Headspace Privacy Policy — Headspace

10 Total

5 High severity

5 Medium severity

0 Low severity

Summary

This is Headspace's privacy policy explaining how the mental health and meditation app collects and uses your personal data, including sensitive information about your mental health, meditation habits, therapy sessions, and health history. Most importantly, Headspace shares your data — including usage patterns and inferred health interests — with advertising partners, analytics providers, and third-party business partners, and your mental health data may be used to personalise marketing unless you opt out. You can exercise data rights including deletion and opt-out of data sharing by contacting privacy@headspace.com or visiting the privacy settings in your account.

Technical Summary

This document is Headspace's Privacy Policy (effective March 30, 2026), governing the collection, use, and sharing of personal information across its wellness, coaching, therapy, and psychiatry platform, with legal bases including consent, contractual necessity, and legitimate interests varying by jurisdiction. The policy obligates Headspace to provide data access, deletion, correction, and portability rights to users, and requires users to consent to broad data collection including health information, usage behavior, device data, and inferred interests. A notable provision is Headspace's explicit acknowledgment that it operates under HIPAA as a business associate to its Care Provider entities, and that it also maintains a separate Consumer Health Data Privacy Policy and HIPAA Notice of Privacy Practices — creating a multi-layered, context-dependent privacy framework that may confuse users about which protections apply to which data. The policy engages GDPR (EU/UK), CCPA/CPRA (California), HIPAA, Washington My Health MY Data Act, and COPPA, with enforcement exposure spanning the FTC, HHS OCR, state attorneys general, and EU/UK data protection authorities. Material compliance considerations include the breadth of sensitive mental health data collected, the use of that data for advertising and analytics purposes, and the cross-border transfer of health-adjacent data to third-party partners.

Institutional Analysis

(1) REGULATORY EXPOSURE: This policy engages HIPAA (45 CFR Parts 160 and 164) due to Headspace's role as a business associate to its Care Provider entities, with HHS OCR as primary enforcer; CCPA/CPRA (Cal. Civ. Code §§1798.100–1798.199) for California residents with California AG and California Pr…

🔒

Compliance intelligence locked

Regulatory exposure, material risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Evidence Provenance

Captured March 31, 2026 06:04 UTC

Document ID CA-D-000216

Version ID CA-V-000398

Source URL https://www.headspace.com/privacy-policy

Wayback Machine View archived versions →

SHA-256 d08311112c9f9ff3c77fa4959e702784d8e9994eceb686d4a382ea7f5ed58b1d

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Change Timeline

March 31, 2026 — Document updated low

Headspace updated their Privacy Policy on March 31, 2026, adding a structured table of contents with clearly labeled sections covering data collection, use, sharing, security, your privacy rights, children's privacy, cookies, and how to contact them. Before the update, the policy opened with a list of privacy-related links and a language translation notice but lacked this organized navigation structure. This change makes it easier for users to find specific information about how their personal data is handled, which is a positive step toward transparency.

23 added · 4 removed · 45 modified
View changes → View record →
d0831111…
March 19, 2026 — Initial capture

First snapshot archived

70ba5fe1…

Analyzed Changes

1 change analyzed since monitoring began.

Updated March 31, 2026

low

What changed Headspace updated their Headspace Privacy Policy on March 31, 2026. Change detected: 23 sentence(s) added, 4 sentence(s) removed, 45 sentence(s) modified. Document contained 360 sentences after update.

Consumer impact Headspace reorganized their Privacy Policy with a clear table of contents, making it significantly easier to navigate and find information about how your personal data is collected, used, and shared. The addition of dedicated sections on children's privacy and your privacy rights signals a more structured approach to transparency. You can visit Headspace's updated Privacy Policy directly to review the section on 'Your privacy rights' to understand what controls and opt-out options may be available to you.

Why it matters A restructured privacy policy with clearly labeled sections makes it easier for users to understand how Headspace collects, uses, and shares their personal data. However, the 45 modified sentences may contain substantive changes that affect user rights or data practices beyond the structural improvements.

High Severity — 5 provisions

Collection of Sensitive Mental Health Data
Headspace collects highly sensitive personal information including mental health history, therapy and psychiatry session content, mood and stress data, and meditation habits across its platform. This data is collected both directly from users and inferred from usage patterns.

Added April 1, 2026
Sharing Mental Health Data with Advertising and Analytics Partners
Headspace shares user data — including data inferred from mental health app usage — with third-party advertising networks, analytics providers, and business partners to serve targeted advertising and measure marketing effectiveness.

Added April 1, 2026
HIPAA Business Associate Status and Dual-Track Data Regime
Headspace states it is subject to HIPAA as a business associate of its Care Providers (who provide therapy and psychiatry services), but data collected through the general wellness app (meditation, mood tracking) is NOT covered by HIPAA — two different legal regimes apply to different data on the same platform.

Added April 1, 2026
California CPRA Sensitive Personal Information and Opt-Out Rights
California residents have the right to opt out of the sale or sharing of their personal information, limit the use of sensitive personal information (including health data), and request access, correction, or deletion of their data under the California Privacy Rights Act.

Added April 1, 2026
GDPR Rights for EU/UK Users
EU and UK users have rights under GDPR and UK GDPR to access, correct, delete, restrict processing of, and port their personal data, as well as the right to object to processing and to withdraw consent at any time.

Added April 1, 2026

Medium Severity — 5 provisions

Children's Privacy Restrictions
Headspace states its platform is not directed at children under 13 (or under 16 in some jurisdictions) and does not knowingly collect personal information from children below these age thresholds. If such data is inadvertently collected, Headspace will delete it upon discovery.

Added April 1, 2026
Cookie and Tracking Technology Disclosure
Headspace uses cookies, web beacons, pixels, SDKs, and other tracking technologies on its websites and apps to collect usage data, personalise content, and deliver targeted advertising through third-party partners.

Added April 1, 2026
Data Retention Policy
Headspace retains personal information for as long as necessary to provide its services, comply with legal obligations, resolve disputes, and enforce its agreements — the policy does not specify fixed retention periods for most data categories.

Added April 1, 2026
Cross-Border Data Transfers
Headspace transfers personal information internationally, including from the EU and UK to the United States, and relies on data transfer mechanisms such as Standard Contractual Clauses to legitimise those transfers.

Added April 1, 2026
Policy Change Notification
Headspace reserves the right to update this Privacy Policy at any time and will notify users of material changes, typically by posting the updated policy online and updating the effective date.

Added April 1, 2026