This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction.
This document establishes Headspace's data collection, use, and sharing practices across its meditation, mental health coaching, therapy, and psychiatry services. The policy designates clinical data delivered through Care Providers as subject to HIPAA protections with restricted sharing, while wellness and behavioral data collected outside clinical contexts is authorized for sharing with service providers, advertising technology vendors, and analytics partners. Users may adjust cookie and tracking preferences through the OneTrust consent tool and submit data access, correction, or deletion requests via the privacy rights request form.
This document is Headspace's global Privacy Policy (effective March 30, 2026) governing the collection, use, and sharing of personal information across its websites, mobile applications, coaching, psychotherapy, and psychiatry services, with stated legal bases including consent, legitimate interests, and contractual necessity depending on jurisdiction.

The policy states that Headspace collects a broad range of data, including name, contact details, payment information, health and mental health information, device and usage data, and inferred characteristics; the terms authorize use of this data for service delivery, personalization, analytics, marketing, and product improvement, including sharing with affiliated Care Providers, third-party service providers, advertising partners, and analytics vendors.

Notably, the policy explicitly acknowledges HIPAA applicability because Headspace's Care Providers are classified as covered entities and Headspace operates as their business associate. This creates a layered regulatory structure in which both this policy and a separate HIPAA Notice of Privacy Practices may govern the same user's data depending on service context. The policy also maintains a separate Consumer Health Data Privacy Policy, suggesting collection of health data outside HIPAA-covered contexts that may fall under state-level consumer health data laws such as Washington's My Health My Data Act.

The policy engages GDPR and UK GDPR for European and UK users respectively, CCPA and CPRA for California residents, PIPEDA for Canadian users, and HIPAA for users of clinical services; supplemental notices address these jurisdictions with specific rights disclosures.
Material compliance considerations include the dual-track health data governance structure (HIPAA-covered clinical data alongside non-HIPAA consumer health data), the breadth of third-party advertising and analytics data sharing relative to the sensitivity of mental health context, and the policy's assertion that the English version prevails in case of conflict with translated versions, which may create compliance tension under GDPR's transparency requirements in non-English-speaking EU member states.
5 important changes detected
5 versions captured · Last updated: June 2026
Headspace made a formatting change to its privacy policy footer on April 11, 2026, removing the 'Site Sitemap' link duplication that appeared earlier in the navigation structure. The substantive privacy …

Headspace reorganized its privacy policy with a clearer table of contents and restructured 45 existing sentences for readability. The company added 23 new sentences and removed 4 existing ones, bringing …

Headspace restructured its privacy policy on March 19, 2026, removing the detailed table of contents and adding navigation links to related privacy documents including a Consumer Health Data Privacy Policy …
View change record →Headspace now explicitly references a separate Consumer Health Data Privacy Policy for state-regulated consumer health data, creating a dual-track governance framework distinct from HIPAA coverage.
New consolidated provision provides jurisdiction-agnostic privacy rights enumeration (access, correction, deletion, restriction, objection, portability, consent withdrawal) with direct exercise mechanism.
New provision establishes English-language precedence and translation disclaimer, potentially limiting liability for non-English translation inaccuracies.
This provision was replaced with a more detailed 'Third-Party Advertising and Analytics Data Sharing' provision that explicitly characterizes the practice as a potential CCPA/CPRA 'sale' or 'sharing'.
Removal of CPRA-specific provision suggests consolidation into jurisdiction-neutral 'User Privacy Rights and Data Subject Requests' provision rather than state-specific enumeration.
Removal of GDPR-specific provision indicates shift to jurisdiction-agnostic privacy rights language in consolidated provision, potentially reducing explicitness of European regulatory obligations.
Absence of explicit data retention policy in current version may indicate removal or relocation to separate policy document, reducing transparency about retention timelines.
Removal of cross-border data transfer provision eliminates explicit disclosure of international data movement mechanisms and legal frameworks.
Severity downgraded from high to medium and provision expanded with detailed HIPAA coverage explanation and reference to additional Care Provider privacy notices.
Provision now includes specific enumerated examples of sensitive data categories (physical health, medications, emotional state, stress levels) with explicit mental health information specification.
New provision explicitly identifies data sharing categories (advertising technology vendors, analytics providers, social media platforms) and explicitly references CCPA/CPRA 'sale' or 'sharing' classification.
Provision significantly expanded with detailed age restriction statement, affirmative guidance to children, and explicit deletion protocol for inadvertently collected child data.
Provision now includes specific enumerated cookie purposes (login recognition, preference retention, third-party advertising delivery, usage analytics, product improvement) with formal term definition.