Privacy Policy

ThankRightNow ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have over your data. It applies to all users of ThankRightNow — patients, caregivers, and hospital administrators.

Who We Are
Information We Collect
How We Use Your Information
Caregiver Profiles
Patient & Sender Data
Hospital Administrator Data
Data Sharing & Disclosure
Data Retention
Security
Your Rights
Cookies & Tracking
Children's Privacy
International Transfers
Changes to This Policy
Contact Us

1. Who We Are

ThankRightNow is a gratitude platform that enables patients, families, and peers to send direct appreciation messages to healthcare workers. The platform also provides caregivers with a portable, permanent professional gratitude profile. ThankRightNow is operated by ThankRightNow Ltd.

For questions about this Privacy Policy or your data, contact us at privacy@ThankRightNow.com.

2. Information We Collect

Information you provide directly

Caregivers: Name, job title, department, hospital or facility, profile photo (optional), email address, and professional credentials you choose to display.
Patients & message senders: Your name or chosen display name, and the content of your thank-you message. Email address, used only to verify message authenticity — not stored for marketing.
Hospital administrators: Name, job title, institutional email address, and contact information provided during onboarding.

Information collected automatically

Device type, operating system, and browser type
IP address (used for security and abuse prevention, not linked to your identity)
Pages visited, time spent, and interactions within the platform
QR code scan events (hospital-level aggregates only — not linked to individuals)

Information we do not collect

We do not collect medical information, treatment records, diagnoses, or any Protected Health Information (PHI) as defined under HIPAA. We do not collect payment card information. We do not track patients across healthcare settings.

3. How We Use Your Information

We use the information we collect for the following purposes:

To operate and deliver the ThankRightNow platform and deliver messages to caregivers
To create and maintain caregiver gratitude profiles
To verify message authenticity and prevent abuse
To provide hospitals with aggregate, anonymized engagement data
To operate our monthly prize raffle and contact winners
To send caregivers platform notifications they have opted into
To improve our platform through aggregated usage analytics
To comply with legal obligations

We do not sell your personal data. We do not use your data for targeted advertising. We do not share individual caregiver performance data with hospital management.

4. Caregiver Profiles

Caregivers on ThankRightNow create and control their own profiles. Your profile is yours — not your employer's.

Voluntary participation: Caregivers opt in to ThankRightNow independently. Hospitals cannot force a caregiver to participate or remove a caregiver from the platform.
Profile portability: Your gratitude profile and all messages you have received remain accessible to you regardless of where you work. When you change employers, your profile travels with you.
Message filtering: All messages are reviewed before delivery. Messages containing complaints, negative content, identifying information about patients, or any content that violates our guidelines are blocked and never delivered or stored in your profile.
No hospital access to individual data: Hospitals receive only aggregate, anonymized data (e.g. total messages sent this month). No hospital administrator can access your individual message content, your profile activity, or data about which patients thanked you.
Unit wall: When you receive a thank-you, a version of the message may appear on your unit's shared gratitude wall. You may opt out of unit wall display in your profile settings.

5. Patient & Sender Data

We take particular care with data from people who are patients or in a care setting.

No account required: Senders do not need to create an account to send a thank-you. We do not build profiles of senders.
Email verification: We may ask for an email address to verify that a message is genuine and prevent spam. This email is used solely for that verification and is not retained for marketing or shared with any third party.
Message content: The content of thank-you messages is stored as part of the recipient caregiver's profile. Sender names are included only as the caregiver opts to display them. Senders may choose to remain anonymous.
No medical data: We never ask for, store, or infer any health-related information about senders. Our platform is expressly designed to avoid contact with PHI.
Raffle entries: Sending a thank-you automatically enters the recipient into our monthly prize raffle. No sender data is required or collected for raffle participation.

6. Hospital Administrator Data

Hospital and health system administrators who partner with ThankRightNow receive access to an administrative dashboard. This dashboard provides:

Aggregate, anonymized engagement statistics (messages sent, scan rates, unit-level totals)
No individual caregiver performance rankings or comparisons
No access to message content from individual caregivers
No patient or sender identification data

Administrator account data (name, email, role) is retained for the duration of the partnership and deleted within 90 days of contract termination upon request.

7. Data Sharing & Disclosure

We do not sell, rent, or trade personal data. We share data only in the following limited circumstances:

Service providers

We work with trusted third-party vendors (cloud hosting, email delivery, analytics) who process data on our behalf under strict data processing agreements. These vendors are prohibited from using your data for any purpose other than providing services to us.

Prize fulfillment

When a caregiver wins our monthly prize raffle, we share their name and contact details with our prize fulfillment partner solely for the purpose of delivering their prize.

Legal requirements

We may disclose information if required to do so by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of ThankRightNow, our users, or the public.

Business transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred as part of that transaction. We will notify affected users before any such transfer occurs.

8. Data Retention

Caregiver profiles: Retained for as long as your account is active. You may delete your account and all associated data at any time by contacting us at privacy@ThankRightNow.com.
Thank-you messages: Permanently stored as part of the caregiver's profile unless the caregiver chooses to remove individual messages or deletes their account.
Sender verification data: Email addresses used for verification are deleted within 30 days of message delivery.
Usage logs: Anonymized usage logs are retained for up to 24 months for security and analytics purposes.
Hospital administrator data: Retained for the duration of the partnership agreement and deleted within 90 days of termination.

9. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include:

Encryption of data in transit (TLS 1.2+) and at rest
Access controls limiting who within ThankRightNow can access personal data
Regular security reviews and vulnerability assessments
Secure, audited third-party infrastructure

No system is perfectly secure. In the event of a data breach that affects your rights, we will notify you and relevant authorities in accordance with applicable law.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your data ("right to be forgotten").
Portability: Request your data in a portable, machine-readable format.
Objection: Object to certain types of processing, including direct marketing.
Restriction: Request that we restrict processing of your data in certain circumstances.
Withdraw consent: Where processing is based on your consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@ThankRightNow.com. We will respond within 30 days. We may need to verify your identity before processing your request.

Caregivers in the European Union and United Kingdom have additional rights under GDPR and UK GDPR respectively. Israeli users have rights under the Protection of Privacy Law, 5741-1981. We honor all applicable rights regardless of jurisdiction.

11. Cookies & Tracking

We use a minimal set of cookies and similar technologies:

Strictly necessary cookies: Required for the platform to function (session management, security tokens). These cannot be disabled.
Analytics cookies: Anonymized usage data to help us understand how the platform is used. No personal identifiers are attached. You may opt out via your browser settings.

We do not use advertising cookies, third-party tracking pixels, or cross-site behavioral advertising. We do not use fingerprinting or other tracking technologies that identify you without a cookie.

12. Children's Privacy

ThankRightNow is not directed to children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe we may have data about a child, please contact us at privacy@ThankRightNow.com.

Patients under the age of 16 may use the thank-you sending feature with parental awareness — however, we collect no data that identifies the sender as a minor, and we do not retain sender data.

13. International Data Transfers

ThankRightNow operates with infrastructure in the United States, the European Union, and Israel. If you are located outside these regions, your data may be transferred to and processed in a country with different data protection laws than your own.

When transferring data internationally, we use appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, and other lawful transfer mechanisms as required.

Israel has been recognized by the European Commission as providing an adequate level of data protection.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Notify registered caregivers via email at least 14 days before changes take effect
For significant changes, display a notice on the platform

Your continued use of ThankRightNow after changes take effect constitutes your acceptance of the revised policy.

15. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

We aim to respond to all privacy-related inquiries within 5 business days.

Contents