Thriva Privacy Notice

What’s the purpose of this notice?

The purpose of this notice is to transparently explain to you what Thriva does with your Personal Data and how we manage interactions with third-parties across a complex digital ecosystem.

Translating your health information into personalised and actionable insights is at the core of our Services. We also do a lot of work to provide clinically safe solutions and improve our business generally. As a result, we do a lot of things with data and we have tried our very best to provide this information in a clear and accessible way.

It’s important that you read this privacy policy together with any other privacy notices we may provide on specific occasions when we are collecting or processing Personal Data about you. So that you’re fully aware of how and why we’re using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.

Who we are and what this notice applies to?

This notice was prepared by Thriva Limited (“Thriva”, “we”, “us”) and we are the Controller of the Personal Data processed under this notice.

This notice is made for and applies to anyone who is an end-user of Thriva’s Services, a subscriber, or anyone who is visiting our Website or uses our App (our “Customers”). However, not all parts of this privacy notice will apply to all Customers as we offer a range of Services and we do so either directly to customers or indirectly via a third party. The key difference between direct and indirect services is that our direct Customers have engaged with us directly on our App or Website and our indirect Customers have purchased Services via or in connection with a Partner (for example, where you have purchased tests at a pharmacy or at the recommendation of an independent health practitioner that will also receive a copy of the results). Our Partners will typically incorporate the Services that we offer as part of their wider relationship with you. They may, for example, use the test results to inform their health recommendations or to design a holistic treatment plan.

Where our Partners are sole practitioners or otherwise trading in their personal capacity we also carry out some limited processing of Partner Personal Data (see indirect services section).

🛑 What is not covered by this privacy notice 🛑

This privacy notice does not cover how our Partners process Personal Data as part of their wider services. We encourage you to read their privacy notices so that you understand how your Personal Data will be used by them.

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Contact details

If you have any questions about this privacy notice or our privacy practices in general — the privacy team would love to hear from you!

You can contact our Data Protection Officer at: DPO@thriva.co.

Changes to this privacy notice

When we make changes to the Services that we offer, or where we make changes to how we process your data, we may be required to update this privacy notice and therefore we reserve the right to do so.

If we make any material changes, we’ll let you know either via email, through the App, and/or by presenting you with a new version of this privacy notice on our Website. In some cases, we’ll ask you to explicitly acknowledge changes to the privacy notice but we don’t require this for every update. Where we have notified you of a change and you continue to use our Services after the effective date, we take such continued use to mean that you accept the updated privacy notice.

— If you don’t accept the terms of this privacy notice, please do not use the Services. —

You can check the privacy notice posted on our Website and in the App for the latest version of our privacy notice and older versions are available on request.

The Personal Data we process about you

We process different kinds of Personal Data about you and we’ve grouped the Personal Data into the following categories:

• Account Data includes data related to your Thriva account such as your first name, last name, username or similar identifier, title, date of birth, gender and Thriva ID numbers. Where relevant, it also includes purchases or orders made by you, telemetry data relating to your purchases (i.e. status of your orders), your interests, preferences, feedback and survey responses (where no standalone privacy notice has been provided) and details of your conversations with us where you have contacted our customer services or support team.
• Contact Data this includes delivery address, email address and telephone numbers.
• Financial Data this includes data related to orders and purchases such as your payment card details, billing address, tokens, gift card/voucher details, details about orders and/or subscriptions and other details of Services you have purchased from us.
• Health Profile Data - this includes any general health information that you provide to us other than your Test Result Data (for example, information regarding age, weight, height, ethnicity and information regarding your lifestyle, your current health status and your goals).
• ID Data - this includes information used to verify your identity. For example, if you submit a data subject access request we may take steps to verify your identity if we deem it appropriate to do so.
• Test Result Data - includes your test results, any escalations related to your test results, any doctor commentary on your test results, any consultation and/or prescription(s) relating to your result. Where relevant, Test Result Data also includes the analytics we run on your results to provide actionable insights related to your health, such as trend data and predicted future results.
• Technical Data this includes internet protocol (IP) address, your login data, and other technology on the devices you use to access our website and/or App. It also includes usage data such as information about how you use our Website, App and Services.
• Marketing and Communications Data this includes your preferences in receiving marketing from us and our third parties and your communication preferences.
• Aggregated Data - this includes statistical data from any of the above categories and, although it is derived from Personal Data, it is not considered Personal Data in its statistical form as long as it does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users that report delays in receiving their testing kits due to postal strikes and we may share these percentages with our Partners and/or fulfilment providers for planning purposes. These third parties will only receive the statistical data and will not be able to identify you.

A quick note about Special Category Data - as a healthcare provider, we collect data that is considered extra sensitive about you (in particular information about your health and genetic data) that is known as Special Category Data under data protection laws. Special Category Data can only be processed in particular circumstances and we have included additional information regarding our processing of Special Category Data in the sections that follow.

We do not collect any information about criminal convictions and offences.

If you fail to provide Personal Data

Where we need to collect Personal Data and you fail to provide that data when requested, we may not be able to enter into a contract with you, perform Services or otherwise respond to requests from you. If you have already ordered or requested Services from us but subsequently fail to provide information or object to our processing then we may not be able to deliver the Services to you.

Direct interactions

If we have a direct relationship with you, that’ll be our primary source of information. You may give us Personal Data such as Account, Contact, Financial, Health Profile, ID and Marketing and Communication Data. This is done by filling in forms, participating in consultations or by corresponding with us (via post, phone, email or otherwise). For example, this includes Personal Data you provide when you:

• create an account on our website or in our App (including populating your health profiles);
• order Services;
• subscribe to our service or publications or request marketing to be sent to you;
• enter a competition, promotion or survey; or
• give us feedback or contact us for customer support.

Automated technologies and information generated by our Services.

As you interact with our Website, App and otherwise make use of our Services, we'll automatically collect, process and/or generate Account Data, Test Result Data, Technical, and/or Aggregate Data. We generate this information about you as a result of using our Services, for example when you use different features of our Website or App or provide us with a test sample that our labs analyse to provide you with your test results.

We also collect and/or create data by automated means using cookies, server logs, analytics and other similar technologies. For details regarding our use of cookies and similar technologies on our Website and in our App, please see our cookie policy.

Third parties

Where our relationship with you is indirect, we may receive details about you from our Partners in order to provide the Services. We also receive information that is generated by our third party suppliers about you, for example from our fulfilment providers (the companies that build and send our CE marked test kits), our laboratories and our doctors and/or nutritionists. We may also receive Personal Data about you from third parties for advertising and marketing purposes.

A quick word about consent

Consent can be a little confusing when used in a healthcare context so we wanted to take a moment and explain the different scenarios where consent comes into play.

The principle of consent is an important part of medical ethics and we rely on your consent to provide and perform the tests, result analysis, doctor reporting, doctor consultations, prescriptions and related healthcare services, including sharing your health records with our Partners (where relevant for indirect Customers).

Consent for these purposes is required for medical treatment and testing, and under the common law duty of confidence. This is separate and distinct from consent under data protection laws. Generally, we do not rely on data protection consent as the lawful basis for processing your data under data protection law except in certain circumstances, such as in relation to direct marketing.

Purposes for which we will use your Personal Data

In the below sections we have set out descriptions of the ways we plan to use your Personal Data, including the lawful basis and special category conditions that we rely on. We have also identified our legitimate interests where this is relevant. We have grouped these purposes under different headings to make it easier to read.

Keep in mind that we provide a range of Services and not all of these will apply to every Customer. To make this easier to follow, we have structured this section to first cover our core services and we’ve then covered additional services under separate headings. You should read the core services section and then each relevant additional services section that corresponds with your particular circumstances.

Sometimes we process the same Personal Data for different purposes. We are required to identify a lawful basis (and special category conditions where relevant) for each different purpose so some categories of Personal Data will appear under multiple headings. We’re always happy to provide further details, so please contact us if you have any questions.

Standard Services

By ‘Standard Services’ we mean the processing activities that relate to the use or interaction with our Website, our App and/or the purchase of our Services.

Thriva+

Thriva+ provides additional features that are not available in our Standard Services such as personalised recommendations, action plans and discounts. It also includes enhanced data insights and the option to seek further guidance by scheduling consultations with either doctors or nutritionists.

All processing purposes under the Standard Services apply. In addition, Thriva+ includes:

Thriva in Person

For those that would like an alternative to the standard finger prick collection method we provide an option to attend a clinic or pharmacy and a nurse or phlebotomist will help you collect your sample via a venous draw.

Indirect Services

The key difference between direct and indirect services is that our direct Customers have engaged with us directly on our App or Website and our indirect Customers have purchased Services via or in connection with a Partner (for example, where you have purchased tests at a pharmacy or at the recommendation of an independent health practitioner that will also receive a copy of the results). Our Partners will typically incorporate the Services that we offer as part of their wider relationship with you. They may, for example, use the test results to inform their health recommendations or to design a holistic treatment plan. It is the Partner that is your primary contact for contractual purposes.

We carry out all the processing activities listed above for our indirect Services. The only change to the above lists of processing purposes is that we are not able to rely on Article 6(1)(b) as the lawful basis where we do not have a contractual relationship directly with you. In these circumstances, we rely on Article 6(1)(f) instead as it is in our legitimate interest to comply with the contractual provisions in our contract with our Partner so that they can in turn provide their services to you.

We also carry out one additional form of processing and that is sharing the relevant Test Results, Health Profile Data and Aggregate Data with our Partner so that they can provide their services to you. For example, where our Partner is a registered medical professional they sometimes do their own analysis of the Test Result Data so that they can incorporate this into their services. We rely on Article 9(2)(h) of the UK GDPR in relation to your Special Category Data that we share with Partners and this processing is done under the responsibility of Thriva’s doctors.

In addition to the Customer Personal Data, in order to provide the indirect services we also process limited information regarding our Partners. Normally this will just include business contact details and billing details but where our Partner is a sole practitioner or otherwise trading in their personal capacity, we treat their data as Personal Data. The lawful basis we rely on to process Partner Personal Data for these purposes is Article 6(1)(b) of the UK GDPR as we need the Personal Data in order to provide the indirect services and to invoice you for them.

Marketing

We thought it would be helpful to provide some additional information regarding our marketing activities.

We may use your Account, Contact, Technical and Health Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased Products or Services from us and you have not opted out of receiving that marketing.

You can opt to receive general marketing information, such our newsletters, but we will ask for additional consent to provide personalised marketing where we are using any Special Category data as part of the process (in other words, where we use your health data to inform what material we think you might be interested in).

Consenting to marketing is entirely voluntary and you can make full use of our Services without receiving any marketing from us.

If you consent to receiving marketing but later change your mind you can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please click here.

Change of purpose

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Service providers

We engage other companies to process your Personal Data on our behalf. Some of these third parties are our Processors.

Processors are companies that help us run our business and generally support our IT, supply and service infrastructure. They may process different categories of Personal Data on our behalf depending on what services we have engaged them to provide. We remain responsible for any acts or omissions of our Processors and we undertake due diligence on them (when appropriate depending on the nature of the Personal Data they will access the services they provide) before we give them access to Personal Data. We also execute formal data processing agreements with them. This means that they cannot do anything with your personal information unless we have instructed them to do it.

Some of our service providers are independent Controllers where their roles are not compatible with being a Processor. These include our professional advisors that are required to exercise independent judgement in delivering their services, such as lawyers and self-employed GPs. These service providers are under professional duties of confidence, as well as contractual obligations.

Examples of our service providers (both Processors and Controllers) include:

• Hosting, technology, analytics and security providers and tooling;
• Laboratories, including sub-contracted laboratories;
• Fulfilment partners that build and ship our test kits;
• Payment processors;
• our Thriva in Person providers that enable our multichannel blood testing service (finger prick & venous draw) across multiple locations and home-visits;
• Professional advisors such as lawyers, tax advisors, auditors, accountants and medical consultants.
• Support and customer services platforms and tools;
• Platforms that enable booking and direct consultations with GPs or nutritionists; and
• Marketing and PR consultants, tools and platforms.

We do not allow our service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with the contractual terms governing our relationship.

Partners

This section only applies where we have an indirect relationship with you.

We will share some of your information with our Partner so that they can provide their services to you. The exact category of Personal Data will vary depending on how these services are being delivered (for example, we can host and display the test result directly to you or we can share them with the Partner so they can manage this process). It also depends on whether the Partners are themselves qualified to provide medical reporting or if they have contracted with us to provide reporting and escalation services.

Our Partners are independent Controllers and are under separate legal obligations to provide you with a notice detailing what information they process about you and where they receive the information from. We always try to coordinate with our Partners so that both Thriva’s privacy notice (this notice) and our Partners privacy notice are made available to you. If you have not seen the Partner’s privacy notice then we recommend you ask them for a copy.

External third parties

The final category of recipients that we may be required to share your Personal Data with are external third parties that are not service providers or Partners.

This category includes any third party or parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this privacy policy.

It also includes third parties that we are required to share data with in certain circumstances such as in response to a court order, as part of a legal obligation, regulatory investigation or legal process. This can include parties such as regulators, government agencies, courts and any third parties we have engaged in connection with such requirements.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.

Your right to object to processing

You have the right to object to processing in certain circumstances. You can read more about this right here.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about this right here.

Exercising your rights

If you wish to exercise any of the rights set out above, please contact us on DPO@thriva.co.

No fee usually required

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to response

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at DPO@thriva.co and we’ll respond.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to us as the UK supervisory authority. Please follow this link to see how to do that.