Privacy Policy

Thrivur Health

DATA PRIVACY AND PROTECTION POLICY

Purpose and Scope

The purpose of this policy is for THRIVUR HEALTH  and legal and regulatory requirements under current applicable privacy laws. “Privacy Laws” mean laws, in multiple jurisdictions worldwide, that relate to (a) the confidentiality, collection, use, handling, processing, security, protection, transfer, or free movement of personal data, personally identifiable information, or consumer or client information, (b) electronic data privacy, (c) trans-border data flow or (d) data protection.

“Personal Data” means a type of data regulated by Privacy Laws.

This policy applies to all THRIVUR HEALTH  employees, independent contractors, and Personal Data as defined above.

Data Protection Policy Statement.

THRIVUR HEALTH is classed as a Data Controller/Data Processor based on the context of the processes under current privacy law. This policy confirms our commitment to protecting the privacy of the personal data of our consumers, clients, employees, and other individuals. Our Information Security Policy is aligned to standard ISO 27001 to ensure that personal data processes are conducted using best practice processes.

THRIVUR HEALTH  DATA POSITION

As a collector of first-party data, THRIVUR HEALTH  has adopted the following principles:

  • Be transparent about what we collect, why we collect it, how we use it, and who we share it with.
  • Use clear statements in all privacy-related communications and provide a plain language privacy policy.
  • Obtain just-in-time, informed consent before collecting or processing personal data, especially Sensitive Personal Information.
  • Collect the least amount of data needed, relevant and limited to what is necessary.
  • Delete means deleting everything a reasonable person would intend for the deletion or confirming if the consumer could be adversely affected.
  • Use standard industry practices to secure personal data from unauthorized access when stored and during usage.
  • Unless otherwise required by Privacy Laws, all Personal Information is classified as Confidential with Medium or High Risk or otherwise recommended by industry standards.
  • Sensitive Personal Data is classified as Confidential and High Risk, or as otherwise recommended by industry standards.

Overview of the Privacy Team and Role of the Data Privacy Officer

The Privacy Team is responsible for complying with individual rights requests. However, all employees and contractors who receive communication from a data subject must forward it to EMAIL. When responding to requests, the Privacy Team will work with support from the Data Privacy Officer (or designated delegate) who received the request, their manager, IT, and the Legal team. The Privacy team will manage and respond to all individual rights requests.

Data Protection Principles

THRIVUR HEALTH  employs Fair Information Privacy Practices.

Data purpose minimization. THRIVUR HEALTH  ensures that the data collected is not excessive and is appropriate to the purpose for which it was collected. We conduct PIAs/DPIAs (if required) as part of our project lifecycle.

Accuracy. THRIVUR HEALTH takes reasonable steps to ensure personal data is accurate. Where necessary for the lawful basis on which data is processed, measures will be put in place to ensure that personal data is kept up to date. We provide data that is reviewed and assessed for accuracy periodically. We have implemented processes [LIST] to rectify and erase data without undue delay.

Data Retention. Personal data will be kept only as long as needed, or once the legitimate business purpose expires. THRIVUR HEALTH  will establish a data archiving/retention policy for all categories of processed personal data. This policy will be reviewed annually and determine data retention standards.

Questions to consider include: What data is retained? Why is the data retained? For how long? In which format is data retained? (PI, de-identified, archived) Who has access to archived data? How is data deleted/destroyed? When?

Data Destruction. Personal data is retained and destroyed in line with our Information Security Policy. THRIVUR HEALTH  has established a data deletion process for all Data Subjects via the OneTrust form. For all deletion requests, regardless of origination source, the Privacy Team will delete the Data Subject’s PI and SPI across all THRIVUR HEALTH  information systems.

Security. THRIVUR HEALTH  will ensure that personal data is stored securely using modern and up-to-date software.

Record Keeping Requirements. The Privacy Team will maintain and annually review all privacy-related policies, records, and documentation to ensure ongoing regulatory compliance. Data storage will be in line with the Data Retention Policy.

Data Privacy by Default. All user settings are set to privacy-protected by default. The user requires no action to ensure their privacy is protected. THRIVUR HEALTH  provides just-in-time warnings for public-facing personal data at the registration and before posting (e.g., “Username is public, so choose wisely”).

Data Privacy By Design. It helps to identify and address the data protection and privacy concerns at the project’s design and development stage, building data protection compliance from the outset rather than bolting it on as an afterthought.

Privacy Impact Assessments (PIA). THRIVUR HEALTH  will conduct a privacy impact assessment, or PIA, each time a new personal data processing activity or data processing tool is implemented. Following best practices, employees must complete a PIA and submit for legal review.

Complete and submit the PIA for Legal review and approval before kickoff meetings for any activity that:

  • Uses or affects personal information or sensitive personal information;
  • Creates a significant change to a current process; or
  • Is a new initiative for the business or community.

Some examples include:

  • Profiling, evaluating, ranking, or scoring data subjects for predictive purposes.
  • Automated decision-making.
  • Systematic monitoring.
  • Processing sensitive data or data of a highly personal nature.
  • Large-scale data processing.
  • Matching or combining data sets.
  • Processing data concerning vulnerable data subjects.
  • Innovative uses or applications of new technologies or organizational solutions to personal data.

Legal will review the PIA within the time period specified in the Service Level Agreement.

Data Protection Impact Assessment (DPIA). If, after reviewing a PIA, the Legal Department determines further review is required, a meeting will be scheduled to conduct a Data Privacy Impact Assessment (DPIA).

Rights of Data Subjects

Data Subject Access Requests. All DSAR requests will be handled following the process outlined via the THRIVUR HEALTH RIGHTS AND REQUEST POLICY.

Right to be Informed. Individuals have the right to be informed about how we use their Personal Information. These rights include:

  1. What: The name and contact details of THRIVUR HEALTH
  2. Who: Name and contact details of our Data Privacy Officer
  3. What: Purposes of the processing
  4. Why/How: Lawful basis of processing

Right of Access. Individuals have the right to access their personal data. Any such requests to THRIVUR HEALTH  will be handled promptly and according to legal requirements.

Right to correct or “rectify.” The GDPR includes the right to have inaccurate personal data rectified or completed if it is incomplete.

Right to Erasure (Be Forgotten). The GDPR introduces the right to have personal data erased and is known as “the right to be forgotten.”

All personal data will be permanently deleted or deidentified across all THRIVUR HEALTH  systems, regardless of the request’s origin. When deleting personal data, it must be irrecoverable.

Appropriate backup and disaster recovery solutions are in place and detailed in THRIVUR HEALTH  BUSINESS CONTINUITY POLICY.

Right to Portability. This right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data from one IT environment to another safely and securely without affecting usability. This allows individuals to use applications and services that may use this data to find a better deal or help them understand their consumption habits. This only applies to information the individual has provided to THRIVUR HEALTH or a controller.

Reliable, fair, lawful, and transparent processing.

To ensure its processing of data is reliable, lawful, fair, and transparent, THRIVUR HEALTH  will maintain and annually review a “Register of Systems,”

  • Lawful basis or Legitimate Business Purpose. All data processed by THRIVUR HEALTH must be done on at least one (1) of the following lawful bases:
    • Contractual obligations and relationships;
    • Providing services;
    • Advertising and marketing; AND/OR
    • Consent-based.
  • Legal obligation. Taxes, compliance records, warrants, subpoenas, or other lawful court orders.
  • Marketing and advertising. Includes all media products and communications. Note Consent-based requirements.
  • Public Interest.

THRIVUR HEALTH  primarily relies upon consent for a lawful basis to process. It will establish documentation that the data subject has consented to processing their personal data.

Suppose the data subject’s consent is given in the context of a written declaration that also concerns other matters. In that case, the request for consent will be presented in a manner that is distinguishable from the other issues, in an intelligible and easily accessible form, using clear and plain language.

The data subject will have the right to withdraw their consent anytime. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Before giving consent, the data subject will be informed thereof. It will be as easy to withdraw as to give consent.

When assessing whether consent is freely given, the utmost account will be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

  • Does this involve the collection of new information about an individual?
  • Does this require individuals to provide information about themselves?
  • Does this involve making decisions or taking actions that can significantly impact an individual?

Compliance; Record of consent. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent will be kept with the personal data. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent will be available. Systems in place ensure such revocation is reflected accurately in THRIVUR HEALTH’s compliance documentation.

Risk Assessments.

Risk is defined as “data processing that is ‘likely to result in a high risk to the rights and freedoms of natural persons.’” If yes to any of the above questions, identify the types of risk:

  • illegitimate access,
  • loss of personal data
  • repurposing
  • data-based discrimination
  • highly sensitive data
  • new technology which may be perceived as invasive

Contractual Obligations.

All contracts involving a transfer of personal data, regardless of data format, must be reviewed by the Data Privacy Officer or Legal Counsel, and supplemented with the applicable Data Privacy Agreement.

Security.

THRIVUR HEALTH  will ensure that personal data is stored securely using modern and up-to-date software.  Access to personal data will be limited to personnel who need access, and appropriate security should be in place to avoid unauthorized information sharing.

Breach

In the event of a breach, employees will inform their direct supervisor, a member of the Technology Team, or a member of the Data Privacy Team and invoke the Incident Management Process.

Breaches are assessed, and where appropriate and required, the Data Subjects and the Information Commissioner’s Office will be informed without undue delay.

In the event of a breach of security leading to the accidental, unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data, THRIVUR HEALTH  will promptly assess the risk to people’s rights and freedoms.

Legal Representation.

In the event of a breach of security leading to the accidental, unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data, THRIVUR HEALTH  is represented by INSERT FIRM. In-House counsel will manage all communications with outside counsel.

Data Incident Response Plan. 

THRIVUR HEALTH  will create a Data Incident Response Plan to demonstrate:

  • how to recognize a personal data breach and why a personal data breach isn’t only about loss or theft of personal data;
  • how to escalate a security incident to the appropriate person or team in our organization to determine whether a breach has occurred;
  • a response plan for addressing any personal data breaches that occur; and
  • allocated responsibility for managing breaches to a dedicated person or team.

California Policy

This Privacy Notice for California Residents supplements the information contained in Thrivur Health’s Code of Ethics and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and any terms defined in the CCPA have the same meaning when used in this notice.

Information we Collect

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or device (“personal information”). In particular, we may have collected the following categories of personal information from individuals within the last twelve (12) months:

Category

Examples

A.    Identifiers.

A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, agency identification number, Social Security number, driver’s license number, passport number, or other similar identifiers.

B.    Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Some personal information included in this category may overlap with other categories.

C.    Protected classification characteristics under California or federal law.

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information.

D.    Commercial information.

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

E.    Biometric information.

Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.

F.     Internet or other similar network activity.

Browsing history or search history.

G.    Geolocation data.

Physical location or movements.

H.    Sensory data.

Audio, electronic, visual, thermal, olfactory, or similar information.

I.      Professional or employment-related information.

Current or past job history or performance evaluations.

J.     Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

K.    Inferences drawn from other personal information.

Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Personal information does not include:

  • Publicly available information from government records;
  • Deidentified or aggregated consumer information;
  • Information excluded from the CCPA’s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Thrivur Health  obtains the categories of personal information listed above from the following categories of sources:

  • Directly from you; and
  • From our government partners.

Use of Personal Information

We may use, or disclose, the personal information we collect for one or more of the following business purposes:

  • To fulfill or meet the reason you provided the information;
  • To process your requests, purchases, transactions, and payments and prevent transactional fraud;
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses;
  • To help maintain the safety, security, and integrity of our services, databases and other technology assets, and business;
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations;
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA;
  • To respond to government partner requests under our contracts; and
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Thrivur Health’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Thrivur Health about you is among the assets transferred.

Thrivur Health  will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

Thrivur Health  may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract. We share your personal information with the following categories of third parties:

  • Service providers;
  • Government partners; and
  • Auditing entities.

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, Thrivur Health  may have disclosed the following categories of personal information for a business purpose:

Category A:  Identifiers.

Category B:  California Customer Records personal information categories.

Category C:  Protected classification characteristics under California or federal law.

Category D:  Commercial information.

Category E:  Biometric information.

Category F:  Internet or other similar network activity.

Category G:  Geolocation data.

Category H:  Sensory data.

Category I:  Professional or employment-related information.

Category J:  Non-public education information.

Category K:  Inferences drawn from other personal information.

We disclose your personal information for a business purpose to the following categories of third parties:

  • Service providers;
  • Government partners; and
  • Entities with oversight responsibilities for each location.

Sales of Personal Information

In the preceding twelve (12) months, Thrivur Health  has not sold the following categories of personal information:

  1. Identifiers.
  2. California Customer Records personal information categories.
  3. Protected classification characteristics under California or federal law.
  4. Commercial information.
  5. Biometric information.
  6. Internet or other similar network activity.
  7. Geolocation data.
  8. Sensory data.
  9. Professional or employment-related information.
  10. Non-public education information.
  11. Inferences drawn from other personal information.

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that Thrivur Health  disclose certain information to you about our collection and use of your personal information over the past twelve (12) months. Once we receive and confirm your verifiable request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

  • The categories of personal information we collected about you;
  • The categories of sources for the personal information we collected about you;
  • Our business or commercial purpose for collecting that personal information;
  • The categories of third parties with whom we share that personal information; and
  • The specific pieces of personal information we collected about you (also called a data portability request).

Deletion Request Rights

You have the right to request that Thrivur Health  delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
  • Exercise free speech, ensure the right of another individual to exercise their free speech rights, or exercise another right provided for by law;
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
  • Enable solely internal uses that are reasonably aligned with expectations based on your relationship with us;
  • Comply with a legal or contractual obligation;
  • Comply with requirements for applicable certifying and/or licensing entities; and
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable request to us by either:

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable request related to your personal information. You may also make a verifiable request on behalf of your minor child.

You may only make a verifiable request for access or data portability twice within a twelve (12) month period. The verifiable request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable request does not require you to create an account with us. We will only use personal information provided in a verifiable request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time (up to ninety [90] days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the twelve (12) month period preceding the verifiable request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Information Opt-Out and Opt-In Rights

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you a different level or quality of goods or services; and
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

‌‌Changes to Our Privacy Notice

Thrivur Health reserves the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of Thrivur Health’s Website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this notice, the ways in which Thrivur Health  collects and uses your information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Phone:  1-800-624-2931 ext. 33118

Website:  www.Thrivur Health .com/contact-us