Privacy Policy

Privacy, in plain language.

We measure how people experience work, which means we process personal data — and we take that seriously. Here's what we collect, why, how long we keep it, and the rights you have over it.

01 · Who we are

Who we are.

Thrive at Work is operated by Thrive at Work s.r.o., a company registered in Prague, Czech Republic, with a subsidiary entity in San Francisco, California, USA.

For the purposes of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, Thrive at Work s.r.o. is the data controller for the website at thriveatwork.ai and for marketing communications. When we provide the Thrive Index to an organisation, that organisation is the data controller for its employees' survey responses and Thrive at Work is the data processor.

Contact our data protection team at [email protected].

02 · What we collect

What we collect.

We collect only what is necessary to run the service and to measure what the Thrive Index is designed to measure. We do not sell data. We do not use it to train third-party models.

Website visitors

  • Basic request data (IP address, user agent, referrer) logged by our hosting provider
  • Form submissions you send us — name, email, organisation, message
  • Cookie preferences and a minimal session identifier (see Cookies)

Waitlist and marketing contacts

  • Name, work email, organisation, role
  • Interaction history with our emails (opens, clicks) where you have consented

Platform users (when deployed with an organisation)

  • Authentication data — magic-link email address only; no passwords
  • Survey responses — always analysed in aggregate, never linked to a named individual in reports
  • Segment metadata provided by the organisation (role, team, tenure band, location)
03 · Why we process it

Why we process it.

We process each category of data for a specific, lawful purpose under GDPR Article 6:

DataPurposeLawful basis
Website logsSecurity, abuse preventionLegitimate interest
Form submissionsRespond to your enquiryLegitimate interest
Waitlist emailsKeep you informed about the productConsent
Survey responsesMeasure capacity and engagementContract (with employer) + legitimate interest
Benchmark contributionsBuild industry norms, always anonymisedLegitimate interest

You can withdraw consent at any time by emailing [email protected] or using the unsubscribe link in any marketing email.

04 · How long

How long we keep it.

We keep personal data only as long as we need it for the purpose we collected it.

DataRetention
Website logs30 days
Form submissions24 months from last contact
Marketing listUntil you unsubscribe, then 30 days
Raw survey responsesAs directed by the client organisation, default 24 months
Anonymised benchmarksIndefinite (no longer personal data)
05 · Who we share with

Who we share with.

We share data only with carefully chosen processors who are contractually bound to protect it:

  • Cloud hosting — within the EU
  • Email delivery — for transactional and marketing email
  • Analytics — privacy-respecting, cookieless where possible
  • Your employer — aggregated survey results only (minimum cohort of seven), never individual responses

We do not sell personal data. We do not share it with advertisers. We do not use it to train external AI models.

06 · International transfers

International transfers.

Personal data is stored primarily within the European Union. Where we transfer data to the United States (for example, to our San Francisco entity or to US-based sub-processors), transfers are protected by Standard Contractual Clauses approved by the European Commission, and by the EU–US Data Privacy Framework where the recipient is certified.

07 · Your rights

Your rights.

Under GDPR and equivalent laws you have the right to:

  • Access a copy of your personal data
  • Correct inaccurate data
  • Erase your data (subject to our legal obligations)
  • Restrict or object to processing
  • Port your data to another service
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority — in the Czech Republic, the Úřad pro ochranu osobních údajů (uoou.cz)

To exercise any of these rights, email [email protected]. We will respond within 30 days.

08 · Security

How we protect it.

Encryption in transit and at rest. Role-based access control. Regular security review. Penetration testing before platform release. Our architecture is designed so that no single person at Thrive at Work can read an individual's survey response — aggregation happens before humans see the data.

If a breach ever occurs, we will notify affected users and the relevant supervisory authority within 72 hours, as required by GDPR.

09 · Changes

Changes to this policy.

We may update this policy to reflect changes to the service, legal requirements, or our practices. When we make material changes, we will notify users by email and update the effective date at the top of this page. Your continued use of the service after the change signals your acceptance of the updated policy.