Privacy Policy
Effective Date: March 15, 2026
1. Introduction
Undervaluable Inc. (“we”, “us”, “our”) operates the ThriveUp mobile application (“the App”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information. We are committed to protecting your privacy and complying with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable regulations.
ThriveUp is built on a device-first architecture. Your wellness data is created, stored, and processed on your device whenever possible. Data is only transmitted to our servers when necessary to power the AI features you choose to use, and is protected by encryption at every stage.
2. Data Controller
Undervaluable Inc. 131 Continental Dr, Newark, DE 19713, United States Email: hello@thriveupwellness.com
For EU/EEA residents, we act as the data controller for your personal data.
3. Information We Collect
3a. Account Information (required for sign-in)
When you sign in via Google, Microsoft, or LinkedIn (through AWS Cognito), we receive:
- Email address
- Full name
- Cognito subject identifier
This information is stored in AWS Cognito and is used solely for authentication and to securely link your use of AI features to your account. We do not store your password.
3b. Device Identifiers
We generate a random, anonymous installation identifier on your device. This is used to associate AI processing requests and push notification delivery with your device. It is not linked to advertising identifiers.
3c. On-Device Wellness Data
The following data is created and stored locally on your device:
- Health profile (height, weight, age, sex, body fat %, TDEE)
- Meal logs with full nutritional detail (macros, micronutrients)
- Weight and body measurement logs
- Workout logs and exercise history
- Sleep data and analysis
- Supplement and medication logs
- Chat messages with AI coach
- Custom tracker entries
- Progress photos (face and body)
- Onboarding questionnaire answers (goals, activity level, diet type, lifestyle factors, lab values, symptoms)
This data remains on your device unless you interact with features that require server-side processing (see Section 3e) or choose to enable Cloud Sync (see Section 3d).
3d. Cloud Sync Data (optional, premium feature)
If you choose to enable Cloud Sync, your full journey data is:
- Encrypted with AES-256 server-side encryption
- Stored as a single encrypted document in AWS S3
- Accessible only with your authenticated account
- Deletable at any time via the App’s Account Center or Reset Journey feature
Cloud Sync is disabled by default and requires both a premium subscription and your explicit enablement.
3e. Data Transmitted for AI-Powered Features
When you use AI-powered features (coaching, food scanning, body analysis, plan generation, wellness insights), relevant portions of your on-device data are securely transmitted to our servers for processing. Depending on the feature, this may include:
- Photos you submit for analysis (food, face, body composition)
- Health profile and plan context needed to personalize AI responses (e.g., your nutrition targets, dietary preferences, recent meals, activity data)
- Recent chat messages to maintain conversation context with your AI coach
- Onboarding answers used to generate your initial wellness plan
This data is:
- Encrypted in transit using TLS
- Encrypted at rest using AES-256
- Processed through our secure server infrastructure — your data is proxied through our own servers to the AI provider; it is never sent directly from your device to third-party AI services
- Automatically purged — uploaded files are deleted within 15 minutes; AI job records expire within 1 hour
We do not retain this data beyond what is needed to deliver your results.
3f. Health Metrics for Notifications and Insights
To provide personalized notifications and health insights, the App transmits aggregated health metrics to our servers, including:
- Resting heart rate, HRV, SpO2, and sleep data (from Apple HealthKit, Google Health Connect, or Oura Ring with your permission)
- Recent nutrition summaries for coaching notifications
This data is encrypted in transit and at rest, associated with your anonymous account identifier, and used solely to generate and deliver your personalized notifications and insights.
3g. Push Notification Data
If you enable notifications, we store:
- Expo push token
- Device platform (iOS/Android)
- Installation ID and account identifier
- Timezone (for scheduling reminders)
3h. Health Platform Data
With your explicit permission, the App reads data from:
- Apple HealthKit (iOS): steps, active energy, resting heart rate, HRV, VO2 max, SpO2, sleep analysis, workouts
- Google Health Connect (Android): equivalent health metrics
This data is read into the App on your device. Aggregated health metrics may be transmitted to our servers as described in Section 3f to power personalized notifications and insights.
3i. Oura Ring Data (optional)
If you connect your Oura Ring via OAuth, we access heart rate, sleep data, readiness scores, SpO2, and activity data. Your OAuth credentials are stored securely on your device using the platform’s secure storage (iOS Keychain / Android Keystore) and are never sent to our servers.
4. Information We Do NOT Collect
- Location data
- Contact lists
- Advertising identifiers
- Browsing history
- Data from other apps
- Financial information (payments handled by App Store/Play Store)
- Microphone or camera data (beyond photos you explicitly capture for AI analysis)
5. How We Use Your Information
- Deliver the Service: Process AI analyses, provide personalized coaching, generate wellness plans, deliver notifications and insights
- Authentication: Verify your identity and securely link AI usage to your account
- Push Notifications: Send reminders, coaching check-ins, and alerts you’ve configured
- Service Reliability: Monitor application health and diagnose errors using privacy-respecting analytics and error monitoring tools
- Legal Compliance: Respond to legal requests and enforce our Terms
We do NOT use your data for advertising, marketing to third parties, or training AI models.
6. Legal Basis for Processing (GDPR Article 6)
- Consent (Art. 6(1)(a)): For processing health-related data when you use AI features, uploading photos for analysis, enabling Cloud Sync, and connecting health platforms
- Contract Performance (Art. 6(1)(b)): To provide the services you’ve requested (authentication, AI features, push notifications)
- Legitimate Interest (Art. 6(1)(f)): For service security, preventing abuse, error monitoring, and maintaining infrastructure
For special category data (health data) under GDPR Article 9, processing is based on your explicit consent, which you provide when you sign in and use the relevant features.
7. Third-Party Data Processors
We use a limited number of trusted third-party processors, each bound by data processing agreements:
| Service | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Secure cloud infrastructure (Cognito, S3, DynamoDB, Lambda) | Authentication data, encrypted backups, encrypted temporary processing data, health metrics |
| Google Gemini AI | AI analysis and coaching | Temporarily: photos, health context, and conversation context — transmitted exclusively via our secure server proxy |
| RevenueCat | Subscription management | Anonymous app user ID, subscription status only |
| Expo | Push notification delivery | Push tokens, notification content |
| PostHog | Privacy-respecting product analytics | Pseudonymized usage events, session data with masked inputs and images |
| Sentry | Error monitoring (server-side) | Application error logs (no personal health data) |
| Social Identity Providers | Authentication | Email, name (via OAuth 2.0 / OpenID Connect) |
We do NOT sell, rent, or share your personal data with advertisers, data brokers, or any third parties for their own purposes.
8. Advertising
We do NOT display advertisements in the App. We do NOT sell, rent, or share your personal data with advertisers or ad networks. We do NOT use your data for targeted advertising. We do NOT use advertising identifiers.
9. Data Retention
| Data Type | Retention |
|---|---|
| On-device wellness data | Until you delete the App or use Reset Journey |
| AI uploads (photos) | Automatically deleted within 15 minutes |
| AI job records | Expire and are deleted within 1 hour |
| Onboarding sessions | Expire after 14 days |
| Health metric snapshots | Retained while your account is active; deleted on account deletion |
| Cloud Sync backups | Until you disable Cloud Sync, delete via Reset Journey, or delete your account |
| Push notification tokens | Retained while your account is active |
| Cognito account | Until you request account deletion |
You can delete all server-side data at any time using the “Delete Account” feature in the App.
10. Your Rights
For all users:
- Access: View and export all your data through the App
- Deletion: Delete all your data using the in-app Delete Account feature or Reset Journey, or by contacting us
- Portability: Export your data in a standard format from the App
Additional rights for EU/EEA residents (GDPR):
- Rectification: Request correction of inaccurate data
- Restriction: Request restriction of processing
- Object: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent at any time (without affecting the lawfulness of prior processing)
- Complaint: Lodge a complaint with your local Data Protection Authority
Additional rights for California residents (CCPA):
- Know: Request disclosure of personal information collected
- Delete: Request deletion of personal information
- Non-Discrimination: We will not discriminate against you for exercising your rights
- Opt-Out of Sale: We do NOT sell personal information
To exercise any of these rights, contact us at hello@thriveupwellness.com or use the in-app data management features.
11. Data Security
We implement multiple layers of security to protect your data:
- Encryption in transit: All data transmitted between your device and our servers is protected with TLS encryption
- Encryption at rest: All server-side data is encrypted with AES-256
- Secure authentication: OAuth 2.0 with PKCE flow; tokens stored in device secure storage (iOS Keychain / Android Keystore)
- No stored passwords: Social sign-in only — we never handle or store your password
- Secure AI proxy: AI requests are routed through our own servers — API keys and credentials are never exposed to the client
- Automatic data purging: Temporary uploads and processing artifacts are automatically deleted on schedule
- API protection: Rate limiting, request throttling, and concurrency controls on all server endpoints
- Minimal data collection: We only transmit the minimum data necessary to deliver the feature you’re using
12. International Data Transfers
Our servers are located in the United States (AWS). If you are located outside the United States, your data may be transferred to and processed in the United States. For EU/EEA residents, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and AWS’s compliance with applicable data protection frameworks.
13. Children’s Privacy
The App is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such data, please contact us immediately and we will take steps to delete it.
14. Cookies and Tracking
- The App does not use cookies
- This website does not use cookies or tracking technologies
- We do not engage in cross-app or cross-site tracking
- We do not use advertising identifiers
- Our iOS privacy manifest declares NSPrivacyTracking as false
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the App and by updating the “Effective Date” above. If a policy change requires your re-consent, you will be prompted within the App. Your continued use of the App after changes constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights:
Undervaluable Inc. 131 Continental Dr Newark, DE 19713 United States
Email: hello@thriveupwellness.com
For EU/EEA data protection inquiries, you may also contact your local Data Protection Authority.