Thriveo Health

Privacy Policy

Last updated: March 9, 2026

Thriveo Health ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Luxembourg's data protection legislation.

On this page

  1. 1. Data Controller
  2. 2. Data We Collect
  3. 3. Legal Basis
  4. 4. Health Data (Art. 9)
  5. 5. How We Use Data
  6. 6. Technology & Processing
  7. 7. Data Sharing
  8. 8. International Transfers
  9. 9. Storage & Security
  10. 10. Data Retention
  11. 11. Your Rights
  12. 12. Cookies
  13. 13. Children's Privacy
  14. 14. Supervisory Authority
  15. 15. Changes
  16. 16. Contact

1. Data Controller

The data controller is Thriveo Health, operated by Vinicius Serrano, based in Luxembourg. For any data protection inquiries, contact us at hello@thriveo.health. As a small-scale data controller, we are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, but all data protection requests are handled personally by the founder.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, and authentication credentials
  • Health and fitness data: training goals, injury history, physical measurements, readiness scores, workout performance, wellness check-ins, nutrition and dietary data, blood test and biomarker results, and menstrual cycle data. This constitutes special category data under Article 9 GDPR (see Section 4).
  • Wearable and health app data: if you connect a device or health app (e.g. Oura Ring, Apple Health, Samsung Health, Garmin, WHOOP), we receive activity, sleep, heart rate variability (HRV), recovery scores, and other metrics you authorize via the provider's API
  • Usage data: app interactions, session duration, and feature usage
  • Payment data: processed securely by Stripe. We never store your card details.
  • Progress photos: stored securely if you choose to upload them
  • Communication data: messages sent through the in-app chat

3. Legal Basis for Processing (Article 6 GDPR)

We process your data based on:

  • Contract performance (Art. 6(1)(b)): to deliver the performance and longevity service you subscribed to
  • Consent (Art. 6(1)(a)): for optional features like progress photos, analytics cookies, and wearable device integrations
  • Legitimate interest (Art. 6(1)(f)): to improve our platform, prevent fraud, and ensure platform security

4. Health Data — Special Category (Article 9 GDPR)

Some data we collect (injury history, physical measurements, readiness scores, wearable health metrics, nutrition and dietary data, blood test results, menstrual cycle data) qualifies as health data under Article 9 GDPR. We process this data under:

Explicit consent (Art. 9(2)(a)): you provide explicit consent during registration specifically for the processing of your health and fitness data

You may withdraw your consent at any time by contacting us at hello@thriveo.health or by deleting your account. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

We apply additional safeguards for health data: encryption at rest and in transit, row-level security policies, access restricted to your assigned trainer, and no use for marketing purposes.

5. How We Use Your Data

Your data is used to:

  • Create and refine your personalized training programs
  • Provide nutritional guidance and meal suggestions
  • Analyze blood test results and track biomarker trends
  • Track your progress and provide insights
  • Communicate with you about your training
  • Improve our platform and features
  • Process payments and manage subscriptions

6. Technology and Automated Processing (Article 22 GDPR)

Our platform uses technology, including artificial intelligence, to support your personal trainer in delivering a comprehensive performance and longevity service. Your trainer leads your program; technology helps refine it with greater precision. Specifically:

  • Program personalization: your trainer designs your training program using data from your onboarding, readiness scores, and progress history. Technology assists by analyzing this data to suggest refinements in periodization, volume, and exercise selection
  • Nutrition support: technology helps create nutritional guidance and meal suggestions based on your goals, dietary preferences, and activity level
  • Biomarker analysis: technology assists in interpreting blood test results and tracking health markers over time
  • Workout adjustments: based on your daily readiness and recovery data, the platform may suggest adjustments to your trainer for review
  • In-app assistant: an AI-powered chatbot helps answer common questions about your program, nutrition, and training

Your training programs are designed by a certified personal trainer. Technology provides data-driven analysis to support more precise personalization, but all program decisions are made by your trainer. No fully automated decisions with legal or similarly significant effects are made without human involvement.

We do not use your data for automated profiling that produces legal effects. Technology is used solely as a tool to support your trainer in delivering more precise, personalized programs.

7. Data Sharing and Sub-processors

We share data only with the following service providers (sub-processors), each under a Data Processing Agreement (DPA):

ProviderPurposeLocationData Shared
SupabaseDatabase hostingFrankfurt, EUAll account and training data
VercelApplication hosting & CDNGlobal (EU primary)Application content, analytics
StripePayment processingEUEmail, subscription details
AnthropicAI-assisted data analysisUnited StatesAnonymized training profile

Wearable and health app providers (Oura, Apple Health, Samsung Health, Garmin, WHOOP, Strava, Polar Flow, etc.) — only if you choose to connect your device or app. Data flows from them to us, not the reverse.

We never sell your personal data to third parties.

8. International Data Transfers

Your data is primarily stored in the EU (Frankfurt, Germany). However, some of our sub-processors are based outside the European Economic Area (EEA):

  • Anthropic (United States): AI processing is covered by Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of data protection
  • Vercel (global CDN): application content may be cached at edge locations worldwide for performance. Core data remains in EU.

For all international transfers, we ensure adequate safeguards are in place, including SCCs, encryption in transit, and data minimization. You can request a copy of the applicable SCCs by contacting us at hello@thriveo.health.

9. Data Storage and Security

Your data is stored in EU data centers (Frankfurt, Germany) using Supabase with PostgreSQL. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). We implement row-level security policies to ensure you can only access your own data. Access to client data is restricted to the assigned trainer and platform administrators.

10. Data Retention

We retain your data for as long as your account is active. After account deletion, all personal data is permanently removed within 30 days. Anonymized, aggregated data may be retained for analytics. Payment records may be retained for up to 10 years to comply with Luxembourg tax obligations (Article 16 of the Luxembourg Commercial Code).

Data CategoryRetention PeriodReason
Account dataWhile account is activeService delivery
Health & fitness dataWhile account is active + 30 daysTraining personalization
Payment recordsUp to 10 yearsLuxembourg tax obligations
Anonymized analyticsIndefinitePlatform improvement
Deleted account dataPermanently removed within 30 daysGDPR compliance

11. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Access (Art. 15): request a copy of all your personal data
  • Rectification (Art. 16): correct inaccurate data
  • Erasure (Art. 17): delete your account and all associated data
  • Portability (Art. 20): export your data in a machine-readable format (JSON)
  • Object (Art. 21): opt out of processing based on legitimate interest
  • Restriction (Art. 18): limit how we process your data
  • Withdraw consent (Art. 7(3)): you may withdraw consent at any time for any processing based on consent, without affecting the lawfulness of prior processing

You can exercise these rights directly from your account settings (data export and account deletion) or by contacting us at hello@thriveo.health. We will respond within 30 days of receiving your request.

Providing your account data (name, email) is necessary to use the platform. Providing health data is optional but required to receive personalized training programs. You will not be disadvantaged for choosing not to provide optional data.

12. Cookies

We use essential cookies required for the platform to function (authentication, session management). Analytics cookies are optional and only enabled with your consent. You can change your cookie preferences at any time via the cookie settings in your account.

13. Children's Privacy

Thriveo Health is designed for adults aged 18 and over. We do not knowingly collect data from children under 18. If we become aware that we have collected data from a minor, we will delete it immediately.

14. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD), Luxembourg's data protection authority (cnpd.public.lu). You also have the right to seek judicial remedy.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via email or in-app notification at least 14 days before taking effect. Continued use of the platform after the effective date constitutes acceptance.

16. Contact

For any questions about this Privacy Policy or your personal data, contact us at:

Thriveo Health

hello@thriveo.health

Luxembourg

Terms of Service →