Depending on your jurisdiction, you have additional rights that apply to you under your jurisdiction's privacy laws. We provide the supplemental information in this section in our efforts to comply with those additional privacy laws and inform you about your rights. If you do not see your jurisdiction below please do not interpret that to mean that we do not respect your privacy and we encourage you to still contact us using the contact details above with your questions or concerns. Please note that Headspace is a US based company and your personal information will be stored within the US.
(a) Privacy Notice for EU and the UK
- Headspace, Inc.
- Ginger.io, Inc.
- Ginger.io of California Medical P.C.
If you have any questions or concerns regarding our personal information collection, use, and sharing practices as described in this Privacy Policy you may reach us using emailing help@headspace.com. We will investigate the matter and resolve any issues, if we can. In compliance with the EU-U.S. DPF, its UK Extension, and the Swiss-U.S. DPF, Headspace commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, its UK Extension, and the Swiss-U.S. DPF to the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the ICDR/AAA are provided at no cost to you.
In the event that we are unable to resolve your issues through the above channels, you may be able to invoke binding arbitration, under certain conditions and as permitted by the EU-U.S. DPF, its UK Extension, or the Swiss-U.S. DPF. For more information, visit the Data Privacy framework website. Headspace is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Headspace is mindful of its responsibility and potential liability for onward transfers of personal data to third parties where Headspace deems such transfers necessary and those transfers are subject to the applicable EU-U.S. DPF, its UK Extension, or the Swiss-U.S. DPF.
Legal basis. Headspace relies on one or more legal bases to process your personal information under applicable law, including:
- (i) with your consent, which you may withdraw at any time;
- (ii) when the processing is necessary to perform our contractual obligations to you, like under our Terms;
- (iii) when necessary to pursue our legitimate interests as further detailed below;
- (iv) when necessary for our compliance with our legal obligations such as a request or order from courts, law enforcement or other government authorities.
Legitimate business interests. We may collect, process, and maintain personal information to pursue the legitimate business interests outlined below. To determine these legitimate interests, we balance our legitimate interests against the legitimate interests and rights of you and others, and only process personal information in accordance with those interests where they are not overridden by your data-protection interests or fundamental rights and freedoms. Our legitimate interests generally include:
- Providing you with our Platform, including functionality of features or Websites you interact with or so that we can provide you the Services.
- Providing you with customer service and support, including to send you messages and provide user support, and to facilitate other communications that you request or are required to render our Products and Services to you. This may include providing you with information about new products and other opportunities we offer that we believe may be of interest to you based upon your interactions with us, and to personalize, measure, and improve such offers.
- Maintaining and improving the quality of the Products and Services that we offer, including to customize our features to better fit your needs as a user, develop new sites and products, to perform internal analytics for new and existing products (such as our user accounts and related features) and to conduct research and development. This also includes sharing personal information with our trusted service providers that provide services on our behalf.
- Protecting you and others, as well as, to create and maintain a trusted environment, such as to ensure compliance our agreements with you and other third parties, to ensure safe, secure, and reliable sites and products, and to detect and prevent wrongdoing and crime, assure compliance with our policies, and protect and defend our rights, interests, and property.
- To provide, personalize, measure and improve our marketing, including to send you promotional messages and other information that may be of interest to you with your consent. We may also use personal information to understand our user base and the effectiveness of our marketing. This processing is done pursuant to our legitimate interest in undertaking marketing activities to offer products or services that may be of interest to you.
- For risk management purposes, including compliance with our legal and regulatory obligations and for fraud detection, prevention and investigation, including “know your customer,” anti-money laundering, conflict and other necessary onboarding and ongoing client checks, due diligence and verification requirements, credit checks, credit risk analysis, compliance with sanctions procedures or rules, and tax reporting.
- Complying with laws and regulations applicable to us, including any legal or regulatory guidance, codes, or opinions and to other legal process and law enforcement requirements, including any internal policy based on or reflecting legal or regulatory guidance, codes, or opinions. We may also respond to subpoenas, court orders, or legal process, and establish and exercise our legal rights or defenses against legal claims.
Privacy rights. Individuals in the EU and UK have privacy rights under the GDPR and the UK equivalent. We will work to respond to your verified request within a month’s time unless we request an extension. Section 5 above generally covers these privacy rights but EU and UK residents also have the following:
- Right to object to processing - You may have the right to request that Headspace Health restrict the use of your personal data in certain circumstances.
- Right not to be subject to automated decision making - You have the right not to be subject to a decision based solely on automated processing. Please know that we do not currently make decisions about you in this manner.
- Right to lodge a complaint - You may also have the right to lodge a complaint about our data collection and processing actions with the appropriate supervisory authority. If you are in the EU, you can view the contact information for your data protection authority here. If you are in the UK, please visit this page. We ask that you contact us first to see if we can resolve your issue.
Exceptions may still apply as described in Section 5. Representatives: Individuals and the data protection supervisory authorities in the EU/EEA and individuals and the data protection supervisory authority (“ICO”) in the UK may also contact our data protection representatives according to Article 27 GDPR: EU: DP-Dock GmbH, Attn.: Headspace, Inc., Ballindamm 39, 20095 Hamburg, Germany UK: DP Data Protection Services UK Ltd., Attn.: Headspace, Inc., 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom www.dp-dock.com headspace@gdpr-rep.com Our data protection officer can be reached at privacy@headspace.com.