Privacy Policy & Cookies

Information about how we handle personal data

1. Introduction

We are Thrive.App Ltd. You can find further details about us and how to contact us in section 11. In this notice, “we”, “us” and “our” refer to Thrive.App Ltd. This notice explains how we handle the personal data we obtain in the course of our business activities, which includes personal data relating to individual personnel and representatives of our clients, visitors to our website, people that communicate with us and end users of the mobile apps our clients build and make available from our platform. We process different types of personal data for different purposes depending on whether we are processing personal data on our own behalf as a ‘controller’ or as a service provider on behalf of our clients as a ‘processor’. (A ‘controller’ is a person or entity that determines why and how personal data is processed. A ‘processor’ or ‘agent’ is a person or entity that processes personal data on behalf of a controller on the controller’s instructions.)

2. Our processing of personal data as a controller

Types of personal data we process We process the following types of personal data relating to individual personnel and representatives of our clients, website visitors and people that communicate with us, as a controller: - Usage data: data about website visitors’ use of our website and services, such as IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths. This data is collected automatically by our analytics tracking system. - Client contact data: data relating to our clients’ personnel and representatives that we obtain in connection with entering into and performing contracts for the provision of our services to clients, such as names, business email addresses, postal addresses and telephone numbers and job titles. This data might be provided by you directly and/or by other personnel or representatives of your organisation. - Account data: data relating to our clients’ personnel and representatives collected in connection with setting up client accounts to enable access to our services, such as names, usernames and email addresses. This might be provided by you directly and/or by other personnel or representatives of your organization, for example via user validation lists/files supplied by a client, user on boarding forms within Thrive.App Ltd platform or integration with a client’s single sign-on system. - Correspondence data: data contained in or relating to any communications we receive such as via email or our various website contact forms, including any personal data contained in the communication content, address and contact details and any metadata associated with the communication (such as the date and time of your communication or information automatically collected about your device and browser when you use our website contact form). - Marketing data: data we obtain for marketing purposes such as names and business email addresses comprised in client contact data and marketing opt-in requests, marketing preferences and other information obtained in connection with marketing opt-in or opt-out requests.

Core processing purposes

The purposes for which we use personal data in the normal course of our business, the types of personal data we use for those purposes and our legal bases for doing so are set out in the table below. An explanation of what the different legal bases mean can be viewed here. Purposes of processing Types of personal data Legal basis Analysing use of our website Usage data Our legitimate interests in monitoring, improving and protecting our website, network, systems and data Entering into contracts and communicating with clients and their personnel or representatives in connection with performing contracts Client contact data The legitimate interests of us and our clients in entering into and performing contracts for providing and receiving requested services Enabling and controlling online access to our services, e.g. validating access to, and assigning permissions within, The Thrive.App Ltd platform and the mobile apps Account data Our legitimate interests in enabling our clients to access and use our services and ensuring the security of our website, network, systems and data Monitoring clients’ use of our services for billing purposes Account data Usage data Our legitimate interests in billing clients for use of our services based upon their usage Billing clients for use of our services Client contact data Our legitimate interests in billing clients for use of our services Communicating with you, for example in response to an enquiry or complaint Correspondence data Our legitimate interests in administering our business, services and website and communicating with clients, potential clients and users of our services Providing clients with (non-marketing) service information relevant to our clients generally, such as any maintenance work or problems affecting access to or use of our services and information regarding upgrades or new releases Client contact data Account data Our legitimate interests in administering our business, services and website and communicating important service information to clients and service users Sending marketing communications (see more on this in the ‘Using personal data for marketing purposes’ section below Marketing data Our legitimate interests in promoting our business, products and services to drive sales and sustain and grow our business.

Using personal data for marketing purposes

We may use marketing data for the purposes of sending marketing communications in the following circumstances: - If you are a representative or personnel of a client of ours - If you have requested marketing communications from us You can opt-out of receiving these communications at any time by using the unsubscribe links made available in every email or by emailing support@thrive.app.

Other processing purposes

In addition to the core processing activities set out above, we may also process personal data if and to the extent necessary for the following purposes: Purpose Legal basis Establishing, exercising or defending legal claims Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of you and others Obtaining or maintaining insurance coverage, managing risks or obtaining professional advice Our legitimate interests in protecting our business against risks Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator. Compliance with a legal obligation in order to protect your vital interests or the vital interests of another natural person Protection of vital interests

Explanation of legal bases

Under EU data protection law, it is only lawful to process personal data if there is a legal basis for doing it, and those legal bases are prescribed by the law. Below is an explanation of the legal bases referred to in this notice. Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation Protection of vital interests: processing of personal data is necessary in order to protect an individual’s vital interests

3. Our processing of personal data as a processor

We are a provider of a software-as-a-service that enables our clients to create and maintain interactive mobile apps using our platform. Once an app has been created, our clients can publish content on the mobile app, send push notifications to end users and view analytics data about use of the app. The end users of our clients’ mobile apps are typically our clients’ staff and/or customers. Personal data relating to end users of our clients’ mobile apps and individuals who are identifiable from content published by our clients via the mobile apps are processed via our platform as a result of our clients’ use of the mobile apps for their own business purposes. This may include the following types of personal data: - contact details: emails and phone numbers - role - postal business addresses - usernames and passwords - unique identifiers relating to end user devices (where clients opt to use push notification tools and end users opt to allow notifications) - tracking/analytics/usage data relating to end users (where clients opt to use usage statistics tools and to the extent that this data enables individuals to be identified) - personal data that may be contained within content published by the client via the mobile app This personal data is processed via our platform for the following purposes: - to enable our clients to use their mobile apps for their business purposes - to enable end users to access content on our clients’ mobile apps - to enable end users to access other client systems where our platform acts as a portal - to authenticate end users of a client’s app onto other software of the client - to enable our clients to send push notifications relating to their apps to end users (where the client has opted to use push notification tools and where the end user has opted to allow notifications) - to enable our clients to collect usage statistics relating to their mobile apps (where the client has opted to use usage statistics tools). We process this personal data as a processor by virtue of our role in managing the platform from which the software is provided to our clients and when providing support services to our clients in relation to their use of the software. Our clients are the controllers of this personal data, and this processing is governed by contracts between us and our clients.

4. Recipients of personal data

We may share the personal data described in this notice with the following categories of recipients, where and to the extent necessary for the purposes described in this notice: - insurers - professional advisers: such as lawyers, accountants, consultants - service providers: such as providers of datacentre, IT infrastructure, banking, payment, accounting, billing, emailing and website analytics services. Our current service providers include: - Microsoft UK, who provide Azure datacentre and IT infrastructure services - Google LLC, our website analytics and Gmail email services provider - SurveyMonkey Europe UC, who provides the various Wufoo forms we use on our website to enable people to make product enquiries and contact us - Zoho CRM, who provide sales process management software that we use for our business purposes - Hubspot Ltd, who provide marketing automation and sales process management software that we use for our business purposes - organisations or individuals engaged by us in the course of providing our services: such as individual consultants or their personal service companies - prospective buyer: if we propose to sell or do sell any business or assets. There may also be circumstances in which we need to share personal data with other organisations or individuals, such as where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above. In all cases, we will only share personal data with such recipients where and to the extent reasonably necessary for the relevant processing purpose and in accordance with applicable data protection law.

5. International transfers of personal data

The personal data described in this notice is stored on servers situated in the United Kingdom and accessed by staff in the United Kingdom. Our use of Google Analytics, Gmail, SurveyMonkey (Wufoo), Zoho and Hubspot involves transfers of personal data to the United States of America. The providers of these services all self-certify to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. The Privacy Shield Frameworks are adequacy decisions of the European Commission and Swiss Government in respect of the transfer and subsequent processing of personal data to and by organisations in the U.S. who self-certify their compliance with the principles set out in those decisions – known as the ‘Privacy Shield Framework Principles’. To learn more about the Privacy Shield Frameworks, see https://www.privacyshield.gov/. Links to the providers’ Privacy Shield certifications are set out below:

Google: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

SurveyMonkey (Wufoo): https://www.privacyshield.gov/participant?id=a2zt0000000Gn7zAAC&status=Active

Zoho Coporation: https://www.zoho.com/privacy/privacyshieldframeworks.html

Hubspot Inc: https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG

In addition to the above, it may become necessary to transfer personal data described in this notice to other organisations based in various countries around the world, including countries outside the EEA, in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for international transfers stipulated by applicable data protection law.

6. Retention of personal data

We will only retain the personal data described in this notice for as long as necessary to fulfil the processing purposes described in this notice. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means and applicable legal requirements. We will apply the following general retention periods and/or retention criteria to the personal data described in this notice: - Usage data: 1 year - Client contact data: 6 years after the relevant client contract has ended - Account data: 6 years after the relevant client contract has ended - Correspondence data: 6 years after the date of the correspondence or termination of the client contract to which the communication relates (whichever is later) - Marketing data: we will continue to use this data until the earlier of the date that we receive an opt-out request or 2 years after the last interaction with the relevant individual, after which time we will retain the email address and marketing preference information to ensure that we do not send marketing to an unsubscribed email address or after the 2 year period described in this paragraph These retention periods are subject to any longer retention periods that may be necessary for compliance with a legal obligation, establishing, exercising or defending legal claims or in order to protect someone’s vital interests.

7. Security of personal data

We will take appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data. We are ISO27001 accredited, meaning that we implement the security measures required in order to achieve such accreditation and certification. Our platform is subject to regular penetration testing by an external body to ensure it has an appropriate level of control against intrusion, and meets and exceeds the L1 Mobile Application Security Verification Standard (MASVS). We will notify you and any applicable regulator of any personal data breach where we are legally required to do so.

8. Your rights

You have a number of different rights you might be able exercise against us in relation to personal data about you that we process. These are rights to: - access, obtain rectification or erasure, restrict processing and object to processing of your personal data - have your personal data ‘ported’ to you or another organisation - complain to a supervisory authority about our processing of your personal data - withdraw consent to our processing of your personal data (where you have given consent) The availability of these rights varies depending on the legal basis that we rely on for processing the relevant personal data. Below we have summarised these rights and explained how you can request to exercise them. Please note that if you are an end user of one of our client’s mobile apps, you should contact that client if you want to exercise any of your data protection rights in relation to the personal data described in section 3 of this notice above. This is because it is the controller, not the processor, who must respond to requests from individuals to exercise their rights under EU data protection law. If you are an end user of one of our client’s mobile apps, we process your personal data as a processor on behalf of the client that makes their mobile app available to you, and that client is the controller of your personal data. Therefore, please contact the client with whom you have a relationship with any requests to exercise your rights. Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee. Rectification: You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. We may need to verify the accuracy of the new data you provide to us. Erasure: You have the right to the erasure of your personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them, you successfully object to our processing, you object to our use of your personal data for direct marketing purposes, we have processed your personal data unlawfully, or an applicable law requires the relevant personal data to be erased. However, there are exclusions to the right to erasure, including where we have overriding legitimate grounds to continue processing the relevant personal data or are required to do so by applicable law or where we need it to establish, exercise or defend a legal claim. Restriction: You have the right to restrict our processing of your personal data where you contest the accuracy of the personal data, our processing is unlawful, we no longer need the personal data for our purposes but you require it to establish, exercise or defend a legal claim, or you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person or for reasons of important public interest or with your consent. Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for the processing. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). Data portability: where our processing of your personal data is based on your consent or performance of a contract and is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others. Complain to an EU supervisory authority: If you consider that our processing of your personal data infringes EU data protection laws, you have a legal right to lodge a complaint with an EU supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. Withdraw consent: where any of our processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal. How to exercise these rights against us: You can exercise any of your rights in relation to your personal data that require any action by us by emailing your request to support@thrive.app, in addition to any other methods specified in this policy. How to complain to an EU supervisory authority: To make a complaint to an EU supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. A list of the EU supervisory authorities can be found here:

https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

Relevant contact details for the UK supervisory authority, the Information Commissioner’s Office (ICO), can be found here: https://ico.org.uk/concerns/.

9. Updating your personal data

Please let us know if any of the personal data that we hold about you needs to be corrected or updated.

10. Our use of cookies and similar storage technologies

What is a cookie? A cookie is a file containing an identifier (a string of letters and numbers) that is sent by our web server to your web browser when you visit our website and is stored by your browser. The identifier is then sent back to our server each time your browser requests a page from our server. Cookies are either “persistent” cookies or “session” cookies: a persistent cookie will be stored by your web browser and remain valid until its set expiry date, unless deleted by you before the expiry date; a session cookie, on the other hand, will expire when you close your web browser. Cookies do not typically contain any information that personally identifies a website user, but we might theoretically be able to identify individuals by linking any personal data we already have with information stored in and obtained from cookies. Web beacons (also known as “tracking pixels” or “clear gifs”) are similar storage technologies. These are tiny graphics files that contain a unique identifier that allow us to measure the effectiveness of our advertising by understanding the actions that people take on our website. Third parties, including Facebook, may use web beacons to collect or receive information from our website and elsewhere on the Internet and use that information to provide measurement services and target ads.

You can choose to accept or decline cookies. You can usually modify your browser setting to decline cookies if you prefer. To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.

Find out how to manage cookies on popular browsers:

To find information relating to other browsers, visit the browser developer's website. To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.

11. Our details

This website is owned and operated by Thrive.App Ltd. We are a private limited company registered in Northern Ireland under company number NI 603525, and our registered office is at Thrive.App Ltd, Innovation Centre Unit 5b, Queens’s Road, Belfast BT3 9DT. We are registered on the Information Commissioner’s Office register of fee payers, under registration number ZA200435. Our designated Data Protection Officer is Thrive.App Ltd Chief Operating Officer who can be contacted at Thrive.App Ltd, Innovation Centre Unit 5b, Queens’s Road, Belfast BT3 9DT or support@thrive.app You can contact us using any of the email addresses, postal addresses or telephone numbers published on our website from time to time. For enquiries relating to this notice or our processing of your personal data, please contact support@thrive.app, which is a dedicated contact address for this purpose.

12. Changes to this notice

We may update this notice from time to time by publishing a new version on our website and, where any changes materially affect you, we will also make reasonable efforts to notify you.