Privacy

‍

Welcome

Welcome to Thrive Global Holdings, Inc. ("Thrive Global," "Thrive," "we," "us," or "our"). Thrive provides science-backed behavior change solutions designed to improve mental, emotional, and physical wellbeing. Our website ("Site"), mobile application ("App"), and integrations with third-party platforms (such as Slack or Microsoft Teams) enable users ("you," "your," or "Users") to access personalized tools, resources, and content—such as Microsteps, assessments, educational experiences, and behavior-supportive features—that help build sustainable habits and improve overall wellbeing. Collectively, the services we provide through the Site, App, and related digital experiences are referred to as the "Service(s)."

To deliver and improve these Services, we may collect and process various types of information, including personally identifiable information (PII), engagement data (such as how you interact with content and features), behavioral insights, health-related information, and other categories of sensitive data as defined by applicable laws. We do so in accordance with appropriate legal bases and obtain your consent where required.

Thrive is committed to protecting your privacy and handling your data responsibly. We follow principles of privacy and security by design and by default, and we implement appropriate technical and organizational safeguards. Our data practices are designed to comply with applicable privacy regulations including HIPAA, GDPR, CCPA/CPRA, and other regional frameworks that may apply depending on your location and the nature of your interaction with our Services.

Quick Access: Exercise your privacy rights at https://preferences.thriveglobal.com/privacy or see Contact Information below.

Purpose of This Privacy Policy

This Privacy Policy explains what personal data we collect through the Services, how we use and share that data, and your choices concerning our data practices. This Privacy Policy forms part of our Terms and Conditions Agreement, which is available at https://www.thriveglobal.com/terms.

Users in different regions might be subject to different data protection standards and based on their employer Data Protection Agreement (DPA) with Thrive Global. This document includes sections dedicated to the European Economic Area (EEA), United Kingdom (UK), Switzerland, and California consumers and their privacy rights.

Changes to Privacy Policy

We may update this Privacy Policy as Services evolve. Material changes receive email notification 30 days before taking effect. Minor updates are posted with new "Last Updated" dates. Continued use indicates acceptance.

Legal Compliance Framework

We maintain compliance with applicable privacy laws including GDPR, CCPA/CPRA, state privacy laws, and other jurisdictional requirements. Our compliance program includes regular legal reviews, control assessments, and updates to privacy practices as laws evolve. We work with legal advisors to ensure our practices meet current regulatory standards.

Privacy Governance

Our privacy program includes designated privacy officers responsible for privacy compliance, training, and incident response. We conduct regular privacy training for our workforce and maintain accountability measures to ensure ongoing compliance with privacy obligations and protection of your personal information.

Data Protection Principles

We collect, use, and process personal information only for legitimate purposes that align with our business operations and legal obligations. We clearly specify collection purposes at or before collection time, limit collection to necessary data, and employ data minimization principles. We regularly review our data practices to eliminate unnecessary processing and implement technical and organizational measures to protect your privacy.

Principle Access Rights

We are committed to ensuring individuals have appropriate access to their personal information. Upon request, we will provide access to your personal data in a timely manner, subject to identity verification and applicable legal requirements. We may deny access in limited circumstances, such as when required by law or when access would compromise others' privacy.

Privacy Impact Assessments

We conduct privacy impact assessments to identify and mitigate risks to personal information. These assessments evaluate our data processing activities, including new projects, systems, or technologies, to ensure compliance with privacy laws and security requirements. Where risks are identified, we implement appropriate safeguards to protect your data and privacy.

Collection Limitation Details

We limit the collection of personal information to what is necessary for identified purposes. We only collect data that is relevant, adequate, and directly related to legitimate purposes outlined in this policy. Collection occurs through lawful and transparent means, with appropriate notice and consent where required by applicable law.

Legal Basis for Processing

We process personal information based on the following legal bases as applicable under privacy laws:

Consent: Where you have freely given, specific, informed consent for processing activities such as marketing communications or optional data collection.
Contract Performance: Processing necessary to perform our Services contract with you or take steps at your request before entering into a contract.
Legal Obligation: Processing required to comply with applicable laws, regulations, or legal proceedings.
Legitimate Interests: Processing necessary for our legitimate business interests, such as security, fraud prevention, and service improvement, where such interests are not overridden by your privacy rights.

Information We Collect

App Users

Account information: Name, email address, and other contact details
Profile information: Profile photo, biography, country information, and demographic information
App engagement information: Your responses to and interaction with wellbeing surveys, webinars, and learning activities
Health and activity information: Sleep, movement, heart rate, and other wellbeing data—including physical, behavioral, or emotional indicators—only if you choose to provide it directly or through a connected wearable device.
Communications: Messages with us or within the App, including support requests and social features
Note on Minor Users (Aged 13–15): If the Services are made available to dependents or family members aged 13 to 15 through an employer-sponsored or authorized program, Thrive processes their personal information only with verified parental or guardian consent or through consent provided by the sponsoring organization, in compliance with applicable child privacy laws. All such access remains subject to the Children's Privacy section of this Privacy Policy.

Site Users

Personal Data You Provide: Information entered during site registration (email/password) or sent electronically through forms, contact requests, event registrations, or email subscriptions, typically including name, contact details, company information, and phone number

Automatically Collected Data

Log data: IP address, browser type and settings, date/time of requests, and interaction patterns
Cookies: Information from cookies and other technologies (see "Cookies" section)
Device information: Device type, operating system, settings, unique identifiers, and network information
Usage Information: Content viewed, features used, actions taken, user interactions, and usage duration

Regulatory Classification Notice

Thrive's Platform is designed as a general wellbeing solution that helps individuals build healthy habits and improve overall life outcomes. While we may process health-related information when you choose to provide it, our Services:

Are not intended to diagnose, treat, cure, or prevent any disease or medical condition and are not intended to diagnose, treat, or replace advice from a licensed medical professional – if you have concerns about your mental or physical health, please consult a qualified healthcare provider
Do not constitute medical devices under FDA regulations
Provide general wellbeing insights rather than clinical health recommendations
May be offered through employer wellness programs subject to EEOC regulations
When our Services are provided through your employer's wellness program, we comply with all applicable regulations including HIPAA (when acting as a Business Associate), ADA, GINA, and EEOC wellness program requirements.

How We Use Information

Use Limitation Principles

We strictly limit the use of personal information to authorized purposes as defined at the time of collection. Data use remains aligned with original collection justifications and legal bases. We do not process personal information for purposes incompatible with those for which it was originally collected without obtaining appropriate consent or establishing a new lawful basis.

Legitimate Business Interests

Service Enhancement:

Respond to inquiries and fulfill service requests
Customize Services based on usage patterns and preferences
Send administrative information about Services, terms, and policy changes
Provide, maintain and improve content and functionality

Research and Data Management:

Conduct research and provide aggregate, anonymized usage insights
Maintain basic data to prevent unwanted processing after deletion requests

Security and Legal Compliance:

Prevent fraud, criminal activity, and service misuse
Ensure IT systems security and comply with legal obligations
Respond to lawful requests and enforce our Terms and Conditions
Protect our operations, rights, and user safety

AI Systems We Deploy

We utilize Artificial Intelligence (AI) including ML technologies to enhance our Services, classified as:

Limited Risk AI Systems (Transparency Obligations Apply):

Content Generation Systems: AI creating personalized wellbeing content and recommendations
Recommendation Engines: ML algorithms suggesting microsteps and features
Chatbots and Virtual Assistants: AI-powered support tools

Minimal Risk AI Systems:

Fraud Detection: AI identifying suspicious activity and security threats
System Optimization: ML improving app performance and user experience
Analytics Processing: AI generating anonymized usage insights

EU AI Act Compliance

Transparency Measures: Clear disclosure through appropriate notifications when AI is involved in your experience.
Human Oversight: All AI systems operate under meaningful human supervision with qualified personnel monitoring performance and users able to request human intervention.
Accuracy and Robustness: Appropriate measures ensure AI reliability, including performance validation, error and bias monitoring, and continuous improvement.
Risk Management: Risk assessment and mitigation procedures, including system evaluations, capability documentation, and incident response.

Data Governance for AI Training

Training Data: We use anonymized and aggregated user data with privacy and security compliance
Third-Party Models: We do not use your personal data to train external AI models without explicit consent
Data Quality: We implement measures ensuring training data accuracy, representativeness, and bias mitigation

Your AI Rights and Controls

Information Rights: Request details about AI systems significantly affecting you, understand automated decision logic, access training data information
Control Rights: Opt-out of AI personalization, request human review, challenge AI-generated content

Marketing

We may contact you about content, services or products we believe will interest you. Where required by law (such as for EU users), we will only send marketing information with your consent.

Opt-out Options: Follow unsubscribe instructions in emails, update user settings, or contact us.

Service-related communications necessary for delivery are not affected by marketing opt-out preferences.

Update Your Information

We provide appropriate access to personal information upon request, subject to identity verification and legal requirements. We maintain reasonable measures for data accuracy and quality. If you believe information is inaccurate, contact us for corrections.

To exercise privacy rights: Visit https://preferences.thriveglobal.com/privacy or see Contact Information.

Complaint Resolution

We take complaints about our privacy practices seriously. If you have concerns about how we handle your personal information, please contact us using the details in the Contact Information section. We will investigate promptly, acknowledge receipt within seven business days, and aim to resolve issues within 30 days. You may also have the right to lodge a complaint with a supervisory authority.

Participation and Redress Rights

We respect your rights to participate in decisions about your personal information. You may request access to, correction of, or deletion of your data, subject to applicable laws and identity verification. We will respond to requests within reasonable timeframes and provide remedies or explanations as required by law. You have the right to challenge our processing decisions and seek redress through appropriate channels.

Data Privacy Framework

We voluntarily participate in and comply with the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework. We are subject to FTC oversight and remain liable for vendor/service provider processing inconsistent with DPF principles.

Dispute Resolution: Contact us first for DPF complaints. Unresolved complaints are referred to JAMS alternative dispute resolution at no cost to you.

Usage Data and Thrive Global Programs

We derive insights from your Services use and may create aggregated/anonymized data for operational analytics, financial reporting, audit functions, and other business purposes. When processing data from employer wellness programs, we ensure all aggregated reports maintain appropriate de-identification standards to prevent individual re-identification.

For Thrive Programs (webinars, events, contests), participation grants us rights to use submitted content for legitimate business purposes. Participation indicates agreement to these terms.

Sharing and Disclosure of Information

Lawful Business Purpose Sharing

Vendors and Service Providers: We share data with third parties for hosting, email communications, customer support, and analytics (e.g., Google Analytics, Google Cloud, Microsoft Azure). All vendors comply with strict privacy standards through written agreements.

Business Transfers: Personal Data may be transferred in mergers, acquisitions, or asset sales.

Legal Requirements: We may disclose data to comply with legal obligations, protect rights/property, or ensure public safety.

Information Sharing at Your Direction

We may share data when you authorize third-party access or opt to share engagement reports with enterprise customers. You may voluntarily share information with other users through app community features.

General Data Protection Regulation (GDPR), UK GDPR, and Swiss Data Protection Act

Scope and Data Transfers

This section applies to users in the EEA, UK, and Switzerland. When you access our Services, Personal Data is transmitted to our U.S. servers with appropriate safeguards including Standard Contractual Clauses, Data Privacy Framework certifications, and technical/organizational security measures.

Data Controller and Processor Roles

Data Controller: When you provide personal data through our Platform, we determine processing purposes and comply with applicable laws including conducting Data Protection Impact Assessments where required.

Data Processor: When processing data for enterprise clients, we act according to their instructions under applicable processor obligations.

Your Rights Under GDPR

Right of Access: Obtain confirmation of processing and receive copies of your Personal Data
Right to Rectification: Request correction of inaccurate or incomplete personal data
Right to Erasure: Request deletion of your data when certain conditions apply
Right to Restrict Processing: Request that we limit how we use your data
Right to Data Portability: Receive data in a structured, machine-readable format
Right to Object: Object to our processing of your personal data at any time
Right to Withdraw Consent: Withdraw previously given consent at any time
Rights Regarding Automated Decision-Making: Not be subject to decisions based solely on automated processing
Right to Lodge Complaint: File a complaint with your local data protection authority

Access Request Procedures

We provide appropriate access to personal information upon request, subject to identity verification and applicable legal requirements. To request access, contact us using the details in Contact Information. We may deny access in limited circumstances, such as when required by law or when access would compromise others' privacy. We will respond within applicable timeframes and provide explanations for any denials.

Data Subject Rights Procedures

Request Processing: We maintain standardized procedures for handling privacy rights requests, including identity verification, request validation, exception assessment, and response coordination across business units.
Response Timelines: Standard requests receive responses within 30 days, with possible 60-day extensions for complex requests. We will notify you of any delays and provide reasoning.
Verification Requirements: Identity verification may include email confirmation, account authentication, or additional documentation for high-risk requests to prevent fraudulent access.

International Data Transfers

We implement appropriate safeguards including Standard Contractual Clauses, adequacy decisions, and supplementary measures as required by GDPR Article 46. For transfers to countries without adequacy decisions, we conduct transfer impact assessments and implement additional technical and organizational measures including enhanced encryption, access controls, and contractual protections to ensure adequate protection.

Data Retention

We retain Personal Data only as long as necessary for collection purposes, legal compliance, or dispute resolution. Data is securely disposed through industry-standard deletion or anonymization. Retention periods are documented and reviewed annually.

Data Accuracy and Quality

We strive to maintain the accuracy, completeness, and relevance of personal information we hold. We implement reasonable measures to ensure data quality, including updating records when inaccuracies are identified. If you believe your personal information is inaccurate or incomplete, please contact us for corrections using the details in the Contact Information section.

Use Limitations

We use personal information only for the purposes specified at collection and compatible purposes. We do not use your data for unrelated purposes without obtaining appropriate consent or establishing a new lawful basis. Our processing activities are documented and regularly reviewed to ensure continued alignment with stated purposes.

Processing of PHI and HIPAA Compliance

We may process Protected Health Information ("PHI") in compliance with HIPAA. PHI includes health data such as medical history, biometric data, and health-related activity information collected through employer-sponsored wellness programs or when you explicitly choose to provide such information. Processing is strictly limited to supporting our Services under appropriate safeguards, and PHI is only shared with authorized parties under Business Associate Agreements (BAA).

Data Retention Periods

PHI and ePHI Records: 6 years minimum as required by HIPAA § 164.316(b)(2)(i), with state-specific requirements governing where longer periods apply
PHI Audit Logs: 6 years minimum for all systems containing or processing ePHI, including access logs, modification records, and security event logs
HIPAA Documentation: 6 years for all HIPAA compliance documentation including policies, procedures, risk assessments, training records, and incident reports

General Data Retention:

Account data: Active period plus 90 days after deletion for security purposes
Wellbeing tracking data: Until contract termination plus 90 days
Marketing preferences: Until you opt-out, plus any legally required period
Support communications: 1 year to help improve our services
Security logs (non-PHI): 1 year for system protection and incident response
Business records: 7 years as required by financial and tax regulations

Legal Hold Procedures: We may need to keep data longer if required for legal proceedings, investigations, or regulatory matters. These legal holds take priority over standard deletion timelines until our legal team releases them.

Sub-processors

The following is our complete list of sub-processors and third-party processors, each bound by strict privacy and security requirements through written agreements. This list is regularly updated; you can join our mailing list to be notified of changes.

All Services:

Coda* - User Engagement and Project Management - 888 Villa St, Floor 4, Mountain View, CA 94041
Datagrail - Privacy Automation - 164 Townsend Street, Suite 12, San Francisco, CA 94107 US
Fivetran - Data ETL Pipeline - 405 14th St floor 11, Oakland, CA 94612 US
Google Cloud Platform - Data Warehouse - 1600 Amphitheatre Pkwy Mountain View, CA 94043 US
Google Workspace* - Content Creation - 1600 Amphitheatre Pkwy Mountain View, CA 94043 US
HubSpot - Email Marketing - 25 First Street, 2nd Floor Cambridge, MA 02141
Looker - Data Analytics - 101 Church Street, 4th Floor, Santa Cruz, CA 95060 US
Microsoft Azure - Cloud Hosting Provider - One Microsoft Way, Redmond, WA 980527 US
Rethink Autism* - Neurodivergent Care Provider - 49 West 27th Street, New York, NY 10001
Salesforce - Customer Relationship Management - The Landmark @ One Market, Suite 300 San Francisco, CA 94105 US
Segment - User Analytics - 100 California Street, Suite 700 San Francisco, CA 94111 US
Typeform* - Survey Platform - Calle de Pallars 108 (Aticco), 08018 – Barcelona (Spain)
Zapier* - Workflow Automation - 548 Market St. #62411, San Francisco, CA 94104
Zendesk - User Support Software - 450 Park Ave S, New York, NY 10016

Site Only Subprocessors:

Webflow - Marketing Website Host - 398 11th Street, 2nd Floor, San Francisco, CA 94103

App Only Subprocessors:

Amazon Web Services* - SFTP - 410 Terry Avenue North, Seattle, WA 98109 US
Datadog - Infrastructure and Security Monitoring Platform - 620 8th Avenue, Floor 45, New York, NY 10018
HumanAPI* - Wearables Integration - 951 Mariners Island Blvd., Suite 300
Qualtrics - Survey Platform - 333 W River Park Dr, Provo, UT 84604, US
Mailgun Transactional Email - 112 E Pecan Street, San Antonio, TX 78205 US

*May not be applicable to all Users

Privacy Requirements for Contractors and Processors

All contractors and processors comply with strict standards through written agreements mandating GDPR, CCPA, and HIPAA adherence, appropriate security measures, 72-hour breach notifications, regular audits, and data return/destruction upon termination.

Privacy Incident Reporting

We maintain transparent reporting mechanisms to document and address privacy-related incidents, inquiries, and compliance activities. We regularly review our privacy practices and report to relevant stakeholders, including regulators, as required by law. In the event of a data breach, we will notify affected individuals and authorities promptly, in accordance with applicable legal obligations.

California Privacy Disclosure

Do Not Track and CCPA

We do not respond to "Do Not Track" signals. We do not sell personal information for monetary consideration, but California law's broad definition of "sale" requires disclosure of cookie data sharing with third-party providers.

California Consumer Rights

Information Rights: Categories and sources of personal information collected, processing purposes, third-party sharing categories, and business disclosure purposes.

Control Rights: Opt-out from data "sale," request deletion (subject to exceptions), and non-discrimination for exercising rights.

How to Exercise Rights: Visit https://preferences.thriveglobal.com/privacy or see Contact Information.

Children's Privacy

Thrive's Services are intended for use by individuals 16 years of age or older through employer-sponsored programs. We do not knowingly collect personal information from children under the age of 16 without appropriate consent from a parent, guardian, or authorized employee of the participating organization. If we become aware that personal information has been collected from a child without the necessary consent, we will delete such information promptly and take steps to prevent future collection. For users under the age of 18, access to the Services may require parent or guardian permission, consistent with applicable laws such as COPPA (Children's Online Privacy Protection Act), CCPA/CPRA, and GDPR. Thrive does not market its Services directly to children and does not permit self-registration by minors. If you believe we may have collected information from a child in violation of this section, please contact us immediately at privacy@thriveglobal.com.

HIPAA Compliance Program

HIPAA Regulatory Compliance

Privacy Rule Compliance: We maintain compliance with HIPAA Privacy Rule requirements including individual rights, minimum necessary standards, notice of privacy practices, and administrative, physical, and technical safeguards.
Security Rule Compliance: We implement required and addressable implementation specifications under the HIPAA Security Rule, with documented decisions regarding addressable specifications based on risk assessments and organizational capabilities.
Enforcement and Penalties: We recognize HIPAA enforcement authority of the Department of Health and Human Services Office for Civil Rights and maintain compliance programs to prevent violations that could result in civil monetary penalties or criminal prosecution.
State Law Compliance: We comply with applicable state privacy and security laws that may provide additional protections for health information beyond HIPAA requirements.

Privacy Officer and Security Officer

Privacy Officer: Responsible for developing, implementing, and maintaining privacy policies and procedures, conducting privacy training, investigating complaints, and ensuring compliance with HIPAA Privacy Rule requirements.

Security Officer: Responsible for developing, implementing, and maintaining security policies and procedures, conducting security training, managing access controls, and ensuring compliance with HIPAA Security Rule requirements.

Business Associate Management

Business Associate Agreements (BAAs): All vendors, contractors, and subprocessors handling PHI on our behalf must execute Business Associate Agreements that include:

Permitted uses and disclosures of PHI
Safeguards to prevent unauthorized use or disclosure
Breach notification requirements
PHI return or destruction upon contract termination
Compliance monitoring and audit rights

Subcontractor Oversight: Business associates must obtain our approval before engaging subcontractors and ensure appropriate BAA execution with all PHI-handling subcontractors.

HIPAA Risk Assessment and Compliance Monitoring

Annual Risk Assessments: We conduct risk assessments annually to identify vulnerabilities, assess current safeguards, and determine additional security measures needed for ePHI protection.

Workforce Training: All workforce members receive HIPAA privacy and security training upon hire and annually thereafter, with role-specific training for personnel with PHI access responsibilities.

Compliance Monitoring: We maintain ongoing compliance monitoring through:

Regular audit log reviews and access monitoring
Quarterly access control reviews and privilege validation
Annual policy and procedure reviews and updates
Incident tracking and corrective action management

Minimum Necessary Standard: We limit PHI use, disclosure, and requests to the minimum necessary to accomplish the intended purpose, except for disclosures to the individual, or when specifically authorized.

Individual Rights Under HIPAA: You have the right to:

Access and obtain copies of your PHI
Request amendments to inaccurate or incomplete PHI
Request restrictions on PHI use or disclosure
Request confidential communications
Receive an accounting of PHI disclosures
File complaints regarding PHI handling

HIPAA Security Safeguards

Administrative Safeguards:

Designated HIPAA Security Officer responsible for ePHI security
Workforce training and access management procedures
Information access management based on minimum necessary principles
Security incident procedures and contingency planning
Regular security evaluations and risk assessments

Physical Safeguards:

Facility access controls restricting physical access to ePHI systems
Device and media controls for ePHI creation, receipt, and maintenance
Secure disposal procedures for ePHI-containing devices and media

Technical Safeguards:

Unique user identification and automatic logoff procedures
Encryption of ePHI at rest (AES-256) and in transit (TLS 1.2+)
Audit controls tracking ePHI access and modifications
Integrity controls preventing unauthorized ePHI alteration
Transmission security for ePHI communications

Security

We regularly review and update our security practices to meet evolving threats and regulatory expectations. While we take strong measures to safeguard your information, no Internet or email transmission is fully secure. Please use caution when sharing sensitive information via email or through open communication channels. Thrive cannot guarantee the actions of other users with whom you choose to share information, and we are not responsible for any circumvention of privacy settings or security features within the Services. For additional information on Thrive security posture and certification please see https://thriveglobal.com/security

Cookies

We use cookies and other technologies to operate Services, enhance user experience, and gather usage data.

Cookie Types

Necessary Cookies (Always Active):

HubSpot: Privacy preferences (__hs_do_not_track, __hs_cookie_cat_pref)
Cloudflare: Security protection (_cfuvid)

Functionality Cookies (Optional):

Spotify: Music preferences (sp_landing, sp_t)

Analytics Cookies (Optional):

HubSpot: Usage tracking (hubspotutk, __hstc, __hssrc, __hssc)
Thrive Global: Engagement tracking (ajs_anonymous_id)
Google Analytics: Traffic analysis (_gat_gtag_UA_87667366_5, _ga_C4ZNYJBEB7, _ga_0S15647RW6, _ga, _gid)
Rippling: Performance monitoring (__cf_bm)
YouTube: Video analytics (YSC)
WordPress Engine: Functionality testing (wordpress_test_cookie)

Advertisement Cookies (Optional):

YouTube: Ad personalization (VISITOR_INFO1_LIVE)

Your Choices

Most browsers allow cookie control through settings. Limiting cookies may affect site functionality. Mobile device tracking control may be limited.

Links to Other Websites

The Services may contain links to Third Party Sites not controlled by us. Third Party Site information sharing is governed by their privacy policies, not ours. We do not imply endorsement of linked sites.

Contact Information

Mailing Address

Thrive Global Holdings, Inc.
599 Broadway, 6th Floor
New York, NY 10012

Tel: 1-888-700-8474

EU/UK/Swiss Residents (DataRep)

Online form: www.dpr.eu.com/thriveglobal
Email: thriveglobal@datarep.com
Ireland: DataRep, Phoenix House, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Iceland: DataRep, Laugavegur 13, 101 Reykjavik, Iceland

Thrive Privacy Policy