THRIVEA

Privacy Policy

February 2026

Welcome to Thrivea’s Privacy Policy!

Please note that this Privacy Policy applies to personal data that is collected and processed in the course of providing Service (as defined in Section 1 of the Terms of Use) by Thrivea d.o.o. Novi Sad, with registered seat at Novosadskog sajma 2, Novi Sad, the Republic of Serbia, CIN: 21938947, TIN: 113874616, and its affiliated companies (hereinafter: “Company”, or “we”).

Company, as a Data Controller, collects and processes personal data relating to interactions on Thrivea (as defined in the Definition Section of the Terms of Use). This Privacy Policy describes how Company uses and protects any information that you share with us in relation to Thrivea.

We believe in full transparency, which is why we keep our Privacy Policy simple and easy to understand.

We strongly urge you to read this Privacy Policy and make sure that you fully understand and agree with it. If you do not agree to this Privacy Policy, please do not access or otherwise use Thrivea. If there is anything that you would like to ask us regarding this Privacy Policy, please send your inquiry to privacy@thrivea.com.

Please note that this Privacy Policy applies solely to the use of the Thrivea app and Services, as defined in the Terms of Use. The use of any other products offered by the Company is governed by separate privacy policies, terms of use, and other applicable policies, and is not covered by this Privacy Policy.

Along with the Terms of Use, this Privacy Policy represents a contract between you and the Company. Thus, any capitalized but undefined term in this Privacy Policy shall have the meaning given to it in the Definitions Section of the Terms of Use.

1. DEFINITIONS

TERM | MEANING
Consent | Your explicit consent to the processing of personal data. Persons who are 16 years of age or older may give free consent to the processing of their personal data.
Cookies | Cookies and other similar technologies (e.g. web beacons) are small pieces of data stored on your device (computer or mobile device). This information is used to track your use of Thrivea and to compile statistical reports on Thrivea’s activity.
Data Controller | An entity that alone or jointly with others determines the purposes and means of the processing of personal data.
Data Processor | Any natural or legal person who processes the data on behalf of the controller.
Data Subject, or you | Any natural person that shares personal data with us via Thrivea, or in relation to Thrivea (e.g. via email).
Employer | The Client (as defined in Section 1 of Terms of Use) who made your Personal Data available to us and who is using the Service.
Employee | An individual that is engaged as an employee, consultant, or contractor of Client, and who is registered on Thrivea by Admin (as defined in Terms of Use) with the purpose of HR management, and who has been invited, permitted or caused to have access to Thrivea by Admin, either through the Employee Account or otherwise. A natural person who is registering Employee Account on the Software as Client’s representative or Employee as determined by the Admin.
Data Protection Law | Means a) General Data Protection Regulation 2016/679 or b) Law on Personal Data Protection of the Republic of Serbia or c) Texas Data Privacy and Security Act or d) the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
Personal data or data | Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, either directly or indirectly. Therefore, data about a company or any legal entity is not considered to be personal data but registering on behalf of a legal entity may include sharing personal data. For example, information about one-person companies may constitute personal data where it allows the identification of a natural person. The rules also apply to all personal data relating to natural persons in the course of professional activity, such as the employees of a company or organization, and business e-mail addresses like “firstname.surname@company.com”. This Privacy Policy does not apply to information from which no individual can reasonably be identified (anonymized information).
Processing | Any operation or set of operations that is performed on personal data or sets of personal data. This includes activities such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2. DATA CONTROLLER AND DATA PROCESSOR

In relation to your personal data processed via Thrivea, Company may be either a Data Controller or Data Processor.

When Company acts in the capacity of a Data Controller, Company determines the purposes and means of the processing of personal data. The purpose of data processing is the reason why we process your personal data. The table in Section 3.1 of the Privacy Policy presents the purposes and legal basis for data processing. In those cases, Company is responsible for your personal data.

Apart from Section 3.2, this Privacy Policy primarily contains information on processing your data in the capacity of a Data Controller. Should you have any inquiries, or you wish to exercise any of the rights of a Data Subject stipulated in Section 9, please contact us:

  • Thrivea d.o.o. Novi Sad,
  • Novosadskog sajma 2, Novi Sad, the Republic of Serbia
  • Email: privacy@thrivea.com

Given that Company strongly supports fair personal data processing, despite being only a Data Processor in the below-listed cases, Company made an additional effort to explain such personal data processing via Thrivea – in Section 3.2 of this Privacy Policy.

The information contained therein outlines how personal data processing via Thrivea functions in general. But if you wish to send an inquiry, or exercise any of the rights which you may have under the applicable data protection law as the Data Subject, please contact the Client directly, as they hold the position of Data Controller.

Since Company is a company operating under the laws of the Republic of Serbia, it falls under the scope of application of the Data Protection Law, and as a Data Processor, it is obliged to sign the Data Protection Addendum to the Terms of Use (“DPA”), with the Client as a Data Controller. The DPA reflects the agreement between Client and Company regarding the terms that govern the processing of personal data under Thrivea’s Terms of Use. By creating an account on the platform or otherwise accepting the Terms, the Admin user agrees to the DPA on behalf of the Client. Accepting the DPA will be considered as an amendment to the Contract (within the meaning of the Definitions Section of the Terms of Use) and will be considered to form a part of the Contract. The individual accepting the Terms represents and warrants that they have the authority to bind the Client to the DPA.

3. WHAT DATA DO WE PROCESS ABOUT YOU AND WHEN?

We may collect and receive information about you in various ways:

  • Information you provide using Thrivea (for example, by creating an Account on Thrivea).
  • Information you decide to provide through getting in touch with us.
  • Information we collect using cookies and similar technologies as explained below.

Personal data we may collect automatically

Each time you use Thrivea we may automatically collect the following information:

  • At the time of logging in, Thrivea may store certain authentication and technical information in the browser’s local storage, including access, refresh, and ID tokens generated through Microsoft Authentication Library (MSAL) / Azure AD B2C, as well as basic account details such as name and email address. Thrivea also stores limited technical flags (e.g., logout timestamp and device type) necessary to ensure proper navigation and session management. All MSAL-related data is automatically deleted upon logout. Thrivea does not store passwords or sensitive personal data in local storage.
  • When you use Thrivea, we may keep a record of certain usage details for security, audit, and operational purposes, including the date and time of access and activity within the Platform.
  • We may collect technical information about your computer or mobile device for system administration and security, including IP address, device type (mobile/desktop), browser type, operating system, and related log data.
  • We may also collect information about your interaction with Thrivea, such as the pages or features accessed, session duration, and content uploaded or managed within the Platform, to the extent necessary for providing the Service and maintaining audit and compliance requirements.

This information is collected primarily by using cookies and similar tracking technology, as explained in more detail in our Cookie Policy.

3.1 Company AS DATA CONTROLLER



DATA WE COLLECT | PURPOSE | LEGAL BASIS | RETENTION PERIOD
Client and Admin Account Information: First and last name, the name of the company, email address and the password. | Creating and maintaining an Account at Thrivea according to the Terms of Use. | Processing is necessary for the performance of the Contract (as defined in Section 1 of the Terms of Use). Without providing first and last name, the name of the company, email address and the password, you cannot create a Client Account. | Until the Account is deleted in accordance with the Terms of Use
Payment information collected by a third-party payment processor: Card holder name, Card number, Expiration date, Security code. Billing Information: First name, Last name, Company, VAT ID, Contact Email, Address, Country, State, City, ZIP code | When subscribing to any of the Paid Plans or when changing any Paid Plan in accordance with the Terms of Use, this information is being collected by a third-party processor. Thrivea currently uses Stripe. Therefore, Stripe’s Privacy Policy applies to the processing of your payment information. | Processing is necessary for the performance of the Contract (as defined in Section 1 of the Terms of Use). | We keep only the last four digits of the credit card number under subscription billing info until such Agreement is terminated and for the period necessary to comply with the applicable financial and tax accounting and other statutory obligations in accordance with the applicable law (Section 21 of the Terms of Use).
Additional Data Provided by You: i.e., information you voluntarily choose to share with us by contacting us (e.g. via email or through the support option within the Thrivea app). | If you send us an inquiry or otherwise request support, we will collect the data you decide to share with us. | Processing of personal data is either necessary to provide a Service or part thereof or the processing is based on your consent. | If the processing is based on your consent, we keep the information until you withdraw your consent or for one year, whichever date comes first.
Information necessary for identification, time and date of data subject’s request | To allow Data Subjects to exercise their rights in accordance with this Privacy Policy, as defined in Section 9. | Processing is necessary for compliance with a legal obligation to which the Data Controller is subject. | We keep this information for a period of one year.
Other personal data | For the prevention and detection of fraud, money laundering or other crimes or to respond to a binding request from a public authority or court. | The processing is necessary to comply with legal and regulatory obligations. | In accordance with the applicable statutory deadlines.

3.2 Company AS DATA PROCESSOR

As previously stated, concerning some of your personal data processed on Thrivea, Company is a Data Processor, and the Client is the Data Controller. Company processes personal data following instructions from the Data Controller under the Terms of Use, and DPA (if any). The purpose of such personal data processing includes but is not limited to: enabling access to Thrivea, inviting and adding users to the Client Account, creating and managing Employee Accounts, adding, editing and displaying employee-related information and organizational structures, managing internal HR processes and workflows within Thrivea, including task management, reminders, notes, performance reviews and goals, organizational charts, calendars, time-off management (vacation, sick leave, holidays), employment-related records, and other functionalities made available within the platform.

As a processor, Company is permitted to collect, use, disclose and/or otherwise process your personal data only in accordance with its contracts with the Client.

3.2.1 Processing prior to using the Service

Employee’s data

  • The Client, acting as your Employer, shares your first and last name, work email address, and work history (job title, location of work), for the purpose of inviting you to access Thrivea and creating an Employee Account.
  • If you have any questions regarding the legal basis for such personal data processing, please contact your Employer who added you to Thrivea. 

3.2.2 Processing during the usage of Thrivea

Employee’s data

If you decide to accept the invitation sent to your email address to use Thrivea, you will be required to create an account. To create an account, you will need to confirm your first and last name and work email address, and choose a password for your account.

Optional data that may be added within Thrivea, depending on applicable Permission Groups, includes, without limitation:

  • Photographs (profile and banner images)
  • Assigned connections and role within the Client’s organization
  • Organizational unit or placement within the employer’s organizational structure
  • Performance ratings, reviews, and goals
  • Tenure and hire date
  • Work mobile number and personal phone number
  • Private email address
  • Date of birth
  • Gender and nationality
  • Marital status and spouse information (first and last name, gender, date of birth)
  • Residency address
  • Available days off, including vacation, sick leave, and holidays 
  • Bank account information (such as account holder name, account number, account type, IBAN, bank name, routing number, SWIFT code, or sort code)
  • Passport number and passport nationality
  • Work eligibility and immigration-related documentation (e.g. visas, permits, and their expiration dates)
  • Employment history (including contract type, employment type, salary payment type)
  • Salary history (including base salary, pay period, and pay frequency)
  • Display name, prefix, hobbies, skills, food preferences, and “about” section
  • Usernames or identifiers for communication or collaboration tools (e.g. Skype, Slack)
  • Links to social media profiles (e.g. Facebook, X, LinkedIn)
  • Shared documents and uploaded files, where document upload functionality is enabled and permission is granted

The scope of optional data and available functionalities may change over time as Thrivea evolves and new features are introduced.

User access rights within Thrivea are determined by Permission Groups configured by the Client. Permissions may vary depending on the modules and data categories assigned to each User. Additional details regarding Permission Groups are available in the Thrivea Platform and on our Website.

If you have any questions regarding the legal basis for such personal data processing, please contact your employer who added you to Thrivea.

4. WHAT DO WE NOT DO?

Company will never: 

  • Sell any kind of personal information or data.
  • Disclose this information to marketers or third parties not specified in Section 6 of the Privacy Policy.
  • Process your data in any way other than stated in this Privacy Policy.

5. PERSONAL DATA SECURITY

We take administrative, technical, organizational, and other measures to ensure the appropriate level of security of personal data we process. When assessing whether a measure is adequate and which level of security is appropriate, we consider the nature of the personal data we are processing and the nature of the processing operations we perform, the risks to which you are exposed by our processing activities, the costs of the implementation of security measures and other relevant matters in the particular circumstances.

Some of the measures we apply include access authorization control, information classification (and handling thereof), protection of integrity and confidentiality, data backup, firewalls, data encryption and other appropriate measures. We equip our staff with the appropriate knowledge and understanding of the importance and confidentiality of your personal data security.

Whenever we save your personal information, it’s stored on servers and in facilities that only selected personnel and our contractors have access to. We encrypt all data that you submit through Thrivea during transmission using SSL in order to prevent unauthorized parties from viewing such information. Remember – all information you submit to us by email is not secure, so please do not send sensitive information in any email to Company. We never request that you submit sensitive or personal information over email, so please report any such requests to us by sending an email to privacy@thrivea.com.

We protect personal information you provide online in connection with registering an account via Thrivea. Access to your own personal information is available through a password selected by you. This password is encrypted while being transmitted from your mobile device to our servers and while stored on our systems. To protect the security of your personal information, never share your password with anyone. Please notify us immediately if you believe your password has been compromised.

6. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

Company utilizes external processors and sub-processors for certain processing activities. We conduct information audits to identify, categorize and record all personal data that is processed outside our company so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible. The list of our sub-processors is approved by the Client.

We have strict due diligence procedures and measures in place and review, assess and background check all processors prior to forming a business relationship. We obtain company documents, certifications, references and ensure that the processor is adequate, appropriate, and effective for the task we are employing them for.

We audit their processes and activities prior to the contract and during the contract period to ensure compliance with the data protection regulations and review any codes of conduct that oblige them to confirm compliance.

This is the list of processors and sub-processors with whom we share your personal data:

DATA PROCESSOR | ROLE | TYPE OF DATA PROCESSED | DATA PROCESSING LOCATION
Microsoft Azure | Application hosting, database, and storage | User identification and contact data | EU (West / North Europe)
Stripe | Subscription processing and billing | Billing information | EU / USA (with SCC)
SendGrid | Sending system and notification emails | E-mail address, name | EU
Google | Business communications and customer support | E-mail communication | EU
Sentry* | Monitoring errors and system stability | Technical data (logs, error context) | EU

SUB-PROCESSOR | ROLE | TYPE OF DATA PROCESSED | DATA PROCESSING LOCATION
Microsoft Azure | Hosting of the application, database, and backups | Employee data (HR data) | EU
Microsoft (Entra ID / M365) (optional) | SSO authentication and integrations | Employee identification data | EU
Google (optional) | Integrations (if used by the Client) | Employee identification data | EU
SendGrid | Sending HR notifications | Employees’ business email addresses | EU
Sentry* | System monitoring | Technical logs (excluding HR data content) | EU

*Important: Sentry and similar tools do not process the content of HR data, but only technical metadata.

Access to Personal Data processed within Thrivea is strictly limited to authorized individuals and entities, based on operational necessity and the principle of least privilege. 

The following categories of persons may come into contact with Personal Data:

  • Thrivea personnel (e.g., CTO / DevOps)
  • Client representatives (e.g., HR users / Admin Users)

All individuals and entities with access to Personal Data are:

  • contractually bound by confidentiality obligations;
  • trained on applicable data protection requirements, including GDPR principles; and
  • outside accountants, legal counsels, and auditors.

Moreover, we may disclose your personal information to third parties:

  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation;
  • to prevent and detect fraud or crime;
  • in response to a subpoena, warrant, court order, or as otherwise required by law.

Please note that personal information may be disclosed or transferred as part of, or during negotiations of, a merger, consolidation, sale of our assets, as well as equity financing, acquisition, strategic alliance or in any other situation where personal information may be transferred as one of the business assets of Company.

We do not have a list of all third parties we share your data with. However, if you would like further information about with whom we have shared your data, you can request this by contacting us at privacy@thrivea.com.

7. California Privacy Rights

As we have done above, businesses are required to inform members of the categories of personal information they collect and the purposes for which the categories will be used, at or before the point of collection.

You also have the following rights:

Request for Information or Deletion. You have the right to know whether we are processing your personal information, and in some instances, you have the right to request that we disclose to you the categories listed below for the preceding 12 months. We have the right to request verification of your identity for all requests for information. In responding to this right, we shall provide to you:

  • The categories of personal information we collect about you.
  • The categories of sources from which your personal information is collected.
  • The business or commercial purpose(s) for collecting, selling, sharing, or disclosing your personal information, and the categories of personal information disclosed for such purpose(s).
  • The categories of third parties with whom we share your personal information.
  • The categories of personal information we have sold, if any, about you and the categories of third parties to whom your personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold. Please note that Company does not sell any personal information about you.
  • The specific pieces of personal information we have collected about you.

In addition, you may have the right to request we delete your personal information.

Request for Correction. You have the right to request the correction or rectification of inaccurate information in your personal information.

Do Not Sell or Share My Personal Information. You have the right to opt out of the sale or sharing of the individual’s personal information. However, we do not sell your personal information, nor do we share your personal information to provide personalized or targeted advertising. If you have any questions or further comments on the matter, please reach out to us via the contact information at the bottom of this document.

Limiting the Use of Sensitive Personal Information. You have the right to direct us to use or disclose sensitive personal information only for providing goods or services, or as otherwise minimally permitted under applicable law. However, we do not use or disclose sensitive personal information for any purpose not defined under this Notice, or as otherwise minimally permitted under applicable law.

Right of Non-Retaliation. Employees, applicants, and independent contractors that are residents of California have the right not to be retaliated against by an employer for actualizing these rights.

Non-Discrimination. You have the right not to receive discriminatory treatment by us due to your exercise of the rights provided by the CCPA. We do not offer financial incentives and price or service differences, and we do not discriminate against consumers, employees, applicants, or independent contractors for exercising their rights under the CCPA.

Verification Process for Exercising Rights. To protect your privacy, we verify privacy rights requests to ensure that only you (or your authorized agent) can exercise rights pertaining to your personal information. As part of our verification process, we may request you to submit additional information.

If you are an authorized agent wishing to exercise rights on behalf of a state resident, please contact us using the information at the bottom of this Notice and provide us with a copy of the resident’s written authorization designating you as their agent. We may need to verify your identity and place of residence before completing your rights request.

How to Submit a Request

If your personal information is processed by the Client (Employer) as the Data Controller/Business (as described in Section 3.2), requests to exercise California privacy rights should generally be submitted directly to your Employer.

If Company receives such a request directly, Company may redirect the request to the Client or notify the Client before responding, as Company acts as a Service Provider in relation to Employee data.

Where Company acts as a Data Controller/Business (for example, regarding Client Account registration, billing, or communications), California residents may submit a request by contacting:

Email: privacy@thrivea.com

Company may require verification of identity before fulfilling a request.

Authorized agents may submit requests on behalf of California residents, subject to proof of authorization.

Handling Excessive or Repetitive Requests

If your requests are clearly repetitive or excessive, we may either charge a reasonable fee based on the cost of processing or refuse to act on the request altogether. If we decline to act, we will provide the reason for doing so.

8. TEXAS PRIVACY ADDENDUM

This Texas Privacy Addendum (“Addendum”) applies only to personal data of individuals who are residents of the State of Texas and is provided in accordance with the Texas Data Privacy and Security Act (“TDPSA”). It supplements the disclosures in this Privacy Policy where required under Texas law. 
Under the TDPSA, certain individuals who are residents of Texas may be considered “consumers” and may have rights regarding their personal data, subject to statutory limitations and exemptions.

This Addendum applies only to the extent the TDPSA is applicable. 
All capitalized terms not defined in this Addendum have the meanings given in this Privacy Policy or the Terms of Use.

What is Personal Data (Texas)

For Texas residents, “Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable individual. Personal Data does not include deidentified data or publicly available information.

Roles Under the TDPSA

As described in Section 2 of this Privacy Policy:

  • When your personal data is processed via Thrivea at the direction of the Client (Employer), Thrivea is a Data Processor acting on behalf of the Client, who is the Data Controller.
  • In limited contexts (e.g., certain independently directed billing, communications, security operations), Thrivea may act as a Data Controller under Texas law.

Under the TDPSA, both Controller and Processor obligations apply, and Thrivea adheres to applicable contractual safeguards and technical measures as described in this policy to protect your personal data.

Categories of Personal Data and Purposes of Processing

Personal Data collected about you will vary depending on your interaction with Thrivea and whether Company acts as Controller or Processor.

Thrivea may process the following categories of Personal Data:

  • Identifiers (name, work email, account credentials)
  • Professional or employment-related information (HR records uploaded by Client)
  • Billing and subscription information (processed via Stripe)
  • Technical and usage data (IP address, device type, audit logs)
  • Sensitive data, only where provided by the Client and required for HR administration

Purposes of processing are described in Section 3 of this Privacy Policy and include providing the Service, maintaining security, supporting Clients, and complying with legal obligations.

Categories of Sources 

Thrivea collects Personal Data from the following sources:

  • Directly from Users (e.g., account registration, profile updates)
  • Directly or indirectly from Clients (Employers) who upload Employee data
  • Automatically through use of the Platform (logs, cookies, session activity)
  • Third-party service providers supporting platform delivery (hosting, monitoring)

Disclosure of Personal Data

Thrivea may disclose Personal Data for business purposes as described in Section 6 of this Privacy Policy, including disclosure to:

  • hosting and infrastructure providers (e.g., Microsoft Azure)
  • billing processors (e.g., Stripe)
  • communication providers (e.g., SendGrid) 
  • system monitoring providers (e.g., Sentry – technical metadata only)
  • professional advisors and authorities where required by law

Thrivea does not sell Personal Data.

Thrivea does not process Personal Data for targeted advertising.

Texas Consumer Rights

Texas residents may have the following rights under the TDPSA, subject to applicable exceptions:

  • Right to confirm whether a Controller processes your Personal Data
  • Right to access and obtain a copy of Personal Data
  • Right to correct inaccuracies
  • Right to delete Personal Data
  • Right to data portability
  • Right to opt out of processing for:
    • targeted advertising
    • sale of Personal Data
    • profiling in furtherance of decisions producing legal or similarly significant effects

Thrivea does not sell Personal Data and does not engage in targeted advertising.

How to Submit a Rights Request

Where Thrivea processes Employee Personal Data as a Processor on behalf of the Employer (Client), rights requests should generally be submitted directly to the Employer. 
Where Thrivea acts as a Controller (e.g., Client Account registration or billing), requests may be submitted by contacting:
Email: privacy@thrivea.com

Authentication and Verification

To protect your privacy, Thrivea will verify your identity before responding to a rights request.

Verification may include:

  • confirming access through an authenticated account, or
  • requesting additional information necessary to verify identity

Where legally required, Thrivea may request a signed declaration to confirm identity.

Authorized Agents

Where permitted by the TDPSA, you may designate an authorized agent to submit a request on your behalf.

Thrivea may require:

  • proof of the agent’s authorization; and
  • verification of your identity directly with you

Response and Appeal Process

Thrivea will respond to verified consumer requests within 45 days of receipt. Where reasonably necessary, Thrivea may extend the response period once by an additional 45 days, provided you are informed of the extension within the initial 45-day period.

If Thrivea declines to take action on your request, you may appeal the decision by emailing: privacy@thrivea.com

Subject line: “TDPSA Appeal” 

Thrivea will respond to appeals within 60 days of receipt.

If the appeal is denied, you may contact the Texas Attorney General through its consumer privacy webpage.

No Discrimination

Thrivea will not discriminate or retaliate against any individual for exercising rights under the TDPSA. This includes not:

  • denying services
  • charging different prices
  • providing a different level or quality of service
  • suggesting that exercising rights will result in adverse treatment

Do Not Track / Opt-Out Preference Signals

Thrivea does not use Personal Data for targeted advertising. If Thrivea implements legally recognized opt-out preference signals (such as Global Privacy Control) in the future, Thrivea will honor such signals to the extent required by applicable law.

Updates

Thrivea may update this Addendum from time to time. Any changes will be posted as part of this Privacy Policy in accordance with Section 10.