Privacy Policy

Last Updated: June 27, 2024

We are Lyra Health, Inc., a company focused on helping people feel emotionally healthy at work and at home. As an employer-sponsored benefit that connects employees and their dependents with effective and convenient care for their mental and emotional well-being, we combine technology, research-backed therapeutic methods, and top support providers such as coaches and therapists (“Providers”) to offer personalized care. Within this policy, we will refer to the employers and other entities who sponsor employee and member access to our services as “Lyra Benefit Sponsor”.

1. SCOPE

General Scope. This Privacy Policy (“Policy”) describes how Lyra uses, and discloses personal information collected via our website at lyrahealth.com, any affiliated “micro-sites” set up for our customers (e.g., www.benefit sponsor.lyrahealth.com), our Provider Portal (provider.lyrahealth.com), our mobile applications, sessions with Lyra Providers, our events, and any other online or offline offering of ours that posts this Policy (collectively, the “Services”). If you do not agree with our privacy practices, please do not provide us with personal information, use our Services, or access our website.

Definition of “Lyra” within the United States. In the United States, we work closely with a number of affiliates to deliver and facilitate coaching and clinical services, including Lyra Behavioral Health, Inc., Lyra Health 2, Lyra Health Holdings, LLC, Lyra Clinical Associates P.C., a California professional corporation, Lyra Clinical of MA, P.C., and Lyra Clinical of New Jersey, P.C. This Policy covers the activities of all of these entities (collectively, “Lyra”) for services delivered in the United States.

Outside of the United States. Outside of the United States, Lyra only provides coaching and technology services. In this context, therefore, “Lyra” means Lyra Health, Inc. only.

Jurisdiction-Specific Disclosures. If you are located or reside in any of the following jurisdictions, please see the Jurisdiction-Specific Disclosures linked directly below or shown at the end of this Policy for additional information related to rights you may have under the applicable privacy laws of your jurisdiction and disclosures required by the privacy laws of particular jurisdictions. Note the remainder of this Privacy Policy applies to all jurisdictions.

If you are in the United States and receive clinical services via our Services: See our HIPAA Notice of Privacy Practices for how Lyra and our Providers specifically use and disclose Protected Health Information (“PHI”).
If you reside in California, please see our Supplemental Notice for California Residents at Section 13.
If you are in the European Economic Area (EEA), the United Kingdom (UK) or Switzerland, please see our Supplemental EEA Privacy Notice at Section 14.
If you are in Australia, please see our Supplemental Australian Privacy Notice at Section 15.
If you are in Canada, please see our Supplemental Canadian Privacy Notice at Section 16.

Additional Policies from Providers. Some Providers may have additional Privacy Policies or Informed Consent documents that describe their data practices; see those documents for more information on how your Provider may use your personal information during care.

Additional Requirements from Benefit Sponsors. As part of setting up Lyra services at their organization, some Lyra Benefit Sponsors may require or choose to add additional or different limitations or restrictions on data practices related to their Lyra offerings (i.e., Lyra Benefit Sponsors may add additional privacy restrictions or limitations above and beyond what is described in this Policy). Any such additional restrictions or limitations on data practices that have been agreed to between Lyra and Lyra Benefit Sponsors will be reflected in written agreements between them, and such terms will control.

2. PERSONAL INFORMATION WE COLLECT

The categories of personal information we collect depend on how you interact with us or use our Services and the requirements of applicable law. We collect information that you provide to us, information we obtain automatically when you use our Services, information from other sources such as your Lyra Benefit Sponsor, and third-party services and organizations, as described below.

CLIENTS

Registering as a Lyra Client. If you register as a Lyra client, we may collect information from you including your name, postal address, location (if you choose to provide it in our “find a Provider” feature), email address, phone number, username, password, demographic information (such as your gender and date of birth, as well as race, ethnicity, religious affiliations, sexual orientation and/or pronouns if you choose to disclose such information), information about your mood, mental or physical health, or emotional state, as well as other information you directly give us through the Services.

Using Lyra Services. Depending on the Lyra Services you use, you may be asked to complete additional forms (e.g. intake form, initial assessment, Consent for Therapy) which may ask for personal information such as your name, contact information, information about your current or historical health or mental health and treatment, and information on your lifestyle.

Communicating with Us. If you communicate with us by email, phone, text, chat, or within our app, we will collect personal information from you, such as your name, contact information, and information you provide within your communication to us. If you are a Lyra client, you have the option of using our secure electronic communication portal as described in Section 4 of this Policy. Note that calls to Lyra’s Care Team may be recorded.

Surveys. We may periodically send you optional surveys to collect your feedback on your experience with Lyra. Understanding outcomes is central to our mission of providing effective, evidence-based care, and data can help inform Lyra’s approach to treatment and assessment of progress.

Information We Get from Your Lyra Benefit Sponsor. We may receive information from your Lyra Benefit Sponsor to enable us to confirm your eligibility or the eligibility of your dependents or household member(s), contact you in order to inform you of the availability of Lyra benefits, help us measure the effectiveness of the Lyra benefit, or better support communications with you, your Provider, or other individuals to support your care as permitted by law.

PROVIDERS

Registering as a Provider. If you register as a Lyra Provider, we may collect information from you including your name, photo, email address, phone number, postal address, date of birth, Social Security or social insurance number, Tax Identification number, your bank account information to receive payment, copies of your identification, and information about your education, experience, and practice, including licensure information. We also collect optional demographic information including your race, disability status, and sexual orientation.

For more information on our data practices with regard to Providers, refer to Lyra’s Workforce Privacy Notice (available within the Provider Portal). If you need help accessing your Provider Portal, please contact us as described below.

ALL SERVICE USERS

Information We Get from Interactive Features. We may collect personal information that you submit or make available through our interactive features (e.g., messaging and chat features, commenting functionalities, forums, blogs, and social media pages). Any personal information you elect to make publicly available on our Services, such as posting comments on our blog page, will be available to others. Any information you provide on the public sections of these features will be considered “public”, unless otherwise required by applicable law, and is not subject to all of the privacy protections referenced herein.

Information We Get from Others. We may get information about you from other sources, such as your Benefit Sponsor,third-party care providers or other third parties who may be involved with your care. For example, Lyra may collect demographic information, such as your name and telephone number, from a friend, colleague or relative who refers you to Lyra for Services.

We may combine the information that we collect with data obtained from third parties or through our products and Services. Additionally, you may also be able to access your Lyra account by signing on through various third-party services, such as Google. Signing on through such third-party services is voluntary. If you choose to sign on through a third-party service, Lyra may collect certain information from your account including your public profile, user name, email address, birthday, stated location, city, contact lists, and other interactions on that platform (such as interests and likes). The information we may have access to will vary by platform and is controlled by your privacy settings and account settings on that platform. Your use of services on third-party platforms are governed by the privacy statement and other terms of use for that third-party platform, until such information is disclosed to us, and then such information is also subject to this Policy. Please note that you should obtain necessary consents before providing us with personal information regarding another individual.

Voice and Video Information. If you consent, we may collect your voice and video image for ongoing quality improvement and quality assurance of our Services. The consent form you are provided before agreeing to provide video to us will provide additional information on how video data is collected, used, and retained.

Information Automatically Collected. We automatically log information about you and your computer, phone, tablet, or other devices you use to access the Services. In particular, when visiting the Services, we log your computer or device identification, operating system type, browser type, browser language, the website you visited before browsing to our website, pages you viewed, how long you spent on a page, access times, and information about your use of and actions on the Services. How much of this information we collect depends on the type and settings of the device you use to access the Services.

Cookies. We, as well as third parties that provide content, advertising, or other functionality on the Services, may log information using cookies, pixel tags, web server logs, web beacons, and other technologies (“Technologies”) to automatically collect information through your use of our Services. This information is collected to make the Services more useful to you and to tailor the experience with us to meet your special interests and needs. Note that advertising technologies are not used on sites where clients login to access our services and/or search for care (e.g., benefit sponsor.lyra health.com), they are only used on Lyra’s corporate website: lyrahealth.com.

Cookies. Cookies are small data files stored on your hard drive by a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer until you delete them) to provide you with a more personal and interactive experience on the Services.
Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects information about engagement on the Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular webpage or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.

Our uses of these Technologies fall into the following general categories:

Operationally Necessary. This includes Technologies that allow you access to the Services, applications, and tools that are required to identify irregular website behavior, prevent fraudulent activity, and improve security or that allow you to make use of our functionality.
Performance-Related. We may use Technologies to assess the performance of the Services, including as part of our analytics practices to help us understand how individuals use the Services (see Analytics below).
Functionality-Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using the Services. This may include identifying you when you sign into the Services or keeping track of your specified preferences, interests, or past items viewed.
Advertising or Targeting-Related. We may use first-party or third-party Technologies to deliver content, including ads relevant to your interests, on lyrahealth.com or on third-party websites.

Note that advertising technologies are not used on sites where clients login to access our services and/or search for care (e.g., benefitsponsor.lyrahealth.com), they are only used on Lyra’s corporate website: lyrahealth.com.

Analytics. We may use Technologies and other third-party tools to process analytics information on the Services. Some of our analytics partners include:

Google Analytics. For more information, please visit Google Analytics’ Privacy Policy. To learn more about how to opt-out of Google Analytics’ use of your information, please click here.
Mixpanel. For more information about Mixpanel, please visit Mixpanel’s Privacy Policy

Social Media Platforms. The Services may contain buttons to social media platforms such as Twitter, Facebook and LinkedIn (that might include widgets such as the “share this” button or other interactive mini programs). These features may collect your IP address, which page you are visiting on the Services, and may set a cookie to enable the feature to function properly. Your interactions with these platforms are governed by the privacy policy of the company providing the widget.

LYRA GATHER

If you choose to enroll or participate in live events, such as Lyra Gather sessions, Learning Sessions, or Workshops, we will use and share certain information you provided when registering for Lyra, including your name and email address, to register you for the sessions. These sessions are conducted via videoconference, and you may choose whether to display your name in the videoconferencing tool, and whether to have your camera on or image displayed.

3. USE OF PERSONAL INFORMATION

How we use the information we collect depends in part on which Services you use, how you use them, and any preferences you have communicated to us. Below are the purposes for which we use the information we collect about you.

To provide and secure the Services and personalize your experience: We use information about you to provide the Services to you, including to:

Help establish and verify the identity and eligibility of users;
Conduct outreach to potential clients if they are referred to Lyra by a friend, colleague, or relative.
Open, maintain, administer, and manage profiles and accounts for registered users;
Provide search results and notifications that are most relevant for you;
Recommend Providers and Services that may be a good fit for you;
Provide you with customized products, Services, content, offers, or materials;
Provide, deliver, operate and maintain the Services and other products and services that you request, including those from our selected partners;
Link or combine user information with other personal information, such as when you use services offered by Lyra Clinical Associates P.C. or our other contracted providers of clinical services;
Respond to comments and questions and provide customer service or technical support;
Process applications to become a Lyra Provider;
Allow you to register for events;
Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and prosecute those responsible for that activity;
Ensure internal quality control and safety;
Debug or identify and repair errors with the Services;
Audit interactions, transactions and other compliance activities;
Communicate with you about your account, including confirmations, notices, notifications, updates, security alerts, and support and administrative messages. If you are communicating with Lyra about your care, these communications may contain medical information.

Understand and improve our Services, provided the agreement we have with your employer permits use of personal information for this purpose, such as to:

Measure and understand engagement with the Services;
Research and develop products, Services, marketing, or internal processes;
Short-term, transient use, such as contextual customization of ads;
Improve, repair, upgrade, or enhance the Services.

To protect our legitimate business interests and legal rights, such as to:

Enforce our agreements and policies;
Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and prosecute those responsible for that activity;
Ensure internal quality control and safety;
Protect your safety or vital interests, or the safety or vital interests of others; and
Comply with our legal obligations.

Advertising: With your consent, we use information about how you have interacted with our corporate website (lyrahealth.com) to target and serve personalized online ads to you.

With your consent: We may use information about you in other ways or for other purposes, where you have given us consent to do so for a specific purpose not listed above.

De-identified and Aggregated Information: We may use personal information and other information about you to create de-identified and/or aggregated information, such as de-identified demographic information, location information, information about the device from which you access the Services, or other data sets we may create. In some cases, we use aggregated, de-identified clinical data to provide our customers with insight into how their employees are using our Services and to improve our services.

4. DISCLOSURES OF PERSONAL INFORMATION

We only disclose your information to third parties as described below.

Your Providers. If you seek care, treatment or other services from a Provider available through the Services, your Provider will have access to the personal information that you have provided through your completed intake form and initial assessment in order to provide you with their services. If you switch Providers, we may disclose your personal information to your new Provider to facilitate a consistent care experience.

Your Lyra Benefit Sponsor. To the extent permitted under applicable laws, we may provide necessary data to your Lyra Benefit Sponsor to enable them to manage, administer and evaluate its health and wellness programs. Unless permitted under applicable laws or authorized by you, we will not disclose any of the information you provide in intake forms, assessments or sessions with Providers to your Lyra Benefit Sponsor.

Affiliates. Note that sometimes we receive information from and share information among the Lyra entities.

Other Lyra Users. Some of Lyra’s Services, such as Lyra Gather, may allow you to communicate with other Lyra Users, in which case our Services facilitate the direct disclosure of personal information from you to such other Lyra users at your direction.

Service Providers. We disclose your personal information to our third-party service providers, such as IT and related services, payment processors, customer service providers, and other vendors that support our provision of the Services. These service providers will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed.

De-identified and Aggregated Information. We may share de-identified and aggregated information (such as de-identified usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) with third parties who help us understand the usage patterns for certain Services and those of our partners. Lyra may also share with your Lyra Benefit Sponsor the outcomes and impact of the Services, which would consist solely of de-identified and aggregated data or analytics. We will use de-identified information as part of our machine learning and artificial intelligence initiatives to improve our services. Non-personally identifiable information may be stored indefinitely.

Advertising Partners. With your consent, we may disclose your personal information to third-party advertising partners. These third-party advertising partners may include Technologies and other tracking tools on our corporate website (lyrahealth.com) to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising” or “personalized advertising.” Note that advertising technologies are not used on sites where clients login to access our services and/or search for care (e.g., benefitsponsor.lyrahealth.com), they are only used on Lyra’s corporate website (lyrahealth.com).

Disclosures to Protect Us and Others: We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate: to comply with law enforcement or national security requests and legal process, such as a court order or subpoena; when required by health oversight agencies for legally authorized health oversight activities; to protect your, our or others’ rights, property, or safety, including to protect the security or integrity of the Services and any facilities or equipment used to make the Services available; to enforce our policies or contracts; to collect amounts owed to us or any Lyra Provider; or to assist with an investigation or prosecution of suspected or actual illegal activity or in an emergency.

What Happens in the Event of a Change of Control: We may buy or sell/divest/transfer our company (including any shares in the company), or any combination of its products, services, assets and/or businesses. We may also sell, assign, or otherwise transfer such information in the course of corporate divestitures, mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of Lyra. Your information such as names and email addresses, and other information related to the Services may be among the items transferred in these types of transactions.

5. SECURITY OF PERSONAL INFORMATION

We are committed to protecting your privacy and data. We have taken steps to implement safeguards and security measures to help prevent your personal information from being lost, used or accessed in an unauthorized way, altered or disclosed. However, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its security. If you have any questions about the security of the Services, you can contact us as described below.

Any text, email or other transmission you send unencrypted through the Internet cannot be completely protected against unauthorized interception. In particular, we want to make you aware that personal email may be unsecure. You are not required to authorize the use of your personal email for purposes of communicating with Lyra; a decision not to consent or to opt out of receiving these emails will not restrict your ability to access care from your Provider. You can choose to receive email from Lyra using our secure electronic communication system instead of your personal email. Our secure electronic communication system will require you to log into a separate portal to access the email that is being sent.

6. DATA RETENTION

We retain personal information pursuant to statutory requirements, for as long as needed to provide the Services or fulfill the purpose for which it was collected, and to comply with our legal and compliance obligations (including auditing), resolve potential or actual disputes, conduct research and development for the Services (provided the agreement we have with your employer permits use of personal information for this purpose), or enforce our agreements.

7. INTERNATIONAL DATA TRANSFER

By using the Services, your personal information will be stored within the United States, where privacy rules differ and may be less stringent than those of the country in which you reside.

8. THIRD-PARTY WEBSITES/APPLICATIONS

The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services/applications are not controlled by us. We encourage our users to read the privacy notices and policies of each website and application with which they interact.

9. CHILDREN

Lyra’s online and web-based Services are not directed to children under 13 (or other age as required by local law), and we do not knowingly collect or maintain the personal information shared by children under 13.

If you believe that Lyra has inappropriately received information about a child under the age of 13, please contact us as described below. If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected, unless we have a legal obligation to keep it, and terminate the child’s account if applicable.

10. YOUR PRIVACY CHOICES AND RIGHTS

Your Privacy Choices. You have a number of choices you can make regarding your personal information, including as follows:

Email Communications. If you receive an unwanted email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and the Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to our Terms or this Privacy Policy).

Text Messages. You may opt out of receiving text messages from us at any time by following the instructions in the text message/replying “STOP” to a text message you have received from us, by updating your communications preferences within your Lyra profile, or by contacting us as described below.

Mobile Devices. We may send you push notifications through our mobile application. You may opt out from receiving these push notifications by changing the settings on your mobile device.

Cookies and Interest-Based Advertising. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your browser or devices preferences, as they permit. However, if you adjust your preferences, the Services may not work properly or certain features may not be available. Please note that cookie-based opt-outs may not be effective on mobile applications. However, you may opt-out of personalized advertisements on some mobile applications by following the instructions for Android, iOS and others.

If you wish to opt out of targeted advertising, you may do so here.

The online advertising industry also provides websites from which you may opt out of receiving targeted ads from data partners and other advertising partners that participate in self-regulatory programs. You can access these and learn more about targeted advertising and consumer choice and privacy by visiting the Network Advertising Initiative, the Digital Advertising Alliance, the European Digital Advertising Alliance, and the Digital Advertising Alliance of Canada. Please note you must separately opt out in each browser and on each device.

Your Privacy Rights. In accordance with applicable law, you may have the right to:

Access Personal Information about you, including: (i) confirming whether we are processing your personal information; (ii) obtaining access to or receiving a copy of your personal information; and (iii) receiving an electronic copy of personal information that you have provided to us, or (iv) asking us to send that information to another company (the “right of data portability”);

Request Correction of your personal information where it is inaccurate or incomplete. In some cases, we may provide self-service tools that enable you to update your personal information;

Request Deletion of your personal information;

Request Restriction of or Object to our processing of your personal information; and

Withdraw your Consent to our processing of your personal information.

You may submit requests regarding your personal information by clicking here or contacting us as described below. If you have such rights and your request complies with applicable legal requirements, we will give effect to your rights and respond within any mandatory timeframes as required by law.

11. CHANGES TO THIS PRIVACY POLICY

We may change this Policy and our privacy practices, so please check this page occasionally. If we make any changes, we will change the Last Updated date above and/or notify you or seek your consent as required by applicable law.

12. CONTACT INFORMATION

To contact us, please use the contact information below.

Lyra Health, Inc.
270 E. Lane
Burlingame, California 94010
[email protected]

13. SUPPLEMENTAL NOTICE FOR CALIFORNIA RESIDENTS

This Supplemental California Privacy Notice only applies to our processing of personal information about California individuals.

Do Not Track. We currently do not support the Do Not Track (“DNT”) browser setting or respond to DNT signals. DNTis a preference you can set in your browser to let the websites you visit know that you do not want them collecting certain information about you. For more details about DNT, including how to enable or disable this preference, visit https://termsfeed.com/do-not-track.

The California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), provides California residents with the right to know what categories of personal information Lyra has collected about them and whether Lyra disclosed that personal information for a business purpose (e.g., to a service provider) in the preceding 12 months. California residents can find this information below:

Category of Personal Information Collected by Lyra	Category of Third Parties Information is Disclosed to for a Business Purpose
Identifiers. A real name, alias, postal address, online identifier, Internet Protocol address, email address, or other similar identifiers.	Data storage and hosting providers Business operations, communications, and collaboration tools Sales and marketing tools Internet Service Providers Product infrastructure tools
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) A name, address, telephone number, employment, employment history, medical information.	Data storage and hosting providers Business operations, communications, and collaboration tools Sales and marketing tools Internet Service Providers Product infrastructure tools
Protected classification characteristics under California or federal law Age, race, ancestry, marital status (in relation to how family members are related), medical condition, physical or mental disability, sex (including gender, gender identity, gender expression).	Data storage and hosting providers Business operations, communications, and collaboration tools Sales and marketing tools Internet Service Providers Product infrastructure tools
Internet or other electronic network activity Browsing history, search history, information on a consumer’s interaction with an internet website, application, or advertisement.	Data storage and hosting providers Business operations, communications, and collaboration tools Sales and marketing tools Internet Service Providers Product infrastructure tools
Geolocation data Physical location or movements.	Data storage providers Business operations, communications, and collaboration tools Sales and marketing tools Internet Service Providers Product infrastructure tools
Audio, electronic, visual, thermal, olfactory, or similar information Photos and video	Data storage providers Business operations, communications, and collaboration tools Internet Service Providers Product infrastructure tools
Professional or employment-related information Current or past job history	N/A
Inferences. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	Data storage providers Business operations, communications, and collaboration tools Sales and marketing tools Internet Service Providers Product infrastructure tools

The categories of sources from which we collect personal information and our business and commercial purposes for using personal information are set forth above in Section 2 (“Personal Information We Collect”).

As indicated in Section 2, we may also collect Sensitive Personal Information, as defined under the CCPA, as amended, including race or ethnicity, geolocation, and health data.

Race/Ethnicity Data. We collect race/ethnicity data for clinical data and research purposes. We may also use aggregate race/ethnicity data for customer reporting purposes.
Location Data. We limit the uses of the geolocation data and health data we collect to those that are necessary to provide Lyra’s services to our clients, such as helping clients find a Provider near them.

You have the right to request that we limit the use of your Sensitive Personal Information. If you would like to limit how we use this information, please select Limit the Use of My Sensitive Personal Information on the form here. Lyra will maintain this data as long as you: 1) remain a Lyra client and 2) have not affirmatively withdrawn your consent.

Submitting Requests to Know, Delete, Amend, Port, Opt Out of Selling or Sharing and Limit the Use of Sensitive Personal Information. The CPRA gives California residents rights to request:

Specific pieces of personal information we have collected
Deletion of personal information
Amendment of personal information
That we transmit personal information to another entity
To opt out of selling or sharing the information we collect
To limit the use of Sensitive Personal Information that we collect

You may submit a verifiable consumer request to us to exercise any of these rights by clicking here or emailing us at the contact details above. We will process such requests in accordance with applicable laws.

Verification. To protect your and others’ privacy, we will take steps to verify your identity before fulfilling your request. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. We verify consumer requests by matching personal information that you provide with information in our possession, in order to confirm your identity. Any additional information you provide will be used only to verify your identity and not for any other purpose.

“Sales” or “Sharing” of Personal Information under the CPRA. Under the CCPA’s broad definitions, Lyra may “sell” or “share” personal information through the use of advertising and analytics-related cookies and pixels on our corporate website. We use these cookies and pixels for the sole purposes of analytics and for providing targeted behavioral advertising based on your interest in Lyra. You may adjust your cookie preferences on your device or remove them by adjusting your browser or devices preferences, as they permit, and you may use this Do Not Sell or Share My Personal Information form here to request that we do not collect or use your personal information for behavioral advertising. Lyra does not otherwise, in any way, “sell” or “share” your personal information. We also do not have actual knowledge of any “sale” or “sharing” of personal information of minors under 16 years of age.

Category of Personal Information Collected by Lyra	Category of Third Parties Information is Shared With
Identifiers. A real name, alias, postal address, online identifier, Internet Protocol address, email address, or other similar identifiers.	Advertising networks and providers Analytics providers
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) A name, address, telephone number, employment, employment history, medical information.	Advertising networks and providers Analytics providers
Protected classification characteristics under California or federal law Age, race, ancestry, marital status (in relation to how family members are related), medical condition, physical or mental disability, sex (including gender, gender identity, gender expression).	Advertising networks and providers Analytics providers
Internet or other electronic network activity Browsing history, search history, information on a consumer’s interaction with an internet website, application, or advertisement.	Advertising networks and providers Analytics providers Product infrastructure tools
Geolocation data Physical location or movements.	Advertising networks and providers Analytics providers
Audio, electronic, visual, thermal, olfactory, or similar information Photos and video	N/A
Professional or employment-related information Current or past job history	N/A
Inferences. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	Data storage providers Business operations, communications, and collaboration tools Sales and marketing tools Internet Service Providers Product infrastructure tools

Non-Discrimination. California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.

Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may designate an authorized agent to make requests on your behalf. You must provide an authorized agent written permission to submit a request on your behalf, and we may require that you verify your identity directly with us. Alternatively, an authorized agent that has been provided power of attorney under Probate Code sections 4000-4465 may submit a request on your behalf. To designate an authorized agent, please contact us as described below.

Accessibility. This Privacy Policy uses industry-standard technologies and was developed in line with the World Wide Web Consortium’s Web Content Accessibility Guidelines, version 2.1. If you wish to print this policy, please do so from your web browser or by saving the page as a PDF.

14. SUPPLEMENTAL EEA+ PRIVACY NOTICE

This Supplemental EEA+ Privacy Notice applies if you are located in the European Economic Area, the United Kingdom, or Switzerland.

DATA CONTROLLER

Lyra Health, Inc. is the data controller (“Lyra”, “we”, “us”). They are located at 270 E. Lane, Burlingame, California 94010 ([email protected]).

CATEGORIES OF PERSONAL DATA, PURPOSES OF PROCESSING AND SOURCE

See Section 2 for categories of personal data that Lyra collects, for the purposes Lyra uses your personal data and, if applicable, the source from which the personal data originated.

SPECIAL CATEGORY DATA

Special categories of personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, data concerning an individual’s sex life or sexual orientation, genetic data, and biometric data processed for the purpose of identifying an individual.

With your consent, and if you choose to provide it, we may collect special category data, such as in our intake forms and initial assessments, and in your communications to Lyra and its Providers.

We process this personal data, including disclosing this personal data to your selected Providers, solely for the purposes of facilitating your receipt of coaching services via our technological Services, in accordance with your explicit consent per Article 9(2)(a) GDPR. You can withdraw your consent at any time with future effect.

If there is a life-threatening emergency and the data subject is physically or legally incapable of giving consent, we may process personal data that falls within these special categories as necessary to protect the vital interests of the data subject or another individual per Art. 9(2)(c) GDPR.

LAWFUL BASES FOR PROCESSING

We rely on the following legal bases to process personal data of yours that does not fall within special categories, as appropriate:

According to your consent per Article 6(1)(a) GDPR (“Consent Legal Basis”)
Necessary for us to perform a contract with you or take steps at your request prior to entering into a contract per Article 6(1)(b) GDPR (“Contract Performance Legal Basis”)
Necessary for us to comply with an applicable legal obligation per Article 6(1)(c) GDPR (“Legal Obligations Legal Basis”)
Necessary in order to protect the vital interests of the data subject or another natural person per Article 6(1)(d) GDPR (“Vital Interests Legal Basis”), or
Necessary for us to realize a legitimate interest based on an assessment of that interest and your privacy and other fundamental interests per Article 6(1)(f) GDPR (“Legitimate Interest Legal Basis”), where the legitimate interests could be in particular:
- open, maintain, administer, and manage profiles and accounts for registered users;
- ensuring internal quality control and safety;
- improving our Services;
- managing and conducting our relationships with third parties in a business or professional capacity;
- managing and administering our business;
- debugging to identify and repair errors with the Services;
- enforcing our agreements and policies;
- detecting security incidents;
- protecting against malicious, deceptive, fraudulent or illegal activity; and
- prosecuting those responsible for that activity; ensuring internal quality control and safety; protecting your safety or vital interests, or the safety or vital interests of others.

We rely on the following legal bases to process personal data which falls within special categories:

Pursuant to your explicit consent
Necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

If we rely on your consent, you can withdraw your consent at any time with future effect by contacting us at the contact details listed below. For additional details regarding the lawful bases of processing your personal data specifically, please contact [email protected].

CATEGORIES OF RECIPIENTS

See Section 4 for information on the categories of recipients that Lyra shares your personal data with.

EU-U.S. DATA PRIVACY FRAMEWORK

Lyra complies with the EU-U.S. Data Privacy Framework, including the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF (collectively, “DPF”), as set forth by the U.S. Department of Commerce.

Lyra has certified to the U.S. Department of Commerce that it adheres to DPF with regard to the processing of personal data received from the European Union, Switzerland, and the United Kingdom pursuant to DPF, including the DPF Principles of 1) Notice, 2) Choice, 3) Accountability for Onward Transfer, 4) Security, 5) Data Integrity and Purpose Limitation, 6) Access, and 7) Recourse, Enforcement, and Liability (the “DPF Principles”).

The DPF Principles require that we remain potentially liable if any third party processing personal data on our behalf fails to comply with these DPF Principles (except to the extent we are not responsible for the event giving rise to any alleged damage). Lyra’s compliance with the DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Please contact us as described below with any questions or concerns relating to our DPF certification. In compliance with the DPF, Lyra commits to refer unresolved complaints concerning our handling of personal data received in reliance on DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you. Under certain conditions, you may also be entitled to invoke binding arbitration for complaints not resolved by other means. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern.

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

YOUR CHOICES

There is no law or contract between you and us stating that individuals in the EEA or UK or have to use our Services. We ask you to provide your name, organization, and eligibility information to verify your eligibility to receive certain Services from us, certain essential details about yourself and your lifestyle in an intake form and initial questionnaire so that we may recommend Providers and a coaching program to you, and your payment details to administer our late-cancellation and no-show policies. We cannot provide you with a recommendation or access to coaching services unless you provide such information. You do not have to provide personal data that is not shown as required to receive our Services (as indicated within the platform); the only consequence of not providing this personal data is that it will not be taken into consideration when we recommend coaching services to you and when you receive such services. You do not have to consent to our use of personal data for advertising purposes. If you do not allow us to collect the data we automatically collect from users of our Services, some of our Services may not work properly or be as tailored to you as they could otherwise be, but they will still generally be usable.

To the extent that you have given consent, you can withdraw your consent at any time with future effect by contacting us as described below. Such a withdrawal will not affect the lawfulness of the processing prior to the withdrawal of consent.

DATA RETENTION

See Section 6 for information on Lyra’s data retention practices. Generally, your personal data will be stored by us/our service providers only to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the personal data is collected. Afterwards, we will securely destroy or delete your personal data unless we need to retain information, including personal data, to comply with legal or regulatory obligations to which we are subject (which can result from, e.g., the Commercial Code or the Tax Code and usually contain retention periods from 6 to 10 years, or if we need it to preserve evidence within the statutes of limitation, which is usually 3 years but can be up to 30 years).

YOUR RIGHTS

In the EEA, Switzerland and the UK you have the following rights relating to your personal data, subject to the conditions under the GDPR and/or applicable local data protection law:

Right to request access to personal data: You have the right to obtain from us confirmation as to whether your personal data is being processed, and, where that is the case, to request access to that personal data and details about how we process your personal data, including the categories of personal data processed, the purpose of the processing and the recipients or categories of recipients, the existence of automated decision-making, including profiling and you have the right to obtain copies of the personal data. However, this is not an absolute right and the interests of other individuals may restrict your right of access.
Right to rectification: You have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (right to be forgotten): You have the right to ask us to erase your personal data.
Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time, to the processing of your personal data, including profiling, by us. This includes the right to object to our processing of your personal data where we are pursuing our legitimate interests or those of a third party. If we process your personal data based on our legitimate interests or those of a third party, you can object to this processing, and we will cease processing your personal data, unless the processing is based on compelling legitimate grounds or is needed for legal reasons.

Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.

Right to restriction of processing: In limited circumstances, you have the right to request restriction of processing of your personal data, in which case, it would be marked and processed by us only for certain purposes.
Right to data portability: You have the right to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit the personal data to another entity without hindrance from us.
You also have the right to lodge a complaint with a supervisory authority (only for EEA and UK).
In some jurisdictions such as France, if applicable pursuant to local law, you also have the right to provide us with guidelines as to the processing of your personal data after your death.

You can exercise your rights by completing this form.

You may view a list of supervisory authorities in the EEA, UK and Switzerland and their respective contact information here (however, you have the right to lodge a complaint in the Member State of your habitual residence, place of work or an alleged infringement of the GDPR):

Jurisdiction	Data protection authority’s website
EEA	https://edpb.europa.eu/about-edpb/board/members_en
United Kingdom	https://ico.org.uk/global/contact-us/
Switzerland	https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html

15. SUPPLEMENTAL AUSTRALIAN PRIVACY NOTICE

Personal Information collected and held

Lyra Health may hold personal information in a number of formats, including electronic records, and in various types of storage facilities, such as cloud service providers, which may be owned by Lyra Health or third party service providers.

Consequences if personal information is not collected

If you do not provide us with the information we request, we may not be able to fulfill the applicable purpose of collection, such as to make our Services available to you or respond to your queries.

Complaints

If you have any concerns or complaints about how we handle your personal information, or if you have any questions about this Privacy Policy, please contact us as described below.

Where you have a complaint or a request, in most cases we will ask that you put it in writing to us. We will investigate your complaint and will use reasonable endeavors to respond to you in writing within 30 days of receiving the written complaint. If we fail to respond to your complaint within 30 days of receiving it in writing or if you are dissatisfied with the response that you receive from us, you can contact the Office of the Australian Information Commissioner.

16. SUPPLEMENTAL PRIVACY NOTICE FOR CANADA

This Supplemental Privacy Notice for Canada applies to Lyra’s handling of personal information, including personal health information, of individuals in the Canadian provinces of Ontario, British Columbia, and Quebec.

Contact Us. Lyra Health, Inc. is located at 270 E. Lane, Burlingame, California 94010, [email protected]. If you have any questions or complaints relating to the contents of our Privacy Policy, Supplemental Privacy Notice for Canada, or our handling of your personal information or personal health information, you can contact Lyra’s Data Protection Officer at [email protected].

Consent to the Collection, Use, and Disclosure of Personal Information. By using the Services, you are representing to Lyra that you have reached the age of majority in the Canadian province in which you reside, such that you can lawfully enter into agreements with Lyra and provide your informed and express consent with respect to Lyra’s collection, use, and disclosure of your personal information and personal health information. If you have not reached the age of majority in your province of residence, you may not use or access our Services or otherwise share your personal information or personal health information with us, unless your parent or another person lawfully entitled to give or refuse consent in the place of your parent has provided us with express consent on your behalf.

International Data Transfers. By using the Services, you acknowledge that your personal information, including personal health information, will be transferred outside of the Canadian province in which it was collected and outside of Canada, and will be stored on servers in the United States. We take measures to ensure that recipients in other jurisdictions (i) provide an adequate level of protection; (ii) will not use your personal information for purposes other than those described in this Privacy Policy.

Personal Health Information. To access or request a correction of any personal health information collected by Lyra in its provision of the Services, please contact Lyra’s Data Protection Officer at [email protected]. Our Data Protection Officer is also available to describe how you can file a complaint with the applicable regulator regarding our handling of your personal health information.

Accuracy of Personal Information. We will keep your personal information as accurate, complete and up-to-date as necessary for the purposes for which it is to be used pursuant to this Privacy Policy.

ADDITIONAL CONSENT AND PRIVACY REQUIREMENTS IN THE PROVINCE OF QUEBEC

If you reside in the Canadian province of Quebec, please be advised that the following provisions apply to the collection of your personal information.

Personal Information We Get from Others. We collect personal data from your Lyra Benefit Sponsor and, in some cases, from your care Provider.

Service Providers. Where Lyra transfers your personal information to third-party service providers, Lyra shall use safeguards to ensure that such third-party service providers will take necessary security measures with respect to the protection of your personal information that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.

Language. The parties have expressly requested and required that this Privacy Policy and all other related documents be drawn up in the English language. Les parties conviennent et exigent expressément que cette politique ainsi que tous les documents qui s’y rapportent soient rédigés en anglais.