Join Breakthrough 2025—the top mental health conference for HR and benefits leaders!
Register now

Workforce Privacy Notice

Effective Date: September 16, 2024

PURPOSE AND SCOPE

This Privacy Notice (“Notice”) explains how Lyra Health, Inc., Lyra Behavioral Health, Inc., Lyra Health 2, Lyra Health Holdings, LLC, Lyra Clinical Associates P.C., a California professional corporation, Lyra Clinical of MA, P.C., and Lyra Clinical of New Jersey, P.C, and their affiliates and subsidiaries (collectively, “Lyra”) collect and use personal data from employment applicants, prospective employees, employees, interns, contractors, contingent, and other personnel, including Providers (collectively, “Workforce”). For purposes of this Notice, “Providers” means coaches, therapists, or others that provide mental health services on behalf of Lyra.

This Notice also details how to exercise rights that may be available to Workforce regarding their personal data. This policy is available on our internal confluence website, or at https://www.lyrahealth.com/workforce-privacy-notice/

Unless otherwise stated, this Notice applies to Lyra Workforce globally.

PERSONAL DATA WE COLLECT

During application, onboarding, and employment, Lyra may collect personal data from you, including: 

  • Profile/contact information, e.g., name, address, phone number, email address, photograph, and biography information.
  • Qualifications, e.g., employment history, education, professional qualifications, certifications and credentials, salary information, financial information related to credit checks, bank details for payroll, information that may be recorded on a resume/CV or application form, language abilities.
  • Information about third parties you elect, e.g., contact information of third parties in case of an emergency and beneficiaries under any insurance policy. 
  • Sensitive or demographic information, e.g., date of birth, passport number, driver’s license number, Social Security number or other government-issued identification number, details of health and disability, including medical information, vaccine status, health insurance information, mental health, medical leave, and maternity leave; information about national origin or immigration status; and optional demographic information such as race, sexual orientation, LGBTQ+ status, and/or veteran status, which helps us achieve our diversity goals.
  • Information collected via Workforce use of Lyra systems and networks. We may collect information automatically from use of Lyra’s systems or networks, such as your Internet protocol (IP) address, inferred location based on your IP address, device identifiers associated with your computer or mobile device, activity logs, and other information about activities you engage in on Lyra property, equipment, accounts, systems and networks. Lyra may monitor and review Workforce uses of Lyra’s equipment, accounts, information technology systems and networks, including its phone networks, computer networks, including those used to access the Internet, videoconferencing systems and other company-provided electronic communications tools. Lyra may access and review electronic files, messages, and emails sent or stored on its information technology systems, including accounts, computers and devices provided to Workforce. 
  • Lyra for Lyrians. If you choose to use Lyra services, which are offered as a benefit to eligible Workforce, personal data will be collected and used in accordance with Lyra’s Privacy PolicyHIPAA Notice (U.S.), and Lyra for Lyrians Health Plan documents. 
  • Surveys. We may send Providers optional surveys that ask about your experience working with Lyra. Information gathered from Provider surveys may be used in sales and marketing materials, in a non-identifiable format.
  • Information from other sources. We may collect or receive information about you from other sources, including through third-party services and organizations to supplement information provided by you. For example, where permitted by law, we may conduct background or credit checks on Workforce prior to employment with Lyra. 

HOW WE USE WORKFORCE PERSONAL DATA 

We process Workforce personal data for a variety of business purposes including:

  • Recruiting and assessing suitability, aptitude, skills, qualifications, and interests for employment with Lyra;
  • Communicating with candidates about the application process;
  • To assist Workforce in obtaining an immigration visa or work permit (where required or requested);
  • Workflow management, including assigning, managing and administering projects;
  • Human Resources operations, including but not limited to performance management;
  • To administer, bill, and collect for the services provided to our clients;
  • To obtain a holistic view of our workforce so that we can ensure that every Lyrian has the support, benefits, and professional growth opportunities they need;
  • To obtain a holistic view of our workforce so that we can identify any potential gaps in community support, benefits, and professional growth opportunities within Lyrian communities;
  • Compensation, payroll, the provision of benefits, and stock plan administration;
  • To pursue our legitimate interests (for example, fraud prevention, network and information security, disclosure to affiliated organizations for administrative tasks, monitoring overtime, Workforce monitoring for safety or management, improving the safety of our workplace, whistleblowing schemes, enforcement of legal claims, and research purposes);
  • Helpdesk and IT support services;
  • Internal and/or external or governmental compliance investigations;
  • Internal or external audits;
  • Where necessary for the establishment or exercise of legal claims or defenses; 
  • To improve our workplace and Worker satisfaction;
  • Diversity and inclusion initiatives;
  • Emergency contacts and services;
  • Workforce safety;
  • Facilities management;
  • Health Plan administration purposes;
  • To comply with our legal obligations;
  • Acquisitions, divestitures, and integrations; and
  • As you otherwise agree or consent. 

HOW WE DISCLOSE WORKFORCE PERSONAL DATA 

We may share your data as described in this Privacy Notice, in our HIPAA Notice (U.S.), or with your permission.

  • Vendors and Service Providers. We may share personal data we receive with vendors and service providers for Human Resources operations and the provision of IT and related services.
  • Disclosures to Protect Us or Others. We may access, preserve, and disclose your personal data if we believe doing so is required or appropriate to: (i) comply with law enforcement requests and legal processes such as court orders or subpoenas; (ii) protect your, our, or others’ rights, property, or safety; (iii) enforce our policies or contracts; (iv) collect amounts owed to us; or (v) assist with an investigation or prosecution of suspected or actual illegal activity. 
  • Merger, Sale, or Other Asset Transfers. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another entity, your personal data may be transferred as part of such a transaction as permitted by law and/or contract.

INTERNATIONAL DATA TRANSFERS

All data collected via or by Lyra may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States. 

DATA PRIVACY FRAMEWORK

Lyra’s U.S. entities, Lyra Health, Inc. and Lyra Health Holdings, LLC, comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Lyra Health, Inc. and Lyra Health Holdings, LLC have certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF. Lyra Health, Inc. and Lyra Health Holdings, LLC have certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF Principles require that we remain potentially liable if any third party processing personal data on our behalf fails to comply with EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, or Swiss-U.S. DPF Principles (except to the extent we are not responsible for the event giving rise to any alleged damage). Lyra Health, Inc.’s and Lyra Health Holdings, LLC’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Please contact us as described below with any questions or concerns relating to our EU-U.S. DPF Certification, the UK Extension to the EU-U.S. DPF, or Swiss-U.S. DPF. In compliance with the EU-U.S. DPF, the Swiss-U.S. DPF, and the UK Extension to the EU-U.S. DPF, Lyra Health, Inc. and Lyra Health Holdings, LLC commit to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), with regard to unresolved complaints concerning our handling of Personnel data received in reliance on the EU-U.S. DPF, the Swiss-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

YOUR CHOICES AND RIGHTS

In the EU, Switzerland and the UK, you may have the right to:

  • Request access to or a copy of your personal data, including in a portable format;
  • Request that we delete your data from our systems;
  • Object to or restrict processing of your data;
  • Correct inaccurate or outdated personal data in our systems; 

In addition, data subjects have the possibility, under certain conditions, to invoke binding arbitration. Our organization is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that the data subject has invoked binding arbitration by delivering notice to our organization and following the procedures and subject to conditions set forth in Annex I of Principles.

For more information or to exercise these rights, please contact us as set forth below. Note that the rights that are available to you depend on applicable law.

In California, you have the right to:

  • Request specific pieces of personal information we have collected from you;
  • Request the deletion of personal information that we collected from you;
  • Request the amendment of personal information that we collected from you; and
  • Request that we transmit to another entity the personal information that we collected from you.

For more information about these rights, please contact us as set forth below. To exercise these rights, please click here

Additionally, in California, you have the right to limit the use of your sensitive personal information. To exercise this right, please click here. Please note that Lyra does not “sell” or “share” employee personal information as defined by the CPRA.

We may, however, collect Sensitive Personal Information, as defined by the CPRA, from providers including information pertaining to: race, ethnicity, and/or sexual orientation. We collect this information to support user selection of providers based on these characteristics. If providers choose to provide this information, we will retain it as long as they continue to be a Lyra provider and have not withdrawn their consent to the use of such information. If you would like to limit how we use such information, you can use the Limit the Use of My Sensitive Personal Information form

DATA RETENTION

Lyra retains the personal data we receive as described in this Privacy Notice for as long as necessary to fulfill the purpose(s) for which it was collected, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

SECURITY OF YOUR PERSONAL DATA

We take steps to ensure that your personal data is treated securely and in accordance with this Notice. Unfortunately, we cannot ensure or warrant the security of any data you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure.

SUPERVISORY AUTHORITY

You may view a list of supervisory authorities in the EEA, UK and Switzerland and their respective contact information here (however, you have the right to lodge a complaint in the Member State of your habitual residence, place of work or an alleged infringement of the GDPR):

Jurisdiction Data protection authority’s website
EEA https://edpb.europa.eu/about-edpb/board/members_en
United Kingdom https://ico.org.uk/global/contact-us/
Switzerland https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html

CONTACT US

If you have any questions about our privacy practices or this Privacy Notice, please contact us at [email protected]