We know that your data is extremely personal and private to you, and we take data protection very seriously.

We are thrilled that Thriva has recently become CQC registered. Thriva is now able to support users to better understand and improve their health by offering regulated medical services in addition to our existing testing services - from conducting a blood test, through to this test being reviewed by a GP, having a GP video consultation to discuss the results, to the GP’s diagnosis and prescription, and ongoing support. 

Our new regulatory status also means we need to change some aspects of how we handle your personal data. 

Who is CQC?

CQC is the independent regulator of health and social care in England. It monitors, inspects, rates and regulates clinical services.

What does our recent CQC registration mean for you?

Thriva’s new CQC registration means we have to update our privacy notice. We’re making these changes to align how we handle personal data with the new regulatory requirements that apply to us as a CQC regulated entity. The key changes include:

We are changing the lawful basis and special category conditions that we rely on to process health data 

  • Previously, Thriva relied on consent and explicit consent as the lawful basis and special category condition for processing your health data under data protection law.
  • As of 28th Nov 2023, we will rely on a combination of different Article 6 lawful bases for different processing activities. These will primarily be performance of a contract, compliance with a legal obligation and legitimate interest.
  • We are also changing the Article 9 special category condition from explicit consent to provision of healthcare systems and services.
  • Because we draw on historic data to show you changes to your test results over time, these changes will apply retrospectively to your old health data as well as new health data. 

Our new processing activities

  • We have also updated our privacy notice to provide you with additional clarity on our processing activities. You can review the updated notice here and the older notice here.
  • We will be undertaking additional processing activities as part of the new regulated services where you opt to make use of these services (including the option to consult with GPs regarding your test results and receive a medical prescription).
  • We have also added new processing activities so that we can provide you with a reliable, high quality service.

Other regulatory requirements

Our home blood testing kits are CE-marked. This means everything in our kits meets health and safety requirements within the European Economic Area (EEA).

Our team of NHS doctors, data scientists and clinicians use the power of technology to ensure that everything we do is safe and credible. Our medical device products are also regulated by the MHRA.

Our class 1 medical software device draws on data from more than 500 peer-reviewed scientific publications to provide relevant and personalised health information. Doc-chain combines data — such as blood results and self-inputted health data — with the latest evidence to deliver health insights to users. This information allows better understanding of blood results, and their importance for health. Doc-chain also delivers scientifically-backed interventions, which include next steps on how you can make improvements to your health. Increasing health knowledge empowers users to take better control of their health, which is the first step to improving health outcomes.

Opting out

Thriva is committed to allowing our customers control over what happens to their personal data. If these changes aren’t for you, you can opt out by clicking here to delete your account. You may wish to download your test results before deleting your account.


Thriva takes extensive measures to ensure the security of our services and protect the data of our customers.

Our standards

Thriva has achieved and maintains an ISO 27001 certification, the international standard for managing information security.

Vulnerability disclosure

Thriva encourages anyone who believes they have found a security bug or vulnerability in any of the applications or services we create or use to report it to

When investigating and reporting an issue, please:

  • Include as much detail as possible such as: website, IP or page where the vulnerability can be observed; a brief description of the type of vulnerability; steps to reproduce the issue
  • Comply with applicable laws and regulations
  • Do not attempt to modify any data or access personal data of our customers
  • Do not use any tools or take any actions that are likely to impact the availability or integrity of our services
  • Do not share the vulnerability information beyond Thriva, without Thriva's written consent

Thriva values the expertise and effort of those who take the time to report vulnerabilities. Thriva will respond to anyone who has submitted a valid report. You are welcome to ask about the status of a vulnerability report.

At this time, Thriva does not operate a bug bounty programme or provide monetary rewards for vulnerability disclosures.


Your data is in safe hands. We use the latest encryption technologies and continually assess our GDPR compliance.