Data Security

Last updated: June 21, 2026

Your health data is among the most sensitive information you can share. We treat it with the highest standards of security, privacy, and care.

Encrypted at Rest

AES-256 encryption for all stored health data

Encrypted in Transit

TLS 1.3 for all data moving between you and our servers

Access Controls

Role-based permissions — you control who sees your data

Secure Infrastructure

Hosted on Supabase — SOC 2 Type II certified cloud

How We Protect Your Data

Encryption

  • All health data is encrypted at rest using AES-256, the same standard used by banks and governments
  • All data transmission uses TLS 1.3 — your information is encrypted the moment it leaves your device
  • Database backups are encrypted and stored separately from production data
  • API keys and credentials are never stored in plain text

Access Controls

  • Row-Level Security (RLS) is enforced at the database level — you can only access your own data
  • Physicians can only view data for members assigned to them
  • Partner clinicians see only membership status, not full health records
  • All admin access is logged and audited
  • Multi-factor authentication is required for all clinical staff

Infrastructure

  • Hosted on Supabase — a SOC 2 Type II certified cloud platform built on AWS
  • Automated daily backups with point-in-time recovery
  • 99.9% uptime SLA with automatic failover
  • DDoS protection and rate limiting on all API endpoints
  • Regular third-party security audits and penetration testing

Your Health Data Rights

You own your data

Your health information belongs to you. THRIVE acts as a custodian, not an owner. You can request a full export of all your data at any time.

We never sell your data

We do not sell, rent, or monetise your personal or health information to advertisers, data brokers, insurance companies, or any third party.

AI is private

Conversations with THRIVE AI are stored only for your own reference and to improve your care plan. They are not used to train AI models or shared with third parties.

Right to deletion

You can request deletion of your account and associated data at any time. Health records are retained for 7 years as required by Indian medical regulations, after which they are permanently deleted.

Third-Party Services

We use the following carefully vetted third-party services, each bound by strict data processing agreements:

Service | Purpose | Data Shared
Supabase | Database & Authentication | All platform data (encrypted)
Google Gemini AI | AI Health Assistant | Health context (anonymised where possible)
Cashfree Payments | Payment Processing | Payment details only
Resend | Transactional Email | Name & email only

Security Incident Response

In the unlikely event of a data breach affecting your personal information, we will:

  • Notify affected users within 72 hours of discovering the breach
  • Provide clear information about what data was affected and what steps you should take
  • Report the breach to the relevant authorities as required by law
  • Take immediate steps to contain the breach and prevent future incidents

Report a Security Issue

If you discover a security vulnerability in our platform, please report it responsibly to security@thrivecore.app. We take all security reports seriously and will respond within 48 hours.

Contact

Data Security Queries: security@thrivecore.app

Privacy Requests: privacy@thrivecore.app

General Support: support@thrivecore.app