Headspace restructured its privacy policy on March 19, 2026, removing the detailed table of contents and adding navigation links to related privacy documents including a Consumer Health Data Privacy Policy and HIPAA Notice of Privacy Practices. The previous version organized privacy disclosures under ten numbered sections (Collection, Use, Sharing, Security, Rights, Children's Privacy, Cookies, Changes, and Contact). The updated version removes this structural organization, integrating related policies through links instead of a single comprehensive document.
Headspace reorganized how it presents privacy information on March 19, 2026. Rather than a single policy with ten numbered sections covering data collection, use, sharing, security, rights, children's privacy, cookies, and contact information, the updated structure directs users to separate documents: a Consumer Health Data Privacy Policy, a HIPAA Notice of Privacy Practices, and a Cookie Policy. The substantive privacy disclosures and protections described in these sections remain available but are now distributed across multiple linked documents rather than consolidated in one location.
The updated privacy policy structure changes how users navigate privacy disclosures and obligations. Rather than consulting a single numbered policy, users seeking information about data collection, retention, security, children's privacy, or their own rights must now reference multiple linked documents. This change is operationally significant for compliance teams monitoring Headspace as a vendor, as privacy obligations are now distributed across at least three separate documents (main privacy policy, Consumer Health Data Privacy Policy, HIPAA Notice), requiring verification that all linked disclosures are accessible and complete.
→ Review the linked Consumer Health Data Privacy Policy if you use Headspace for health-related purposes
→ Consult the HIPAA Notice of Privacy Practices if your data may be subject to HIPAA protections
→ Bookmark or bookmark the navigation links to all three privacy documents for future reference
→ Users may not discover privacy disclosures specific to health data processing if they do not access the separate Consumer Health Data Privacy Policy
→ Those with HIPAA-protected information may miss important protections disclosed only in the HIPAA Notice of Privacy Practices if they rely solely on the main privacy policy
Removed unified table of contents; introduced separate Consumer Health Data Privacy Policy and HIPAA Notice instead of single comprehensive policy
Added explicit link to separate Consumer Health Data Privacy Policy, indicating health data processing is now documented in a dedicated policy
Added link to HIPAA Notice of Privacy Practices, suggesting Headspace may process protected health information subject to HIPAA requirements
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
This change restructures the architecture of privacy disclosure rather than materially altering substantive privacy rights or obligations. Headspace removed a single-document table of contents and introduced navigation links to separate policies including a Consumer Health Data Privacy Policy and HIPAA Notice. Organizations that monitor Headspace's privacy compliance posture should note that detailed privacy obligations may now be distributed across multiple documents rather than consolidated in a single policy. This affects how privacy obligations are tracked and indexed but does not appear to eliminate or restrict previously disclosed privacy rights. Compliance teams should verify that all linked policies are accessible and that the consolidated privacy obligations remain transparent to users.
HIPAA (to the extent Headspace processes protected health information), GDPR (EU users), CCPA (California residents), FTC Act Section 5 (unfair or deceptive practices related to privacy disclosures)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001884.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorHeadspace's privacy policy footer was reorganized on April 19, 2026. Navigation links were moved and reformatted, but the substantive privacy …
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the …
TikTok's data collection extends to device sensors, clipboard content, geolocation, and cross-site tracking. Here is what their Privacy Pol…
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.