Data Processing Agreement

This Data Processing Agreement is between THRIVLY LTD, company number 17111377, registered office 57 Stanborough Avenue, WD6 5LX, United Kingdom, and the customer organisation using Thriv-Ly.

For the purposes of this DPA, the customer is the controller and THRIVLY LTD acts as processor when processing personal data on the customer's behalf through Thriv-Ly. This DPA does not apply to processing where THRIVLY LTD acts as controller for its own account, billing, legal, support, or direct customer relationship purposes.

The subject matter of the processing is the provision of the Thriv-Ly platform and related support, communication, analytics, automation, and AI-assisted service features.

Processing will continue for as long as THRIVLY LTD provides services to the customer and for any additional retention period required to comply with law, resolve disputes, or complete agreed deletion or return steps.

Processing may include collection, storage, organisation, retrieval, analysis, disclosure by transmission, and deletion of personal data in order to:

• host and operate the Thriv-Ly service;
• manage conversations, leads, bookings, cases, and related workflows;
• support customer knowledge-base and document processing;
• enable owner and staff access, authentication, and session management;
• send notifications and operational communications where enabled;
• generate AI-assisted responses and operational insights;
• support security, troubleshooting, monitoring, and abuse prevention.

Data subjects may include:

• the customer’s owners, staff, and authorised users;
• the customer’s leads, prospects, website visitors, customers, and contacts;
• demo users where the customer is participating in a demo or onboarding flow.

Personal data may include:

• names, email addresses, phone numbers, business details, and account details;
• conversation content, booking requests, lead details, case details, and notes;
• uploaded documents and business knowledge content;
• authentication, session, and access-related information;
• technical metadata, delivery attempts, and operational logs.

THRIVLY LTD will process personal data only on documented instructions from the customer, except where required to do otherwise by applicable law. The customer instructs THRIVLY LTD to process personal data as necessary to provide the Thriv-Ly service and related support.

THRIVLY LTD will ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.

THRIVLY LTD will implement appropriate technical and organisational measures designed to protect personal data, taking into account the nature of the data and the risks presented by the processing.

These measures may include access controls, authentication controls, hashed magic-link tokens, HTTP-only session cookies, infrastructure and storage controls, logging, and delivery monitoring.

The customer authorises THRIVLY LTD to use subprocessors to support the service. Current subprocessors are listed on the Thriv-Ly Subprocessors page.

THRIVLY LTD will remain responsible for the acts and omissions of its subprocessors to the extent required by applicable law and contract.

Taking into account the nature of the processing, THRIVLY LTD will provide reasonable assistance to the customer in responding to requests to exercise data subject rights and in meeting applicable obligations relating to security, breach response, impact assessments, and regulator cooperation.

Where personal data is transferred outside the UK, THRIVLY LTD will aim to ensure that appropriate transfer safeguards are used where required by applicable law.

On termination of the services, THRIVLY LTD will, at the customer’s choice where reasonably practicable, delete or return personal data, unless retention is required by law or for legitimate record-keeping, security, dispute resolution, or enforcement purposes.

THRIVLY LTD will make available information reasonably necessary to demonstrate compliance with this DPA and applicable processor obligations, subject to confidentiality, security, and proportionality limits.

If there is a conflict between this DPA and another written agreement between the parties in relation to the processing of personal data, this DPA will prevail to the extent of that conflict.