Thrive Tots

Privacy Policy

Effective Date: 28th May 2025

Welcome to Thrive Tots (“we”, “our”, “us”). We value your trust and are committed to protecting your personal data in accordance with the Personal Data Protection Act (PDPA) 2010, while also aligning with international best practices. This Privacy Policy outlines how we collect, process, store, and protect the data of parents/guardians and children using our services and website.

Scope of Policy

This Privacy Policy applies to:

  • All users of our website: https://thethrivetots.com
  • Clients and potential clients who contact us via WhatsApp, email, social media, or in person
  • Parents or guardians of children receiving services from Thrive Tots

By interacting with us, you consent to the data practices described in this policy

Types of Data We Collect

a. Personally Identifiable Information (PII)

For Parent/Guardian:

  • Full name
  • Email address
  • Phone number
  • Home address

For Child:

  • Name
  • Age
  • Gender
  • Developmental history
  • Therapy records

Communication Records:

  • Messages via WhatsApp, contact forms, email and social media

b. Technical & Device Data

  • IP address, browser type, operating system
  • Session activity on our website (pages visited, duration, etc)
  • Cookies and usage analytics

c. Sensitive Personal Data (with explicit consent)

  • Health or developmental conditions
  • Therapy reports and observations
  • Video or photo data (if used for clinical documentation, and only with consent)

How We Collect Data

  • Directly from you: via contact forms, email, WhatsApp, or during sessions
  • Automatically: through website cookies and analytics tools (e.g. Google Analytics)
  • Indirectly: via social media interactions or referrals (with your consent)

Why We Collect Your Data

We collect and use personal data for the following purposes:

  • To assess a child’s developmental needs and design tailored therapy plans
  • To respond to inquiries and provide consultations
  • To communicate updates and manage appointments
  • To fulfil professional and regulatory obligations
  • To improve service quality, user experience, and website performance
  • To obtain parental/guardian consent for child participation

Legal Basis for Processing

We process data under one or more of the following grounds:

  • Your consent
  • Fulfilment of a contract or service agreement
  • Legal obligations (e.g. documentation for therapy)
  • Protection of vital interests (e.g. children safeguarding)
  • Our legitimate interest in providing and improving services

Children’s Data

We are fully committed to protecting children’s data:

  • Data is collected only with informed and explicit consent from a parent or legal guardian.
  • No person under the age of 18 may independently submit data to us.
  • Therapy records are stored securely and confidentially.

Photography & Media Usage

We respect the privacy and dignity of every child and family we serve. From time to time, we may take photographs or video recordings during therapy sessions, assessments, group activities, or events.

These media may be used for the following purposes:

  • Raising awareness and educating the public about our services
  • Promotional content on our official channels, such as our website and social media platforms (e.g., Instagram, Facebook, Threads)
  • Documentation or internal training purposes (unless otherwise specified)

Important Notes:

  • Consent is always required: We will only capture or publish photographs or videos of children with the explicit written consent of a parent or legal guardian. This is done through a separate Consent Form for Photography During Therapy Sessions in compliance with Malaysia’s Personal Data Protection Act (PDPA) 2010.
  • Identifiable media: No media containing a child’s identifiable image or likeness (e.g., face, name tags, voice, or recognisable context) will be published without prior written permission.
  • Non-consenting children: If consent is not given, no photo or video will be captured of that child, including group settings. We take care to exclude or blur identifiable features as necessary.
  • Right to withdraw: Parents or guardians have the right to withdraw consent at any time by notifying us in writing. Revocation will take effect within fourteen (14) days of our receipt of the request. This will apply to any future use of images. Any content previously shared under valid consent will remain lawful.
  • No third-party use: We do not sell, license, or share children’s photos or videos with third parties (e.g., advertisers, influencers) unless a separate agreement and renewed consent is provided.
  • Secure storage: Media files are stored securely with restricted access. Unused or outdated media is periodically reviewed and deleted. Photographs or media may be retained for up to five (5) years or until the child is no longer a client, whichever is sooner, unless earlier deletion is requested

We are committed to using all media responsibly, respectfully, and in alignment with child safeguarding principles.

Use & Disclosure of Personal Data

We may share data only when necessary and with the following parties:

  • Internal professionals or staff assisting with therapy (bound by confidentiality)
  • Technology providers managing our secure systems (e.g., cloud storage)
  • Legal, governmental, or medical authorities only if required by law

We do not sell, rent, or trade your personal data to third parties for marketing or profiling.

Data Storage & Retention

We use secure systems with encryption and access control to store personal data.

  • Physical records (if any): Kept in locked storage.
  • Retention period:
    • Therapy records: Retained for 7 years after last engagement (as per clinical best practices)
    • General inquiries or form submissions: Up to 24 months

Upon expiry, data is securely deleted or anonymised.

Your Rights Under PDPA

You have the right to:

  • Request access to your personal data
  • Request correction of inaccurate or outdated data
  • Withdraw your consent at any time
  • Request deletion of your data (subject to legal/clinical limitations)
  • Object to certain processing (e.g., direct marketing)

To exercise your rights, contact us at: inquiry@thethrivetots.com

Cookies & Tracking Technologies

We use cookies to:

  • Improve website functionality and user experience
  • Understand visitor behaviour via Google Analytics
  • Optimise page loading speed and content performance

You may disable cookies via browser settings, though this may affect website functionality and performance.

Third-Party Links & Platforms

Our website may link to third-party platforms like Instagram or WhatsApp. We are not responsible for their privacy practices. We recommend reviewing their respective privacy policies before submitting any personal data.

Data Transfers Outside Malaysia

If data is transferred to service providers located outside Malaysia (e.g., cloud-based tools), we ensure:

  • Adequate security and privacy safeguards
  • Compliance with applicable laws and data protections agreements

Data Breach Notification

We take all reasonable steps to safeguard your personal data. However, in the unlikely event of a personal data breach—such as loss, unauthorised access, or disclosure—we are committed to responding promptly and transparently.

If a data breach occurs, we will

  • Immediately assess and contain the breach to prevent further impact
  • Determine the severity and risk to individuals, particularly children, whose data may be involved
  • Notify affected individuals without undue delay, and no later than 72 hours, if the breach is likely to result in harm (e.g., identity theft, reputational damage, or misuse of sensitive health data
  • Communicate via appropriate channels (e.g., email, WhatsApp, or in writing), detailing the nature of the breach, affected data types, potential risks, and steps you can take to protect yourself
  • Report the breach to relevant authorities, where required or advisable under Malaysian law or ethical standards
  • Maintain a breach incident log documenting the nature of the breach, remedial steps taken, and communications made, as part of our accountability measures
  • Conduct a root cause analysis and implement corrective actions to prevent future occurrences

Our team is trained to follow internal protocols to manage and mitigate data breaches effectively and transparently.

Policy Updates

We may update this Privacy Policy from time to time to reflect legal, operational, or service-related changes. The latest version will always be available on our website with the revised effective date.

Contact Information

If you have questions or concerns regarding your personal data or this Privacy Policy, feel free to reach out to us:

📞 WhatsApp: +60 17-417 9338
📧 Email: inquiry@thethrivetots.com
🌐 Website: https://thethrivetots.com