
Privacy notice

Last updated: 13 June 2026 · Version: 1.1

This notice explains how Thrive UK Limited ("Thrive", "we", "us") collects and processes personal data when you use the Thrive Data Connect and Thrive Engine services. It is written to satisfy the UK GDPR and the Data Protection Act 2018.

1. Who we are

Thrive UK Limited is a company registered in England & Wales. We are the data controller for account, billing and marketing data. For operational nursery data ingested via Data Connect, we act as data processor on behalf of the nursery group (the controller), under our Data Processing Agreement.

Contact for privacy queries: privacy@thrive.uk.

2. What we collect

  • Account data — name, work email, organisation name, role, password hash.
  • Operational nursery data — setting profile, aggregated attendance, key-person ratios, observation counts, pseudonymised staff records. No child-identifiable data is processed by Thrive Data Connect.
  • Engine assessment data — answers, scores and evidence files you upload to the assessment workflow.
  • Technical data — IP address, browser type, audit-log entries for security and integrity.
  • Marketing preferences — only where you have given separate, explicit opt-in consent.

3. Lawful bases

  • Contract (Art. 6(1)(b)) — delivering the Data Connect and Engine services you have signed up for.
  • Legitimate interests (Art. 6(1)(f)) — service security, fraud prevention, product analytics on aggregated data.
  • Legal obligation (Art. 6(1)(c)) — accounting, tax, statutory record-keeping.
  • Consent (Art. 6(1)(a)) — marketing emails and optional cookies; you can withdraw at any time.

4. How we use data

  • To configure and run NMS integrations (Famly, Tapestry, Blossom) and CSV imports.
  • To feed the Thrive Engine assessment and Childhood Environment Index™ methodology.
  • To provide the customer status dashboard, audit log and support.
  • To meet UK GDPR data-subject rights requests.

5. Sharing

We do not sell personal data. We share data only with vetted sub-processors strictly to deliver the service — hosting (UK/EEA region), authentication, error monitoring, email delivery. A current list is available in the DPA.

6. International transfers

Primary data is hosted in the UK (AWS London, eu-west-2) with EEA backup (eu-west-1). We do not make non-EEA transfers.

7. Retention

  • Operational data feeds: 24 months rolling, then aggregated.
  • Account data: duration of contract + 6 years for statutory records.
  • Audit logs: 12 months.
  • Evidence files uploaded to Engine: deleted on assessment closure unless retention is requested in writing.

8. Your rights

Under UK GDPR you have rights of access, rectification, erasure, restriction, portability, objection, and to withdraw consent. Email privacy@thrive.uk; we respond within one calendar month. You may also complain to the Information Commissioner's Office (ico.org.uk).

9. Security

TLS 1.2+ in transit, AES-256 at rest (AWS KMS), JWT with 24-hour rolling expiry, RBAC, MFA for Thrive admin, full audit trail. Cyber Essentials certification targeted by end of Year 1.

10. Changes

Material changes will be notified by email at least 14 days in advance.