What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages HIPAA (covering clinical Care Provider services, with Headspace acting as a business associate), GDPR and UK GDPR (for EU and UK users respectively, with supplemental notice), CCPA and CPRA (for California residents, with supplemental notice addressing sale and sharing opt-out rights), PIPEDA (for Canadian users), and potentially Washington State's My Health MY Data Act and similar state consumer health data laws given the existence of a separate Consum…

How does Headspace's Headspace Privacy Policy affect users?

The policy establishes that Headspace collects therapy session content, psychiatric care records, mood data, sleep information, and usage patterns, with sharing permissions varying by data classification: HIPAA-governed clinical data operates under restricted sharing rules, while non-clinical wellness data is authorized for use with third-party advertising and analytics partners. Data subjects may manage tracking preferences through the cookie consent tool and exercise access and deletion right…

How often is Headspace's Headspace Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Headspace updates this document?

Yes. Watcher subscribers ($9.99/month) can add Headspace to their watchlist and receive same-day email alerts whenever this document or any other Headspace document changes.

CA-D-000216

Headspace Privacy Policy

Headspace

Last change detected April 19, 2026 Privacy policy

SHA-256: 92765d24337c3376557… 4 versions captured 4 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Headspace ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

2 High severity

5 Medium severity

1 Low severity

Summary

This document establishes Headspace's data collection, use, and sharing practices across its meditation, mental health coaching, therapy, and psychiatry services. The policy designates clinical data delivered through Care Providers as subject to HIPAA protections with restricted sharing, while wellness and behavioral data collected outside clinical contexts is authorized for sharing with service providers, advertising technology vendors, and analytics partners. Users may adjust cookie and tracking preferences through the OneTrust consent tool and submit data access, correction, or deletion requests via the privacy rights request form.

Technical / Legal Breakdown

This document is Headspace's global Privacy Policy (effective March 30, 2026) governing the collection, use, and sharing of personal information across its websites, mobile applications, coaching, psychotherapy, and psychiatry services, with stated legal bases including consent, legitimate interests, and contractual necessity depending on jurisdiction. The policy states that Headspace collects a broad range of data including name, contact details, payment information, health and mental health information, device and usage data, and inferred characteristics; the terms authorize use of this data for service delivery, personalization, analytics, marketing, and product improvement, including sharing with affiliated Care Providers, third-party service providers, advertising partners, and analytics vendors. Notably, the policy explicitly acknowledges HIPAA applicability because Headspace's Care Providers are classified as covered entities and Headspace operates as their business associate, creating a layered regulatory structure where both this policy and a separate HIPAA Notice of Privacy Practices may govern the same user's data depending on service context; the policy also maintains a separate Consumer Health Data Privacy Policy, suggesting collection of health data outside HIPAA-covered contexts that may fall under state-level consumer health data laws such as Washington's My Health MY Data Act. The policy engages GDPR and UK GDPR for European and UK users respectively, CCPA and CPRA for California residents, PIPEDA for Canadian users, and HIPAA for users of clinical services; supplemental notices address these jurisdictions with specific rights disclosures. Material compliance considerations include the dual-track health data governance structure (HIPAA-covered clinical data alongside non-HIPAA consumer health data), the breadth of third-party advertising and analytics data sharing relative to the sensitivity of mental health context, and the policy's assertion that the English version prevails in case of conflict with translated versions, which may create compliance tension under GDPR's transparency requirements in non-English-speaking EU member states.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

4 important changes detected

4 versions captured · Last updated: April 2026

April 19, 2026

low

What changed Headspace's privacy policy footer was reorganized on April 19, 2026. Navigation links were moved and reformatted, but the substantive privacy commitments and disclosures in the policy itself remain unchanged. This appears to be a structural update to the page layout rather than a change to privacy practices or user rights.

Why this matters This change is a reorganization of the privacy policy webpage footer and navigation structure. The substantive privacy commitments, data handling practices, and user rights disclosed in Headspace's privacy policy remain unchanged. No action is required on your part.

View full change record →

April 11, 2026

low

What changed Headspace made a formatting change to its privacy policy footer on April 11, 2026, removing the 'Site Sitemap' link duplication that appeared earlier in the navigation structure. The substantive privacy policy terms remain unchanged. This appears to be a technical cleanup with no impact on what data Headspace collects, how it uses your information, or your privacy rights.

Why this matters This change is a technical reorganization of website footer navigation with no impact on Headspace's data collection, use, or your privacy rights. The substantive privacy policy terms and disclosures remain unchanged. No action is required.

View full change record →

March 31, 2026 low

Headspace reorganized its privacy policy with a clearer table of contents and restructured 45 existing sentences for readability. The company added 23 new sentences and removed 4 existing ones, bringing …

View change record →

March 19, 2026 low

Headspace restructured its privacy policy on March 19, 2026, removing the detailed table of contents and adding navigation links to related privacy documents including a Consumer Health Data Privacy Policy …

View change record →

Recent Provision Changes Mar 31, 2026

10 provisions unchanged.

View full change record →

High — 2 provisions

Third-Party Advertising and Analytics Data Sharing Compare →

Headspace shares user data with advertising technology companies, analytics providers, and social media platforms, and acknowledges this may legally qualify as selling or sharing personal information under privacy laws like California's CCPA.

Added May 10, 2026 Standard Seen across 246 platforms
Collection of Sensitive Health and Mental Health Information

Headspace collects detailed health information including mental health history, medications, emotional state, and stress levels that you provide directly when using its services.

Added May 10, 2026 Rare

Medium — 5 provisions

HIPAA Business Associate Status and Clinical Health Data Governance Compare →

When you use Headspace's therapy or psychiatry services, your clinical health information is protected by HIPAA, and Headspace itself is bound by HIPAA rules as a business associate of the treating providers.

Added May 10, 2026 Standard Seen across 198 platforms
Consumer Health Data and Separate Health Data Privacy Policy Compare →

Headspace maintains a separate privacy policy specifically for health data collected outside of HIPAA-covered clinical services, reflecting that some mental health and wellness data may be regulated under newer state consumer health data laws.

Added May 10, 2026 Standard Seen across 262 platforms
Children's Privacy Age Restriction Compare →

Headspace restricts its services to users 13 and older and does not intentionally collect data from children under 13; if such data is collected accidentally, Headspace states it will delete it.

Added May 10, 2026 Standard Seen across 262 platforms
User Privacy Rights and Data Subject Requests Compare →

Depending on where you live, you may have rights to access, correct, delete, or export your personal data, and you can exercise those rights by submitting a request through Headspace's online form or by emailing their support address.

Added May 10, 2026 Standard Seen across 262 platforms
Cookies and Tracking Technologies Compare →

Headspace uses cookies and tracking technologies on its platform to personalize your experience, remember your preferences, serve you ads on other websites, and analyze how you use the service.

Added May 10, 2026 Standard Seen across 251 platforms

Low — 1 provision

English Version Prevails Over Translations

Headspace's privacy policy is officially written in English, and translated versions are for reference only; if there is any difference between the English and a translated version, the English version controls.

Added May 10, 2026 Rare

Monitoring

Headspace has updated this document before.

Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

Professional Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Professional free trial

Cross-platform context

See how other platforms handle California CPRA Sensitive Personal Information and Opt-Out Rights and similar clauses.

Compare across platforms →