely by automated means without a human being involved at all.
Profiling means the analysis of certain characteristics of an individual’s personality,
behaviour, interests and habits to find out more about their preferences or to make
predictions about their behaviour and/ or to make decisions about them.
Thrive does not use your personal information for automated decision making or
profiling purposes.
How Long We Keep Your Personal Data for
We will only retain your personal information for as long as necessary to fulfil the purposes we
collected it for, including for the purposes of satisfying any legal, accounting, or reporting
requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature,
and sensitivity of the personal data, the potential risk of harm from unauthorised use or
disclosure of your personal data, the purposes for which we process your personal data and
whether we can achieve those purposes through other means, and the applicable legal
requirements.
In some circumstances, we may pseudonymise or anonymise your personal information so that it can
no longer be associated with you, in which case we may use such information without further
notice to you.
In some circumstances, you have the legal right to ask us to delete your personal data. More
information about this right can be found above in the section called “Your Legal Rights”.
If you would like more information about how long we retain specific records relating to you
please contact Thrive’s DPO.
Other General Information About How We Process Your Personal Data
For general information about we collect and process your personal data including for example,
how we keep it secure, your legal rights and who to contact if you have any questions about this
Privacy Notice or your personal data. Please click
here.