Privacy Policy

Version: 1

Effective Date: 21.03.2025

Jurisdiction: Australia – with international application

1. Introduction

THRVE GROUP PTY LTD (“we”, “us”, or “our”) is an Australian-based entity committed to respecting and protecting the privacy of individuals whose personal information we collect. This Privacy Policy governs the manner in which we handle personal information obtained through our digital platforms, including our mobile application, website, and any associated services (collectively, the “Services”).

 

This Policy is intended to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as relevant international privacy laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) (as amended by the California Privacy Rights Act (CPRA)), the Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), and other applicable regulatory frameworks.

 

By accessing or using our Services, you consent to the practices described in this Privacy Policy.

2. Scope and Application

This Privacy Policy applies to all individuals who interact with our Services worldwide, including through our website or app. It governs the collection, use, storage, processing, and disclosure of any personal information that is voluntarily provided by users or collected by us in connection with the Services.

This Policy also sets out your legal rights with respect to your personal information and the ways in which you may exercise those rights. While some sections of this Policy provide jurisdiction-specific disclosures (e.g., GDPR for EU residents), we are committed to maintaining a high standard of data protection for all users, regardless of location.

3. Types of Information Collected

We may collect the following categories of information:

3.1 Identification and Contact Information

  • Full name
  • Email address
  • Phone number (if provided)

3.2 Profile Information

  • Age or date of birth
  • Gender or gender identity
  • Uploaded photos or avatars (shared within the App community)

3.3 Sensitive Information (with explicit consent)

  • Health and wellness data (e.g. injuries, dietary preferences, chronic conditions)
  • Sexual orientation or gender identity (if provided voluntarily)

3.4 Usage and Technical Data

  • App interaction data (e.g. workouts, logs, preferences)
  • Device information, IP address, browser details
  • Activity and engagement metrics

3.5 Payment Data

  • Payment confirmation details (via Stripe or other payment processors)
  • Subscription and billing history (no full card or banking details are stored by us)

3.6 Communications and Support

  • Information voluntarily disclosed through customer support interactions or surveys

 

We do not collect biometric identifiers (e.g., fingerprints, facial scans, or DNA).

4. Collection Methods and Consent

We only collect personal information that is voluntarily submitted by users via our Services, including:

  • Account registration
  • Profile creation and updates
  • In-app actions 
  • Customer support communications
  • Payments and transactions

All collection of sensitive personal information (e.g., health or sexual orientation data) is conducted with the user’s explicit, informed consent, obtained at the time of entry. Consent may be withdrawn at any time by contacting us or modifying preferences within the App.

We do not collect personal information through automated scraping, third-party sources, or covert methods.

5. Purpose of Collection and Lawful Basis

We collect and use personal information for the following purposes:

  • To provide core Services, including app functionality, customisation of content, and delivery of personalised wellness plans.
  • To enhance user experience, including user-specific recommendations and tracking features.
  • To support community features, where applicable, such as public profiles or shared goals.
  • To communicate with users, including notifications, support, and promotional updates (subject to opt-in).
  • To process payments, manage subscriptions, and issue invoices or receipts.
  • To ensure compliance with applicable legal obligations, regulatory standards, or contractual duties.
  • To maintain security, detect fraud, and ensure the integrity of our systems.

 

Lawful Bases (for GDPR and similar frameworks)

Where required, we rely on one or more of the following lawful bases:

  • Consent
  • Performance of a contract
  • Compliance with legal obligations
  • Legitimate interests (e.g. product improvement, fraud prevention)

6. Disclosure of Personal Information

We may disclose your personal information to:

6.1 Service Providers

Including but not limited to:

  • Third-party cloud infrastructure services for secure databases
  • Third-party payment processing for secure transactions
  • Domain/hosting services
  • Other contracted vendors who assist in delivering our Services

All third-party service providers are bound by confidentiality obligations and must handle data in compliance with applicable privacy laws.

6.2 Internal Staff

Only authorised employees or contractors with a valid business need may access personal data. Access is role-based and governed by strict confidentiality agreements.

6.3 Other Users

If you opt in to social or community features, limited profile information (e.g. your display name, avatar, fitness progress) may be visible to other users.

6.4 Legal and Regulatory Bodies

We may disclose data to comply with:

  • Lawful requests from government authorities
  • Legal obligations under applicable statutes or court orders
  • Enforcement of our Terms of Service
  • Detection or prevention of unlawful activity

6.5 Business Transfers

In the event of a merger, acquisition, reorganisation, or asset sale, your data may be transferred to the successor entity, subject to the same protections as described in this Policy.

We do not sell or rent personal data to third parties for marketing purposes.

7. International Data Transfers

Given our global operations and use of international vendors, your personal data may be transferred to and processed in jurisdictions outside of your own, including but not limited to:

  • Australia
  • The United States
  • The European Union
  • Canada
  • Other countries where our service providers or partners are located

Safeguards

  • We implement Standard Contractual Clauses (SCCs) or other lawful mechanisms under GDPR for EU/UK data transfers.
  • We comply with APP 8 of the Australian Privacy Principles when disclosing data overseas.
  • For Canadian users, data is safeguarded in line with PIPEDA and subject to contractual protections.

8. Data Security

We adopt industry-standard measures to protect your data, including:

  • TLS/SSL encryption for data in transit
  • Encryption at rest for sensitive information
  • Role-based access control and staff confidentiality obligations
  • Secure cloud infrastructure (e.g. AWS, Hostinger)
  • PCI DSS-compliant payment processing (via Stripe)
  • Regular patching and security testing

Despite these precautions, no system can guarantee absolute security. Users are advised to protect their credentials and report any suspicious activity. We will not be held responsible for 

9. Data Retention

We retain personal information only for as long as reasonably necessary for:

  • Delivering services to you
  • Complying with legal obligations (e.g. financial record-keeping)
  • Resolving disputes
  • Enforcing agreements

Inactive accounts may be deleted after a defined period of inactivity. Users may request account deletion at any time (see Section 10).

Backup data, if retained, is securely stored and scheduled for deletion in line with our data lifecycle policy.

10. Your Rights

Subject to applicable laws, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Rectify any inaccuracies in your information
  • Deletion: Request deletion of your account and associated data
  • Portability: Obtain your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Revoke any previously given consent
  • Restrict Processing: In limited cases, request we limit use of your data

Exercising Your Rights

To exercise your rights, contact us via the details in Section 13. We will respond within legally mandated timeframes and may request verification of your identity.

11. Data Breaches

We are subject to the Notifiable Data Breaches Scheme under Australian law. In the event of an eligible breach (i.e., one likely to result in serious harm), we will:

  • Promptly assess and contain the breach
  • Notify affected individuals
  • Notify the Office of the Australian Information Commissioner (OAIC) and any other required authority
  • Take corrective action to prevent recurrence

Similar obligations under GDPR, CCPA, and PIPEDA will also be followed where applicable.

12. Children’s Privacy

Our Services are not intended for persons under the age of 16 (or the minimum age of digital consent in their jurisdiction). We do not knowingly collect personal data from children. If you become aware of a child having submitted personal information, please notify us immediately and we will take appropriate steps to delete the information.

13. Contact Us

For questions, concerns, or to exercise your data protection rights, please contact:

Privacy Officer

THRVE GROUP PTY LTD

Maroochydore, Queensland, 4558, Australia

Email: privacy@thrve.com

In-App Support: Use the support feature

14. Updates to this Privacy Policy

This Privacy Policy may be revised from time to time to reflect changes in our practices, legal requirements, or business operations. The “Effective Date” at the top will indicate when the latest version takes effect.

If changes are material, we will notify you via email, in-app notification, or a notice on our website. Continued use of the Services after such changes constitutes your acceptance of the updated Policy.