Legal

Privacy policy

This page is maintained by the Thrivio workspace owner as a starting template covering the notice requirements of GDPR Articles 13 & 14. It is not a certification, DPA, or legal advice — review with counsel before publishing as a customer-facing commitment. Last updated 4 July 2026.

Who we are

Thrivio (“we”, “us”) provides an AI growth workspace for marketing teams. For personal data you submit to Thrivio through our app, we act as the data controller. For personal data your end-users submit to your workspace through your webhooks and forms, you are the controller and we are the processor — see our Data processing page.

What we collect

  • Account data: name, email, hashed password (or Google OAuth identifier), workspace membership, role.
  • Usage data: pages visited, features used, timestamps, IP address, browser user-agent.
  • Content you create: projects, audits, opportunities, tasks, notes, uploaded assets.
  • Support communications: messages you send us and metadata about them.
  • Billing data: handled by our payments provider; we store invoice records only.

Why we process it (lawful bases)

  • Contract (Art. 6(1)(b)): providing the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): keeping the service secure, preventing abuse, improving features.
  • Consent (Art. 6(1)(a)): optional analytics cookies and marketing emails.
  • Legal obligation (Art. 6(1)(c)): tax, accounting, responding to lawful requests.

How long we keep it

Account data is kept for the life of your account plus 30 days after deletion is requested (grace window to cancel). Audit and analytics data follows your workspace retention setting; the default is 365 days for lead data. Billing records are kept for 7 years to satisfy accounting law.

Who we share it with

We share personal data only with the sub-processors listed on our Sub-processors page (hosting, AI inference, analytics, integrations you enable). We never sell personal data.

International transfers

Some of our sub-processors process data in the United States. Where required, transfers are covered by the EU Standard Contractual Clauses and equivalent UK IDTA / Swiss addenda. Contact us for a copy of the safeguards in place for any specific sub-processor.

Your rights

Under GDPR and the UK GDPR you can request access, rectification, erasure, restriction, portability, and objection. To exercise these rights on your Thrivio account, go to Settings → Account for self-service export and deletion, or email privacy@thrivio.example. You also have the right to complain to your supervisory authority.

Cookies and similar technologies

See our Cookie policy for the full list of storage keys, their purpose, and how to change your preferences.

Security

Data is encrypted in transit over HTTPS and at rest in our hosting provider. Access is restricted by row-level security policies. For our vulnerability-reporting contact see our security.txt.

Changes

When we materially change this policy we will notify signed-in users in-app and, where required, ask for renewed consent.