Key Points — Plain-Language Summary
This summary is for convenience only. The full Privacy Policy below governs how we handle your data.
- Who we are: Parallel Labs Pte. Ltd. (Singapore) operates the Thrive app.
- What we collect: Account info (Apple ID, name, email), health questionnaire responses, habit completion data, and (with your permission) Apple HealthKit data.
- Why we collect it: To provide personalized habit recommendations, track your progress, and improve the App.
- We do NOT sell your data. We do not sell, rent, or share your personal data with advertisers or data brokers.
- Health data protection: Your health questionnaire responses and HealthKit data are never shared with advertisers, marketers, or analytics platforms.
- Your rights: You can access, export, correct, or delete your data at any time. EU/UK users have additional GDPR rights. California users have CCPA/CPRA rights.
- Data storage: Your data is stored in Supabase (AWS US infrastructure) with encryption at rest and in transit.
- Consent: We obtain separate consent for health data processing, HealthKit access, and push notifications — never bundled.
- Contact: support@theparallellab.com
Thrive, operated by Parallel Labs Pte. Ltd., a company incorporated in the Republic of Singapore ("we," "us," or "our"), provides the Thrive mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App. Please read this Privacy Policy carefully. By downloading, installing, or using the App, you agree to the collection and use of information in accordance with this Privacy Policy.
If you do not agree with the terms of this Privacy Policy, please do not access or use the App.
1. Definitions
- "Personal Data" means any information that identifies, relates to, or could reasonably be linked with you or your household.
- "Health Data" means information relating to your physical or mental health, including self-reported questionnaire responses, habit completion records, and data obtained from Apple HealthKit.
- "Usage Data" means information collected automatically when using the App, including device information, interaction data, and diagnostics.
- "Service Providers" means third-party companies or individuals employed by us to facilitate the App, provide the App on our behalf, or assist us in analyzing how the App is used.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Apple ID Information: Your Apple ID identifier, full name (as provided by Apple Sign-In), and email address (which may be a private relay address if you choose to hide your email).
- Profile Information: Display name, date of birth, height, and weight.
- Authentication Tokens: Tokens necessary to maintain your authenticated session.
2.2 Health Questionnaire Data
During onboarding and periodically thereafter, we collect your responses to our health and lifestyle questionnaire. This includes self-reported data about:
- Sleep quality and duration
- Energy levels and fatigue
- Exercise frequency and type
- Stress levels and mood
- Dietary habits
- Supplement and medication use
- Lifestyle factors relevant to men's health
This data is used to generate your personal wellness score and wellness profile assessment, and to recommend personalized habit protocols.
Important: Your questionnaire responses are classified as sensitive health information. We do not transmit your questionnaire responses to any advertising, marketing, or analytics platform. Questionnaire data is processed and stored exclusively within our core infrastructure (Supabase) and is never shared with third-party marketing or advertising services.
2.3 Habit and Progress Data
As you use the App, we collect:
- Habit Completion Records: Which habits you completed, when, and any associated notes.
- Streak Data: Consecutive completion records and streak history.
- Experience Points (XP): Points earned through habit completion and milestones.
- Level and Achievement Data: Your current level, achievements unlocked, and progression history.
- Custom Habits: Any custom habits you create, including their names, descriptions, schedules, and associated images.
2.4 Apple HealthKit Data
HealthKit integration is planned for a future release. The provisions below will apply once this feature becomes available. With your explicit permission, we may read the following data from Apple HealthKit:
- Step count
- Sleep analysis data
- Active energy burned
- Workout data
- Other health metrics you explicitly authorize
Important HealthKit Provisions:
- We will never access HealthKit data without your explicit authorization through the iOS system permission prompt.
- HealthKit data is used solely to enhance your in-app experience (e.g., auto-completing relevant habits, displaying health insights).
- We do not use HealthKit data for advertising, marketing, or data mining purposes.
- We do not sell, share, or disclose HealthKit data to third parties for advertising or marketing.
- We do not store HealthKit data in iCloud.
- You may revoke HealthKit access at any time through your device's Settings > Health > Data Access & Devices.
2.5 Subscription and Transaction Data
When subscription features become available, we will collect the following:
- Subscription Status: Whether you have an active subscription, its type, and renewal date.
- Transaction Identifiers: Apple-provided transaction IDs for purchase verification.
- We do not directly collect or store your payment method, credit card number, or billing address. All payment processing is handled by Apple through the App Store.
2.6 Device and Usage Data
We automatically collect:
- Device Information: Device type, operating system version, Apple Identifier for Vendors (IDFV — a device identifier unique to our App that resets if you delete all of our apps from your device), and timezone. We do not collect the Advertising Identifier (IDFA) or any cross-app tracking identifier.
- App Usage Data: App launch frequency, feature usage patterns, screen views, and session duration.
- Push Notification Tokens: Device tokens necessary to deliver push notifications you have opted into.
- Crash and Diagnostic Data: Error logs and performance data to improve the App.
2.7 Reminder and Notification Preferences
- Your preferred reminder times and notification settings.
- Notification opt-in/opt-out status for each notification category (habit reminders, progress updates, motivational content).
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Providing and Maintaining the App
- Create and manage your account.
- Deliver the core App functionality, including habit tracking, progress monitoring, scoring, and personalized recommendations.
- Process and verify your subscription status (when subscription features are available).
- Sync your data across your devices.
3.2 Personalization
- Generate your personal wellness score and wellness profile.
- Recommend personalized habit protocols based on your questionnaire responses.
- Tailor in-app content and insights to your health profile.
3.3 Communication
- Send push notifications for habit reminders (with your consent).
- Send progress updates, streak notifications, and motivational content (with your consent).
- Respond to your support inquiries and requests.
- Send service-related communications (e.g., account verification, security alerts, policy changes).
3.4 Analytics and Improvement
- Analyze usage patterns to improve App features and user experience.
- Monitor and analyze trends, usage, and activities in connection with the App.
- Identify and fix bugs, errors, and performance issues.
3.5 Legal and Safety
- Comply with legal obligations.
- Enforce our Terms and Conditions.
- Protect the rights, property, or safety of our users and the public.
- Detect, prevent, and address fraud, abuse, or security issues.
4. How We Share Your Information
We do not sell, rent, or trade your Personal Data to third parties. We share your information only in the following limited circumstances:
4.1 Service Providers
We engage trusted third-party service providers to operate and improve the App. These providers are contractually obligated — through Data Processing Agreements (DPAs) where required by applicable law (including GDPR Article 28) — to use your data only as necessary to provide services to us and to maintain appropriate security measures.
| Service Provider | Purpose | Data Shared | DPA in Place |
|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication, file storage | Account data, health questionnaire responses, habit data, progress data | Yes |
| RevenueCat, Inc. (to be integrated upon launch of subscription features) | Subscription management and analytics | User ID, subscription status, transaction identifiers, device platform | Pending |
| Apple Inc. | Authentication (Sign in with Apple), payment processing (App Store), health data (HealthKit) | Apple ID, payment transactions (handled by Apple), HealthKit data (on-device only) | Per Apple Developer Agreement |
| Expo (Software Mansion S.A.) | App build and update delivery, push notifications | Push notification tokens, device type, OS version, app version, timezone | Yes |
Specificity of Third-Party Data Collection:
- RevenueCat (when integrated) will receive a pseudonymous user ID, subscription events (purchase, renewal, cancellation, expiration), device platform (iOS), and currency/price data. RevenueCat will not receive your name, email, health data, or questionnaire responses.
- Expo receives device tokens for push notification delivery, basic device metadata (device type, OS version) for build compatibility, and app version information for over-the-air updates. Expo does not receive your name, email, health data, or questionnaire responses.
Sub-Processors: Our Service Providers may engage sub-processors to assist in providing their services. Key sub-processors include:
| Service Provider | Sub-Processor(s) | Purpose |
|---|---|---|
| Supabase | Amazon Web Services (AWS) | Cloud infrastructure hosting |
| RevenueCat (when integrated) | Google Cloud Platform, Amazon Web Services | Subscription data processing |
| Expo | Amazon Web Services, Google Cloud Platform | Build infrastructure and push notification delivery |
A current, complete list of sub-processors is available upon request at support@theparallellab.com. We will notify you of any material changes to our sub-processor list that affect the processing of your Personal Data.
4.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government request).
4.3 Business Transfers
If we are involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice in the App at least 30 days before your Personal Data is transferred and becomes subject to a different privacy policy. During this notice period, you will have the opportunity to export your data and/or delete your account before the transfer takes effect. If the acquiring entity's privacy practices are materially less protective than those described in this Privacy Policy, we will seek your consent before transferring your data, where required by applicable law.
4.4 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
4.5 De-Identified and Aggregated Data
We may create de-identified or aggregated data from the information we collect such that the data no longer identifies or can reasonably be linked to you. We may use such de-identified or aggregated data for internal research, analytics, and product improvement purposes. We do not sell, commercially license, or share de-identified or aggregated data with third parties for their independent use, marketing, or commercial purposes. If we publish aggregated insights (e.g., in blog posts or research summaries), such publications will contain only statistical summaries that cannot be used to identify any individual user.
De-identification Standards and Retention:
- De-identification is performed using methods consistent with the CCPA's definition of "deidentified" information (Cal. Civ. Code § 1798.140(m)), including implementing technical safeguards to prevent re-identification, business processes to prevent inadvertent re-identification, and contractual prohibitions on re-identification when sharing with third parties.
- De-identified and aggregated data will be retained for a maximum of 5 years from the date of creation, after which it will be permanently deleted. If we determine that a longer retention period is necessary for specific longitudinal research purposes, we will: (a) disclose the specific research purpose, the extended retention period, and the categories of data involved in an update to this Privacy Policy; (b) notify users of the change at least 30 days in advance; and (c) in no event retain de-identified data for longer than 10 years from the date of creation.
- We do not attempt to re-identify de-identified data and contractually prohibit any third party with whom we share de-identified data from attempting re-identification.
- In jurisdictions where de-identified data is still subject to privacy regulation (including under the Connecticut Data Privacy Act and Oregon Consumer Privacy Act), we comply with applicable obligations regarding de-identified data, including maintaining reasonable technical and organizational safeguards against re-identification.
- Relationship to Individual Deletion Requests: Once data has been de-identified in accordance with the standards described above, it can no longer be linked to your account or identity. Consistent with GDPR Recital 26, truly de-identified data falls outside the scope of individual data subject rights (including the right to erasure), as it no longer constitutes Personal Data. De-identified data is retained solely for aggregate statistical and product improvement purposes.
5. Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Below are our retention periods and the legal basis for each:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account Data | Duration of account; deleted within 30 days of account deletion | Performance of contract |
| Health Questionnaire Data | Duration of account; deleted upon account deletion | Explicit consent (GDPR Art. 9(2)(a)) |
| Habit and Progress Data | Duration of account; deleted upon account deletion | Performance of contract |
| HealthKit Data | Raw HealthKit samples are processed in real-time and not stored on our servers. However, habit completion records derived from HealthKit data (e.g., "steps goal met") are stored for the duration of your account as part of your habit and progress data. No raw biometric values are archived. | Explicit consent |
| Subscription Data | Up to 3 years after subscription ends (limited to RevenueCat-sourced subscription status, Apple transaction identifiers, and subscription event timestamps retained for tax/accounting compliance; no raw payment data is stored) | Legal obligation (tax/accounting) |
| Usage and Analytics Data | Raw usage data: up to 12 months from collection, after which it is anonymized or deleted. Anonymized/aggregated analytics data: up to 2 years from the date of anonymization | Legitimate interests |
| Push Notification Tokens | Until notifications disabled or account deleted | Consent |
| Consent Records | For the duration of the processing activity to which the consent relates, plus a minimum of 5 years after account deletion or consent withdrawal (whichever is later), to demonstrate compliance with consent requirements under GDPR Art. 7(1), the California Automatic Renewal Law, and applicable state consumer health data laws | Legal obligation (CA ARL, GDPR Art. 7(1)) |
We apply the principle of data minimization — we collect only the data necessary for the purposes described in this Privacy Policy and do not retain data longer than required.
6. Data Security
We implement industry-standard technical and organizational measures to protect your Personal Data, including:
- Encryption in Transit: All data transmitted between the App and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Data stored in our databases is encrypted at rest using AES-256 encryption.
- Access Controls: We enforce Row-Level Security (RLS) policies on all database tables, ensuring users can only access their own data. Our backend infrastructure uses role-based access controls.
- Authentication Security: We use Apple Sign-In with secure token management. Authentication tokens are securely stored on-device using the platform's secure storage mechanisms.
- Infrastructure Security: Our infrastructure is hosted on Supabase, which maintains SOC 2 Type II certification, and uses Amazon Web Services (AWS) infrastructure.
- Privacy by Design: We incorporate data protection principles into the design of our systems and processes from the outset, in accordance with GDPR Article 25 (Data Protection by Design and by Default).
- Data Protection Impact Assessments (DPIAs): We conduct DPIAs for processing activities that are likely to result in high risk to individuals' rights and freedoms, including the processing of health-related questionnaire data. Our DPIAs are available to supervisory authorities upon request at support@theparallellab.com.
No method of electronic storage or transmission over the Internet is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. In the event of a data breach, we will notify affected users and relevant authorities in accordance with applicable law (see Section 11).
7. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your Personal Data:
7.1 All Users
- Access: Request a copy of the Personal Data we hold about you.
- Correction: Request that we correct inaccurate or incomplete Personal Data.
- Deletion: Request that we delete your Personal Data (see Section 8).
- Data Portability and Export: Request a copy of your data in a structured, commonly used, machine-readable format (JSON). You may request a data export by contacting us at support@theparallellab.com, or through the in-app export feature (when available at Settings > Account > Export My Data). Data export requests will be fulfilled within 30 days of the request, or within any shorter period required by applicable law (e.g., GDPR Article 20 — without undue delay and in any event within one month). Your data export will include: (a) account and profile data (display name, date of birth, height, weight); (b) health questionnaire responses; (c) habit completion records and streak history; (d) XP, level, and achievement data; (e) custom habits including names, descriptions, and schedules; (f) notification preferences; and (g) wellness scores and wellness profile data. Raw Apple HealthKit data is not included in the export, as it is processed in real-time and not stored on our servers — this data remains available through Apple's Health app on your device.
- Withdraw Consent: Withdraw your consent at any time where we rely on consent as the legal basis for processing (see details below).
- Opt-Out of Notifications: Manage or disable push notifications at any time through the App settings or your device settings.
Granular Consent Withdrawal: Because the App's core functionality — including personalized habit recommendations, wellness scoring, and progress tracking — fundamentally depends on processing your health questionnaire data, withdrawing consent for health data processing is equivalent to discontinuing the App's core services. If you wish to withdraw consent for health data processing:
- You may delete your account (see Section 8), which will permanently delete all health questionnaire data and associated outputs (wellness scores, wellness profiles, recommendations).
- Alternatively, you may contact us at support@theparallellab.com to request deletion of your health questionnaire responses while retaining your account in a limited capacity. In this case, your account will revert to basic functionality without personalized recommendations, wellness scores, or wellness profiles, and previously generated outputs based on your questionnaire data will also be deleted.
- Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
7.2 European Economic Area (EEA), United Kingdom, and Switzerland Residents
Under the General Data Protection Regulation (GDPR) and equivalent laws, you additionally have the right to:
- Restrict Processing: Request that we restrict the processing of your Personal Data under certain conditions.
- Object to Processing: Object to our processing of your Personal Data under certain conditions.
- Lodge a Complaint: File a complaint with your local Data Protection Authority.
Legal Basis for Processing: We process your data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account creation and App functionality | Performance of a contract |
| Health questionnaire processing | Explicit consent (Article 9(2)(a) GDPR) |
| HealthKit data processing | Explicit consent |
| Push notifications | Consent |
| Analytics and improvement | Legitimate interests (Article 6(1)(f) GDPR) |
| Legal compliance | Legal obligation |
Right to Object to Analytics Processing (Article 21(1) GDPR): Where we process your data for analytics and improvement based on legitimate interests, you have the right to object to such processing at any time. To exercise this right, contact us at support@theparallellab.com. Upon receiving your objection, we will cease processing your data for analytics purposes unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms. We have conducted a Legitimate Interest Assessment (LIA) for our analytics processing, balancing our interest in improving the App against your privacy rights. A summary of this assessment is available upon request at support@theparallellab.com.
Right to Object to Direct Marketing (Article 21(2) GDPR): Where we process your data for direct marketing purposes (including profiling related to direct marketing), you have the absolute right to object at any time, and we will cease such processing without exception. To exercise this right, use the unsubscribe mechanism in any marketing communication, adjust your notification preferences in the App at Settings > Notifications, or contact us at support@theparallellab.com. As of the effective date of this Privacy Policy, we do not engage in direct marketing based on profiling. If we introduce such processing in the future, we will obtain your separate consent beforehand.
Data Transfers: Your data may be transferred to and processed in the United States and Singapore, where our Service Providers and infrastructure operate. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
7.3 California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have the right to:
- Know what Personal Data we collect, use, and disclose.
- Delete your Personal Data (subject to certain exceptions).
- Opt-Out of Sale or Sharing: We do not sell or share your Personal Data as defined under the CCPA/CPRA. Therefore, there is no need to opt out, but you may contact us at support@theparallellab.com to confirm. In accordance with California Civil Code § 1798.135, we provide a "Your Privacy Choices" link on our website and within the App at Settings > Privacy that allows you to exercise this right. Because we do not sell or share personal information, this link will confirm our no-sale/no-share status.
- Limit Use of Sensitive Personal Information: Your health questionnaire responses constitute Sensitive Personal Information under the CPRA. We use this data solely to provide the App's core functionality and do not use it for purposes beyond what is necessary. You have the right to limit our use of Sensitive Personal Information to purposes authorized under CPRA § 1798.121.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Financial Incentives: We do not offer financial incentives or price or service differences in exchange for the retention or sale of your Personal Data.
Categories of Personal Information Collected (per CCPA):
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, Apple ID, device identifiers | Yes |
| Personal information (Cal. Civ. Code 1798.80) | Name, email | Yes |
| Characteristics of protected classifications | Age, sex | Yes (date of birth) |
| Commercial information | Subscription records, purchase history | Yes |
| Internet or network activity | App usage data, interaction data | Yes |
| Geolocation data | Timezone | Yes (coarse only) |
| Sensory data | N/A | No |
| Professional or employment information | N/A | No |
| Non-public education information | N/A | No |
| Inferences | Wellness score, wellness profile, recommendations | Yes |
| Sensitive personal information | Health questionnaire responses, HealthKit data | Yes |
7.4 Right to Appeal
If we deny or are unable to fully fulfill your privacy rights request, you have the right to appeal our decision. To submit an appeal:
- Email: Send your appeal to support@theparallellab.com with the subject line "Privacy Rights Appeal."
- Include a description of the original request, the date of the original request, and the reason you believe the denial was incorrect.
- We will review and respond to your appeal within 45 days of receipt (or within any shorter period required by applicable law, such as 60 days under the Virginia VCDPA, 45 days under the Colorado CPA, or 60 days under the Connecticut CTDPA).
- If we deny your appeal, our response will include: (a) an explanation of the reasons for the denial; and (b) information on how to file a complaint with the applicable regulatory authority, including:
  - US State Residents: Your state Attorney General's office.
  - EU/EEA Residents: Your local Data Protection Authority (a list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en).
  - UK Residents: The Information Commissioner's Office (ICO).
  - Brazil Residents: The Autoridade Nacional de Proteção de Dados (ANPD).
7.5 Other Jurisdictions
We comply with applicable privacy laws in all jurisdictions where the App is available. If your jurisdiction provides additional privacy rights not listed above, please contact us and we will honor them to the extent required by applicable law.
8. Account Deletion
You may delete your account and all associated data at any time:
- In the App: Navigate to Settings > Account > Delete Account.
- By email: Send a deletion request to support@theparallellab.com from the email address associated with your account.
- Confirm your intention to delete.
- Your account and all associated Personal Data will be permanently deleted within 30 days.
Upon account deletion, we will:
- Delete your account information, profile data, and authentication tokens.
- Delete your health questionnaire responses and wellness score data.
- Delete your habit records, streaks, achievements, and XP data.
- Delete your custom habits and associated images.
- Delete your notification preferences and push tokens.
- Revoke your Apple Sign-In token via Apple's REST API.
- Request deletion of your data from our Service Providers (Supabase and, when integrated, RevenueCat).
Exceptions: We may retain certain data as required by law (e.g., transaction records for tax/accounting purposes) or to resolve disputes. Any retained data will be anonymized where possible.
Grace Period: You have 14 days after requesting deletion to contact us and cancel the deletion request. If you do not cancel within the 14-day grace period, permanent deletion of your data will be completed within 30 days of your original deletion request (i.e., within 16 days after the grace period expires). The 30-day deletion timeline referenced throughout this Privacy Policy and in our Terms and Conditions runs from the date of your original deletion request, not from the expiration of the grace period.
9. Children's Privacy
The App is intended for users aged 18 years and older. We do not knowingly collect Personal Data from anyone under 18 years of age. During account creation, we verify that users are at least 18 years old.
COPPA Compliance: We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect, use, or disclose personal information from children under 13 years of age. The App is not directed at children under 13, and no part of the App is structured to attract anyone under 13.
If we become aware that we have collected Personal Data from a person under 18 (or under 13 in violation of COPPA), we will take immediate steps to delete that information and terminate the associated account. If you believe we have inadvertently collected information from a minor, please contact us immediately at support@theparallellab.com.
10. Third-Party Links and Services
The App may contain links to third-party websites, services, or content that are not owned or controlled by us. We are not responsible for the privacy practices or content of these third-party services. We encourage you to review the privacy policies of any third-party services you access through the App.
11. Data Breach Notification
We maintain a formal Incident Response Plan (IRP) that defines roles, responsibilities, escalation procedures, and communication protocols for responding to data security incidents. The IRP is reviewed and updated at least annually and after any material security incident.
In the event of a data breach that compromises the security, confidentiality, or integrity of your Personal Data, we will:
- Investigate the breach promptly in accordance with our Incident Response Plan and take steps to contain and remediate it.
- Notify affected users via email and/or in-app notification within the timeframes required by applicable law:
  - GDPR: Within 72 hours to the relevant supervisory authority; without undue delay to affected individuals if there is a high risk to their rights and freedoms.
  - FTC Health Breach Notification Rule (16 CFR Part 318): If the breach involves unsecured individually identifiable health information (including self-reported health questionnaire data and HealthKit data), we will notify affected individuals, the Federal Trade Commission, and, where the breach affects 500 or more individuals, prominent media outlets, within 60 days of discovery (or within 10 business days for breaches affecting fewer than 500 individuals in the following calendar year), as required by the Rule as amended effective July 29, 2024.
  - US State Laws: Within 30 days or sooner as required by the applicable state law (we default to the most restrictive deadline applicable to affected users). For reference: Colorado, Florida, and Washington require 30 days; most other states require 30 to 60 days.
  - Washington My Health My Data Act: As required for breaches involving Consumer Health Data.
  - Brazil (LGPD): Within a reasonable timeframe as determined by the ANPD, and to the ANPD within 2 business days of becoming aware of the breach.
  - Singapore (PDPA): Upon becoming aware of a data breach, we will assess within 30 calendar days whether it constitutes a notifiable data breach under Part VIA of the PDPA. Within 3 calendar days of determining that a data breach is a notifiable data breach under Part VIA of the PDPA, we will notify the Personal Data Protection Commission (PDPC) using the prescribed form. A data breach is notifiable if it (a) results in, or is likely to result in, significant harm to affected individuals, or (b) affects 500 or more individuals. We will also notify affected individuals as soon as practicable if the breach is likely to result in significant harm, providing: (i) the nature of the breach; (ii) the types of personal data affected; (iii) what steps we are taking; and (iv) what steps affected individuals can take to protect themselves. Notification to individuals will be made via their registered email address and, where feasible, in-app notification.
- Notify relevant authorities as required by applicable law.
- Provide information about the nature of the breach, the data affected, and the steps we are taking to address it.
- Offer remediation to affected users proportionate to the severity and nature of the breach. Depending on the type of data compromised, remediation measures may include: guidance on steps users can take to protect themselves, assistance with monitoring for misuse of compromised data, and where health data is involved, resources for understanding the potential impact of the breach. The specific remediation measures will be communicated to affected users as part of our breach notification.
12. Push Notifications
We send push notifications only with your explicit consent. You may receive the following types of notifications:
- Habit Reminders: Reminders to complete your daily habits at times you configure.
- Progress Updates: Notifications about streaks, milestones, level-ups, and achievements.
- Motivational Content: Encouraging messages to support your health journey.
- Service Communications: Important account and security notifications.
Managing Notifications:
- You can manage notification preferences within the App at Settings > Notifications.
- You can disable all push notifications through your device's Settings > Notifications > Thrive.
- Disabling notifications will not affect your ability to use the App's core features.
We do not send marketing push notifications without your separate, explicit consent for marketing communications.
13. Cookies and Tracking Technologies
The App does not use browser cookies. However, we may use the following technologies:
- Device Identifiers: To identify your device for analytics and push notification delivery.
- Local Storage: To store your preferences and authentication state securely on your device.
We minimize the use of third-party analytics tools. As of the "Last Updated" date of this Privacy Policy, all usage analytics are collected and processed through our core infrastructure (Supabase) and the service providers listed in Section 4.1. If we introduce any additional analytics service providers in the future, we will update Section 4.1 of this Privacy Policy and notify users of the change. We do not transmit usage data to any analytics or advertising platform not listed in our service provider table.
We do not use cross-app tracking or participate in advertising identifier frameworks. We respect Apple's App Tracking Transparency (ATT) framework and do not track users across other companies' apps or websites.
EU ePrivacy Compliance: For users in the European Economic Area, United Kingdom, and Switzerland, our use of device identifiers and local storage for authentication and essential App functionality relies on the exemption for strictly necessary storage under Article 5(3) of the ePrivacy Directive (2002/58/EC). We do not use device fingerprinting, cross-device tracking, or non-essential analytics that would require separate ePrivacy consent.
14. International Data Transfers
Your information may be transferred to and maintained on servers located outside your country of residence, including in the United States. If you are located in the EEA, UK, or Switzerland, we ensure that adequate safeguards are in place for such transfers, including:
- EU-US Data Privacy Framework (DPF): Where our Service Providers are certified under the EU-US Data Privacy Framework (adopted by the European Commission adequacy decision of July 10, 2023), transfers may rely on this framework.
- Standard Contractual Clauses (SCCs): Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
- UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or UK Addendum to the EU SCCs, as applicable.
- Contractual Obligations: Contractual obligations with our Service Providers to maintain equivalent levels of data protection.
14.1 EU Representative (GDPR Article 27)
We are not established in the European Economic Area. GDPR Article 27 requires controllers not established in the EU to designate an EU-based representative when offering goods or services to, or monitoring the behavior of, data subjects in the EU.
As of the effective date of this Privacy Policy, the volume and nature of our processing of EU/EEA residents' personal data does not yet warrant the designation of a formal EU representative. We have assessed this based on the following factors: (a) the App is not specifically targeted at EU/EEA residents through localized marketing, EU-specific pricing, or EU language translations; (b) we do not systematically monitor the behavior of individuals in the EU; and (c) our processing of EU/EEA residents' data is incidental to our global service offering and is not conducted at scale.
Commitment: We will appoint a GDPR Article 27 representative before actively marketing the App in the EU/EEA or once we have established a sufficient user base and revenue in the EU/EEA market to support such appointment. In any event, we will appoint a representative within 90 days of any of the following triggers: (i) our EU/EEA active user base exceeds 500 users; (ii) we introduce EU-specific marketing, pricing, or language localization; or (iii) we receive guidance from any EU/EEA Data Protection Authority indicating that a representative is required for our level of processing. We will update this section with the representative's name and contact details upon appointment.
In the meantime, all GDPR-related inquiries may be directed to our Data Protection Officer at support@theparallellab.com, who will respond within the timeframes required by GDPR Articles 12–13.
14.2 UK Representative (UK GDPR Article 27)
We are not established in the United Kingdom. UK GDPR Article 27 requires controllers not established in the UK to designate a UK-based representative under substantially the same conditions as GDPR Article 27.
As of the effective date of this Privacy Policy, the volume and nature of our processing of UK residents' personal data does not yet warrant the designation of a formal UK representative, based on the same assessment factors described in Section 14.1 above as applied to the UK market.
Commitment: We will appoint a UK GDPR Article 27 representative before actively marketing the App in the UK or once we have established a sufficient user base and revenue in the UK market to support such appointment. In any event, we will appoint a representative within 90 days of any of the following triggers: (i) our UK active user base exceeds 500 users; (ii) we introduce UK-specific marketing, pricing, or language localization; or (iii) we receive guidance from the UK Information Commissioner's Office (ICO) indicating that a representative is required for our level of processing. We will update this section with the representative's name and contact details upon appointment.
In the meantime, all UK GDPR-related inquiries may be directed to our Data Protection Officer at support@theparallellab.com, who will respond within the timeframes required by UK GDPR Articles 12–13.
14.3 Transfer Mechanism Continuity
In the event that any international data transfer mechanism relied upon in this Privacy Policy (including the EU-US Data Privacy Framework, Standard Contractual Clauses, or UK International Data Transfer Agreement) is invalidated, suspended, or otherwise becomes unavailable due to a court ruling, regulatory action, or legislative change, we will promptly implement an alternative lawful transfer mechanism to ensure continuity of data protection for your Personal Data. We will notify affected users of any material change to the transfer mechanism used for their data within 30 days of the change taking effect.
14.4 Transfer Impact Assessments
In accordance with the guidance following the Court of Justice of the European Union's ruling in Schrems II (Case C-311/18), we have conducted Transfer Impact Assessments (TIAs) for international data transfers to the United States and other third countries. These assessments evaluate the legal framework in the recipient country, the nature of the data transferred, and any supplementary measures in place to ensure an adequate level of data protection. Our TIAs are reviewed periodically and updated when there are material changes to the legal framework or our data processing activities. A summary of our TIA findings is available upon request at support@theparallellab.com.
15. Do Not Track Signals
The App does not respond to "Do Not Track" browser signals because the App is a native mobile application and does not operate in a browser context. However, we honor Global Privacy Control (GPC) signals as required by applicable law, including under the California Consumer Privacy Act (CCPA/CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and any other jurisdiction that legally mandates compliance with universal opt-out mechanisms. When a GPC signal is detected, we treat it as a valid opt-out request for any applicable data processing activities.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new Privacy Policy in the App with a revised "Last Updated" date.
- Sending you a push notification or email notification for significant changes.
Consent-Based Processing: For changes that materially affect processing activities based on your consent (including health questionnaire data processing and HealthKit data processing), we will require your express re-acceptance before the changes take effect. You will be presented with the updated terms and must provide affirmative consent before the new processing activities begin. If you do not consent to the updated terms, you may continue using the App under the previous terms until the end of your current billing period, after which your account will be limited to features that do not require the updated consent.
Non-Consent-Based Processing: For changes that affect processing based on other legal bases (contract performance, legitimate interests, legal obligation), your continued use of the App after the effective date of the changes constitutes your acceptance of the updated Privacy Policy. If you do not agree, you must stop using the App and may delete your account.
We encourage you to review this Privacy Policy periodically. We maintain an archive of prior versions and will provide any prior version upon request at support@theparallellab.com.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: support@theparallellab.com
- Data Protection Inquiries: support@theparallellab.com (for GDPR-related requests)
For privacy rights requests (access, deletion, correction, portability), please email us from the email address associated with your account so we can verify your identity. If you use Apple's "Hide My Email" private relay service, or if we cannot verify your identity through email alone, we may request additional verification, such as: (a) confirming your date of birth and account creation date; (b) verifying through the App while logged in to your account; or (c) other reasonable verification methods consistent with applicable law. We will not require you to create a new account or provide unnecessary personal information solely for the purpose of verification.
We will respond to all privacy-related inquiries within 30 days (or within any shorter period required by applicable law, including GDPR's requirement of "without undue delay and in any event within one month," which may be extended by up to two additional months where necessary given the complexity of the request, with notification to you of any such extension).
18. Supplemental Notices
18.1 Notice to Nevada Residents
We do not sell your Personal Data as defined under Nevada Revised Statutes Chapter 603A. If you are a Nevada resident and wish to submit a verified request, please contact us at the email address above.
18.2 Notice to Virginia, Colorado, Connecticut, Utah, and Other US State Residents
If you are a resident of a US state with a comprehensive privacy law (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and Iowa), you may have additional rights including the right to access, correct, delete, and obtain a copy of your data, as well as the right to opt out of targeted advertising and profiling. We do not engage in targeted advertising or profiling as defined by these laws. To exercise your rights, please contact us using the information above.
18.3 Consumer Health Data Notice (Washington, Nevada, and Other Applicable States)
Under the Washington My Health My Data Act and similar state consumer health data laws, the following applies:
- Collection: We collect Consumer Health Data (as defined by applicable law) only with your consent, including your health questionnaire responses, habit completion data, and HealthKit data.
- Purpose: We collect and use Consumer Health Data solely to provide the App's core functionality as described in this Privacy Policy.
- Sharing: We do not sell Consumer Health Data. We share Consumer Health Data with our Service Providers only as necessary to provide the App's services, pursuant to written contracts requiring equivalent protections.
- Deletion: You may request deletion of your Consumer Health Data at any time (see Section 8).
- Authorization: We will obtain your affirmative authorization before collecting, sharing, or using Consumer Health Data for any purpose not disclosed in this Privacy Policy. During the App's onboarding process, you are presented with a separate, conspicuous Health Disclaimer Acknowledgment (as described in our Terms and Conditions) that requires your express, affirmative action (e.g., tapping an "I Understand" button) before you can access the App's core features. This acknowledgment, together with your explicit consent to the processing of health questionnaire data, serves as the affirmative authorization required under the Washington My Health My Data Act (RCW 19.373) and similar state consumer health data laws. Your authorization is recorded with a timestamp and retained in accordance with Section 5 of this Privacy Policy.
- Geofencing: We do not use geofencing technology around healthcare facilities to collect Consumer Health Data.
18.4 Algorithmic and Automated Decision-Making Disclosure
The App uses proprietary algorithms to generate your wellness score, wellness profile, and habit recommendations based on your questionnaire responses and usage data. These algorithms:
- Are based on general wellness principles and publicly available health research.
- Use automated processing of your self-reported data to generate outputs.
- Do not make decisions that produce legal or similarly significant effects on you.
- Do not perform clinical diagnostics, medical triage, or safety-critical assessments.
- May produce outputs that do not accurately reflect your actual health status.
- Use correlation-based models — outputs indicate potential associations, not causation.
You have the right to request information about the logic involved in automated processing that significantly affects you, to the extent required by applicable law (e.g., GDPR Article 22).
Input Variables: The algorithm uses the following general categories of input: sleep quality and duration responses, exercise frequency and type, dietary habit responses, stress and mood indicators, supplement use, and lifestyle factors. These inputs are weighted using correlation-based models derived from published wellness research. You may request a human review of any algorithmic output by contacting us at support@theparallellab.com.
Apple App Store AI Transparency (effective November 13, 2025): The App's wellness scoring and habit recommendation features use proprietary, on-device algorithmic processing. As of the effective date of this Privacy Policy, the App does not transmit your personal data to any third-party artificial intelligence (AI) or machine learning (ML) service for processing. All algorithmic processing (wellness scoring, profile generation, habit recommendations) occurs within our own infrastructure (Supabase). If we introduce any third-party AI processing in the future, we will: (a) update this Privacy Policy; (b) notify you via in-app notification; and (c) obtain your explicit consent before any personal data is shared with a third-party AI service, in compliance with Apple's App Store Review Guidelines (Section 5.1.2(vi)).
EU AI Act Compliance: To the extent that the App's algorithmic features fall within the scope of the European Union Artificial Intelligence Act (Regulation (EU) 2024/1689), we commit to complying with applicable transparency obligations as they become effective (general provisions from August 2025; full application from August 2026). The App's wellness scoring features are designed as general wellness tools and are not intended to function as high-risk AI systems under Annex III of the EU AI Act. We confirm that the algorithm does not produce legally binding effects or similarly significant decisions affecting users.
18.5 Notice to Latin American Residents
18.5.1 Brazil (LGPD)
If you are a resident of Brazil, the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018) applies to the processing of your personal data. Under the LGPD:
- Legal Basis for Processing: We process your personal data under the following legal bases: (a) consent (Article 7(I) LGPD) for health questionnaire data and HealthKit data; (b) performance of a contract (Article 7(V) LGPD) for account creation and App functionality; and (c) legitimate interests (Article 7(IX) LGPD) for analytics and improvement, subject to a balancing test.
- Sensitive Personal Data: Your health questionnaire responses and HealthKit-derived data constitute "sensitive personal data" under Article 11 of the LGPD. We process this data solely based on your explicit consent (Article 11(I) LGPD).
- Your Rights Under LGPD (Article 18): You have the right to: (a) confirmation of the existence of processing; (b) access to your data; (c) correction of incomplete, inaccurate, or outdated data; (d) anonymization, blocking, or deletion of unnecessary or excessive data; (e) portability of your data to another service provider; (f) deletion of personal data processed with your consent; (g) information about public and private entities with which your data has been shared; (h) information about the possibility of denying consent and the consequences thereof; and (i) revocation of consent.
- International Data Transfers: Your data is transferred to and processed in the United States. We ensure adequate safeguards for such transfers, including standard contractual clauses and verification that the receiving jurisdiction provides an adequate level of data protection, in accordance with Article 33 of the LGPD and ANPD regulations.
- Data Protection Officer (Encarregado): For LGPD-related inquiries, contact our Data Protection Officer at support@theparallellab.com.
18.5.2 Mexico (LFPDPPP)
If you are a resident of Mexico, the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations apply. Under Mexican law:
- Privacy Notice (Aviso de Privacidad): This Privacy Policy serves as our privacy notice under the LFPDPPP. It describes the personal data we collect, the purposes of processing, the recipients of your data, and the means by which you can exercise your ARCO rights.
- ARCO Rights: You have the right to Access, Rectification, Cancellation, and Opposition (ARCO rights) regarding your personal data. To exercise these rights, send a request to support@theparallellab.com including: your full name, a description of the data and the right you wish to exercise, and any documentation supporting your request. We will respond within 20 business days.
- Consent: We obtain your express consent for the processing of sensitive personal data (health questionnaire responses and HealthKit data) through the onboarding consent flow. You may revoke your consent at any time by contacting us at support@theparallellab.com.
- International Transfers: Your data is transferred to the United States for processing. By accepting this Privacy Policy and providing your consent during onboarding, you consent to such transfer in accordance with Articles 36-37 of the LFPDPPP.
18.5.3 Argentina, Colombia, and Other Latin American Jurisdictions
If you are a resident of Argentina, Colombia, or another Latin American country with applicable data protection legislation, we will honor your data protection rights as required by the applicable law of your jurisdiction, including rights of access, rectification, deletion, and objection. To exercise your rights, contact us at support@theparallellab.com. We will respond within the timeframe required by applicable law (generally 10 to 30 business days, depending on your jurisdiction).
18.6 Notice to Singapore Residents (PDPA)
As a company incorporated in Singapore, Parallel Labs Pte. Ltd. is subject to the Personal Data Protection Act 2012 (PDPA), as amended by the Personal Data Protection (Amendment) Act 2020. If you are located in Singapore, the following applies in addition to the rest of this Privacy Policy:
- Consent: We collect, use, and disclose your personal data only with your consent, or as otherwise permitted under the PDPA (Sections 13–17). During onboarding, you are presented with clear notification of the purposes for which your data will be collected, used, and disclosed, and you provide your consent through affirmative action before your data is processed.
- Purpose Limitation: We collect, use, and disclose your personal data only for the purposes notified to you and for which you have given consent, or for purposes that a reasonable person would consider appropriate in the circumstances (Section 18 PDPA).
- Notification Obligation: In accordance with Section 20 of the PDPA, we notify you of the purposes for which we collect, use, and disclose your personal data before or at the time of collection. The purposes are set out in Section 3 of this Privacy Policy.
- Access and Correction: You have the right to request access to your personal data in our possession or under our control, and to request correction of any inaccurate personal data (Sections 21–22 PDPA). To exercise these rights, contact us at support@theparallellab.com.
- Accuracy Obligation: We make reasonable efforts to ensure that your personal data in our possession or under our control is accurate and complete, particularly where such data is likely to be used to make a decision that affects you or is disclosed to another organisation (Section 23 PDPA).
- Data Portability: Under Part VIB of the PDPA, you have the right to request that we transmit your personal data to another organisation in a commonly used machine-readable format, subject to the conditions and exceptions prescribed by the Personal Data Protection Commission (PDPC).
- Withdrawal of Consent: You may withdraw your consent for the collection, use, or disclosure of your personal data at any time by contacting us at support@theparallellab.com or by deleting your account. Upon receiving your withdrawal request, we will inform you of the likely consequences of withdrawing consent (e.g., inability to provide personalised features) and will cease collecting, using, or disclosing your personal data unless otherwise required or authorised by law (Section 16 PDPA). We may require reasonable notice before giving effect to your withdrawal of consent, in accordance with Section 16(3) of the PDPA. Where applicable, we may also rely on deemed consent under Sections 15 and 15A of the PDPA for certain processing activities.
- Retention Limitation: We cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer being served by retention, and retention is no longer necessary for legal or business purposes (Section 25 PDPA).
- Protection Obligation: We protect your personal data in our possession or under our control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks (Section 24 PDPA).
- Do Not Call (DNC) Registry: We comply with Singapore's DNC Registry provisions under Part IX of the PDPA. We will not send marketing messages to Singapore telephone numbers registered on the DNC Registry unless you have given us clear and unambiguous consent to do so.
- Spam Control Act (Cap. 311A): We comply with Singapore's Spam Control Act for all commercial electronic messages sent to Singapore recipients, including providing a functional unsubscribe mechanism, accurate sender identification, and clear subject line labelling of commercial messages.
- Data Protection Officer: We have designated a Data Protection Officer (DPO) as required under Section 11(3) of the PDPA. Our DPO is responsible for ensuring our compliance with the PDPA and is the point of contact for data protection inquiries. You may reach our DPO at support@theparallellab.com. In accordance with PDPC requirements, we will register our DPO's business contact information with the PDPC via the ACRA BizFile+ portal prior to, or within 30 days of, the App's public launch.
- Complaints: If you have a complaint about our data protection practices, you may contact our Data Protection Officer at support@theparallellab.com. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at https://www.pdpc.gov.sg.
- Financial Penalties: We are aware that the PDPC may impose financial penalties of up to S$1 million (or 10% of annual turnover for organisations with annual turnover exceeding S$10 million) for breaches of the PDPA. We take our obligations under the PDPA seriously and maintain appropriate compliance measures.
- Data Protection Management Programme: We maintain a data protection management programme as recommended by the PDPC's Guide to Data Protection Practices, which includes policies and practices for the collection, use, disclosure, and care of personal data, a process for responding to complaints, and regular training for employees who handle personal data.
18.7 Consumer Health Data Privacy Policy Link
In compliance with the Washington My Health My Data Act (RCW 19.373) and similar state laws requiring a separately and prominently published consumer health data privacy policy, we maintain a standalone Consumer Health Data Privacy Policy that specifically addresses the collection, use, sharing, and deletion of Consumer Health Data. This policy is linked from the App's main settings page and any applicable landing page or website. In the event of a conflict between this Privacy Policy and the Consumer Health Data Privacy Policy with respect to Consumer Health Data, the Consumer Health Data Privacy Policy shall prevail.
19. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Singapore, consistent with the governing law provisions set forth in our Terms and Conditions (Section 13).
To the extent that a conflict arises between this Privacy Policy and the mandatory privacy laws of your jurisdiction (including but not limited to the GDPR, UK GDPR, CCPA/CPRA, Brazil's LGPD, Mexico's LFPDPPP, or applicable state consumer health data laws), the mandatory privacy laws of your jurisdiction shall prevail.