Effective Date: February 1, 2022

Protecting your privacy is important to us and part of our core values. At Thrivable, we have two fundamental principles:

  • We are thoughtful about the personal information we ask you to provide and the personal information that we collect about you through the operation of our services.
  • We aim to make it as simple as possible for you to understand what information we collect from you, why we collect it, and how we use it. 

Below is our Privacy Policy, which incorporates and clarifies these principles.

Who We Are and What This Policy Covers

Thrivable is an organization dedicated to helping people thrive. Today, we do this by connecting people with health conditions, supporting them, and shining a light on their experiences. 

This Privacy Policy applies to information that you provide to us or that we collect about you when you use:

  • Our websites (including thrivable.app); 
  • Our other Thrivable products, services, and features that are available on or through our websites, such as the Thrivable rapid research platform which is also accessible via SMS and email.

Throughout this Privacy Policy we’ll refer to our websites, mobile applications, and other products and services collectively as “Services.” 

Please note that this Privacy Policy does not apply to any of our products or services that have a separate privacy policy; you should review those policies before using any of these products or services.

Below we explain how we collect, use, and share information about you, along with the choices that you have with respect to that information.


Information We Collect

We only collect information about you if we have a reason to do so–for example, to provide our Services, to communicate with you, or to make our Services better.

We collect information in three ways: when you provide information to us; automatically through operating our Services; and from outside sources. Let’s go over the information that we collect.

Information You Provide to Us

It’s probably no surprise that we collect information that you provide to us. The amount and type of information depends on the context and how we use the information. Here are some examples:

    • Identifiers: We ask for basic information from you in order to set up your account. For example, we require individuals who sign up for a Thrivable account to provide an email address along with a username or name, depending on the service – and that’s it. You may provide us with more information – like your address and other information you want to share – but we don’t require that information to create a Thrivable account. You may provide a copy of a government ID so that we may verify your identity in order to participate in market research activities with Thrivable.
    • Billing and Contact Information: If you buy something from us, you will provide additional personal and payment information, such as your name, credit card information, and contact information.
    • Content Information: Depending on the Services you use, you may also provide us with information about you in draft and published content. For example, if you write a forum post that includes biographic information about you, we will have that information, and so will anyone with access to the Internet if you choose to publish the post publicly. This might be obvious to you…but it’s not to everyone!
    • Credentials: Depending on the Services you use, you may provide us with credentials to connect to another application. For example, a user of Thrivable may provide credentials to enable our Services to communicate with your corporate network. 
    • Communications with Us (Hi There!): You may also provide us information when you respond to surveys, communicate with our engineers about a support question, post a question about your site in our public forums, or sign up for a newsletter. When you communicate with us via form, email, phone, website comment, or otherwise, we store a copy of our communications (including any call recordings as permitted by applicable law).
  • Demographic and personal information: You may provide information about your race, gender, ethnicity, health information or personally identifiable information when creating an account or participating in marketing research. We use this information for the purposes of providing market research services.
  • Audio/video data: You may provide audio or video data while participating in marketing research on Thrivable. We use this information for the purposes of providing market research services.
  • Professional or employment-related information: You may provide professional or employment-related information while participating in market research. We use this information for the purposes of providing market research services.
  • Education information: You may provide educational information while participating in market research. We use this information for the purposes of providing market research services.

Information We Collect Automatically

We also collect some information automatically:

  • Log Information: Like most online service providers, we collect information that web browsers, mobile devices, and servers typically make available, such as the browser type, IP address, unique device identifiers, language preference, referring site, the date and time of access, operating system, and mobile network information. We collect log information when you use our Services–for example, when you create or make changes while logged into Thrivable.
  • Usage Information: We collect information about your use of our Services. For example, we collect information about the actions that users and administrators perform on Thrivable–in other words, who did what, when and to what thing on a site (e.g., [Thrivable username] updated “[profile field]” at [time/date]). We also collect information about what happens when you use our Services (e.g., page views, support document searches, interactions with other parts of our Services) along with information about your device (e.g., screen size, name of cellular network, and mobile device manufacturer). We use this information to, for example, provide our Services to you, as well as get insights on how people use our Services, so we can make our Services better.
  • Location Information: We may determine the approximate location of your device from your IP address. We collect and use this information to, for example, calculate how many people visit our Services from certain geographic regions. We may also collect information about your precise location via our mobile apps if you allow us to do so through your mobile device operating system’s permissions.
  • Stored Information: We may access information stored on your mobile device via our mobile apps. We access this stored information through your device operating system’s permissions. For example, if you give us permission to access the photographs on your mobile device’s camera roll, our Services may access the photos stored on your device when you upload a photo as part of a response to a Thrivable survey.
  • Information from Cookies & Other Technologies: A cookie is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns. Pixel tags (also called web beacons) are small blocks of code placed on websites and emails. Thrivable uses cookies and other technologies like pixel tags to help us identify and track visitors, usage, and access preferences for our Services, as well as track and understand email campaign effectiveness and to deliver targeted ads. 

Information We Collect from Other Sources

We may also get information about you from other sources. For example, if you create or log into your Thrivable account through another service (like Google) or if you connect your website or account to a social media service (like Twitter), we will receive information from that service (such as your username, basic profile information, and friends list) via the authorization procedures used by that service. The information we receive depends on which services you authorize and any options that are available.

We may also get information, such as a mailing address, from third party services about individuals who are not yet our users (…but we hope will be!), which we may use, for example, for marketing and advertising purposes like postcards and other mailers advertising our services.

Categories of Information Sold in the Prior 12 Months

We have sold the following information during the prior year:

  • None

How and Why We Use Information

Purposes for Using Information

We use information about you as mentioned above and for the purposes listed below:

  • To provide our Services–for example, to set up and maintain your account, conduct market research, or compensate you for or charge you for any of our paid Services;
  • To further develop and improve our Services–for example, by adding new features that we think our users will enjoy;
  • To monitor and analyze trends and better understand how users interact with our Services, which helps us improve our Services and make them easier to use;
  • To measure, gauge, and improve the effectiveness of our advertising, and better understand user retention and attrition — for example, we may analyze how many individuals purchased a paid plan after receiving a marketing message or the features used by those who continue to use our Services after a certain length of time;
  • To monitor and prevent any problems with our Services, protect the security of our Services, detect and prevent fraudulent transactions and other illegal activities, fight spam, and protect the rights and property of Thrivable and others, which may result in us declining a transaction or the use of our Services;
  • To communicate with you. For example, we may email you to solicit your feedback, share tips for getting the most out of our products, or keep you up to date on Thrivable; text you to verify your payment; or call you to share offers and promotions that we think will be of interest to you. If you don’t want to hear from us, you can opt out of marketing communications at any time. (Please keep in mind that even if you opt out, we’ll still send you important updates relating to your account); and
  • To personalize your experience using our Services, provide content recommendations, target our marketing messages to groups of our users (for example, those who have a particular plan with us or have been our user for a certain length of time), and serve relevant advertisements.

Legal Bases for Collecting and Using Information

A note here for those in the European Union about our legal grounds for processing information about you under EU data protection laws, which is that our use of your information is based on the grounds that:

(1) The use is necessary in order to fulfill our commitments to you under the applicable terms of service or other agreements with you or is necessary to administer your account — for example, in order to enable access to our website on your device or charge you for a paid plan; or

(2) The use is necessary for compliance with a legal obligation; or

(3) The use is necessary in order to protect your vital interests or those of another person; or

(4) We have a legitimate interest in using your information — for example, to provide and update our Services; to improve our Services so that we can offer you an even better user experience; to safeguard our Services; to communicate with you; to measure, gauge, and improve the effectiveness of our advertising; and to understand our user retention and attrition; to monitor and prevent any problems with our Services; and to personalize your experience; or

(5) You have given us your consent — for example before we place certain cookies on your device and access and analyze them later on.

Sharing Information

How We Share Information

We share information about you in the limited circumstances spelled out below and with appropriate safeguards on your privacy. 

  • Subsidiaries, Employees, and Independent Contractors: We may disclose information about you to our subsidiaries, our employees, and individuals who are our independent contractors that need to know the information in order to help us provide our Services or to process the information on our behalf. We require our subsidiaries, employees, and independent contractors to follow this Privacy Policy for personal information that we share with them.
  • Third Party Vendors: We may share information about you with third party vendors who need to know information about you in order to provide their services to us, or to provide their services to you or your site. This group includes vendors that help us provide our Services to you (like payment providers that process your credit and debit card information, payment providers you use for your ecommerce operations, fraud prevention services that allow us to analyze fraudulent payment transactions, postal and email delivery services that help us stay in touch with you, customer chat and email support services that help us communicate with you, those that assist us with our marketing efforts (e.g. by providing tools for identifying a specific marketing target group or improving our marketing campaigns), and those that help us understand and enhance our Services (like analytics providers). We require vendors to agree to privacy commitments in order to share information with them. Other vendors are listed in our more specific policies.
  • Legal and Regulatory Requirements: We may disclose information about you in response to a subpoena, court order, or other governmental request. 
  • To Protect Rights, Property, and Others: We may disclose information about you when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of Thrivable, third parties, or the public at large. For example, if we have a good faith belief that there is an imminent danger of death or serious physical injury, we may disclose information related to the emergency without delay.
  • Business Transfers: In connection with any merger, sale of company assets, or acquisition of all or a portion of our business by another company, or in the unlikely event that Thrivable goes out of business or enters bankruptcy, user information would likely be one of the assets that is transferred or acquired by a third party. If any of these events were to happen, this Privacy Policy would continue to apply to your information and the party receiving your information may continue to use your information, but only consistent with this Privacy Policy.
  • With Your Consent: We may share and disclose information with your consent or at your direction. For example, we may share your information with third parties with which you authorize us to do so, such as if you would like to be contacted to participate in a market research activity or clinical trial.
  • Aggregated or De-Identified Information: We may share information that has been aggregated or reasonably de-identified, so that the information could not reasonably be used to identify you. For instance, we may publish aggregate statistics about the use of our Services and we may share a hashed version of your email address to facilitate customized ad campaigns on other platforms.

Information Shared Publicly

Information that you choose to make public is–you guessed it–disclosed publicly.

That means, of course, that information like your public profile, posts, other content that you make public on your website, and your “Likes” and comments on other websites, are all available to others.

Public information may also be indexed by search engines or used by third parties.

Please keep all of this in mind when deciding what you would like to share.

Health Insurance Portability and Accountability Act

We are not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996, and its related regulations (“HIPAA”).  We may be considered a “business associate” of a medical provider or facility that transfers us any information that may be protected health information (“PHI”).  If we are considered a “business associate,” then we will protect your PHI and disclose it only in accordance with HIPAA.  If we provide services directly to you without the involvement of a health care provider or facility, then we are not covered by HIPAA, but we comply with other privacy and data security laws that apply.

How Long We Keep Information

How long we keep the personal information we collect depends on the type of information, the purpose for which it is used, how sensitive it is, and similar factors. In general, we will retain your personal information for the length of time reasonably needed to fulfill the purposes outlined in this privacy policy (including for as long as needed to provide you or our customer with products and services), unless a longer retention period is required or permitted by law.

We will also retain and use your information for as long as necessary to resolve disputes and enforce our rights and agreements. We retain your account information for the Services for as long as your account is active. Anonymous and aggregated information may be stored indefinitely.


While no online service is 100% secure, we work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take reasonable measures to do so, such as monitoring our Services for potential vulnerabilities and attacks.


You have several choices available when it comes to information about you:

  • Limit the Information that You Provide: If you have an account with us, you can choose not to provide the optional account information, profile information, and transaction and billing information. Please keep in mind that if you do not provide this information, certain features of our Services–for example, participating in research activities–may not be accessible.
  • Limit Access to Information on Your Mobile Device: Your mobile device operating system should provide you with the ability to discontinue our ability to collect stored information or location information via our mobile apps. If you do so, you may not be able to use certain features (like adding a location to a photograph, for example).
  • Opt-Out of Marketing Communications: You may opt out of receiving promotional communications from us. Just follow the instructions in those communications or let us know. If you opt out of promotional communications, we may still send you other communications, like those about your account and legal notices.
  • Set Your Browser to Reject Cookies: At this time, Thrivable does not respond to “do not track” signals across all of our Services. However, you can usually choose to set your browser to remove or reject browser cookies before using Thrivable’s websites, with the drawback that certain features of Thrivable’s websites may not function properly without the aid of cookies.
  • Close Your Account: While we’d be very sad to see you go, if you no longer want to use our Services, you can close your account. Please keep in mind that we may continue to retain your information after closing your account, as described in How Long We Keep Information above — for example, when that information is reasonably needed to comply with (or demonstrate our compliance with) legal obligations such as law enforcement requests, or reasonably needed for our legitimate business interests.

California Residents

If you are a resident of California, the California Consumer Privacy Act of 2018 (CCPA) law gives you rights with respect to your personal data, subject to any exemptions provided by the law. 

If you are an individual residing in California, you may have additional rights with regard to the information we gather about you. Upon verifiable written request, we will provide to you information regarding the personal information we gather about you, the types of sources from which we obtain the information, the purposes for which the information is gathered, and the types of third parties with which we share or to whom (if any) we sell the information.  In addition, upon verifiable request or when required or otherwise appropriate, and within periods (if any) set by applicable law, we will grant you reasonable access to the personally identifiable information that we hold about you provided that you establish to our reasonable satisfaction that you are the person whose personal information is requested. We may deny such access where the denial is permitted by applicable law and every request from an individual will be assessed on a case-by-case basis.  In the event a request is denied, we will notify you regarding the reasons for the denial in writing.  Consistent with how your personal information is maintained in the ordinary course of our business, we will provide the information in an understandable form, and to the extent feasible in a format that permits you to use the information on other systems. We may impose a reasonable charge when a request is made (e.g., for photocopying or postage) to the extent permitted under applicable law. In addition, we will take reasonable steps to permit you to correct or amend personally identifiable information that is demonstrated to be inaccurate or incomplete. We also will delete personal information we have gathered about you when you make a verifiable request that we do so, except to the extent applicable law permits or requires us to maintain that information.  
To guard against fraudulent requests for access, we will require sufficient information to allow us to confirm the identity of the individual making the request before granting access or deleting the information.  We will not discriminate against consumers who exercise their rights under California law. However, we may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided by your personal information and may offer financial incentives to an individual for the collection, sale, or deletion of personal information if the individual provides its prior consent to the terms of those incentives.

Residents of the State of California may request a list of all third parties to which we have disclosed certain personal information (as defined by California law) during the preceding year for those third parties’ direct marketing purposes.  If you are a California resident and want such a list, please contact us via the Contact Us information provided below.

For all requests, you must put the statement “Your California Privacy Rights” in the body of your request, as well as your name, street address, city, state, and zip code.  In the body of your request, please provide enough information for us to determine if this applies to you.  You need to attest to the fact that you are a California resident and provide a current California address for our response.  Please note that we will not accept requests via the telephone, and we are not responsible for notices that are not labeled or sent properly, or that do not have complete information.

To exercise your rights, you may contact us via our contact page, member@thrivable.app, or call us toll-free at (800) 519-3981. Please leave a message including an explanation of your request and we will respond. 

European Residents 

If you are located in certain countries, including those that fall under the scope of the European General Data Protection Regulation (the “GDPR”), data protection laws give you rights with respect to your personal data, subject to any exemptions provided by the law, including the rights to:

  • Request access to your personal data;
  • Request correction or deletion of your personal data;
  • Object to our use and processing of your personal data;
  • Request that we limit our use and processing of your personal data; and
  • Request portability of your personal data.

You can usually access, correct, or delete your personal data using your account settings and tools that we offer, but if you aren’t able to do that, or you would like to contact us about one of the other rights, scroll down to How to Reach Us to, well, find out how to reach us.

EU individuals also have the right to make a complaint to a government supervisory authority.

Controllers and Responsible Companies

Thrivable’s Services are worldwide. The controller and responsible company is:

Thrivable Inc.
26201 Richmond Rd
Bedford Heights, OH 44146


Privacy of Children on Our Website

We do not knowingly collect or maintain information provided by children under the age of 13.  If a child has provided us with personally-identifying information without parental or guardian consent, the parent or guardian should contact us and we will remove the information.

How to Reach Us

If you have a question about this Privacy Policy, or you would like to contact us about any of the rights mentioned in the Your Rights section above, please email team@thrivable.app. 

Other Things You Should Know (Keep Reading!)

Transferring Information

Because Thrivable’s Services are offered worldwide, the information about you that we process when you use the Services in the EU may be used, stored, and/or accessed by individuals operating outside the European Economic Area (EEA) who work for us, other members of our group of companies (in the future), or third party data processors. This is required for the purposes listed in the How and Why We Use Information section above. When providing information about you to entities outside the EEA, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this Privacy Policy as required by applicable law. 

Ads and Analytics Services Provided by Others

Ads appearing on any of our Services may be delivered by advertising networks. Other parties may also provide analytics services via our Services. These ad networks and analytics providers may set tracking technologies (like cookies) to collect information about your use of our Services and across other websites and online services. These technologies allow these third parties to recognize your device to compile information about you or others who use your device. This information allows us and other companies to, among other things, analyze and track usage, determine the popularity of certain content, and deliver advertisements that may be more targeted to your interests. Please note this Privacy Policy only covers the collection of information by Thrivable and does not cover the collection of information by any third party advertisers or analytics providers.

Third Party Software and Services

We may make available third-party services through our Services. Please note that if you use the third-party service or grant access, your data will be handled in accordance with the third party’s privacy policy and practices. We don’t own or control these third parties, and they have their own rules about collection, use, and sharing of information, which you should review before using the software or services.

Privacy Policy Changes

Although most changes are likely to be minor, Thrivable may change its Privacy Policy from time to time. Thrivable encourages visitors to frequently check this page for any changes to its Privacy Policy. If we make changes, we will notify you by revising the change log below, and, in some cases, we may provide additional notice (such as adding a statement to our homepage or the Thrivable Blog, or sending you a notification through email or your dashboard). Your further use of the Services after a change to our Privacy Policy will be subject to the updated policy.

Change log

  • May 31, 2022: Removed references to Privacy Shield.
  • February 1, 2021: Added language about HIPAA and confirmed that no personal data has been sold during the prior year. 
  • March 20, 2020: We are keeping a Change Log starting with this update. This major overhaul of the Privacy Policy follows the same principles of our existing policy, focuses on improving readability and comprehensiveness, and offers additional commitments to our users to protect their privacy.

HIPAA - Notice of Privacy Practices (“Notice”)

Appendix to Privacy Policy for Websites 

Last updated - April 1, 2022

A.1 Our Commitment to You

Thrivable is committed to maintaining the privacy of your health information. As part of our services or during your treatment with us, physicians, nurses, and other personnel may collect information about your health history and current health status. This Notice explains how that information, called “Protected Health Information” (PHI), may be used and disclosed to others. The terms of this Notice apply to health information produced or obtained by .

A.2 Our Legal Duties

The HIPAA Privacy Law requires us to provide this Notice to you regarding our privacy practices, our legal duties to protect your health information and your rights concerning health information about you. We are required to follow the privacy practices described in this Notice whenever we use or disclose your protected health information (PHI). Other companies or persons that perform services on our behalf, called Business Associates, must also protect the privacy of your information. Business Associates are not allowed to release your information to anyone else unless specifically permitted by law. 

A.3 Uses and Disclosures of Protected Health Information

A.3.1 What Health Information We Collect

As part of our services or during your treatment with us, physicians, nurses, and other personnel may collect information about your health history and current health status. The information we collect is generally personal information as defined under privacy statutory regulations and protected health information as defined under HIPAA. We collectively refer to this information as personal information in this Notice. 

We may collect directly from you all or some of the following:

Personal Information you may provide

  • Name, email and contact details
  • Health Number
  • Medical History

What do we do with the information?

To provide health services

Can you withdraw your consent?

Yes, at any time by contacting us at member@thrivable.app.

Information we collect automatically from your device is covered through our main “Privacy Policy.” 

A.3.2 How We Use and Disclose Your Health Information

The HIPAA Privacy Law permits to make uses and disclosures of your health information for purposes of treatment, payment and health care operations. We may use or disclose your health information for the purposes outlined in this Notice. 

  • Treatment: We will use and may share health information about you for your health care and treatments or coordinate/manage your treatment. For example, a nurse or medical assistant will obtain treatment information about you and record it in a medical record. Alternatively, one of our physicians may use information about you for a consultation with or a referral to another physician to diagnose your illness and determine which treatment option, such as surgery or medication, will best address your health needs. Except in emergency circumstances, we will make a “good faith effort” to get your permission prior to making disclosures outside for treatment purposes. 
  • Payments: We may use and disclose health information about you to obtain payment for the care and services we have provided. We may use and disclose health information about your treatment and services to bill and collect payment from you, your insurance company or a third-party payer. For example, we may need to give your insurance company information before it approves or pays for the health care services we recommend for you. The insurance company may use that information to determine eligibility or coverage for insurance benefits, review services provided to you for health necessity, and undertake utilization review activities.
  • Healthcare Operations: We may use and share health information about you for ’s health care operations, which include planning, management, quality assessment, and improvement activities for the treatments that we deliver.  For example, we may use your health information to evaluate the skills of our physicians, nurses, and other health care providers in caring for you. We also may use your information to review quality and health outcomes. We will obtain your written permission before making disclosures to others outside for health care operations purposes.
  • Health-Related Benefits, Services and Treatment Alternatives: We may also contact you about new or alternative treatments or other health care services. For example, we may offer to mail you newsletters, coupons, or announcements.
  • Appointment Reminders: We may use and disclose health information to contact you for appointment reminders and to communicate necessary information about your appointment.
  • Law Enforcement: In certain circumstances, we may be legally required to share certain personal information held by us, which may include your health information. We may disclose your health information to a law enforcement official if required or allowed by law, such as in cases of gunshot wounds and some burns. We may also disclose information about you to law enforcement that is not a part of your health record for the following reasons:
    • To identify or locate a suspect, material witness, victim of a crime, or missing person
    • About a death we believe may be the result of criminal conduct
    • About criminal conduct at our location 
    • In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
  • Fundraising Communications: We may contact you as part of a fundraising effort.  For example, we may use your information to contact you to raise money for and its operations. We would only release your name, address and phone number, and the dates you received services at . If you do not want us to contact you for fundraising efforts, you must notify in writing.
  • People Assisting in Your Care: In certain limited situations, may disclose essential health information to people such as family members, relatives, or close friends who are helping care for you or helping you pay your health care bills. We will disclose information to them only if these people need to know the information to help you. For example, we may provide limited information to a family member so that they may pick up a prescription for you. Generally, we will ask you prior to making disclosures if you agree to such disclosures. If you are unable to make health-related decisions or it is an emergency, will determine if it would be in your best interest to disclose pertinent health information about you to the people assisting in your care.
  • Research: Federal law permits to use or disclose health information about you for research purposes if the research is reviewed and approved by an institutional review board or a privacy board to protect the privacy of your health information before the study begins. We may disclose your information if we have your written authorization to do so. In some situations, researchers may be allowed to use information about you in a restricted way to determine whether the potential study participants are appropriate. We will make a “good faith effort” to acquire your permission or rejection to participate in any research study prior to releasing any protected information about you.
  • Health Oversight Activities: We must disclose health information to a health oversight agency for activities that are required by federal, state or local law. Oversight activities include investigations, inspections, industry licensures, and government audits. These activities are necessary to enable government agencies to monitor various health care systems, government programs, and industry compliance with civil rights laws. 
  • Public Health Risks: As authorized by law, we may disclose health information about you to public health or legal authorities whose official responsibilities generally include the following:
    • To prevent or control disease, injury or disability;
    • To report births and deaths;
    • To report child abuse or neglect;
    • To report reactions to medications or problems with products;
    • To notify people of recalls of products they may be using;
    • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and
    • To notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
  • Serious Threat to Health or Safety: Consistent with applicable laws, we may disclose your health information if the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. We also may disclose your health information if it is necessary for law enforcement authorities to identify or apprehend an individual.
  • Organ and Tissue Donation: Consistent with applicable law, we may release your health information to organ procurement organizations or others engaged in the transplantation of organs to enable a possible transplant.
  • Specialized Government Functions: If you are a member of the military or a veteran, we will disclose health information about you as required by command authorities or if you give us your written permission. We may also disclose your health information for other specialized government functions such as national security or intelligence activities.
  • Workers Compensation: If you are seeking compensation due to a work-related injury, we may release health information about you to the extent necessary to comply with laws relating to Workers Compensation claims.
  • Employers: We may release health information to your employer if we provide health treatment to you at the request of your employer, and the health care services are provided either to conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether you have a work-related illness or injury.  In such circumstances, we will provide you with written notice of such information disclosure.  Any other disclosures to your employer will be made only if you sign a specific authorization to release that information.
  • Lawsuits and Disputes: If you are involved in a lawsuit, dispute, or other judicial proceedings, we may disclose health information about you in response to a court order, subpoena, or other lawful process, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
  • Coroners, Medical Examiners, and Funeral Directors: We may release your health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or to determine the cause of death. We may also release your health information to a funeral director, as necessary, to carry out his/her duties.
  • Correctional Facilities: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose health information about you to the correctional institution or law enforcement official only as required by law or with your written permission. We may release your health information for your health and safety, for the health and safety of others, or for the safety and security of the correctional institution.
  • Required by HIPAA Law: The Secretary of the Department of Health and Human Services (HHS) may investigate privacy violations. If your health information is requested as part of an investigation, we are required to share your information with HHS.   

A.3.3 Circumstances Which Require Your Written Consent Prior to Disclosure 

For any purpose other than the ones described above, we may only use or share your health information when you give us your written authorization to do so. For example, you will need to sign an authorization form before sending your health information to your life insurance company. You may revoke your authorization, at any time, in writing, except to the extent that we have taken action in reliance on the authorization. We may not use or disclose your health information without an authorization that is valid as per HIPAA Privacy Rule - “45 CFR § 164.508 - Uses and disclosures for which an authorization is required”. Link: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

  • Marketing: We must also obtain your written authorization before using your health information to send you any marketing materials. The only exceptions to this requirement are that:
    • We can provide you with marketing materials in a face-to-face encounter or a promotional gift of minimal value if we so choose
    • We may communicate with you about products or services relating to your treatment, to coordinate or manage your care, or provide you with information about different treatments, providers or care settings. 
  • Sale: We must obtain your written authorization for any disclosure of your health information that constitutes a sale of health information.
  • Highly Confidential Information: Federal and state law requires special privacy protections for certain “Highly Confidential Information” about you, including any part of your health information that is about: 
    • Child abuse and neglect
    • Domestic abuse of an adult with a disability 
    • Mental illness or developmental disability treatment or services
    • Alcohol or drug dependency diagnosis, treatment, or referral
    • HIV/AIDS testing, diagnosis, or treatment
    • Sexually transmitted disease
    • Sexual assault
    • Genetic testing
    • In Vitro Fertilization (IVF)
    • Information maintained in psychotherapy notes

Before we share your Highly Confidential Information for a purpose other than those permitted by law, we must obtain your written permission.

  • Other Uses: Other uses and disclosures of your health information, not described above, will be made only with your written authorization. 

A.3.4 Your Rights Regarding Your Health Information

You have certain rights regarding your health information, which are explained below. You may exercise these rights by submitting a request in writing to member@thrivable.app. 

  • Right to inspect and copy: If you would like to inspect or receive a copy of your PHI that is contained in a designated record set (e.g., health and billing records), we are required to provide you access to such information within 30 days after receipt of your request (with up to a 30-day extension if required with notice). We may charge you a reasonable fee to cover duplication, mailing and other costs incurred by us in complying with your request.

We may deny your request for access to your personal information as permitted by HIPAA. For example, we may deny your request if we believe the disclosure will endanger your life or that of another person. Depending on the circumstances of the denial, you may have a right to have this decision reviewed.

  • Right to Request Restrictions on Use and Disclosure: You have the right to request a restriction or limitation on certain uses and disclosures of your health information. To request restrictions, you must make your request in writing to Thrivable, 9450 SW Gemini Dr, PMB 72315, Beaverton, Oregon 97008-7105 USA. In your request, you must tell us:
    • What information you wish to limit 
    • Whether you wish to limit our use, disclosure, or both
    • To whom you want the limits to apply – for example, if you want to prohibit disclosures for insurance payment, health care operations, for disaster relief purposes, to persons involved in your care, or to your spouse. 

You or your personal representative must sign the request.

We are not required to agree to your request, but we will attempt to accommodate reasonable requests when appropriate. We retain the right to terminate an agreed-to restriction if we believe such termination is appropriate. In the event of a termination by us, we will notify you of such termination. You also have the right to terminate, in writing or orally, any agreed-to restriction. If we agree to the requested restriction, we may not use or disclose your personal information in violation of that restriction unless it is needed to provide emergency treatment.

  • Right to Request Amendment: If you believe that any health information we have about you is incorrect or incomplete, you have the right to ask us to change the information for as long as maintains the information. To request an amendment to your health information, your request must be in writing, signed, and submitted to .

If we deny your request, we will provide you with a written explanation. You may respond with a statement of disagreement that will be maintained with your records. We will respond to your request within 60 days (with up to a 30-day extension if needed with notice). 

  • Right to Receive Confidential Communications: You have the right to request that we communicate with you about your health information in a confidential manner or at a specific location. For example, you may ask that we only contact you via mail to a post office box. You must submit your request in writing to .  We will not ask you the reason for your request. Your request must specify how or where you wish to be contacted. We will accommodate all reasonable requests. 
  • Right to Receive an Accounting of Certain Disclosures: With some exceptions, you have the right to receive an accounting of certain disclosures we have made, if any, of your health information. Your accounting request must be in writing and signed by you or your personal representative and submitted to . Your request must specify the time in which the disclosures were made. You may receive one free accounting in any 12-month period. We will charge you for additional requests.

This right only applies to disclosures for purposes other than treatment, payment or health care operations as described in this Notice. It also excludes disclosures we may have made to you, your family members or friends involved in your care. The right to receive this information is subject to certain exceptions, restrictions and limitations as allowed by HIPAA.

  • Right to Obtain a Copy of this Notice: You have the right to receive a paper copy of this Notice upon request, even if you have agreed to receive the Notice electronically. You may ask us to give you a copy of this Notice at any time.
  • Right to Cancel Authorization to Use or Disclose: Other uses and disclosures of your health information not covered by this Notice or the laws that govern us will be made only with your written authorization. You have the right to revoke your authorization in writing at any time, and we will discontinue future uses and disclosures of your health information for the reasons covered by your authorization. We are unable to take back any disclosures that were already made with your authorization, and we are required to retain the records of the care that we provided to you. 

In addition, you have the right to be notified if you are affected by a breach of unsecured personal information.


If you believe that we have violated your privacy rights, you may file a complaint with us by notifying us at member@thrivable.app. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services if you feel that your rights have been violated. There will be no retaliation from for making a complaint.

The Privacy Officer is Ryan Fuchs, COO (ryan@thrivable.app).