Last update: 05/08/2020
We may collect and process the following data about you: • Personal data including, for example, your name, e-mail address, password, and in certain instances, telephone number, data about your usage of the Products and data collected by tracking technologies as further described in section 4 below that may identify you as an individual or allow online contact with you as an individual.
• For individuals who participate in a Headspace Family plan, we may collect additional personal data, for example, home address in order to verify family member status.
• If, as a primary account holder of a Headspace Family plan, you choose to invite additional family members to become subsidiary account holders, we will ask you for their name and email address. We will use this data to invite him or her to join the Products. We store this data for the sole purpose of sending invitations and confirming family member status. If your subsidiary account holder(s) would like us to delete their data, they can do so by contacting the primary account holder of their family plan to be removed.
• Headspace does not collect or process credit or debit card (“Payment Card”) data. Apple and Google collect Payment Card data with respect to in-app purchases made through the Apps, and our payment processor collects Payment Card data with respect to purchases made through the Websites. Such payment processors generally provide us with some limited data related to you, such as a unique, anonymous token that enables you to make additional purchases using the data they’ve stored, and your card’s type, expiration date, billing address, and the last four digits of your card number.
• For individuals using the Products in connection with a Community client account as described in section 6, business data such as your company name, and company email address to the extent that you or your Community provides such data.
• Facebook profile information, such as name, email address, and Facebook ID, if you choose to log in to the Products through Facebook.
• Device information such as operating system version, device type, and system performance data.
• Data collected via tracking technologies, as fully described in section 4.
• If you choose to invite a “Buddy” to use the Products using our Buddy system, we will ask you for their name and email address. We will use this data to invite him or her to join the Products. We store this data for the sole purpose of sending invitations and tracking the success of our Buddy program. If your Buddy would like us to delete his or her data, they can do so by opting-out as described in each invitation or by contacting us at email@example.com.
• If you choose to have your account verified to confirm your status as a student, we may allow a third party platform to access the specific personal data you provide in order to perform the verification. All the information you need to fill in the open text fields during account registration is mandatory. Any failure to complete that information or any response Headspace considers abnormal may result in Headspace refusing (or being unable) to process your request. You agree that the personal data you provide about yourself or subsidiary account holders or “Buddies” to Headspace will be current, accurate, complete and unequivocal.
• If you chose to have your account verified to confirm your status as a US-based healthcare provider, we may collect your National Provider Identifier (“NPI”) in connection with your email address in order to perform the verification.
The security of your personal data is important to us. We follow generally accepted standards to protect the personal data submitted to us, both during transmission and once it is received. If you have any questions about the security of your personal data, you can contact us at firstname.lastname@example.org. Except as described under the “Disclosure of Your Data” section below, we do not provide your personal data to any third party without your specific consent, as defined by applicable law.
If you sign up to receive promotional materials from us via email and/or (push notifications) we will use the data you give us to provide the communications you have requested. If you inform us that you wish to cancel email promotional materials by selecting “unsubscribe” at the bottom of such communication or by emailing us at email@example.com, we will remove you from our mailing list. If you no longer wish to receive push notifications, you may turn them off at the device level.
If you provide your phone number to us directly or through a third-party for the specific purpose of receiving an SMS message with a link to our Apps, you will receive such SMS message (the “SMS Service”). Standard text message rates will apply.
Headspace and our analytics partners use technologies such as cookies, beacons, tags, and scripts to enable a service to recognize your device so you don't have to provide the same data several times during one task, to recognize that you may have already given a username and password so you don't need to do it for every web page requested, and to measure how people are using the Products.
We use local storage, such as HTML5, to store content data and preferences. Third parties with whom we partner to provide certain features on the Products also use HTML5 to collect and store data. Various browsers may offer their own management tools for removing HTML5.
We partner with third parties, such as Facebook and Google, to manage our advertising of the Products on other sites or platforms as well as across your other devices based on your past visits to our Website. Our third party partners may use technologies such as cookies to gather data about your activities within the Products to deliver such advertising to you, such as retargeting ads. We are not always able to respond to do-not-track signals. For more data about interest-based ads, including how to opt-out of having your web-browsing data used for behavioral advertising purposes, please visit www.aboutads.info/choices. Please note that this does not opt you out of being served ads. You may continue to receive generic ads on these third party platforms. You may also opt out of receiving ads across devices by adjusting your ad preference in your Google account.
We use third party trackers to let us know when users have visited the Products by “clicking-through” our sponsored advertising or content hosted on third party platforms. The Products use Google Analytics code to gather statistical data. Google Analytics sets cookies to help us accurately estimate the number of visitors to the Products and the volumes of usage of the Products. This is done to ensure that the Products are available when you want them and are fast. For more data on how Google Analytics processes this data, visit www.google.com/analytics.
We will acquire consent from you in order to use such trackers to the extent required by applicable law.
We use mobile analytics software to allow us to better understand the functionality of our mobile software on your phone. This software may record data such as how often you engage with the Products, the events that occur within the Products, aggregated usage and performance data, and where the Applications were downloaded from. We may link the data we store within the analytics software to any personal data you submit within the mobile application.
As true of most websites, we gather certain data and automatically and store it in log files. This data may include Internet Protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data.
If you receive the HTML-formatted version of our email newsletter, your opening of the newsletter is notified to us and saved. Your clicks on links in the newsletter are also saved. These and the open statistics are used in aggregate form to give us an indication of the popularity of the content and to help us make decisions about future content and formatting.
All data you provide to us through the Products is stored on our secure servers located in the US. Any payment transactions will be encrypted using SSL technology; all payment data is stored with our payment processor and is never stored on Headspace’s servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Products, you are responsible for keeping this password confidential. We ask you not to share a password with anyone, and suggest that your change your password frequently.
Unfortunately, the transmission of data via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Products; any transmission is at your own risk. Once we have received your data, we will use strict procedures and security features to try to prevent unauthorized access.
There is interest by large consumer communities (companies, universities, hospitals, government agencies, etc.) (“Communities”) to introduce the Products to their employees and members. If you have registered to use the Products through a code or other registration credential furnished by a Community (a “Community Subscription”), the Community will have access to your email address, the date you registered to use the Products, and the date on which you last used the Products. The Community will also have access to your Community's aggregated and anonymized general usage data.
Your Community may also have access to your usage data on an individual basis, but only if you have provided appropriate consent under applicable law for such sharing. For example, many Communities are offering incentive programs based on members' participation in health and wellness programs, and desire to better understand how their employees are using the Products.
You may be able to log-in to our Products using sign-in services such as Facebook Connect or an Open ID provider. These services will authenticate your identity, provide you the option to share certain personal data (such as your name and email address) with us, and to pre-populate our sign-up form. Services like Facebook Connect give you to the option to post data about your activities on our Products or to your profile page to share with others within your network.
As you may know, a recent European Union law called the General Data Protection Regulation (“GDPR”) give certain rights to applicable individuals in relation to their personal data. Accordingly, we have implemented transparency and access controls to help such users, including residents of the EU, Switzerland, and the United Kingdom exercise those rights. As required under applicable law, the rights afforded to you are:
A right of access: you have the right to obtain (i) confirmation as to whether personal data concerning you are processed or not and, if processed, to obtain (ii) access to such data and a copy thereof. We provide an easy-to-view snapshot of such data via the “My Data” tab in the Products.
A right to rectification: you have the right to obtain the rectification of any inaccurate personal data concerning you. You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
A right to erasure: in some cases, you have the right to obtain the erasure of personal data concerning you. Upon request, Headspace will permanently and irrevocably anonymize your data such that it can never be reconstructed to identify you as an individual. However, this is not an absolute right and Headspace may have legal or legitimate grounds for keeping such data.
A right to restriction of processing: in some cases, you have the right to obtain restriction of the processing of your personal data.
A right to data portability: you have the right to receive the personal data concerning you which you have provided to Headspace, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance from Headspace. This right only applies when the processing of your personal data is based on your consent or on a contract and such processing is carried out by automated means.
A right to object to processing: you have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you when such processing is based on the legitimate interest of Headspace. Headspace may, however, invoke compelling legitimate grounds for continued processing. When your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of such data. You may, in particular, exercise that right by clicking on the “unsubscribe” link provided at the bottom of any messages received, or by managing your privacy preferences by logging in to your Headspace account and following the instructions here.
A right to lodge a complaint with the competent supervisory authority: you have the right to contact the supervisory authority to complain about Headspace’s personal data protection practices.
A right to give instructions concerning the use of your data after your death: as required by applicable law, you may have the right to give Headspace instructions concerning the use of your personal data after your death. To exercise one or more of these rights, you can email firstname.lastname@example.org.
You may access your personal data to modify or update at any time via an online account, or by emailing email@example.com.
We will respond to your request in a reasonable timeframe in accordance with applicable law.
We use information held about you in the following ways:
In accordance with GDPR, Headspace provides the following information regarding its Article 6 legal bases for personal data processing:
The performance of the contract (the Headspace Terms & Conditions) between you and Headspace for the data processing relating to your use of Headspace’s Products (including your orders and payments);
Headspace’s legitimate interest, more specifically:
We may disclose your personal data to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries.
We may also disclose your personal data to third parties as follows:
In some circumstances, based on your specific requests, we may need to disclose your personal data to a third party so that it can provide a service you have requested from such party, or fulfill a request for data from such party. An example of this is the SMS Service.
In some circumstances, we may disclose the personal data that you have provided to Headspace to a third party that offers and/or provides goods or services complementary to our own for the purpose of enhancing our users’ experiences by offering you integrated or complementary functionality, complementary services or bundled pricing options.
If Headspace’s service providers (like hosting, IT maintenance, market analytics, and payment service providers) require this data to provide services to Headspace. Headspace requires each of its service providers to agree to maintain the confidentiality and security of your personal data.
In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
If Headspace or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation such as to comply with a subpoena, bankruptcy proceedings, similar legal process, or in order to enforce or apply our agreements with you; or to protect the rights, property, or safety of Headspace, our customers, or others. This includes exchanging data with other companies and organizations for the purposes of fraud protection and credit risk reduction.
With your Community, if your subscription is a Community Subscription, as described under Corporate and Other Community Sharing above.
With third parties, such as Facebook, in order to serve Headspace advertisements on such third party platforms, to the extent that you have consented to such practices under applicable law.
If you choose to have your account verified to confirm your status as a student, we may allow a third party platform to access the specific personal data you provide in order to perform the verification.
If you chose to have your account verified to confirm your status as a US-based healthcare provider, we may collect your National Provider Identifier (“NPI”) in connection with your email address in order to perform the verification.
The retention periods applied by Headspace comply with applicable legislation in effect on the date hereof, namely:
For data relating to your account: such data will not be retained beyond your request that your account be deleted.
For transactional data relating to your purchases: such data is kept for the entire period of the contractual relationship, then in accordance with legal obligations and applicable statute of limitation periods. Please note that this data does not include Payment Card information, which is processed by our third-party payment processors, and not Headspace.
For data collected based on your consent to receive our marketing communications: we will use such data until you withdraw consent or applicable law requires that such data is no longer used.
When your data are collected in the context of requests/queries: such data are kept for the period necessary to process and reply to such requests or queries.
When cookies or other trackers are placed on your terminal, they are kept for a period of 12 months.
Other data will be kept as long as necessary for the purposes pursued and in compliance with our legal obligations, including the applicable statute of limitations.
To the extent that you have provided appropriate consent under applicable law to certain processing activities, such consent can be withdrawn at any time by emailing firstname.lastname@example.org.
The Products may, from time to time, contain links to and from the Products of our partner networks, advertisers and affiliates. If you follow a link to any of these external websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these websites or their policies. Please check these policies before you submit any personal data to these external websites.
Our Products include social media features, such as the Facebook Like button, and widgets, such as the “Share This” button, or interactive mini-programs. These features may collect your Internet protocol address, which page you are visiting on or Products, and may set a cookie to enable the feature to function properly. Social media features and widgets are hosted by a third party or hosted directly on our Products. Your interactions with these features are governed by the privacy statement of the company providing it.
Apple iOS users may opt-in to allow the Products to provide data regarding the amount of minutes meditated to the Apple iOS “Health” application for display. This data will not be shared with third parties or used for marketing purposes.
You must be 18 years of age, or the age of majority in your province, territory or country, to sign up as a registered user of the Products. Individuals under the age of 18, or the applicable age of majority, may utilize the Products only with the involvement and consent of a parent or legal guardian, under such person's account.
Headspace users may have the ability to post content to one or more Headspace forums. All such users may request and obtain removal of such posted content by contacting Headspace at email@example.com and specifically identifying the content to be removed. Please be advised that any such removal does not ensure complete or comprehensive removal of all traces of the content posted on the Headspace forum(s).
Our registered agent within the European Economic Area is Tricor, which can be contacted at Tricor Suite, 4th Floor, 50 Mark Lane, London, EC3R 7QR.
Headspace’s physical address is 2415 Michigan Avenue, Santa Monica, CA 90404.
The subsidiaries, service providers or other third parties listed above to whom Headspace may disclose your personal data may be domiciled abroad, and in particular outside the European Union, Switzerland, and the United Kingdom.
In such case, Headspace will require them to take, in accordance with applicable legislation, all organizational and technical measures that permit ensuring an adequate level of protection of your personal data, such the use of Standard Contractual Clauses approved by the European Commission and/or ensuring certification with the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks.
Moreover, we participate in and have certified our compliance with the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks (https://www.privacyshield.gov/). Headspace is committed to subjecting all personal data received from European Union (EU) member countries, Switzerland, and the United Kingdom, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. https://www.privacyshield.gov/list
Headspace is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequent transfers to a third party acting as an agent on its behalf. Headspace complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, Switzerland, and the United Kingdom, including the onward transfer liability provisions.
For personal data covered by Privacy Shield, you have the ability to opt-out of whether such personal data is disclosed to a third-party (apart from service providers) or is to be used for a purpose that is materially different for the purpose for which it was originally collected or subsequently authorized. You can contact Headspace at firstname.lastname@example.org in order to make such choices.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Headspace is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Headspace may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
In May, 2020, Headspace launched the “Be Kind To Your Mind” initiative to provide free Headspace Plus access to certain US-based individuals who meet specific criteria with respect to their employment status.
If you participate in the redemption flow for such initiative, you will be asked to provide certain information, such as the name of your most recent employer, your former role at such employer, the work industry of such employer, your last date of employment, and your zip code. This redemption information is processed by Headspace solely to assess your eligibility under the “Be Kind To Your Mind” initiative. It will not be associated with any personal information or data related to your account.
Headspace may use this information for its internal business purposes, such as product optimization, but it will only do so in aggregate or anonymized fashion.
Effective Date: January 1, 2020 Last Reviewed On: December 20, 2019
Our Products collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, the Products have collected the following categories of personal information from consumers within the last twelve (12) months:
|1. Identifiers.||First and last name, email address, Internet Protocol address, online identifiers.||YES|
|2. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).||First and last name.||YES|
|3. Internet or other similar network activity.||Browsing history or information on a consumer’s interaction with the Products or our advertisements on third-party platforms.||YES|
Personal information does not include: (1) deidentified or aggregated consumer information; (2) publicly available information from government records; or (3) information excluded from the CCPA’s scope.
We obtain the categories of personal information listed above from the following categories of sources:
Directly from you. For example, from forms you complete when registering for the Products.
Indirectly from you. For example, from observing your actions on our Products.
We may disclose your personal information to third parties for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not to use it for any purpose except performing the contract.
In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:
Access to Specific Information and Data Portability Rights
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will permanently and irrevocably anonymize your personal information, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
We also provide an easy-to-view snapshot of your personal information that we have processed via the “My Data” tab in the Products.
Response Timing and Format
Upon receiving a request for access, portability, or deletion, we will confirm receipt of the request within 10 days and provide information about our verification process and how we will process the request.
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.
We will deliver our written response to the email address associated with the account for account holders, and to the email address provided with the request submission for non-account holders.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily readable and useable.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Like most companies, we partner with third parties, such as Facebook and Google, to manage our marketing of Headspace on other platforms, where such advertising is based on your past visits to our Products. These third party partners may use technologies, such as cookies, to gather information about your activities on the Products to deliver such advertising to you when you visit their platforms. For instance, if you visit www.headspace.com, a cookie may be attached to your browser in the form of the Facebook Pixel that allows Headspace to deliver advertising to you on the Facebook platform.
We do NOT sell or rent your personal information to any third parties for their own advertising or marketing purposes.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.
We reserve the right to amend this CCPA Addendum at our discretion and at any time. When we make changes to this CCPA Addendum, we will post the updated notice on the Website and update the effective date. Your continued use of our Products following the posting of changes constitutes your acceptance of such changes.