Meditation apps are not shy about scraping user data in the name of alleviating stress. But between Calm and Headspace, which app is less likely to compromise your privacy and sensitive mental health data?
Based on our analysis, Headspace edges out Calm when it comes to privacy and security, but Headspace isn’t perfect either. Both apps collect reams of data on users, and the personalization component of each app means that, any way you cut it, these meditation and sleep apps thrive on having as much data as possible to personalize your anxiety and stress reduction plans — and they send that info to advertisers, too. While that may be alarming, Headspace’s “My Data” hub allows users to review what data the app has collected, a lesson that might be helpful for Calm to learn too. Read on for more info.
The pandemic has galvanized users to seek out meditation and mindfulness apps to restore tranquility and equanimity in their lives; however, not all mental health apps are equal in how they treat your data or respect your privacy. Two of the most popular apps — Calm and Headspace — cater to groups looking to alleviate stress, deepen relaxation, and address chronic sleep problems.
According to the Centers for Disease Control and Prevention, approximately 70 million Americans struggle with sleep, a problem which can exacerbate mental illness, poor workplace productivity, chronic diseases and contribute to a lower quality of life and shorter lifespan. To that end, both Calm and Headspace provide a salve for those suffering from insufficient or poor quality sleep. Calm lets users in over 190 countries tune into hours of “sleep stories” in seven languages, read by celebrities like Matthew McConaughey, Harry Styles, and LeBron James. Rival app Headspace provides sleep aids in the form of meditation exercises, along with “soothing soundscapes” to lull an insomniac into their long-sought-after slumber.
Additionally, Headspace and Calm both offer mindfulness techniques to help users reduce anxiety, stress, and general unease in their everyday lives. Through a library of mindfulness techniques that help improve psychological wellbeing, users can seek out the tranquilizing sounds of birdsong, or hear a soothing voice to reach better sleep or a better peace of mind.
But to achieve that, it’s important to understand what these apps extract in terms of data and privacy. Calm and Headspace are both personalized apps that depend on users sharing mental health data — in Calm’s case, the app collects highly-sensitive health information on moods, emotions, and physical and mental health — so, how they protect that data is essential.
Like many meditation apps, Calm collects personally identifiable information like geolocation data, sensitive biometric data and health data. Headspace also obtains personal data like a user’s name, email address, app usage, and their Facebook account ID.
Both Headspace and Calm do not track precise locations. The apps say they rely on IP addresses to determine an approximate location, with Headspace saying that it relies on a user’s geolocation instead of their exact longitude or latitude. Headspace says it collects this data to serve specific content, develop analytics on users based on location, and prevent fraudulent sign-ons. Calm tells Mozilla it uses this information for business decisions and to understand where users are located.
Headspace obtains information about you from trackers like cookies, scripts, and web “beacons” (the company uses these web beacons to understand user preferences and determine how visitors are navigating the site, along with information like which pages generate the most traffic). It does this to see how customers use its app and says it does not comply with do-not-track signals. Although Headspace says it only applies trackers if given consent — and offers users an opt-out option — it does not provide a handy and straightforward method to do so.
While Calm says it does not have access to a user’s camera or microphone, the app records data related to which videos users watch or which sleep stories users listen to. With permission from users, the app also records phone and video calls during coaching sessions or market research sessions. The company says it logs a user’s IP address, the time and date a person visited a page or video, and information related to their web browser, prior webpages visited, hardware models and operating systems of devices, and carrier types.
Headspace, meanwhile, says it does not have access to a user’s cameras or microphones and appears to be telling the truth, given that we did not see either activated while using the app.
Meditation and mindfulness apps are increasingly able to obtain sensitive health data that may paint a detailed picture into a user’s physical or mental health. Namely, Calm says this trove of health data can be collected by the app when users directly send feedback or messages to the company.
Given that individually identifiable health information can be accessed by both Calm and Headspace, it is imperative that users gain a right to access, amend, or delete this data if they wish. Consumers should also be alarmed that both apps may have access to information related to poor moods or poor emotional regulation, as revealed through questions asking about a user’s mood and state of relaxation.
So, how and where is information stored? In short, this round goes to Headspace. Here are the details:
Headspace says it stores user data in the U.S. on “secure servers” — but does not explicitly mention data encryption. The company also says payment information is never stored by the company. The company keeps data from cookies and data trackers for a year. Headspace says after a two-year inactivity period, a user’s account data will become permanently anonymous, but users can directly ask the company to anonymize information within 30 days of an email to [email protected].
Importantly, the company says deleting a Headspace account would result in the deletion of all linked data.
In contrast to this, Calm says sensitive data submitted by forms is encrypted, but the company says there is no promise of “absolute security” and says it does not have liability for “unintentional disclosure.” It also does not explicitly mention where data is stored. Payment information like time and date of purchase are stored by Calm, and the company also gets payment information from third-party app stores.
Alarmingly, Calm’s data retention policies do not define a clear length of time after which data, cookies, or data trackers are deleted. The app says it maintains both cached and archived data on users for an ambiguous, undefined timespan after users delete their account. Likewise, there is no information about inactivity periods leading to data deletion.
Nevertheless, Calm says that all users, regardless of geography, have the right to delete their data by directly emailing [email protected]. While this option to delete all data is welcome, there should be a more user-friendly way to do it built into the app.
Both apps permit third parties to access data. Here are some examples of what that looks like:
Headspace is not much better here. It takes data and shares it with third-party platforms like Facebook, Apple, Spotify, and Google for things like targeted ads. For this reason, it might be better to unlink these accounts from the app. Although Headspace does not take data and sell it to other platforms, it still shares a user’s cookies — meaning you can expect information related to your browser, computer, and IP addresses to be shared with the company.
Headspace says that information can be shared with third parties like Facebook or Google for ads, as well as companies offering similar goods or services in order to improve user experiences or provide combined services. The app also reserves a right to advertise to users through other websites and apps on a user’s phone or computer using the personal data they provide.
If a user links their Facebook account with Headspace, the company collects information like their name, email address, and ID. Additionally, Headspace also says it shares user data with other companies for helping fight fraud and reduce credit risks, but does not disclose what that data looks like.
Conveniently, Headspace offers users a central hub for reviewing their collected personal data in the “My Data” tab of the app, displaying the user’s country, user ID, first and last names, email address, language choice, and time zone. The “permissions” tab allows users to disable personalized ads across Facebook, Instagram, Google and Twitter. It’s important to note that customers cannot edit or change their information in the “My Data” section, except for their country.
Calm does not have a central hub for users to access or review their personal data or edit it, except for updating a user’s email address or name in the app.
Headspace says it uses personal data to send targeted emails and ads, but it provides users with the option to opt in or out of these services through the “My Data” section of its app. It’s relatively easy to access this on both the app and website. Deleting an account also erases all the data linked to the account.
Calm says it shares some personally identifiable data with marketers, such as device identifiers, and requires marketers not to transmit the data to others. Users can opt out by directly contacting the company, but there is no direct link for opting out or a dedicated section for this. Given Calm’s inclination to share data with third parties, it is important to wonder if the companies it grants data to uphold the same security protocols (like data encryption), and question what level of security users can reasonably expect to find at Calm itself, particularly in terms of data encryption.
Sabrina Toppa is an award-winning journalist covering tech and politics. She has written for The Guardian, The Washington Post, TIME, The Atlantic, NBC News, and other outlets. Twitter: @SabrinaToppa.