Privacy Policy
We are incorporated in India under the Companies Act, 2013 and operate as a UK-facing service provider. We are subject to UK GDPR, EU GDPR for EEA clients, and India’s Digital Personal Data Protection Act, 2023.
Who we are
THRIVEFINITY (OPC) PRIVATE LIMITED (“ThriveFinity”, “we”, “us”, or “our”) is a One Person Company incorporated in India on 11 August 2020 under the Companies Act, 2013. Our principal contact for all data protection matters is om@thrivefinity.uk.
| Detail | Value |
|---|---|
| CIN | U72900TN2020OPC137043 |
| PAN | AAICT0116B |
| GST | 33AAICT0116B1Z3 |
| MSME | UDYAM-TN-02-0006768 |
| Registered address | No. 115, Pilliyer Koil Street, Arumbakkam, Chennai, Tamil Nadu 600106, India |
We are subject to: the Digital Personal Data Protection Act, 2023 (DPDPA) for all data principals located in India; the UK GDPR (as retained by the European Union (Withdrawal) Act 2018) for clients in the United Kingdom; and the EU GDPR for clients in the European Economic Area.
What data we collect
We collect the following categories of personal data:
- Identity data: name, job title, and company name, as provided in intake forms or email correspondence.
- Contact data: email address and, where provided, telephone number.
- Document data: pitch decks, strategy documents, idea briefs, and other materials you upload or share with us for review. These may contain personal data about third parties.
- Financial data: payment method details processed exclusively by Stripe, Inc. We do not store card numbers or full payment credentials on our systems.
- Usage data: pages visited, session duration, referral source, and browser type, collected via privacy-preserving server logs. We do not use Google Analytics or any third-party tracking pixels.
- Communications data: emails, messages, and feedback you send us.
Why we collect it
UK GDPR (for UK clients) — Article 6:
- Performance of a contract (Art. 6(1)(b)): to deliver the PRISM, Pre-Launch Verification, Strategic Intelligence, and Outcome Engineering services you have ordered.
- Legitimate interests (Art. 6(1)(f)): to improve our services, prevent fraud, respond to enquiries, and maintain security. We have conducted a Legitimate Interest Assessment and determined our interests do not override your rights.
- Consent (Art. 6(1)(a)): for marketing communications such as the Friday Notes newsletter. You may withdraw consent at any time by unsubscribing or emailing om@thrivefinity.uk.
- Legal obligation (Art. 6(1)(c)): where required by applicable law, such as financial records for tax compliance.
DPDPA 2023 (for Indian residents) — Section 4:
- Consent: obtained at the point of data collection via our intake forms, clearly describing the purpose of processing.
- Legitimate uses: processing necessary for the performance of service contracts entered into at your request, and for compliance with applicable law.
How we store your data
Your data is stored on servers located within the European Economic Area (EEA) operated by Vercel, Inc. We apply 180-day retention for project-related documents, after which they are permanently deleted unless you have an active Council or Ultra engagement. Backup copies are retained for 30 days beyond deletion. You may request deletion at any time (see Section 7).
Encryption standard
We use industry-standard TLS encryption in transit and AES-256 encryption at rest for all document storage.
Third-party processors
We share data with the following sub-processors, each bound by a Data Processing Agreement:
| Processor | Purpose | Transfer basis |
|---|---|---|
| Stripe, Inc. (USA) | Payment processing. PCI DSS Level 1 certified. | SCCs |
| Vercel, Inc. (USA) | Website hosting and CDN. EEA data residency selected. | SCCs + EU data residency |
| Sanity AS (Norway) | Content management system for published content. | EEA-resident |
We do not sell, rent, or trade your personal data to any third party for marketing purposes. We self-host all website fonts — no data is sent to Google Fonts or any external font CDN.
International transfers
As an India-incorporated company serving UK and EEA clients, personal data flows from your jurisdiction to our team in India and to Vercel’s EEA-resident infrastructure. For UK clients, we rely on the UK International Data Transfer Agreement (IDTA); for EEA clients, we rely on EU Standard Contractual Clauses (SCCs) as the lawful basis for these transfers.
For Indian residents, data is stored on Vercel’s EEA infrastructure. Cross-border transfers are conducted in accordance with Section 16 of the DPDPA 2023 and any applicable government notifications regarding permissible recipient countries.
Your rights
UK & EU clients — under GDPR Chapter III:
Art. 15
Right of Access
Request a copy of the personal data we hold about you.
Art. 16
Right to Rectification
Request correction of inaccurate or incomplete data.
Art. 17
Right to Erasure
Request deletion of your data, subject to legal retention obligations.
Art. 20
Right to Portability
Receive your data in a structured, machine-readable format.
Art. 21
Right to Object
Object to processing based on legitimate interests or direct marketing.
Art. 18
Right to Restriction
Request restricted processing in certain circumstances.
Indian residents — under DPDPA 2023:
§ 11
Right to Information
Know what personal data is being processed, for what purpose, and by which processors.
§ 12
Right to Correction & Erasure
Request correction of inaccurate data or erasure when no longer necessary for the stated purpose.
§ 13
Right to Grievance Redressal
Lodge a grievance with us, to be acknowledged within 48 hours and resolved within 30 days.
§ 14
Right to Nominate
Nominate another individual to exercise your data rights in the event of death or incapacity.
Exercise your rights
Email om@thrivefinity.uk with the subject line “Data Rights Request”. We will respond within one calendar month for GDPR requests and within 48 hours for DPDPA grievances. You can also use our Privacy Centre.
Cookies
We use only strictly necessary localStorage and sessionStorage (not cookies) for theme preference and loading state. We do not use advertising, analytics, or tracking cookies. See our Cookie Policy for full details.
How to complain
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the relevant supervisory authority:
- UK clients: Information Commissioner’s Office (ICO) — ico.org.uk/make-a-complaint
- EEA clients: your local data protection authority (listed at edpb.europa.eu).
- Indian residents: the Data Protection Board of India (once constituted under DPDPA 2023); in the interim, you may write to the Ministry of Electronics and Information Technology (MeitY), Government of India.
We would always appreciate the opportunity to address your concern before you escalate — please contact om@thrivefinity.uk first.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email to active clients and flagged in Friday Notes. The “Last updated” date at the top of this page indicates the most recent revision. Continued use of our services following a material update constitutes acceptance of the revised policy.
Questions about your data?
We respond within one business day. If you’d prefer a direct conversation, book a call on our contact page.