Privacy policy
Quick summary for people who fill in a client business's contact form: the business you contacted is the data controller for your enquiry. Thrive Studio (The Collective Software Group Ltd) is the data processor. Your enquiry is emailed to the business owner and also stored in their private Thrive Studio dashboard so they can reply to you later. The owner can view or delete it at any time. We retain it for 12 months unless the owner deletes it sooner, then it is automatically removed.
This policy explains how The Collective Software Group Ltd (company registered in Northern Ireland), trading as thrivestudio.ai ("we", "us"), handles personal data collected through thrivestudio.ai and through the contact forms we build for client businesses.
Short version: we collect the details you type into our contact form, we use them to reply to your enquiry, we don't sell them, and you can ask us to delete them at any time.
1. Who is the data controller?
When you contact us through thrivestudio.ai, The Collective Software Group Ltd is the data controller. Our registered address is in Belfast, Northern Ireland. We are registered with the UK Information Commissioner's Office (ICO registration number: [ICO-NUMBER-PLACEHOLDER]).
When a client business uses a website we have built for them, that client is the data controller for their own contact-form submissions. Thrive Studio acts as a data processor on their behalf, handling form submissions and email delivery under a written processing agreement.
2. What data we collect
From the thrivestudio.ai contact form
- Business name
- Your name
- Phone number or email address (whichever you give)
- Your message (if you write one)
- The date and time of submission
- The IP address the form was submitted from (for spam prevention only; discarded after 30 days)
From client-site contact forms
The same fields. Enquiries submitted through a website we build for a client business are:
- Emailed to the business owner in real time, and
- Stored in the owner's private Thrive Studio dashboard so they can view, reply to, and manage enquiries over time.
Enquiries are not just emailed and forgotten — the dashboard keeps a searchable, per-business record so owners don't lose track of leads. Each enquiry is kept for a maximum of 12 months, after which it is automatically deleted. The business owner can delete any individual enquiry sooner from the dashboard.
In this workflow the client business is the data controller (they decide what to do with the enquiry and how to respond), and The Collective Software Group Ltd (thrivestudio.ai) is the data processor operating under a written UK-GDPR data-processing agreement.
What we do not collect
We do not use tracking cookies, analytics scripts or advertising pixels. The website is served without any third-party tracking.
3. How we use your data
- To reply to your enquiry and build your free preview.
- To follow up once, by the channel you gave us, if we haven't heard back.
- To prevent spam and abuse (IP rate-limiting only).
We do not add you to a mailing list, sell your data, share it with advertisers, or use it for automated profiling.
4. Legal basis
We rely on legitimate interest (UK GDPR Article 6(1)(f)) to reply to a message you have proactively sent us. If we ever need to contact you for anything beyond answering that enquiry, we will ask for your explicit consent first.
5. Who we share data with
Only the service providers we need to run the site and reply to you:
- Cloudflare — hosting and form handling (data stays in the EU/UK).
- Resend — transactional email delivery for our reply.
- Google Workspace — our mailbox once we reply.
All three operate under UK-GDPR-compliant data processing agreements. We do not share your data with anyone else.
6. How long we keep it
- Enquiries submitted through client-business contact forms: stored in the owner's dashboard for up to 12 months, then automatically deleted. The owner can delete any enquiry sooner at any time.
- Enquiries sent directly to thrivestudio.ai: up to 24 months from last contact, then deleted.
- IP addresses: 30 days for spam prevention, then deleted.
- Auth events on the dashboard (login attempts, code sends, lockouts): 30 days, then automatically deleted.
- Client relationships: for as long as the client relationship runs, plus 6 years for accounting records (HMRC requirement).
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Correct anything that's inaccurate.
- Delete your data ("right to be forgotten").
- Object to further processing.
- Restrict how we use it.
- Port your data to another service.
- Complain to the ICO at ico.org.uk if you think we've mishandled your data.
To exercise any of these rights, email privacy@thrivestudio.ai. We will reply within 30 days.
8. Cookies
thrivestudio.ai does not set any cookies. We do not use session storage, local storage, or any form of browser-side tracking. If that ever changes we will ask for your consent via a clear banner before any non-essential cookie is set.
9. Children
Our services are aimed at business owners. We do not knowingly collect personal data from anyone under 18.
10. Security
All traffic to thrivestudio.ai is encrypted with TLS. Form submissions are transmitted over HTTPS and stored in access-controlled Cloudflare infrastructure. We use multi-factor authentication on every account with access to customer data.
11. Changes to this policy
If we make material changes we will update the "Last updated" date above and, where practicable, notify existing clients by email. The current version will always be at thrivestudio.ai/privacy.
12. Contact us
For any privacy question: privacy@thrivestudio.ai.
Postal address available on request. The Collective Software Group Ltd, Belfast, Northern Ireland.