User Privacy Rights and Data Subject Requests

What it is

Depending on where you live, you may have rights to access, correct, delete, or export your personal data, and you can exercise those rights by submitting a request through Headspace's online form or by emailing their support address.

Why it matters (compliance & governance perspective)

These rights are particularly meaningful on a mental health platform because they allow users to review what sensitive data Headspace holds about them, request corrections to health information, or ask for complete deletion of their mental health records from the platform.

Consumer impact (what this means for users)

Users in the EU, UK, California, and certain other jurisdictions have enforceable rights to access, correct, delete, or port their personal data including mental health information, and can exercise these rights through Headspace's online privacy request form or by emailing help@headspace.com; the availability and scope of these rights depends on your jurisdiction.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Data subject rights disclosures engage GDPR Articles 15 through 22 (access, rectification, erasure, restriction, portability, objection, and automated decision-making rights) for EU and UK users; CCPA and CPRA data subject rights for California residents (access, deletion, correction, portability, opt-out of sale and sharing); and similar rights frameworks in Canada under PIPEDA and in other jurisdictions with supplemental notices. For HIPAA-covered clinical data, patients have separate rights under the HIPAA Privacy Rule including the right to access, amend, and receive an accounting of disclosures. GOVERNANCE EXPOSURE: Medium. The policy commits to honoring data subject rights across multiple jurisdictions but does not specify response timeframes or verification processes in the main policy text, which may create operational compliance gaps particularly under GDPR's 30-day response requirement and CCPA's 45-day response timeline. The existence of both HIPAA and GDPR rights frameworks for the same user in certain circumstances creates potential procedural complexity. JURISDICTION FLAGS: EU and UK users have the most robust enforceable rights under GDPR and UK GDPR, including the right to erasure and data portability. California residents have CCPA and CPRA rights with specific verification and response timelines. Canadian users have PIPEDA rights. Users in jurisdictions without specific data protection legislation have no guaranteed rights under this policy beyond what the company voluntarily provides. CONTRACT AND VENDOR IMPLICATIONS: Honoring deletion requests for mental health data requires that Headspace's data processing agreements with third-party vendors include data deletion and return obligations. If advertising or analytics vendors retain copies of user data, those copies must also be subject to deletion upon valid user request. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that the privacy request intake process has defined response timelines mapped to each applicable jurisdiction, that identity verification procedures are proportionate and not overly burdensome, and that deletion requests cascade to third-party processors and vendors. For HIPAA-covered clinical data, the right of access and amendment process should be tested for consistency with the HIPAA Privacy Rule's specific requirements.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• HIPAA Business Associate Status and Clinical Health Data Governance medium
• Consumer Health Data and Separate Health Data Privacy Policy medium
• Third-Party Advertising and Analytics Data Sharing high
• Collection of Sensitive Health and Mental Health Information high
• Children's Privacy Age Restriction medium
• English Version Prevails Over Translations low