Privacy Policy
Effective Date: March 13, 2026
1. Introduction
Undervaluable Inc. (“we”, “us”, “our”) operates the ThriveUp mobile application (“the App”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information. We are committed to protecting your privacy and complying with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable regulations.
2. Data Controller
Undervaluable Inc.
131 Continental Dr, Newark, DE 19713, United States
Email: hello@thriveupwellness.com
For EU/EEA residents, we act as the data controller for your personal data.
3. Information We Collect
3a. Account Information (required)
When you sign in via Google, Microsoft, or LinkedIn (through AWS Cognito), we receive:
- Email address
- Full name, given name, family name
- Cognito subject identifier
This information is used solely for authentication and to link AI service usage to your account. We do NOT store this information in our own databases — it remains in AWS Cognito.
3b. Device Identifiers
We generate an anonymous installation ID on your device (non-personally-identifiable) used to identify the device for push notifications and AI job tracking.
3c. User-Generated Content (stored on your device only)
The following data is created and stored locally on your device and is NEVER uploaded to our servers unless you explicitly enable Cloud Sync:
- Health profile (height, weight, age, sex, body fat %, TDEE)
- Meal logs with full nutritional detail (macros, micronutrients)
- Weight and body measurement logs
- Workout logs and exercise history
- Sleep data and analysis
- Supplement and medication logs
- Chat messages with AI coach
- Custom tracker entries
- Progress photos (face and body)
- Onboarding questionnaire answers (goals, activity level, diet type, lifestyle factors, lab values, symptoms)
3d. Cloud Sync Data (optional, premium feature)
If you enable Cloud Sync, your journey data is:
- Encrypted with AES-256 server-side encryption
- Stored as a single encrypted JSON blob in AWS S3
- Accessible only with your authenticated account
- Deletable at any time via the Reset Journey feature
3e. Temporarily Processed Data
When you use AI-powered features, the following may be temporarily sent to our servers:
- Photos (food, face, body) for AI analysis
- Health context and profile data for personalized AI responses
- Onboarding answers for generating personalized plans
This data is encrypted in transit (TLS) and at rest (AES-256), processed by Google Gemini AI through our secure server proxy, and automatically deleted from our servers within 15 minutes. AI job records expire and are deleted after 1 hour.
3f. Push Notification Data
If you enable notifications, we store:
- Expo push token
- Device platform (iOS/Android)
- Installation ID and account identifier
- Timezone (for scheduling reminders)
3g. Health Platform Data (on-device only)
With your permission, the App reads data from:
- Apple HealthKit (iOS): steps, active energy, resting heart rate, HRV, VO2 max, SpO2, sleep analysis, workouts
- Google Health Connect (Android): equivalent health metrics
This data stays entirely on your device. We NEVER upload health platform data to our servers.
3h. Oura Ring Data (optional)
If you connect your Oura Ring via OAuth, we access heart rate, sleep data, readiness scores, SpO2, and activity data. The OAuth token is stored on-device only and never sent to our servers.
4. Information We Do NOT Collect
- Location data
- Contact lists
- Advertising identifiers
- Browsing history
- Data from other apps
- Financial information (payments handled by App Store/Play Store)
5. How We Use Your Information
- Provide the Service: Process AI analyses, deliver personalized coaching, sync data across devices
- Authentication: Verify your identity and link AI usage to your account to prevent abuse
- Push Notifications: Send reminders and alerts you’ve configured
- Service Improvement: We use analytics and error monitoring tools to improve service reliability and user experience
- Legal Compliance: Respond to legal requests and enforce our Terms
6. Legal Basis for Processing (GDPR Article 6)
- Consent (Art. 6(1)(a)): For processing health-related data, uploading photos for AI analysis, and optional Cloud Sync
- Contract Performance (Art. 6(1)(b)): To provide the services you’ve requested (authentication, AI features, push notifications)
- Legitimate Interest (Art. 6(1)(f)): For service security, preventing abuse, and maintaining infrastructure
For special category data (health data) under GDPR Article 9, processing is based on your explicit consent.
7. Third-Party Data Processors
| Service | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | Authentication data, encrypted backups, temporary AI job data |
| Google Gemini AI | AI analysis | Temporarily: photos, health context |
| RevenueCat | Subscription management | Anonymous app user ID, subscription status |
| Expo | Push notification delivery | Push tokens, notification content |
| PostHog | Session monitoring, error capture | Anonymous usage data |
| Sentry | Error monitoring | Application error logs |
| Social Identity Providers | Authentication | Email, name (via OAuth/Cognito) |
| Oura | Wearable data integration | Health metrics (user-authorized OAuth) |
8. Advertising
We do NOT display advertisements in the App. We do NOT sell, rent, or share your personal data with advertisers or ad networks. We do NOT use your data for targeted advertising.
9. Data Retention
- On-device data: Persists until you delete the app or use Reset Journey
- AI uploads (photos): Automatically deleted within 15 minutes
- AI job records: Expire and are deleted after 1 hour
- Onboarding sessions: Expire after 14 days
- Cloud Sync backups: Persist until you delete them via Reset Journey or request deletion
- Push notification tokens: Retained while your account is active
- Cognito account: Retained until you request deletion
10. Your Rights
For all users:
- Access: Download all your data through the App
- Deletion: Delete all your data using the Reset Journey feature, or contact us
- Portability: Export your data from the App
Additional rights for EU/EEA residents (GDPR):
- Rectification: Request correction of inaccurate data
- Restriction: Request restriction of processing
- Object: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
- Complaint: Lodge a complaint with your local Data Protection Authority
Additional rights for California residents (CCPA):
- Know: Request disclosure of personal information collected
- Delete: Request deletion of personal information
- Non-Discrimination: We will not discriminate against you for exercising your rights
- Opt-Out of Sale: We do NOT sell personal information
To exercise any of these rights, contact us at hello@thriveupwellness.com or use the in-app data management features.
11. Data Security
- All data in transit is protected with TLS encryption
- Server-side data is encrypted with AES-256
- Cloud Sync backups use server-side encryption in AWS S3
- AI processing is proxied through our secure servers (API keys never exposed to client)
- Authentication tokens are stored in device secure storage (iOS Keychain; Android Keystore-backed encrypted storage)
- No user passwords are stored (social sign-in only)
- Temporary uploads are automatically purged within 15 minutes of upload
12. International Data Transfers
Our servers are located in the United States (AWS). If you are located outside the United States, your data may be transferred to and processed in the United States. For EU/EEA residents, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and AWS’s compliance with applicable data protection frameworks.
13. Children’s Privacy
The App is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such data, please contact us immediately and we will take steps to delete it.
14. Cookies and Tracking
- The App does not use cookies
- This website does not use cookies or tracking technologies
- We do not engage in cross-app or cross-site tracking
- Our iOS privacy manifest declares NSPrivacyTracking as false
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through an update notice within the App and by updating the “Effective Date” at the top of this page. Your continued use of the App after changes constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights:
Undervaluable Inc.
131 Continental Dr
Newark, DE 19713
United States
Email: hello@thriveupwellness.com
For EU/EEA data protection inquiries, you may also contact your local Data Protection Authority.