Privacy Policy
Effective date: May 9, 2026
1. Introduction
This Privacy Policy explains how Parklife, Inc.("Company", "we", "us", or "our") collects, uses, shares, and protects personal data when you use the Thrive platform ("Service") at thrive-board.com and related services.
2. Data We Collect
2a. Account holders
- Identity: name, email address, encrypted password (for email/password sign-up), profile image.
- Authentication credentials: tokens from Google or Microsoft when you sign in via those services.
- Organization data: organization name, member roles, invitations, and domain access settings.
- Thriveboard data: thriveboards, dashboard sets, widgets, displays, and circle memberships you create.
- Activity logs: actions you take within the Service (e.g., creating thriveboards, inviting members, connecting data sources).
- Device and network: IP address, user agent, and session information.
2b. Connector data (health and fitness)
Thrive lets you connect third-party services (currently Whoop, Oura, and Strava) to surface your own data on your thriveboards. When you authorize a connector via OAuth, we receive the data the provider exposes for the scopes you approve. This may include sleep, recovery, strain, heart-rate, workout, activity, and similar health and fitness metrics.
You authorize each connection explicitly. The third-party provider remains the original source of the underlying account, and your relationship with that provider continues to be governed by their own terms and privacy policy. You can disconnect a connector at any time from your account settings, which revokes our access and triggers deletion of the cached data we hold from that provider.
We do not sell health or fitness data. We do not use it for advertising. We do not share it with any third party except the processors listed in Section 5, and only to the extent necessary to deliver the Service.
2c. Automated collection
- Cookies: session-based authentication cookies (see Section 7).
- Consent records: when you accept these Terms of Service or this Privacy Policy, or grant a data-sharing permission within the Service, we record the acceptance timestamp, document version, and your IP address.
3. Data Controller and Processor Roles
Applicable data protection laws (including the GDPR) distinguish between data controllers (who determine the purposes and means of processing) and data processors (who process data on behalf of a controller).
- Personal accounts: Parklife is the data controller for personal data of individual account holders.
- Organization accounts:when you join or create an organization, the organization is the controller for personal data processed within that organization (members, roles, activity, thriveboards created in that workspace). Parklife processes that data on the organization's behalf as a data processor.
Organizations that require a Data Processing Agreement (DPA) can request one at hello@thrive-board.com.
4. How We Use Your Data
- Service delivery: to operate, maintain, and improve the Thrive platform.
- Authentication: to verify your identity and manage sessions.
- Communications: to send transactional emails (invitations, verification, password resets, notifications) via our email provider.
- Billing: to process payments and manage subscriptions via Stripe.
- Security: to detect and prevent unauthorized access, fraud, and abuse.
- Legal compliance: to comply with applicable laws, regulations, and legal processes.
5. Third-Party Processors
We share personal data with the following categories of service providers, solely for the purposes described above:
| Provider | Purpose |
|---|---|
| Stripe | Payment processing |
| Resend | Transactional email delivery |
| Vercel | Hosting, CDN, and serverless compute |
| Neon | Database hosting (PostgreSQL) |
| Google / Microsoft | OAuth social sign-in |
| Whoop, Oura, Strava | Optional third-party data sources you choose to connect |
We require our third-party processors to protect personal data through appropriate contractual and technical safeguards. We are not liable for the independent acts or omissions of third-party providers beyond the scope of our agreements with them. We encourage you to review the privacy policies of any third-party services you interact with through Thrive.
We do not sell your personal data to third parties. We do not share personal data for advertising purposes.
6. Legal Basis for Processing (GDPR)
For users in the EU/EEA/UK, we process personal data under the following legal bases:
- Contract performance: processing necessary to provide the Service you requested.
- Legitimate interests: security, fraud prevention, product improvement.
- Consent: where you have given explicit consent (e.g., authorizing a connector or accepting these terms at sign-up).
- Legal obligation: where processing is required to comply with applicable law.
7. Cookies and Sessions
Thrive uses session-based authentication cookies to keep you signed in. These are strictly necessary for the Service to function and do not track you across other websites.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies.
8. Data Retention
- Account data: retained for as long as your account is active. Upon account closure, personal data is deleted within 30 days, except where retention is required by law.
- Connector data: retained while the connector is active. When you disconnect a connector, cached data from that provider is deleted. We also operate a scheduled retention job that prunes connector data we no longer need to deliver the Service.
- Activity logs: retained for up to 24 months for security and auditing purposes.
- Consent records: retained for the lifetime of your account plus 3 years for compliance evidence.
- Backups: deleted data may persist in encrypted backups for up to an additional 30 days after deletion.
9. Public Displays and Sharing
Thrive lets you publish thriveboards as displays for public viewing, or share them with a defined group via circles. Sharing is always user-initiated, and you can revoke or unpublish a display or circle share at any time from your account.
Public display URLs are unguessable, but you should treat them as shareable links rather than authenticated resources unless you have configured additional access controls. Any data shown via a display reflects the current state of the underlying connector data at the moment the display is viewed.
You are solely responsible for the data you choose to publish. We recommend you only publish or share data you are comfortable being seen by anyone who has the URL or has been added to the circle.
10. US Privacy Rights (CCPA / CPA)
If you are a resident of California, Colorado, Connecticut, Virginia, or another US state with applicable privacy legislation, you have the following rights:
- Right to know: you can request a copy of the personal data we hold about you.
- Right to correct: you can request correction of inaccurate personal data.
- Right to delete: you can request deletion of your personal data.
- Right to opt-out of sale: we do not sell personal data, so there is nothing to opt out of.
- Non-discrimination: we will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at hello@thrive-board.com.
11. GDPR Rights (EU/UK Users)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:
- Access: request a copy of your personal data.
- Rectification: request correction of inaccurate data.
- Erasure:request deletion of your personal data ("right to be forgotten").
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Restriction: request restriction of processing in certain circumstances.
You also have the right to lodge a complaint with your local data protection supervisory authority. To exercise these rights, contact us at hello@thrive-board.com.
12. Children's Privacy
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal data, please contact us at hello@thrive-board.com.
13. International Data Transfers
Your data is stored and processed in the United States. If you are located outside the US, your data will be transferred to the US for processing. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards for international data transfers where required by applicable law.
14. Data Security
We implement industry-standard security measures to protect your data, including encryption in transit (TLS), encrypted database connections, secure authentication practices, and regular security reviews. However, no method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security and are not liable for unauthorized access, disclosure, or loss of data that occurs despite our reasonable security measures. You acknowledge that the transmission of data over the internet carries inherent risks.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
16. Contact
If you have questions or concerns about this Privacy Policy or our data practices, contact us at:
Parklife, Inc.
4283 Express Lane, Suite 146-972
Sarasota, FL 34249, USA
Email: hello@thrive-board.com
See also our Terms of Service.