Privacy & Terms
This policy explains how Your Future Impact Ltd (“YFI”, “we”, “us”, “our”) collects, uses, stores and shares personal data through the ThriveFit® service at thrive.fit (the “Service”).
It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in the UK, and with the EU General Data Protection Regulation (EU GDPR) for visitors and customers in the European Economic Area. Where the two regimes differ, we apply the stricter standard.
At a glance
- We collect a small amount of information from the parent, guardian, or adult buyer who purchases ThriveFit, and a small amount from the young person who takes the assessment.
- We use it only to deliver the assessment and report, email the report, take payment, and (if you opt in) send product news.
- We do not sell your data. We do not run advertising trackers or behavioural profiling.
- Quiz answers are deleted within 7 days. Reports are kept for 12 months so you can re-download them.
- You can ask us to access, correct, or delete your data at any time. Email privacy@thrive.fit.
Who we are
Data controller: Your Future Impact Ltd, a private limited company registered in England and Wales.
- Company number: 17265605
- Registered office: 59 Alton Road, Poole, BH14 8SP, United Kingdom
- ICO registration number: ZB019002
- Privacy contact email: privacy@thrive.fit
ThriveFit® is a registered trade mark of Your Future Impact Ltd.
We are not currently required to appoint a statutory Data Protection Officer (DPO) under UK GDPR Article 37 or EU GDPR Article 37. Our Director is responsible for all privacy matters — contact privacy@thrive.fit.
What this policy covers
This policy covers personal data we collect through:
- the ThriveFit website at thrive.fit and its subdomains (including dev.thrive.fit and staging.thrive.fit, which are restricted internal environments);
- the ThriveFit assessment and report (the quiz, the young person's report PDF, and the adult guide PDF);
- emails we send relating to ThriveFit (transactional emails such as the welcome email and report delivery, and the optional pre-launch drip sequence);
- checkout interactions through our payment provider where the ThriveFit purchase is the subject.
It does not cover Your Future Impact's wider services (1-to-1 coaching, school programmes, masterclasses, the Skool community), which are governed by the separate privacy notice at yourfutureimpact.co.uk.
The data we collect
3.1 From the adult buyer (parent, guardian, or other purchasing adult)
- Name (first and last) — for receipts and email greetings.
- Email address — to deliver the access code, the report, and any communications you've asked for.
- Billing information processed by our payment provider (card details, billing address, country). We do not see or store full card numbers; our payment provider does. We receive a confirmation, the last 4 digits, and the receipt total.
- Purchase metadata — order ID, the access code we issued, date and time of purchase, the amount and currency.
3.2 From the young person taking the assessment
- First name — used to address them in the report.
- Age band — we ask whether the young person is 13 or older. We do not store their full date of birth. (See Section 7 for the under-13 path.)
- Quiz answers — the choices they make across the assessment. These are deleted within 7 days (see Section 9).
- Assessment profile and report — the scored output of the quiz: archetype, secondary archetype, strengths, values, and environment fit. This is what we generate from the answers and what the report is built from.
3.3 Collected automatically when you use the Service
- Technical information — IP address, browser type and version, device type, operating system, referring URL, language settings.
- Usage information — pages visited, timestamps, and the audit trail of key events (e.g. quiz started, scoring completed, report generated, email sent). We log these to detect fraud and abuse, to diagnose problems, and to demonstrate that the Service worked.
- Strictly necessary cookies and similar technologies — see Section 11.
3.4 What we deliberately do not collect
We have designed ThriveFit to minimise data. We do not ask for or store:
- the young person's full date of birth (only an age band);
- the young person's surname;
- the young person's email address, phone number, school, or home address;
- any special category data under UK/EU GDPR Article 9 — no health, ethnicity, religion, sexuality, or political views;
- any data from children under 13 (those visitors are redirected away from the live product; see Section 7).
How we use your data, and our lawful basis
Under UK GDPR Article 6 and EU GDPR Article 6, we must have a lawful basis for every use of your personal data. Here is what we do, and why:
4.1 To deliver the ThriveFit assessment and report
What: issue the access code, present the quiz, score it, generate the report PDFs, store them so you can re-download, and email them to the buyer.
Lawful basis: contract performance (UK/EU GDPR Art 6(1)(b)) — we cannot deliver what you paid for without this data.
4.2 To take payment and prevent fraud
What: receive payment, issue receipts, refund where required, detect and block fraudulent purchases.
Lawful basis: contract performance for the payment itself; legitimate interests (Art 6(1)(f)) for fraud prevention. Our legitimate interest is keeping the Service trustworthy and not paying fraudulent chargebacks; the impact on you is minimal.
4.3 To meet legal and accounting obligations
What: retain enough information to file accurate UK tax returns, respond to lawful regulator requests, and honour our statutory record-keeping duties.
Lawful basis: legal obligation (Art 6(1)(c)).
4.4 To improve the Service
What: review anonymised, aggregated usage patterns to fix bugs, improve the quiz wording, and make the report more useful. We do this in aggregate; we do not use it to evaluate or make decisions about any individual.
Lawful basis: legitimate interests (Art 6(1)(f)) — we have a clear interest in improving the product; the impact on you is minimal because we work in aggregate.
4.5 To send you optional marketing and product news
What: if you tick the box, we send you ThriveFit launch updates, new resources, and related YFI content by email.
Lawful basis: consent (Art 6(1)(a)). You can withdraw consent at any time using the unsubscribe link in any email, or by emailing privacy@thrive.fit.
4.6 What we don't do
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects, as defined in UK/EU GDPR Article 22. The quiz scoring is rules-based, not AI-driven, and it produces a discussion report for the young person and their adult — it does not gate access to anything, score them against other users, or make decisions about them.
Where the data comes from
Most of the data described in Section 3 you provide directly: by buying ThriveFit, taking the quiz, or opting into emails. We also collect technical information automatically when you use the Service (Section 3.3). We do not buy lists or enrich your data from third-party data brokers.
Children and young people
ThriveFit is designed to be used by young people, typically aged 13 to 17, with their parent or guardian as the purchaser (“the buyer”). The current version of the Service is not for children under 13.
7.1 How we protect children's data
- We collect the minimum data we can to deliver a useful report: first name, age band, and quiz answers.
- We do not collect the young person's surname, email, or contact details.
- We do not collect any special category data about the young person.
- We do not show third-party advertising and do not run behavioural advertising trackers.
- We use plain, age-appropriate language in the quiz and the report.
7.2 Parent/guardian involvement
The adult who buys ThriveFit is the named account holder and is the person we email. The buyer is responsible for confirming that they have the authority to involve their young person in the assessment. The adult guide PDF is written for the buyer; the report PDF is written for the young person.
7.3 Age gate
Before the assessment starts, the user must confirm they are 13 or older. If they indicate they are under 13, they are not allowed to start the assessment and are pointed to a wait-list page for a future under-13 product. We do not store identifying information from that interaction.
7.4 Rights when the data subject is a child
Where a young person under 18 is the data subject, a parent or guardian may exercise data subject rights (Section 10) on their behalf, and the young person may also exercise those rights directly once they understand them. We will respond in language appropriate to the requester.
7.5 Organisation buyers and report access
Some buyers are organisations — for example a school, college, or youth service — that purchase ThriveFit access codes in bulk and pass them to young people to redeem. When a young person redeems a code that an organisation bought, the organisation's authorised buyer (the account holder for the billing email on the order) can sign in to the organisation dashboard at org.thrive.fit and re-open the personalised report produced for that redemption. This is the same report that is delivered to the young person on completion; the buyer does not receive a different or additional report.
We provide this access so the organisation can administer the codes it has purchased — for instance to confirm a code was used and to support the young person with their results. Access is limited to reports generated under that organisation's own codes; a buyer can never see reports from codes purchased by a different organisation, or reports from individual consumer purchases. Each time a buyer opens a report we record an entry in our audit log (Section 12). The young person and their parent or guardian keep all the rights set out in Section 10 over that report.
7.6 Our commitment under the Children's Code
We have designed ThriveFit to follow the principles of the ICO's Age Appropriate Design Code (the “Children's Code”): data minimisation, age-appropriate language, high-privacy defaults, no behavioural advertising, and no use of a young person's data in ways that are detrimental to them. We are completing a Data Protection Impact Assessment (DPIA) for ThriveFit and review it as the Service changes. You can ask for a summary at privacy@thrive.fit.
International transfers
Some of our processors are headquartered outside the UK and EEA — primarily in the United States. When personal data is transferred outside the UK or EEA, we rely on appropriate safeguards under UK GDPR Article 46 / EU GDPR Article 46:
- EU Standard Contractual Clauses (SCCs) for transfers from the EEA;
- the UK International Data Transfer Addendum to those SCCs for transfers from the UK;
- additional safeguards where required by transfer-impact assessment (e.g. encryption in transit and at rest, role-based access controls, audit logging).
Where a recipient is in a country covered by a UK or EU adequacy decision, we rely on that decision.
The contents of our database and our report files are configured to reside in the EU, not the US, even though our hosting provider itself is US-headquartered.
You can ask us for a copy of the safeguards in place for any specific transfer at privacy@thrive.fit.
How long we keep your data (retention)
We keep personal data only for as long as we need it. Specifically:
| Data | How long we keep it | Why |
|---|---|---|
| Raw quiz answers | 7 days from quiz completion | Long enough to investigate any issue with a report; deleted after that. |
| Generated profile and report PDFs | 12 months from generation | So you can re-download the report and revisit your archetype. |
| Audit log entries (quiz started, scoring done, PDF generated, email sent) | 24 months | To diagnose issues, evidence delivery, and meet anti-fraud obligations. |
| Buyer name, email, and order metadata | 6 years | UK tax and company law require us to keep transaction records for 6 years from the end of the relevant financial year. |
| Marketing email subscription | Until you unsubscribe, then up to 12 months in a suppression list | The suppression list ensures we don't re-email you by mistake. |
| Website server / security logs | 30 days by default | For security monitoring and abuse investigation. |
When the relevant period ends, we either delete the data, or anonymise it so it can no longer be linked to you.
Your rights
Under UK GDPR and EU GDPR you have the following rights in relation to your personal data:
- Right of access (Art 15): to know what personal data we hold about you and get a copy.
- Right to rectification (Art 16): to correct inaccurate or incomplete data.
- Right to erasure / “right to be forgotten” (Art 17): to have your data deleted, subject to limited exceptions (e.g. we may need to keep some accounting records).
- Right to restrict processing (Art 18): to pause our use of your data in defined circumstances.
- Right to data portability (Art 20): to receive data you provided in a structured, commonly used, machine-readable format.
- Right to object (Art 21): to object to processing based on legitimate interests (Section 4) or to direct marketing (which we will always honour).
- Right to withdraw consent: where we rely on consent (e.g. marketing email), you can withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
- Rights in relation to automated decision-making (Art 22): we do not carry out automated decision-making that produces legal or similarly significant effects (Section 4.6), so this right does not normally apply, but you can ask us to confirm.
To exercise any of these rights, email privacy@thrive.fit. We will respond within one month, and may extend that by up to a further two months for complex requests (we will tell you if so). We don't usually charge a fee.
We may ask for information to verify your identity before acting on a request, so we don't disclose personal data to the wrong person.
Right to complain
If you think we have got something wrong, please tell us first at privacy@thrive.fit — we'll work to put it right. You also have the right to complain to a supervisory authority:
- UK: the Information Commissioner's Office (ICO) — ico.org.uk — phone 0303 123 1113.
- EEA: the data protection authority in the country where you live or work, or where the issue arose. A list is at edpb.europa.eu.
How we keep your data secure
We take security seriously:
- All connections to the Service are encrypted in transit (HTTPS / TLS).
- Personal data at rest is held in Cloudflare D1 (database) and Cloudflare R2 (file storage), configured to the EU jurisdiction.
- Access to internal admin tools is restricted by Cloudflare Access with an explicit allowlist and email one-time-password sign-in. Production data is not freely accessible to staff.
- Secrets (API keys, signing keys, payment provider credentials) are stored as environment variables, never in source code.
- Report download links are signed with HMAC-SHA-256 and expire after 30 days.
- We log key events (quiz start, scoring, PDF generation, email send) so we can investigate any data incident.
No system is 100% secure. If we discover a personal data breach affecting your rights and freedoms, we will notify the ICO within 72 hours where required, and notify you directly if the risk to you is high.
Linked websites
The Service may link to third-party websites we don't control (for example, the thrive.fit blog or partner sites). This policy doesn't apply to those sites — please check their own privacy notices.
Changes to this policy
We may update this policy from time to time — for example if we add a new feature, change a processor, or update the law. When we do:
- the “Last updated” date at the top will change;
- significant changes that affect you will be notified by email (where we have one) and prominently on the site;
- you can always see the current version at thrive.fit/privacy.
Where required, we will ask for your fresh consent before making changes that affect a basis of consent.
How to contact us
For all privacy questions and rights requests: privacy@thrive.fit
Postal address:
Your Future Impact Ltd
59 Alton Road, Poole, BH14 8SP, United Kingdom
If you live in the EU/EEA, you can also raise concerns with your local data protection authority (see Section 10).
These terms of sale ("Terms") govern your purchase and use of ThriveFit® from Your Future Impact Ltd ("we", "us", "our"). By buying ThriveFit, or by using an access code to take the assessment, you agree to these Terms together with our Privacy Policy.
In these Terms, "you" or "the buyer" means the adult who buys ThriveFit, and "the young person" means the person who completes the assessment with the access code.
About us
ThriveFit® is sold and operated by Your Future Impact Ltd, a private limited company registered in England and Wales. Our company registration number and registered office are set out in our Privacy Policy. ThriveFit® is a registered trade mark of Your Future Impact Ltd.
To buy ThriveFit you must be at least 18 years old and legally able to enter into a contract. By purchasing, you confirm you are the parent, guardian or other responsible adult for the young person who will take the assessment, and that you have authority to involve them.
ThriveFit is sold to you directly by Your Future Impact Ltd. Your contract for the sale is with us. Card payment is processed by Stripe on our behalf; see Section 3 for detail.
We currently sell ThriveFit only to buyers in the United Kingdom. If you are outside the UK and would like to buy, you can join our overseas wait-list and we will let you know when ThriveFit is available where you are.
For anything about your order, contact hello@thrive.fit; for anything about your data, contact privacy@thrive.fit.
What you're buying
ThriveFit is a one-off purchase of a single assessment for one young person. When the young person completes the assessment you receive:
- their profile to read on screen straight away;
- a PDF report written for the young person; and
- a separate PDF guide written for the supporting adult.
ThriveFit is a discussion and reflection tool. It is not careers advice, a diagnosis, or a guarantee of any particular result, and it does not make decisions about the young person.
As digital content, ThriveFit must be as described, of satisfactory quality, and fit for purpose under the Consumer Rights Act 2015. If it is faulty or not as described, you are entitled to a repair, replacement, or a price reduction or refund as the Act provides.
Payment and refunds
ThriveFit costs £24.99 for one assessment (one profile, one young person).
Payment
Card payment is processed on our behalf by Stripe. The price you see at checkout (£24.99) is the total amount payable. Your Future Impact Ltd is currently below the UK VAT registration threshold, so no VAT is added. Your card details are handled by Stripe; we never see or store your full card number.
Sales to the United Kingdom only
We currently sell ThriveFit only to buyers in the United Kingdom. Checkout is gated to UK billing addresses; if you are outside the UK you can join our overseas wait-list and we will email you when ThriveFit is available in your country.
Your right to cancel
ThriveFit is digital content. Under the Consumer Contracts Regulations 2013 you normally have 14 days to cancel a purchase of digital content. At checkout we ask you to expressly consent to us starting delivery straight away, and to acknowledge that by doing so you lose your 14-day right to cancel once the assessment has begun. We confirm this to you in writing in your order confirmation email. If you do not give that consent, you keep the 14-day cancellation right, but the assessment cannot begin until the 14 days end or you consent. Once the report has been generated, the right to cancel no longer applies.
Refunds
If something has gone wrong (for example your access code did not work, or you have not yet used it), contact us at hello@thrive.fit and we will help, and refund where appropriate. Refunds are processed back through Stripe to the card you paid with. Nothing in these Terms affects your legal rights as a consumer.
Acceptable use
ThriveFit is for personal, non-commercial use by the buyer and their young person. When you use ThriveFit, please:
- use each access code for one young person and one assessment (codes are single-use);
- do not resell, share, or transfer your code or report for profit;
- do not copy, scrape, or try to extract the ThriveFit method, questions, or content; and
- give honest answers, and do not misrepresent who is taking the assessment.
All intellectual property in ThriveFit — including the assessment, the questions, the scoring method, the archetypes, and the report and guide templates — belongs to Your Future Impact Ltd. When you buy ThriveFit you receive a personal, non-transferable licence to use your own report and guide for personal, non-commercial purposes. You may share the young person's own report with people supporting them (for example a parent, teacher, or careers adviser), but you may not republish or commercialise it.
We may suspend or withdraw access if a code is misused or if these Terms are breached.
Your data and your rights
We take your privacy seriously and only collect the minimum data we need to deliver ThriveFit. How we collect, use, store, and share personal data — and the rights you and the young person have under UK and EU data protection law — is set out in full in our Privacy Policy, which forms part of these Terms.
In short: quiz answers are deleted within 7 days, the report is kept for 12 months so you can re-download it, we do not sell your data, and we do not run advertising trackers.
Liability
ThriveFit gives the young person a discussion report to reflect on with a supporting adult. It is not careers advice, a diagnosis, or a prediction, and we do not guarantee any particular outcome. Decisions about study, work, or career remain yours.
We provide ThriveFit with reasonable care and skill. We do not exclude or limit our liability where it would be unlawful to do so — including liability for death or personal injury caused by our negligence, for fraud, or for your statutory rights as a consumer under the Consumer Rights Act 2015. Subject to that, our total liability to you for any claim connected with ThriveFit is limited to the amount you paid for it.
We are not responsible for decisions you or the young person make based on the report.
Governing law
These Terms, and any dispute arising out of them or your purchase, are governed by the law of England and Wales, and the courts of England and Wales have jurisdiction. If you live elsewhere in the UK or in the EU, you keep the benefit of any mandatory consumer-protection rules of the country where you live.
Contact us
Questions about these Terms or your order: hello@thrive.fit. Questions about your data: privacy@thrive.fit. We aim to reply within a few working days.
Complaints. If something has gone wrong, please tell us first at hello@thrive.fit and we will try to put it right. If we cannot resolve it, your statutory rights are unaffected and you can seek help from the relevant consumer body. Data concerns can also be raised with the Information Commissioner's Office (see our Privacy Policy).