Privacy Policy

Last updated: May 2026

Thrivr ("Thrivr", "we", "our", "us") — a sole trader based in the United Kingdom — is the controller of personal data processed through the Thrivr mobile application. We are committed to protecting your privacy and handling your data lawfully, fairly and transparently in line with the UK GDPR, the Data Protection Act 2018 and equivalent global privacy regimes (including the EU GDPR and the California Consumer Privacy Act).

1. What we collect

We collect:

  • Account data — name, email address and authentication credentials.
  • Content you create — your vision statement, goals and sub-goals, character qualities and ratings, kickstart responses, daily check-ins, intentions and the letter to your future self.
  • Usage data — check-in history, streaks, articles read, your Thrivr Score and milestones.
  • Device data — device type, operating system, app version, language and time zone.
  • Subscription and purchase data — managed by Apple App Store or Google Play; we receive a receipt confirming the active tier but never your payment card details.
  • Push notification identifiers — held by OneSignal so we can send the daily reminder and kickstart cycle if you opt in.

2. Why we process this data

We process your data:

  • To deliver the Thrivr service you have signed up for (lawful basis: performance of a contract).
  • To personalise your experience — quiz scoring, recommendations and progress narratives (legitimate interest, balanced with your rights).
  • To send the notifications you have enabled (consent, which you can withdraw at any time in the You tab).
  • To comply with legal obligations such as tax and consumer law (legal obligation).

3. Sharing your data

We do not sell your data. We only share it with the processors required to run the app:

  • Supabase Inc. — secure database hosting and authentication. Data is encrypted in transit and at rest.
  • OneSignal — push notification delivery (you can disable this at any time).
  • Apple and Google — subscription billing and receipt validation.

We may also disclose data where we are legally required to (for example, in response to a valid court order), or as needed to protect the safety of our users.

Compassion International

10% of every subscription is donated to Compassion International. We share aggregated financial information only — never your name, email or content.

4. International transfers

Your data is primarily stored in the EU. Where any processor (such as OneSignal) is located outside the UK or EU, we rely on the UK addendum to the EU Standard Contractual Clauses to safeguard the transfer.

5. How long we keep your data

We keep your account data for as long as your account is active. When you delete your account from the You tab, we delete your data within 30 days, except where we are legally required to retain it (for example, financial records for HMRC). Aggregated, anonymised data may be retained for analytics.

6. Your rights

Under the UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased ("the right to be forgotten").
  • Restrict or object to processing.
  • Data portability — receive a copy of your data in a structured format.
  • Withdraw consent at any time (for example, for notifications).
  • Lodge a complaint with the Information Commissioner's Office (ico.org.uk) if you believe we have mishandled your data.

To exercise any of these rights, email hello@thrivr.app. We will respond within one calendar month.

If you are in the EU, EEA or Switzerland, the same rights apply under the EU GDPR. If you are in California, you have additional rights under the CCPA including the right to know what categories of data we collect and a right to non-discrimination for exercising those rights.

7. Children

Thrivr is not directed at people under 16. If you believe a child has signed up, contact us and we will delete the account.

8. Security

We use industry-standard encryption (TLS in transit, AES at rest) and Supabase Row Level Security so that one user cannot access another user's data. No system is perfectly secure — please choose a strong, unique password.

9. Changes to this policy

We may update this policy as the app evolves. If we make material changes we will notify you within the app at least 14 days before they take effect.

10. Contact

Privacy questions, requests and complaints: hello@thrivr.app Postal address available on request.