Navigate the future of global workforce well-being with our 2024 State of Workforce Mental Health report.
Read the report

Workforce Privacy Notice

Effective Date: December 21, 2023

PURPOSE AND SCOPE

This Privacy Notice (“Notice”) explains how Lyra Health, Inc., Lyra Behavioral Health, Inc., Lyra Health 2, Lyra Health Holdings, LLC, Lyra Clinical Associates P.C., a California professional corporation, Lyra Clinical of MA, P.C., and Lyra Clinical of New Jersey, P.C, and their affiliates and subsidiaries (collectively, “Lyra”) collect and use personal data from employment applicants, prospective employees, employees, interns, contractors, contingent, and other personnel, including Providers (collectively, “Workforce”). For purposes of this Notice, “Providers” means coaches, therapists, or others that provide mental health services on behalf of Lyra.

This Notice also details how to exercise rights that may be available to Workforce regarding their personal data.

Unless otherwise stated, this Notice applies to Lyra Workforce globally.

PERSONAL DATA WE COLLECT

During application, onboarding, and employment, Lyra may collect personal data from you, including: 

  • Profile/contact information, e.g., name, address, phone number, email address, photograph, and biography information.
  • Qualifications, e.g., employment history, education, professional qualifications, certifications and credentials, salary information, financial information related to credit checks, bank details for payroll, information that may be recorded on a resume/CV or application form, language abilities.
  • Information about third parties you elect, e.g., contact information of third parties in case of an emergency and beneficiaries under any insurance policy. 
  • Sensitive or demographic information, e.g., date of birth, passport number, driver’s license number, Social Security number or other government-issued identification number, details of health and disability, including medical information, vaccine status, health insurance information, mental health, medical leave, and maternity leave; information about national origin or immigration status; and optional demographic information such as race, sexual orientation, LGBTQ+ status, and/or veteran status, which helps us achieve our diversity goals.
  • Information collected via Workforce use of Lyra systems and networks. We may collect information automatically from use of Lyra’s systems or networks, such as your Internet protocol (IP) address, inferred location based on your IP address, device identifiers associated with your computer or mobile device, activity logs, and other information about activities you engage in on Lyra property, equipment, accounts, systems and networks. Lyra may monitor and review Workforce uses of Lyra’s equipment, accounts, information technology systems and networks, including its phone networks, computer networks, including those used to access the Internet, videoconferencing systems and other company-provided electronic communications tools. Lyra may access and review electronic files, messages, and emails sent or stored on its information technology systems, including accounts, computers and devices provided to Workforce. 
  • Lyra for Lyrians. If you choose to use Lyra services, which are offered as a benefit to eligible Workforce, personal data will be collected and used in accordance with Lyra’s Privacy PolicyHIPAA Notice (U.S.), and Lyra for Lyrians Health Plan documents. 
  • Surveys. We may send Providers optional surveys that ask about your experience working with Lyra. Information gathered from Provider surveys may be used in sales and marketing materials, in a non-identifiable format.
  • Information from other sources. We may collect or receive information about you from other sources, including through third-party services and organizations to supplement information provided by you. For example, where permitted by law, we may conduct background or credit checks on Workforce prior to employment with Lyra. 

HOW WE USE WORKFORCE PERSONAL DATA 

We process Workforce personal data for a variety of business purposes including:

  • Recruiting and assessing suitability, aptitude, skills, qualifications, and interests for employment with Lyra;
  • Communicating with candidates about the application process;
  • To assist Workforce in obtaining an immigration visa or work permit (where required or requested);
  • Workflow management, including assigning, managing and administering projects;
  • Human Resources operations, including but not limited to performance management;
  • To administer, bill, and collect for the services provided to our clients;
  • To obtain a holistic view of our workforce so that we can ensure that every Lyrian has the support, benefits, and professional growth opportunities they need;
  • To obtain a holistic view of our workforce so that we can identify any potential gaps in community support, benefits, and professional growth opportunities within Lyrian communities;
  • Compensation, payroll, the provision of benefits, and stock plan administration;
  • To pursue our legitimate interests (for example, fraud prevention, network and information security, disclosure to affiliated organizations for administrative tasks, monitoring overtime, Workforce monitoring for safety or management, improving the safety of our workplace, whistleblowing schemes, enforcement of legal claims, and research purposes);
  • Helpdesk and IT support services;
  • Internal and/or external or governmental compliance investigations;
  • Internal or external audits;
  • Where necessary for the establishment or exercise of legal claims or defenses; 
  • To improve our workplace and Worker satisfaction;
  • Diversity and inclusion initiatives;
  • Emergency contacts and services;
  • Workforce safety;
  • Facilities management;
  • Health Plan administration purposes;
  • To comply with our legal obligations;
  • Acquisitions, divestitures, and integrations; and
  • As you otherwise agree or consent. 

HOW WE DISCLOSE WORKFORCE PERSONAL DATA 

We may share your data as described in this Privacy Notice, in our HIPAA Notice (U.S.), or with your permission.

  • Vendors and Service Providers. We may share personal data we receive with vendors and service providers for Human Resources operations and the provision of IT and related services.
  • Disclosures to Protect Us or Others. We may access, preserve, and disclose your personal data if we believe doing so is required or appropriate to: (i) comply with law enforcement requests and legal processes such as court orders or subpoenas; (ii) protect your, our, or others’ rights, property, or safety; (iii) enforce our policies or contracts; (iv) collect amounts owed to us; or (v) assist with an investigation or prosecution of suspected or actual illegal activity. 

Merger, Sale, or Other Asset Transfers. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another entity, your personal data may be transferred as part of such a transaction as permitted by law and/or contract.

INTERNATIONAL DATA TRANSFERS

All data collected via or by Lyra may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States. 

DATA PRIVACY FRAMEWORK

Lyra complies with the EU-U.S. Data Privacy Framework, including the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF (collectively, “DPF”), as set forth by the U.S. Department of Commerce. 

Lyra has certified to the U.S. Department of Commerce that it adheres to the DPF with regard to the processing of Personnel personal data received from the European Union, Switzerland, and the United Kingdom in reliance on the DPF including the DPF principles of 1) Notice, 2) Choice, 3) Accountability for Onward Transfer, 4) Security, 5) Data Integrity and Purpose Limitation, 6) Access, and 7) Recourse, Enforcement, and Liability (the “DPF Principles”). 

The DPF Principles require that we remain potentially liable if any third party processing personal data on our behalf fails to comply with the DPF Principles (except to the extent we are not responsible for the event giving rise to any alleged damage). Lyra’s compliance with the DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.  

Please contact us as described below with any questions or concerns relating to our DPF Certification. In compliance with DPF, Lyra commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the Swiss Federal Data Protection and Information Commissioner (FDPIC), and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of Personnel data received in reliance on the DPF in the context of the employment relationship. 

If there is any conflict between the terms in this privacy policy and the DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

YOUR CHOICES AND RIGHTS

In the EU and UK, you may have the right to: 

  • Request access to or a copy of your personal data, including in a portable format;
  • Request that we delete your data from our systems;
  • Object to or restrict processing of your data;
  • Correct inaccurate or outdated personal data in our systems; 

For more information or to exercise these rights, please contact us as set forth below. Note that the rights that are available to you depend on applicable law.

In California, you have the right to:

  • Request specific pieces of personal information we have collected from you;
  • Request the deletion of personal information that we collected from you;
  • Request the amendment of personal information that we collected from you; and
  • Request that we transmit to another entity the personal information that we collected from you.

For more information about these rights, please contact us as set forth below. To exercise these rights, please click here

Additionally, in California, you have the right to limit the use of your sensitive personal information. To exercise this right, please click here. Please note that Lyra does not “sell” or “share” employee personal information as defined by the CPRA.

We may, however, collect Sensitive Personal Information, as defined by the CPRA, from providers including information pertaining to: race, ethnicity, and/or sexual orientation. We collect this information to support user selection of providers based on these characteristics. If providers choose to provide this information, we will retain it as long as they continue to be a Lyra provider and have not withdrawn their consent to the use of such information. If you would like to limit how we use such information, you can use the Limit the Use of My Sensitive Personal Information form

DATA RETENTION

Lyra retains the personal data we receive as described in this Privacy Notice for as long as necessary to fulfill the purpose(s) for which it was collected, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

SECURITY OF YOUR PERSONAL DATA

We take steps to ensure that your personal data is treated securely and in accordance with this Notice. Unfortunately, we cannot ensure or warrant the security of any data you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure.

SUPERVISORY AUTHORITY

If you are located in the EU or the UK, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable law.

CONTACT US

If you have any questions about our privacy practices or this Privacy Notice, please contact us at [email protected]