8 Total
2 High severity
5 Medium severity
1 Low severity
Summary

This document establishes Headspace's data collection, use, and sharing practices across its meditation, mental health coaching, therapy, and psychiatry services. The policy designates clinical data delivered through Care Providers as subject to HIPAA protections with restricted sharing, while wellness and behavioral data collected outside clinical contexts is authorized for sharing with service providers, advertising technology vendors, and analytics partners. Users may adjust cookie and tracking preferences through the OneTrust consent tool and submit data access, correction, or deletion requests via the privacy rights request form.

Technical / Legal Breakdown

This document is Headspace's global Privacy Policy (effective March 30, 2026) governing the collection, use, and sharing of personal information across its websites, mobile applications, coaching, psychotherapy, and psychiatry services, with stated legal bases including consent, legitimate interests, and contractual necessity depending on jurisdiction. The policy states that Headspace collects a broad range of data including name, contact details, payment information, health and mental health information, device and usage data, and inferred characteristics; the terms authorize use of this data for service delivery, personalization, analytics, marketing, and product improvement, including sharing with affiliated Care Providers, third-party service providers, advertising partners, and analytics vendors. Notably, the policy explicitly acknowledges HIPAA applicability because Headspace's Care Providers are classified as covered entities and Headspace operates as their business associate, creating a layered regulatory structure where both this policy and a separate HIPAA Notice of Privacy Practices may govern the same user's data depending on service context; the policy also maintains a separate Consumer Health Data Privacy Policy, suggesting collection of health data outside HIPAA-covered contexts that may fall under state-level consumer health data laws such as Washington's My Health My Data Act. The policy engages GDPR and UK GDPR for European and UK users respectively, CCPA and CPRA for California residents, PIPEDA for Canadian users, and HIPAA for users of clinical services; supplemental notices address these jurisdictions with specific rights disclosures.
Material compliance considerations include the dual-track health data governance structure (HIPAA-covered clinical data alongside non-HIPAA consumer health data), the breadth of third-party advertising and analytics data sharing relative to the sensitivity of mental health context, and the policy's assertion that the English version prevails in case of conflict with translated versions, which may create compliance tension under GDPR's transparency requirements in non-English-speaking EU member states.


5 important changes detected

5 versions captured · Last updated: June 2026

June 24, 2026 unknown

What changed: Headspace updated their Headspace Privacy Policy on June 24, 2026. Change detected: 1 sentence(s) modified. Document contained 360 sentences after update.
What changed: Headspace's privacy policy footer was reorganized on April 19, 2026. Navigation links were moved and reformatted, but the substantive privacy commitments and disclosures in the policy itself remain unchanged. This appears to be a structural update to the page layout rather than a change to privacy practices or user rights.
Why this matters: This change is a reorganization of the privacy policy webpage footer and navigation structure. The substantive privacy commitments, data handling practices, and user rights disclosed in Headspace's privacy policy remain unchanged. No action is required on your part.

April 11, 2026 low

Headspace made a formatting change to its privacy policy footer on April 11, 2026, removing the 'Site Sitemap' link duplication that appeared earlier in the navigation structure. The substantive privacy …

March 31, 2026 low

Headspace reorganized its privacy policy with a clearer table of contents and restructured 45 existing sentences for readability. The company added 23 new sentences and removed 4 existing ones, bringing …

March 19, 2026 low

Headspace restructured its privacy policy on March 19, 2026, removing the detailed table of contents and adding navigation links to related privacy documents including a Consumer Health Data Privacy Policy …


Recent Provision Changes Jun 24, 2026

Added (3)
Consumer Health Data and Separate Health Data Privacy Policy Medium

Headspace now explicitly references a separate Consumer Health Data Privacy Policy for state-regulated consumer health data, creating a dual-track governance framework distinct from HIPAA coverage.

User Privacy Rights and Data Subject Requests Medium

New consolidated provision provides jurisdiction-agnostic privacy rights enumeration (access, correction, deletion, restriction, objection, portability, consent withdrawal) with direct exercise mechanism.

English Version Prevails Over Translations Low

New provision establishes English-language precedence and translation disclaimer, potentially limiting liability for non-English translation inaccuracies.

Removed (6)
Sharing Mental Health Data with Advertising and Analytics Partners

This provision was replaced with more detailed 'Third-Party Advertising and Analytics Data Sharing' provision that explicitly characterizes the practice as potential CCPA/CPRA 'sale' or 'sharing'.

California CPRA Sensitive Personal Information and Opt-Out Rights

Removal of CPRA-specific provision suggests consolidation into jurisdiction-neutral 'User Privacy Rights and Data Subject Requests' provision rather than state-specific enumeration.

GDPR Rights for EU/UK Users

Removal of GDPR-specific provision indicates shift to jurisdiction-agnostic privacy rights language in consolidated provision, potentially reducing explicitness of European regulatory obligations.

Data Retention Policy

Absence of explicit data retention policy in current version may indicate removal or relocation to separate policy document, reducing transparency about retention timelines.

Cross-Border Data Transfers

Removal of cross-border data transfer provision eliminates explicit disclosure of international data movement mechanisms and legal frameworks.

Modified (5)
HIPAA Business Associate Status and Clinical Health Data Governance

Severity downgraded from high to medium and provision expanded with detailed HIPAA coverage explanation and reference to additional Care Provider privacy notices.

Collection of Sensitive Health and Mental Health Information

Provision now includes specific enumerated examples of sensitive data categories (physical health, medications, emotional state, stress levels) with explicit mental health information specification.

Third-Party Advertising and Analytics Data Sharing

New provision explicitly identifies data sharing categories (advertising technology vendors, analytics providers, social media platforms) and explicitly references CCPA/CPRA 'sale' or 'sharing' classification.

Children's Privacy Restrictions

Provision significantly expanded with detailed age restriction statement, affirmative guidance to children, and explicit deletion protocol for inadvertently collected child data.

Cookie and Tracking Technology Disclosure

Provision now includes specific enumerated cookie purposes (login recognition, preference retention, third-party advertising delivery, usage analytics, product improvement) with formal term definition.

High — 2 provisions
Medium — 5 provisions
Low — 1 provision


Mapped Governance Frameworks

CCPA/CPRA (California, USA)
Connecticut Data Privacy Act Amendments (US-CT)
CAN-SPAM (United States Federal)
FTC Act Section 5 (United States Federal)
GDPR (European Union)
HIPAA (United States Federal)
Indiana Consumer Data Protection Act (US-IN)
Kentucky Consumer Data Protection Act (US-KY)
Universal Opt-Out Mechanism Expansion 2026 (US)

Archival Provenance

Source & Archival Record
Last Captured June 24, 2026 00:28 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000216
Version ID CA-V-004171
SHA-256 ac2247b7c5c297c70f99d429af588e1c61c8e206f76827920b2190a0b554d7d0
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified
