Headspace may transfer your personal data to other countries where data protection laws may differ from those of your own country, and it uses mechanisms like standard contractual clauses to make these transfers lawful under GDPR.
If you are in the EU or UK, your mental health and personal data may be transferred to countries with weaker privacy protections, and you should understand the legal safeguards in place.
International data transfers from the EU/UK must comply with GDPR Chapter V requirements, relying on adequacy decisions, standard contractual clauses (SCCs), or binding corporate rules. Post-Schrems II compliance requires transfer impact assessments (TIAs) for SCCs, and legal teams should verify that Headspace's vendor data transfer mechanisms satisfy current regulatory guidance from relevant Data Protection Authorities.
Headspace collects highly sensitive personal data including mental health information, therapy session details, and behavioral data from your use of their app, and may share this with advertising partners and third-party service providers. Users in therapy or psychiatry programs are subject to HIPAA protections, but general app users should be aware their meditation habits and wellness data may be used for targeted advertising. You can request deletion of your personal data or opt out of certain data sharing by visiting Headspace's privacy rights portal or emailing privacy@headspace.com.