Welcome to Thrive Global Holdings, Inc. ("Thrive Global," "Thrive," "we," "us," or "our"). Thrive provides science-backed behavior change solutions designed to improve mental, emotional, and physical wellbeing. Our website ("Site"), mobile application ("App"), and integrations with third-party platforms (such as Slack or Microsoft Teams) enable users ("you," "your," or "Users") to access personalized tools, resources, and content—such as Microsteps, assessments, educational experiences, and behavior-supportive features—that help build sustainable habits and improve overall wellbeing. Collectively, the services we provide through the Site, App, and related digital experiences are referred to as the "Service(s)."
To deliver and improve these Services, we may collect and process various types of information, including personally identifiable information (PII), engagement data (such as how you interact with content and features), behavioral insights, health-related information, and other categories of sensitive data as defined by applicable laws. We do so in accordance with appropriate legal bases and obtain your consent where required.
Thrive is committed to protecting your privacy and handling your data responsibly. We follow principles of privacy and security by design and by default, and we implement appropriate technical and organizational safeguards. Our data practices are designed to comply with applicable privacy regulations including HIPAA, GDPR, CCPA/CPRA, and other regional frameworks that may apply depending on your location and the nature of your interaction with our Services.
Quick Access: Exercise your privacy rights at https://preferences.thriveglobal.com/privacy or see Contact Information below.
This Privacy Policy explains what personal data we collect through the Services, how we use and share that data, and your choices concerning our data practices. This Privacy Policy forms part of our Terms and Conditions Agreement, which is available at https://www.thriveglobal.com/terms.
Users might be subject to different data protection standards depending on their region and on their employer's Data Protection Agreement (DPA) with Thrive Global. This document includes sections dedicated to the European Economic Area (EEA), United Kingdom (UK), Switzerland, and California consumers and their privacy rights.
We may update this Privacy Policy as Services evolve. Material changes receive email notification 30 days before taking effect. Minor updates are posted with new "Last Updated" dates. Continued use indicates acceptance.
We maintain compliance with applicable privacy laws including GDPR, CCPA/CPRA, state privacy laws, and other jurisdictional requirements. Our compliance program includes regular legal reviews, control assessments, and updates to privacy practices as laws evolve. We work with legal advisors to ensure our practices meet current regulatory standards.
Our privacy program includes designated privacy officers responsible for privacy compliance, training, and incident response. We conduct regular privacy training for our workforce and maintain accountability measures to ensure ongoing compliance with privacy obligations and protection of your personal information.
We collect, use, and process personal information only for legitimate purposes that align with our business operations and legal obligations. We clearly specify collection purposes at or before collection time, limit collection to necessary data, and employ data minimization principles. We regularly review our data practices to eliminate unnecessary processing and implement technical and organizational measures to protect your privacy.
We are committed to ensuring individuals have appropriate access to their personal information. Upon request, we will provide access to your personal data in a timely manner, subject to identity verification and applicable legal requirements. We may deny access in limited circumstances, such as when required by law or when access would compromise others' privacy.
We conduct privacy impact assessments to identify and mitigate risks to personal information. These assessments evaluate our data processing activities, including new projects, systems, or technologies, to ensure compliance with privacy laws and security requirements. Where risks are identified, we implement appropriate safeguards to protect your data and privacy.
We limit the collection of personal information to what is necessary for identified purposes. We only collect data that is relevant, adequate, and directly related to legitimate purposes outlined in this policy. Collection occurs through lawful and transparent means, with appropriate notice and consent where required by applicable law.
We process personal information based on the following legal bases as applicable under privacy laws:
Thrive's Platform is designed as a general wellbeing solution that helps individuals build healthy habits and improve overall life outcomes. While we may process health-related information when you choose to provide it, our Services:
We strictly limit the use of personal information to authorized purposes as defined at the time of collection. Data use remains aligned with original collection justifications and legal bases. We do not process personal information for purposes incompatible with those for which it was originally collected without obtaining appropriate consent or establishing a new lawful basis.
Service Enhancement:
We utilize Artificial Intelligence (AI) including ML technologies to enhance our Services, classified as:
Limited Risk AI Systems (Transparency Obligations Apply):
Minimal Risk AI Systems:
We may contact you about content, services or products we believe will interest you. Where required by law (such as for EU users), we will only send marketing information with your consent.
Opt-out Options: Follow unsubscribe instructions in emails, update user settings, or contact us.
Service-related communications necessary for delivery are not affected by marketing opt-out preferences.
We provide appropriate access to personal information upon request, subject to identity verification and legal requirements. We maintain reasonable measures for data accuracy and quality. If you believe information is inaccurate, contact us for corrections.
To exercise privacy rights: Visit https://preferences.thriveglobal.com/privacy or see Contact Information.
We take complaints about our privacy practices seriously. If you have concerns about how we handle your personal information, please contact us using the details in the Contact Information section. We will investigate promptly, acknowledge receipt within seven business days, and aim to resolve issues within 30 days. You may also have the right to lodge a complaint with a supervisory authority.
We respect your rights to participate in decisions about your personal information. You may request access to, correction of, or deletion of your data, subject to applicable laws and identity verification. We will respond to requests within reasonable timeframes and provide remedies or explanations as required by law. You have the right to challenge our processing decisions and seek redress through appropriate channels.
We voluntarily participate in and comply with the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework. We are subject to FTC oversight and remain liable for vendor/service provider processing inconsistent with DPF principles.
Dispute Resolution: Contact us first for DPF complaints. Unresolved complaints are referred to JAMS alternative dispute resolution at no cost to you.
We derive insights from your Services use and may create aggregated/anonymized data for operational analytics, financial reporting, audit functions, and other business purposes. When processing data from employer wellness programs, we ensure all aggregated reports maintain appropriate de-identification standards to prevent individual re-identification.
For Thrive Programs (webinars, events, contests), participation grants us rights to use submitted content for legitimate business purposes. Participation indicates agreement to these terms.
Vendors and Service Providers: We share data with third parties for hosting, email communications, customer support, and analytics (e.g., Google Analytics, Google Cloud, Microsoft Azure). All vendors comply with strict privacy standards through written agreements.
Business Transfers: Personal Data may be transferred in mergers, acquisitions, or asset sales.
Legal Requirements: We may disclose data to comply with legal obligations, protect rights/property, or ensure public safety.
We may share data when you authorize third-party access or opt to share engagement reports with enterprise customers. You may voluntarily share information with other users through app community features.
This section applies to users in the EEA, UK, and Switzerland. When you access our Services, Personal Data is transmitted to our U.S. servers with appropriate safeguards including Standard Contractual Clauses, Data Privacy Framework certifications, and technical/organizational security measures.
Data Controller: When you provide personal data through our Platform, we determine processing purposes and comply with applicable laws including conducting Data Protection Impact Assessments where required.
Data Processor: When processing data for enterprise clients, we act according to their instructions under applicable processor obligations.
We provide appropriate access to personal information upon request, subject to identity verification and applicable legal requirements. To request access, contact us using the details in Contact Information. We may deny access in limited circumstances, such as when required by law or when access would compromise others' privacy. We will respond within applicable timeframes and provide explanations for any denials.
We implement appropriate safeguards including Standard Contractual Clauses, adequacy decisions, and supplementary measures as required by GDPR Article 46. For transfers to countries without adequacy decisions, we conduct transfer impact assessments and implement additional technical and organizational measures including enhanced encryption, access controls, and contractual protections to ensure adequate protection.
We retain Personal Data only as long as necessary for collection purposes, legal compliance, or dispute resolution. Data is securely disposed of through industry-standard deletion or anonymization. Retention periods are documented and reviewed annually.
We strive to maintain the accuracy, completeness, and relevance of personal information we hold. We implement reasonable measures to ensure data quality, including updating records when inaccuracies are identified. If you believe your personal information is inaccurate or incomplete, please contact us for corrections using the details in the Contact Information section.
We use personal information only for the purposes specified at collection and compatible purposes. We do not use your data for unrelated purposes without obtaining appropriate consent or establishing a new lawful basis. Our processing activities are documented and regularly reviewed to ensure continued alignment with stated purposes.
We may process Protected Health Information ("PHI") in compliance with HIPAA. PHI includes health data such as medical history, biometric data, and health-related activity information collected through employer-sponsored wellness programs or when you explicitly choose to provide such information. Processing is strictly limited to supporting our Services under appropriate safeguards, and PHI is only shared with authorized parties under Business Associate Agreements (BAA).
Legal Hold Procedures: We may need to keep data longer if required for legal proceedings, investigations, or regulatory matters. These legal holds take priority over standard deletion timelines until our legal team releases them.
The following is our complete list of sub-processors and third-party processors, each bound by strict privacy and security requirements through written agreements. This list is regularly updated; you can join our mailing list to be notified of changes.
*May not be applicable to all Users
All contractors and processors comply with strict standards through written agreements mandating GDPR, CCPA, and HIPAA adherence, appropriate security measures, 72-hour breach notifications, regular audits, and data return/destruction upon termination.
We maintain transparent reporting mechanisms to document and address privacy-related incidents, inquiries, and compliance activities. We regularly review our privacy practices and report to relevant stakeholders, including regulators, as required by law. In the event of a data breach, we will notify affected individuals and authorities promptly, in accordance with applicable legal obligations.
We do not respond to "Do Not Track" signals. We do not sell personal information for monetary consideration, but California law's broad definition of "sale" requires disclosure of cookie data sharing with third-party providers.
Information Rights: Categories and sources of personal information collected, processing purposes, third-party sharing categories, and business disclosure purposes.
Control Rights: Opt-out from data "sale," request deletion (subject to exceptions), and non-discrimination for exercising rights.
How to Exercise Rights: Visit https://preferences.thriveglobal.com/privacy or see Contact Information.
Thrive's Services are intended for use by individuals 16 years of age or older through employer-sponsored programs. We do not knowingly collect personal information from children under the age of 16 without appropriate consent from a parent, guardian, or authorized employee of the participating organization. If we become aware that personal information has been collected from a child without the necessary consent, we will delete such information promptly and take steps to prevent future collection. For users under the age of 18, access to the Services may require parent or guardian permission, consistent with applicable laws such as COPPA (Children's Online Privacy Protection Act), CCPA/CPRA, and GDPR. Thrive does not market its Services directly to children and does not permit self-registration by minors. If you believe we may have collected information from a child in violation of this section, please contact us immediately at privacy@thriveglobal.com.
Privacy Officer: Responsible for developing, implementing, and maintaining privacy policies and procedures, conducting privacy training, investigating complaints, and ensuring compliance with HIPAA Privacy Rule requirements.
Security Officer: Responsible for developing, implementing, and maintaining security policies and procedures, conducting security training, managing access controls, and ensuring compliance with HIPAA Security Rule requirements.
Business Associate Agreements (BAAs): All vendors, contractors, and subprocessors handling PHI on our behalf must execute Business Associate Agreements that include:
Subcontractor Oversight: Business associates must obtain our approval before engaging subcontractors and ensure appropriate BAA execution with all PHI-handling subcontractors.
Annual Risk Assessments: We conduct risk assessments annually to identify vulnerabilities, assess current safeguards, and determine additional security measures needed for ePHI protection.
Workforce Training: All workforce members receive HIPAA privacy and security training upon hire and annually thereafter, with role-specific training for personnel with PHI access responsibilities.
Compliance Monitoring: We maintain ongoing compliance monitoring through:
Minimum Necessary Standard: We limit PHI use, disclosure, and requests to the minimum necessary to accomplish the intended purpose, except for disclosures to the individual, or when specifically authorized.
Individual Rights Under HIPAA: You have the right to:
We regularly review and update our security practices to meet evolving threats and regulatory expectations. While we take strong measures to safeguard your information, no Internet or email transmission is fully secure. Please use caution when sharing sensitive information via email or through open communication channels. Thrive cannot guarantee the actions of other users with whom you choose to share information, and we are not responsible for any circumvention of privacy settings or security features within the Services. For additional information on Thrive's security posture and certification, please see https://thriveglobal.com/security.
We use cookies and other technologies to operate Services, enhance user experience, and gather usage data.
Necessary Cookies (Always Active):
Functionality Cookies (Optional):
Analytics Cookies (Optional):
Advertisement Cookies (Optional):
Most browsers allow cookie control through settings. Limiting cookies may affect site functionality. Mobile device tracking control may be limited.
The Services may contain links to Third Party Sites not controlled by us. Third Party Site information sharing is governed by their privacy policies, not ours. We do not imply endorsement of linked sites.
Thrive Global Holdings, Inc.
599 Broadway, 6th Floor
New York, NY 10012
Tel: 1-888-700-8474
© 2025 Thrive Global Holdings, Inc. All rights reserved.