10 Total
5 High severity
5 Medium severity
0 Low severity
Summary

This is Headspace's privacy policy explaining how the mental health and meditation app collects and uses your personal data, including sensitive information about your mental health, meditation habits, therapy sessions, and health history. Most importantly, Headspace shares your data — including usage patterns and inferred health interests — with advertising partners, analytics providers, and third-party business partners, and your mental health data may be used to personalise marketing unless you opt out. You can exercise data rights including deletion and opt-out of data sharing by contacting privacy@headspace.com or visiting the privacy settings in your account.

Technical Summary

This document is Headspace's Privacy Policy (effective March 30, 2026), governing the collection, use, and sharing of personal information across its wellness, coaching, therapy, and psychiatry platform, with legal bases including consent, contractual necessity, and legitimate interests varying by jurisdiction. The policy obligates Headspace to provide data access, deletion, correction, and portability rights to users, and requires users to consent to broad data collection including health information, usage behavior, device data, and inferred interests. A notable provision is Headspace's explicit acknowledgment that it operates under HIPAA as a business associate to its Care Provider entities, and that it also maintains a separate Consumer Health Data Privacy Policy and HIPAA Notice of Privacy Practices — creating a multi-layered, context-dependent privacy framework that may confuse users about which protections apply to which data. The policy engages GDPR (EU/UK), CCPA/CPRA (California), HIPAA, Washington My Health My Data Act, and COPPA, with enforcement exposure spanning the FTC, HHS OCR, state attorneys general, and EU/UK data protection authorities. Material compliance considerations include the breadth of sensitive mental health data collected, the use of that data for advertising and analytics purposes, and the cross-border transfer of health-adjacent data to third-party partners.

Evidence Provenance
Captured April 19, 2026 06:17 UTC
Document ID CA-D-000216
Version ID CA-V-000748
SHA-256 92765d24337c337655798edfa3c86ed03e89dce6d38c0cd10fe8dfa6c340f71c
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed
Analyzed Changes

2 changes analyzed since monitoring began.

What changed: Headspace updated their Headspace Privacy Policy on April 11, 2026. Change detected: 1 sentence(s) modified. Document contained 360 sentences after update.
Consumer impact: Headspace removed two navigational footer links — 'Site Sitemap' and 'Blog Sitemap' — from its privacy policy page. This change does not affect any privacy practices, data collection, user rights, or protections. No action is needed from consumers.
Why it matters: This change is purely cosmetic and does not affect any privacy rights, data practices, or user protections. No user action or compliance review is needed.

What changed: Headspace updated their Headspace Privacy Policy on March 31, 2026. Change detected: 23 sentence(s) added, 4 sentence(s) removed, 45 sentence(s) modified. Document contained 360 sentences after update.
Consumer impact: Headspace reorganized its Privacy Policy to include a clear table of contents with 10 named sections, making it significantly easier for users to locate information about how their personal data is collected, used, and shared. The previous version lacked this structure, which may have made it harder for users to exercise their privacy rights. You can review the updated policy sections — particularly 'Your privacy rights' — to understand what data controls are available to you.
Why it matters: Headspace handles sensitive mental health and wellness data, so any changes to how its privacy policy describes data practices carry heightened risk. The structural reorganization improves transparency, but the 45 modified sentences need scrutiny to ensure no material changes to data use were introduced without prominent notice.

Recent Clause-Level Changes Apr 11, 2026

Added (3)
Collection of Sensitive Mental Health Data (High)

New explicit provision acknowledging Headspace's collection of sensitive mental health information, establishing foundational transparency for health data practices.

GDPR Rights for EU/UK Users (High)

Addition of dedicated GDPR compliance provision indicates expanded privacy protections for European users beyond previous international data transfer language.

Policy Change Notification (Medium)

New provision establishes user notification requirements when privacy policy changes, strengthening transparency and user consent management.

Removed (3)
Consumer Health Data Privacy Policy

Removal of standalone consumer health data privacy provision may indicate consolidation into more specific mental health data handling sections rather than elimination of protections.

User Privacy Rights (Access, Deletion, Correction, Opt-Out)

Removal of this standalone provision suggests privacy rights may now be addressed within jurisdiction-specific sections (CPRA, GDPR) rather than as universal user rights.

Employer and B2B Access Programs

Removal of employer/B2B access provision may indicate policy changes to how Headspace handles workplace subscription programs or business customer data access.

Modified (7)
HIPAA Business Associate Status and Dual-Track Data Regime

Previous version referenced basic HIPAA Business Associate relationship; current version explicitly addresses dual-track data regime implications for HIPAA-covered vs. non-covered uses.

Sharing Mental Health Data with Advertising and Analytics Partners

Provision was renamed from generic 'Data Sharing with Advertising and Analytics Partners' to explicitly specify mental health data sharing, emphasizing the sensitive nature of disclosed information.

California CPRA Sensitive Personal Information and Opt-Out Rights

Previous provision addressed general CCPA/CPRA rights; current version specifically targets CPRA's sensitive personal information category and corresponding opt-out mechanisms.

Children's Privacy Restrictions

Provision name and severity level remained consistent between versions with no apparent textual changes.

Cookie and Tracking Technology Disclosure

Provision was renamed from 'Cookies and Tracking Technologies' to emphasize disclosure obligations, suggesting stronger transparency requirements in current version.

3 provisions unchanged.


Applicable Regulations

CCPA/CPRA (California, USA)
CFAA (United States Federal)
CAN-SPAM (United States Federal)
GDPR (European Union)
HIPAA (United States Federal)