15% off your first subscription blood test

Privacy Policy

Last updated: 6th Jun 2023

Contents

1. INTRODUCTION

Hello, welcome to Thriva's privacy notice. We know what you're thinking - “Oh no, another boring and confusing privacy notice…How am I going to understand all this dull legalese?!”

Well worry no more! This privacy notice is provided in a layered format so you can click through to the specific areas that may be of interest to you below. We've also prepared a handy glossary section at the end of this document, to avoid lengthy definitions in the body of the notice. That's where you can check the definition(s) for all capitalised terms.

Here at Thriva, want to take the guesswork out of managing your health and to help you understand what's happening inside your body, the impact your lifestyle is having, and what you can do to feel your best. We believe that health data presents a groundbreaking opportunity to put better health in your hands so you can feel your best today and long into the future.

We're very aware that making use of our services means you're opting to share personal and sensitive data with us and we fully accept the great responsibility that comes with safeguarding your health data. We're continuously working towards the highest standards of data protection and security— as you'll see below we take your privacy very seriously!

What’s the purpose of this notice?

The purpose of this notice is to transparently explain to you what Thriva does with your Personal Data and how we manage interactions with third-parties across a complex digital ecosystem.

Translating your health information into personalised and actionable insights is at the core of our Services. We also do a lot of work to provide clinically safe solutions and improve our business generally. As a result, we do a lot of things with data and we have tried our very best to provide this information in a clear and accessible way.

It’s important that you read this privacy policy together with any other privacy notices we may provide on specific occasions when we are collecting or processing Personal Data about you. So that you’re fully aware of how and why we’re using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.

Who we are and what this notice applies to?

This notice was prepared by Thriva Limited (“Thriva”, “we”, “us”) and we are the Controller of the Personal Data processed under this notice.

This notice is made for and applies to anyone who is an end-user of Thriva’s Services, a subscriber, or anyone who is visiting our Website or uses our App (our “Customers”). However, not all parts of this privacy notice will apply to all Customers as we offer a range of Services and we do so either directly to customers or indirectly via a third party. The key difference between direct and indirect services is that our direct Customers have engaged with us directly on our App or Website and our indirect Customers have purchased Services via or in connection with a Partner (for example, where you have purchased tests at a pharmacy or at the recommendation of an independent health practitioner that will also receive a copy of the results). Our Partners will typically incorporate the Services that we offer as part of their wider relationship with you. They may, for example, use the test results to inform their health recommendations or to design a holistic treatment plan.

Where our Partners are sole practitioners or otherwise trading in their personal capacity we also carry out some limited processing of Partner Personal Data (see indirect services section).

🛑 What is not covered by this privacy notice 🛑

This privacy notice does not cover how our Partners process Personal Data as part of their wider services. We encourage you to read their privacy notices so that you understand how your Personal Data will be used by them.

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Contact details

If you have any questions about this privacy notice or our privacy practices in general — the privacy team would love to hear from you!

You can contact our Data Protection Officer at: DPO@thriva.co.

Changes to this privacy notice

When we make changes to the Services that we offer, or where we make changes to how we process your data, we may be required to update this privacy notice and therefore we reserve the right to do so.

If we make any material changes, we’ll let you know either via email, through the App, and/or by presenting you with a new version of this privacy notice on our Website. In some cases, we’ll ask you to explicitly acknowledge changes to the privacy notice but we don’t require this for every update. Where we have notified you of a change and you continue to use our Services after the effective date, we take such continued use to mean that you accept the updated privacy notice.

— If you don’t accept the terms of this privacy notice, please do not use the Services. —

You can check the privacy notice posted on our Website and in the App for the latest version of our privacy notice and older versions are available on request.

2. THE PERSONAL DATA WE USE

We collect Personal Data about you in a variety of ways. Sometimes we collect Personal Data automatically when you interact with the Services, and sometimes we collect the Personal Data directly from you. At times, we may receive Personal Data about you from other sources and third parties. This is usually where we provide our Services to you indirectly and via a third party.

Our Services are not available to minors and we do not knowingly collect data relating to children.

The Personal Data we process about you

We process different kinds of Personal Data about you and we’ve grouped the Personal Data into the following categories:

  • Account Data includes data related to your Thriva account such as your first name, last name, username or similar identifier, title, date of birth, gender and Thriva ID numbers. Where relevant, it also includes purchases or orders made by you, telemetry data relating to your purchases (i.e. status of your orders), your interests, preferences, feedback and survey responses (where no standalone privacy notice has been provided) and details of your conversations with us where you have contacted our customer services or support team.
  • Contact Data this includes delivery address, email address and telephone numbers.
  • Financial Data this includes data related to orders and purchases such as your payment card details, billing address, tokens, gift card/voucher details, details about orders and/or subscriptions and other details of Services you have purchased from us.
  • Health Profile Data - this includes any general health information that you provide to us other than your Test Result Data (for example, information regarding age, weight, height, ethnicity and information regarding your lifestyle, your current health status and your goals).
  • ID Data - this includes information used to verify your identity. For example, if you submit a data subject access request we may take steps to verify your identity if we deem it appropriate to do so.
  • Test Result Data - includes your test results, any escalations related to your test results, any doctor commentary on your test results, any consultation and/or prescription(s) relating to your result. Where relevant, Test Result Data also includes the analytics we run on your results to provide actionable insights related to your health, such as trend data and predicted future results.
  • Technical Data this includes internet protocol (IP) address, your login data, and other technology on the devices you use to access our website and/or App. It also includes usage data such as information about how you use our Website, App and Services.
  • Marketing and Communications Data this includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Aggregated Data - this includes statistical data from any of the above categories and, although it is derived from Personal Data, it is not considered Personal Data in its statistical form as long as it does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users that report delays in receiving their testing kits due to postal strikes and we may share these percentages with our Partners and/or fulfilment providers for planning purposes. These third parties will only receive the statistical data and will not be able to identify you.

A quick note about Special Category Data - as a healthcare provider, we collect data that is considered extra sensitive about you (in particular information about your health and genetic data) that is known as Special Category Data under data protection laws. Special Category Data can only be processed in particular circumstances and we have included additional information regarding our processing of Special Category Data in the sections that follow.

We do not collect any information about criminal convictions and offences.

If you fail to provide Personal Data

Where we need to collect Personal Data and you fail to provide that data when requested, we may not be able to enter into a contract with you, perform Services or otherwise respond to requests from you. If you have already ordered or requested Services from us but subsequently fail to provide information or object to our processing then we may not be able to deliver the Services to you.

3. HOW WE COLLECT YOUR PERSONAL DATA

We use different methods to collect data from and about you.

Direct interactions

If we have a direct relationship with you, that’ll be our primary source of information. You may give us Personal Data such as Account, Contact, Financial, Health Profile, ID and Marketing and Communication Data. This is done by filling in forms, participating in consultations or by corresponding with us (via post, phone, email or otherwise). For example, this includes Personal Data you provide when you:

  • create an account on our website or in our App (including populating your health profiles);
  • order Services;
  • subscribe to our service or publications or request marketing to be sent to you;
  • enter a competition, promotion or survey; or
  • give us feedback or contact us for customer support.

Automated technologies and information generated by our Services.

As you interact with our Website, App and otherwise make use of our Services, we'll automatically collect, process and/or generate Account Data, Test Result Data, Technical, and/or Aggregate Data. We generate this information about you as a result of using our Services, for example when you use different features of our Website or App or provide us with a test sample that our labs analyse to provide you with your test results.

We also collect and/or create data by automated means using cookies, server logs, analytics and other similar technologies. For details regarding our use of cookies and similar technologies on our Website and in our App, please see our cookie policy.

Third parties

Where our relationship with you is indirect, we may receive details about you from our Partners in order to provide the Services. We also receive information that is generated by our third party suppliers about you, for example from our fulfilment providers (the companies that build and send our CE marked test kits), our laboratories and our doctors and/or nutritionists. We may also receive Personal Data about you from third parties for advertising and marketing purposes.

4. HOW WE USE YOUR PERSONAL DATA

We’ll only use your Personal Data when the law allows us to. Most commonly, we’ll use your Personal Data in the following circumstances:

  • Where we need to in order to perform the contract we’re about to enter into or have entered into with you.
  • Where it’s necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights don’t override those interests.
  • Where we need to comply with a legal obligation.

Where we process data relating to your health, or other kinds of Special Category data, most commonly, we will rely on the following conditions:

  • You have provided your explicit consent for the use of your data for one or more specific purposes;
  • The processing is necessary to provide you with healthcare services, including preventive medicine, medical diagnosis and/or treatment and/or to manage our systems and services.
  • The processing is necessary for statistical purposes but only where it is proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Click here to access helpful resources that provide more detailed guidance on the types of lawful basis that exist in law.

Purposes for which we will use your Personal Data

In the below sections we have set out descriptions of the ways we plan to use your Personal Data, including the lawful basis and special category conditions that we rely on. We have also identified our legitimate interests where this is relevant. We have grouped these purposes under different headings to make it easier to read.

Keep in mind that we provide a range of Services and not all of these will apply to every Customer. To make this easier to follow, we have structured this section to first cover our core services and we’ve then covered additional services under separate headings. You should read the core services section and then each relevant additional services section that corresponds with your particular circumstances.

Sometimes we process the same Personal Data for different purposes. We are required to identify a lawful basis (and special category conditions where relevant) for each different purpose so some categories of Personal Data will appear under multiple headings. We’re always happy to provide further details, so please contact us if you have any questions.

Standard Services

By ‘Standard Services’ we mean the processing activities that relate to the use or interaction with our Website, our App and/or the purchase of our Services.

Purpose of processingWe collect Personal Data when you visit our Website or install our App. We use cookies (see our cookie policy for further details) and analytics on our Website and App to compile reports and help us improve their functionality. We also use third party web-applications to keep our Website and App secure and to monitor their performance.
Type of Personal Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is either Article 6(1)(a) of the UK GDPR, for example when we require your consent for the optional cookies we use, or Article 6(1)(f) which allows us to process Personal Data when it’s necessary for our legitimate interests. For example, it is in our legitimate interest to maintain the integrity of our IT systems and safeguard the continuity of our business.
Purpose of processingTo sign you up as a new customer and create your Thriva account on our website or app. This includes creating your health profile, recommending tests profiles and sending you important messages and updates about your account.
Type of Personal Data
  • Account Data
  • Contact Data
  • Health Profile Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(b) of the UK GDPR as we need the Personal Data in order to recommend and/or place an order for Services, including where we’re taking steps to potentially enter into a contract with you. Some of the data that we need for these purposes is Special Category Data. We rely on Article 9(2)(h) of the UK GDPR in relation to your Special Category Data and this processing is done under the responsibility of Thriva’s doctors. For example, we may ask you about your current health status and goals in order to recommend appropriate test profiles.
Purpose of processingTo process, manage and deliver the Services you have ordered from us. This includes managing payments (including vouchers, gift cards and discounts), managing the fulfilment process (i.e. building and sending test kits to you), managing and sharing information so that you can track your kit and result status, processing test results data, managing escalations and doctor reviews, and to provide you with your personalised commentary on the results (where relevant).
Type of Personal Data
  • Account Data
  • Contact Data
  • Financial Data
  • Health Profile Data
  • Test Result Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(b) of the UK GDPR as we need the Personal Data in order to provide the Services to you. Some of the data that we need for these purposes is Special Category Data. We rely on Article 9(2)(h) of the UK GDPR in relation to your Special Category Data and this processing is done under the responsibility of Thriva’s doctors. For example, we use the information you provide in your health profile to inform the analysis of your test results.
Purpose of processingA core part of our Services is to help you understand your health better. We use analytics to provide you with actionable and personalised insights based on your health goals, test results and health profile. For example, we provide automated test recommendations based on your health profile and completed results. We also provide trend data so that you can see how your test results change over time. We are working hard to develop more features to help you understand your results in the context of your lifestyle, to make informed changes and track progress.
Type of Personal Data
  • Account Data
  • Health Profile Data
  • Test Result Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(b) of the UK GDPR as we need the Personal Data in order to provide the data insights that are included in the Services you have purchased. Some of the data that we need for these purposes is Special Category Data. We rely on Article 9(2)(h) of the UK GDPR in relation to your Special Category Data and this processing is done under the responsibility of Thriva’s doctors. For example, the insights we provide are intended to help you take actionable steps to improve or maintain your health (we call this preventative healthcare).
Purpose of processingTo manage customer support function and respond to any inbound queries, complaints and feedback.
Type of Personal Data
  • Account Data
  • Contact Data
  • Financial Data
  • Health Profile Data
  • Test Result Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(b) of the UK GDPR where the query, complaint or feedback relates to Services you have purchased. Where the query, complaint or feedback is not provided in the context of an actual or potential order then we rely on Article 6(1)(f) of the UK GDPR as it’s in our legitimate interest to be able to address any questions you may have. Some of the data that we need for these purposes is Special Category Data. We rely on Article 9(2)(h) of the UK GDPR in relation to your Special Category Data and this processing is done under the responsibility of Thriva’s doctors. For example, we may need to address any questions you have regarding an actual or failed test.
Purpose of processingTo comply with legal and regulatory requirements applicable to our Services and business. Including investigating, evaluating, demonstrating, monitoring, improving and reporting on such requirements.
Type of Personal Data
  • Account Data
  • Contact Data
  • Health Profile Data
  • ID Data
  • Test Result Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(c) of the UK GDPR as we need to process the Personal Data in order to comply with a legal or regulatory obligation. For example, we are registered with the Care Quality Commission to provide regulated activities under the Health and Social Care Act 2008. We are also the legal manufacturer of our CE marked in vitro diagnostic medical devices and our platform includes software that are registered as medical devices - we have legal obligations in respect of all these regulated activities and Services. It could also include compliance with other laws such as data protection laws. For example, if you ask to exercise your data subject right(s). Some of the data that we need for these purposes is Special Category Data. We rely on Article 9(2)(h) of the UK GDPR in relation to your Special Category Data and this processing is done under the responsibility of Thriva’s doctors. For example, this may include investigating and reporting incidents involving our medical devices or result variances. It also includes obligations such as safeguarding for our (adult) Customers and legal requirements in relation to our retention of health records.
Purpose of processingTo manage, administer and develop our business. This means safeguarding and quality checking our Website, App, wider IT infrastructure and supply chain. We do this in order to ensure our business and Services work well and are safe, accurate and reliable, including for business continuity purposes. It also includes understanding how our customers use our Services so we can make them even better and grow our business. In the context of a business reorganisation, acquisitions or restructuring exercise, it could also mean processing that is necessary for such corporate purposes.
Type of Personal Data
  • Account Data
  • Contact Data
  • Health Profile Data
  • Test Result Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(f) of the UK GDPR when it is necessary for our legitimate interests in operating and expanding our business. This includes conducting audits, quality assurance checks, troubleshooting, data analysis, testing, system maintenance and support, hosting and investigations. It also encompasses managing the overall operations of our business, such as ensuring the provision of administration and IT services, network security, fraud prevention, and business continuity planning and management. Some of the data that we need for these purposes is Special Category Data. We rely on Article 9(2)(h) of the UK GDPR in relation to your Special Category Data and this processing is done under the responsibility of Thriva’s doctors. For example, any assurance checks, hosting and other purposes listed above may involve Special Category Data as our Services are provided for healthcare purposes. In addition, we pseudonymised your Personal Data where appropriate across our IT infrastructure and we use aggregate data to manage and plan our healthcare services.
Purpose of processingTo provide statistical insights related to our Services and business, including for internal business purposes, for sharing with partners, and for publications.
Type of Personal Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(f) of the UK GDPR when it is necessary for the purpose of generating dashboards, internal reports and insights as it is in our legitimate interest to understand how customers interact with our Services and for business planning and forecasting purposes. For example, to analyse test failure rates, failed deliveries and to understand how our customers interact with different features of our Services. We share some statistical insights with our Partners where appropriate but this is not considered Personal Data. For example, we might share with them how many of the tests they have ordered have resulted in failed tests. Some of the data that we need for these purposes is Special Category Data. We rely on Article 9(2)(h) of the UK GDPR where the processing relates to how we plan and manage our healthcare services. We share some statistical insights with our Partners where appropriate but this is not considered Personal Data. For example, we might inform them of average test result values for particular analytes or the percentage of Customers that have brought their results into normal range over a set timeframe. Where we process Special Category Data purely for statistical purposes and not for business insights then we rely on Art 9(2)(j). For example, we aggregate certain health statistics and insights and share these where we consider this to be in the public benefit. We only share the statistical findings (this does not include Personal Data) and only in circumstances where we consider that such processing is unlikely to be considered intrusive. For example, we might share interesting insights such as the correlation between Vitamin D deficiency and self-reported time spent walking.
Purpose of processingTo request and receive legal advice, to manage complaints, claims, disputes. To respond to requests, warrants and orders from courts, governmental, regulatory and/or enforcement bodies and authorities. To carry out investigations, evaluations, demonstrations, monitoring, improving, reporting on and meeting our compliance with such requirements.
Type of Personal Data
  • Account Data
  • Contact Data
  • Financial Data
  • Health Profile Data
  • ID Data
  • Test Result Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(c) of the UK GDPR where we need to process the Personal Data in order to comply with a legal or regulatory obligation. For example, in order to comply with a court order or notice from a regulator. Alternatively, if the processing relates to actions we are not legally required to do, for example, seeking legal advice or bringing a claim against a third party, then we rely on Article 6(1)(j) as it is in our legitimate interest to do so. Some of the data that we need for these purposes could be Special Category Data. We rely on Article 9(2)(f) for processing necessary to establish, exercise or defend any legal claims.
Purpose of processingFor marketing, advertising and growth purposes. Including managing and sending out mass marketing and direct marketing communications, newsletters and campaigns. For audience matching and to analyse the effectiveness of our marketing efforts. To collect user survey feedback, testimonials and reviews from customers regarding our Services and provide compensation to participants in our user research sessions.
Type of Personal Data
  • Account Data
  • Contact Data
  • Health Profile Data
  • Test Result Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(a) of the UK GDPR where we process your Personal Data (other than Special Category Data) for marketing, advertising and/or growth purposes and we are required to have your consent to do so. For example, for direct marketing purposes or to use non-functional cookies. Alternatively, if the processing relates to activities where we are not required to obtain your consent then we rely on Article 6(1)(j) of the UK GDPR. For example, when a marketing campaign is not targeted to any particular individual but available on our website for everyone (mass marketing). It is in our legitimate interest to grow our business and acquire new customers. Some of the data that we process for these purposes could be Special Category Data. We rely on Article 9(2)(a) for such processing. For example, when we launch products or services that fit with your health goals and you have given us your explicit consent for your health information to be used for marketing purposes.

Thriva+

Thriva+ provides additional features that are not available in our Standard Services such as personalised recommendations, action plans and discounts. It also includes enhanced data insights and the option to seek further guidance by scheduling consultations with either doctors or nutritionists.

All processing purposes under the Standard Services apply. In addition, Thriva+ includes:

Purpose of processingTo process and manage the Thriva+ membership model (where applicable). Including managing payments, tokens, reminders and related tasks and communications. To deliver the Thriva+ additional Services you have ordered from us, including enhanced data insights and booking consultations with nutritionists and/or GPs.
Type of Personal Data
  • Account Data
  • Contact Data
  • Financial Data
  • Health Profile Data
  • Test Result Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(b) of the UK GDPR as we need the Personal Data in order to provide the Thriva+ Services to you. Some of the data that we need for these purposes is Special Category Data. We rely on Article 9(2)(h) of the UK GDPR in relation to your Special Category Data and this processing is done under the responsibility of Thriva’s doctors. For example, we provide enhanced analytics insights as part of Thriva+ Services.
Purpose of processingTo manage and deliver remote consultations that you have booked via our platform with nutritionists and/or doctors.
Type of Personal Data
  • Account Data
  • Contact Data
  • Health Profile Data
  • Test Result Data
  • Technical Data
  • Aggregate Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(b) of the UK GDPR as we need the Personal Data in order to provide the Thriva+ Services to you. Some of the data that we need for these purposes is Special Category Data. We rely on Article 9(2)(h) of the UK GDPR in relation to your Special Category Data and this processing is done under the responsibility of Thriva’s doctors. For example, where you have booked a remote consultation with a doctor we share relevant data, including your Test Result and Health Profile Data, with the doctor and we manage the consultation process and any follow-up (including prescriptions). We may also disclose your health record with your NHS GP but we will always seek your consent prior to doing so.

Thriva in Person

For those that would like an alternative to the standard finger prick collection method we provide an option to attend a clinic or pharmacy and a nurse or phlebotomist will help you collect your sample via a venous draw.

Purpose of processingTo book, manage and coordinate with third party providers for a venous draw appointment
Type of Personal Data
  • Account Data
  • Contact Data
  • Financial Data
Lawful basis for processing, including legitimate interest description where relevantThe lawful basis we rely on to process your Personal Data for these purposes is Article 6(1)(b) of the UK GDPR as we need the Personal Data in order to provide the Thriva in Person Service to you.

Indirect Services

The key difference between direct and indirect services is that our direct Customers have engaged with us directly on our App or Website and our indirect Customers have purchased Services via or in connection with a Partner (for example, where you have purchased tests at a pharmacy or at the recommendation of an independent health practitioner that will also receive a copy of the results). Our Partners will typically incorporate the Services that we offer as part of their wider relationship with you. They may, for example, use the test results to inform their health recommendations or to design a holistic treatment plan. It is the Partner that is your primary contact for contractual purposes.

We carry out all the processing activities listed above for our indirect Services. The only change to the above lists of processing purposes is that we are not able to rely on Article 6(1)(b) as the lawful basis where we do not have a contractual relationship directly with you. In these circumstances, we rely on Article 6(1)(f) instead as it is in our legitimate interest to comply with the contractual provisions in our contract with our Partner so that they can in turn provide their services to you.

We also carry out one additional form of processing and that is sharing the relevant Test Results, Health Profile Data and Aggregate Data with our Partner so that they can provide their services to you. For example, where our Partner is a registered medical professional they sometimes do their own analysis of the Test Result Data so that they can incorporate this into their services. We rely on Article 9(2)(h) of the UK GDPR in relation to your Special Category Data that we share with Partners and this processing is done under the responsibility of Thriva’s doctors.

In addition to the Customer Personal Data, in order to provide the indirect services we also process limited information regarding our Partners. Normally this will just include business contact details and billing details but where our Partner is a sole practitioner or otherwise trading in their personal capacity, we treat their data as Personal Data. The lawful basis we rely on to process Partner Personal Data for these purposes is Article 6(1)(b) of the UK GDPR as we need the Personal Data in order to provide the indirect services and to invoice you for them.

Marketing

We thought it would be helpful to provide some additional information regarding our marketing activities.

We may use your Account, Contact, Technical and Health Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased Products or Services from us and you have not opted out of receiving that marketing.

You can opt to receive general marketing information, such our newsletters, but we will ask for additional consent to provide personalised marketing where we are using any Special Category data as part of the process (in other words, where we use your health data to inform what material we think you might be interested in).

Consenting to marketing is entirely voluntary and you can make full use of our Services without receiving any marketing from us.

If you consent to receiving marketing but later change your mind you can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please click here.

Change of purpose

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

5. DISCLOSURE OF YOUR PERSONAL DATA

To help deliver our services we may share your Personal Data with third parties. We have summarised these below and we require all third parties to respect the security of your Personal Data and to treat it in accordance with the law.

Service providers

We engage other companies to process your Personal Data on our behalf. Some of these third parties are our Processors.

Processors are companies that help us run our business and generally support our IT, supply and service infrastructure. They may process different categories of Personal Data on our behalf depending on what services we have engaged them to provide. We remain responsible for any acts or omissions of our Processors and we undertake due diligence on them (when appropriate depending on the nature of the Personal Data they will access the services they provide) before we give them access to Personal Data. We also execute formal data processing agreements with them. This means that they cannot do anything with your personal information unless we have instructed them to do it.

Some of our service providers are independent Controllers where their roles are not compatible with being a Processor. These include our professional advisors that are required to exercise independent judgement in delivering their services, such as lawyers and self-employed GPs. These service providers are under professional duties of confidence, as well as contractual obligations.

Examples of our service providers (both Processors and Controllers) include:

  • Hosting, technology, analytics and security providers and tooling;
  • Laboratories, including sub-contracted laboratories;
  • Fulfilment partners that build and ship our test kits;
  • Payment processors;
  • our Thriva in Person providers that enable our multichannel blood testing service (finger prick & venous draw) across multiple locations and home-visits;
  • Professional advisors such as lawyers, tax advisors, auditors, accountants and medical consultants.
  • Support and customer services platforms and tools;
  • Platforms that enable booking and direct consultations with GPs or nutritionists; and
  • Marketing and PR consultants, tools and platforms.

We do not allow our service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with the contractual terms governing our relationship.

Partners

This section only applies where we have an indirect relationship with you.

We will share some of your information with our Partner so that they can provide their services to you. The exact category of Personal Data will vary depending on how these services are being delivered (for example, we can host and display the test result directly to you or we can share them with the Partner so they can manage this process). It also depends on whether the Partners are themselves qualified to provide medical reporting or if they have contracted with us to provide reporting and escalation services.

Our Partners are independent Controllers and are under separate legal obligations to provide you with a notice detailing what information they process about you and where they receive the information from. We always try to coordinate with our Partners so that both Thriva’s privacy notice (this notice) and our Partners privacy notice are made available to you. If you have not seen the Partner’s privacy notice then we recommend you ask them for a copy.

External third parties

The final category of recipients that we may be required to share your Personal Data with are external third parties that are not service providers or Partners.

This category includes any third party or parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this privacy policy.

It also includes third parties that we are required to share data with in certain circumstances such as in response to a court order, as part of a legal obligation, regulatory investigation or legal process. This can include parties such as regulators, government agencies, courts and any third parties we have engaged in connection with such requirements.

6. INTERNATIONAL TRANSFERS

Thriva is based in the United Kingdom (“UK”) and we have designed our IT infrastructure so that most of our service providers are also located in the UK. However, some service providers are based abroad and their processing of your Personal Data will involve a transfer of data outside the UK.

Whenever we transfer your Personal Data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring appropriate safeguards are implemented. This includes transferring your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data (such as to companies in the EU that are subject to EU GDPR). Alternatively, where a service provider is located outside of the jurisdictions deemed adequate, we ensure we use specific contracts approved for use in the UK which give Personal Data the same protection it has in the UK.

Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Data out of the UK.

7. DATA SECURITY

Thriva is certified under ISO27001 and we have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and service providers who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. DATA RETENTION

We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Details of retention periods for different aspects of your Personal Data are available in our retention policy which you can request from us by contacting us. In some circumstances you can ask us to delete your data: see the below for further information.

10. CONTACT US

If you have any questions or concerns about your privacy you may contact us at:

Email: DPO@Thriva.co

GLOSSARY

TermDefinition
“App”The mobile application developed and published by Thriva and available in the App Store and Google Play.
“Customer”anyone who is a Thriva user, subscriber, or anyone who is visiting our Website or uses our App
“Controller”Controllers are the main decision-makers and they exercise overall control over the purposes and means of the processing of personal data.
“Lawful Basis”
We have listed the relevant lawful basis that we rely on for the processing of Personal Data. The regulator has provided detailed guidance in relation to each of these grounds and you can access this information here.
“Partners”means our business partners where we provide Services indirectly to Customers. For example, where a Customer has purchased tests at a pharmacy or at the recommendation of an independent health practitioner. Our Partners will also receive a copy of the Customer’s test results and may receive a copy of the doctor report. Our Partners are independant Controllers and will typically incorporate the Services that we offer as part of their wider relationship with the Customer. They may, for example, use the test results to inform their health recommendations or to design a holistic treatment plan. Customers should review the Partner’s privacy notice to understand how they process Personal Data as this is not covered by Thriva’s privacy notice.
“Personal Data”means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
“Services”means all services and products that we provide, as updated from time to time, including:
  • testing kits (finger prick and venous) and related information, posting and tracking services;
  • lab testing, doctor reporting, escalations, doctor and/or nutritionist consultations, supplements and/or prescriptions and related services;
  • data analytics, insights and predictive results to inform your understanding of your health;
  • our Thriva App, including any beta versions; and
  • our Websites.
“Special Categories Data”Is defined in UK GDPR as: The UK GDPR defines special category data as:
  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.
“Website”means www.thriva.co for Customers and https://specialists.thriva.co for Partners.