Workforce Privacy Notice

This Privacy Notice (“Notice”) explains how Lyra (comprising Lyra Health, Inc., Lyra Behavioral Health, Inc., Lyra Health 2, Lyra Health Holdings, LLC, Lyra Clinical Associates P.C., a California professional corporation, Lyra Clinical of MA, P.C., and Lyra Clinical of New Jersey, P.C, and their affiliates and subsidiaries, including those companies outside of the United States set out in the Regional Annex at the end of this Notice, collectively, “Lyra”), collect and use personal data from employment applicants, prospective employees, employees, previous employees, agency staff, directors, interns, contractors, contingent, and other personnel, including Providers (collectively, “Workforce”). For purposes of this Notice, “Providers” means coaches, therapists, or others that provide mental health services on behalf of Lyra.

This Notice also details how to exercise rights that may be available to Workforce regarding their personal data. 

Unless otherwise stated, this Notice applies to Lyra Workforce globally. There may also be specific provisions that apply depending on where you are based, some of which are set out in this Notice, and some may be provided as supplemental notices and/or consent forms.  For more information as to what rights are available to you in relation to your personal data, please contact your local Lyra HR contact or [email protected].

Where a Lyra company processes your personal data it will generally be the controller of that personal data and will process such personal data in accordance with this Notice.

This policy is available on our internal confluence website, or at https://www.lyrahealth.com/workforce-privacy-notice/. 

This Notice should be read together with other applicable Lyra group or local policies, including for Workforce based in the US our HIPAA Notice (U.S.).  For more information contact your local Lyra HR contact or [email protected].

Lyra collects your personal data in the following ways: 

• Directly from you when you:
  • provide information by filling out forms on our website, such as job applications;
  • contact us by email, telephone, and through other written and verbal communication.
• From an employment agency. 
• From references. 
• From pension administrators and other government departments. 
• From providers of staff benefits.
• Information collected via Workforce use of Lyra systems and networks.  
• When you engage with Lyra for Lyrians. 
• When you participate in surveys. 
• From third party sources.

Subject to any applicable legal limitations where you are located, Lyra may collect your personal data during application, onboarding, and employment, and following employment.  

Where permitted by local applicable law, the personal data may include: 

• Profile/contact information, e.g., name, address, phone number, email address, photograph, ID, date of birth, marital status, and biography information.
• Employment information, e.g., employment history, education, professional qualifications, certifications and credentials, salary and bonus information, financial information related to credit checks, bank details for payroll, information that may be recorded on a resume/CV or application form, language abilities, performance review, disciplinary reports/investigations.
• Information about third parties you elect, e.g., contact information of third parties in case of an emergency and beneficiaries under any insurance policy. 
• Sensitive or demographic information, e.g., passport number, driver’s license number, Social Security or National Insurance number or other government-issued identification number, background screening data, details of health and disability, including medical information, vaccine status, health insurance information, mental health, medical leave, and maternity or paternity leave; information about national origin or immigration status; and optional demographic information such as sex assigned at birth, gender identity, pronouns, race, ethnicity, sexual orientation, LGBTQIA+ status, caregiver status, veteran status, for example, such personal data which may be voluntarily provided by Workforce under the Lyra Self-ID program or in connection with employee resource groups.
• Information collected via Workforce use of Lyra systems and networks. We may collect information automatically from use of Lyra’s systems or networks, such as your Internet protocol (IP) address, inferred location based on your IP address, device identifiers associated with your computer or mobile device, activity logs, and other information about activities you engage in on Lyra property, equipment, accounts, systems and networks. Lyra may monitor and review Workforce uses of Lyra’s equipment, accounts, information technology systems and networks, including its phone networks, computer networks, including those used to access the Internet, videoconferencing systems and other company-provided electronic communications tools. Lyra may access and review electronic files, messages, and emails sent or stored on its information technology systems, including accounts, computers and devices provided to Workforce. Lyra for Lyrians. If you choose to use Lyra services, which are offered as a benefit to eligible Workforce, personal data will be collected and used in accordance with Lyra’s Privacy Policy, HIPAA Notice (U.S.), and Lyra for Lyrians Health Plan documents. 
• Surveys. We may send Workforce optional surveys that ask about your experience working with Lyra. Information gathered from Provider surveys may be used in sales and marketing materials, in a non-identifiable format.
• Information from other sources. We may collect or receive information about you from other sources, including through third-party services and organizations to supplement information provided by you. For example, where permitted by law, we may conduct background or credit checks on Workforce prior to employment with Lyra. 

This section sets out the purposes for which Lyra processes your personal data.

In addition to these purposes, you may at times receive other supplementary privacy notices while working with Lyra, and in certain cases be asked to consent to the processing of your personal data.

For Workforce located in the European Union (EU), Switzerland and United Kingdom (UK) only, Lyra is also required to identify an appropriate lawful basis for the processing of personal data, as well as an additional legal ground where we process special categories of personal data (such as health data). The lawful basis is referenced in the table below in the column to the right.

We may share your personal data with third parties for the purposes described in this Notice, in our HIPAA Notice (U.S.) as applicable, or with your permission. Those third parties may include, without limitation, those described out below and are subject to change over time.

We may share personal data we receive with vendors and service providers for Human Resources operations and the provision of IT and related services. We may also share personal data we receive with third parties for purposes of managing Lyra’s relationship with its customers and related parties.

In some cases, those parties may process your personal data for their own purposes, e.g. regulators, and in other cases third parties process data on our behalf or assist us in fulfilling our legal, operational, or contractual obligations. We ensure all third parties are subject to appropriate privacy, security and confidentiality obligations and in respect of any sharing will ensure adequate protection in place to ensure your personal data is kept secure and compliant to the relevant legislation.

Disclosures to protect us or others

We may access, preserve, and disclose your personal data if we believe doing so is required or appropriate to: (i) comply with law enforcement requests and legal processes such as court orders or subpoenas; (ii) protect your, our, or others’ rights, property, or safety; (iii) enforce our policies or contracts; (iv) collect amounts owed to us; or (v) assist with an investigation or prosecution of suspected or actual illegal activity.

All data collected via or by Lyra may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States.

Where Lyra transfers personal data outside of the European Economic Area (EEA) or United Kingdom, including to the United States, and to other jurisdictions that have not been deemed to offer “adequate protection” under applicable legal requirements, Lyra will take appropriate steps to ensure that there is an adequate level of protection for personal data in place, including as set out below.

Lyra’s U.S. entities, Lyra Health, Inc. and Lyra Health Holdings, LLC, comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Lyra Health, Inc. and Lyra Health Holdings, LLC have certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF. Lyra Health, Inc. and Lyra Health Holdings, LLC have certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF Principles require that Lyra US entities remain potentially liable if any third party processing personal data on our behalf fails to comply with EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, or Swiss-U.S. DPF Principles (except to the extent Lyra US entities are not responsible for the event giving rise to any alleged damage). Lyra Health, Inc.’s and Lyra Health Holdings, LLC’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.  

Please contact us as described below with any questions or concerns relating to our EU-U.S. DPF Certification, the UK Extension to the EU-U.S. DPF, or Swiss-U.S. DPF. In compliance with the EU-U.S. DPF, the Swiss-U.S. DPF, and the UK Extension to the EU-U.S. DPF, Lyra Health, Inc. and Lyra Health Holdings, LLC commit to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), with regard to unresolved complaints concerning our handling of Personnel data received in reliance on the EU-U.S. DPF, the Swiss-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

Depending on where you are located, you may have specific rights regarding your personal data. Key local rights are set out below. You can also consult your relevant data protection authority as set out below in the Regional Annex to this Notice. For more information as to what rights are available to you, or to exercise any rights, please contact your local HR contact or [email protected].

Lyra retains the personal data we receive as described in this Notice for as long as necessary to fulfill the purpose(s) for which it was collected, including (without limitation) to pursue legitimate business purposes, resolve disputes, establish legal defenses, conduct audits, enforce our agreements, and comply with applicable laws. These periods are set out in the Lyra retention schedule as updated from time to time.  For more information as to specific retention periods please contact your local HR contact or [email protected].

Lyra is committed to protect your personal data and takes steps to implement appropriate technical and organizational security measures and safeguards to protect your personal data from unauthorized access, loss, misuse, alteration or destruction.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its security. If you have any questions about the security of your personal data, you can contact us as described below.

If you are unhappy about how Lyra has handled your personal data, you can make a complaint to our Chief Privacy Officer and local Data Protection Officers using the email address [email protected]. Depending on where you are located, if you are not satisfied with our response, you may have the right to complain to the applicable data privacy authority shown in the Regional Annex below. 

If you have any questions about our privacy practices or this Notice, please contact us as follows: 

• If you are in the United States: [email protected]. 
• If you are outside of the United States, you can also contact: [email protected] or where applicable the local Privacy email address provided in the Regional Annex below.

Lyra may update this Notice, at any time Lyra deems appropriate. It is important that you check this Notice from time to time to ensure that you have reviewed the most current version. It can be found at: https://www.lyrahealth.com/workforce-privacy-notice/.