What are the institutional and regulatory implications of this document?

1) REGULATORY LANDSCAPE: This policy engages GDPR and UK GDPR (lawful basis requirements for special-category health data under Article 9, data subject rights under Articles 15-22), CCPA/CPRA (California residents' rights to know, delete, correct, and opt out of sale or sharing of personal information), and potentially state-level biometric and health data laws such as Washington's My Health MY Data Act and Illinois BIPA, depending on the nature of data collected and user geography. The FTC Act…

How does Oura's Oura Privacy Policy affect users?

The agreement establishes that Oura collects physiological measurements, sleep scores, activity data, location data, and user-provided notes, and processes this data for service delivery, improvement, marketing, and third-party integrations. Under the Oura Platform terms, once a user consents to share their biometric data with a Data Recipient such as an employer or researcher, that recipient becomes an independent data controller and Oura's direct privacy obligations do not govern that recipie…

How often is Oura's Oura Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Oura updates this document?

Yes. Monitor subscribers ($19/month) can add Oura to their watchlist and receive same-day email alerts whenever this document or any other Oura document changes.

CA-D-000738

Oura Privacy Policy

Oura

Last change detected June 16, 2026 Privacy policy

SHA-256: 2b4d61bf3387865a692… 3 versions captured 2 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Oura ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

9 Total

1 High severity

7 Medium severity

1 Low severity

Summary

Oura's privacy policy governs how the company collects, uses, and shares personal data generated by the Oura Ring, Oura App, and related services, covering physiological measurements (heart rate, body temperature, respiration, movement), sleep and activity scores, location data, and user-provided profile and note data. The most operationally significant provision is the Oura Platform data-sharing mechanism, under which users who consent to share their biometric and health data with an employer, researcher, coach, or other third-party Data Recipient cause that recipient to become an independent data controller responsible for their own subsequent processing of that data, outside Oura's direct obligations. The policy also states that Oura uses cookies and similar technologies for online advertising on behalf of Oura and its partners, and that users can opt out of direct marketing communications and manage cookie preferences through Oura's Cookie Policy.

Technical / Legal Breakdown

This document is Oura Health's privacy policy (dated April 20, 2026), governing the collection, processing, and sharing of personal data by Oura Health Oy and Ouraring Inc. across the Oura Ring hardware, Oura App, Oura on the Web, and associated services; the policy invokes contract, consent, legitimate interest, and legal obligation as its stated lawful bases under GDPR and UK data protection law. The agreement states that Oura collects and processes a broad range of data categories including contact information, user-provided profile data, device identifiers and location data, physiological measurements (heart rate, temperature, respiration, movement), calculated health and sleep metrics, and user-generated notes and tags; the terms authorize use of this data for service delivery, customer service, product improvement, analysis, marketing, third-party integrations, and legal compliance. The policy discloses that when users participate in the Oura Platform feature, once consent is given to share data with a Data Recipient (employer, researcher, coach, or other entity), that Data Recipient becomes an independent data controller, meaning Oura's obligations do not extend to that recipient's subsequent processing; the policy also states that Oura does not sell personal data but authorizes sharing with advertising and analytics partners through cookie-based tracking under a separate Cookie Policy. The policy engages GDPR, UK GDPR, CCPA/CPRA, and state-level US privacy frameworks; EU and California residents are granted explicit rights including access, correction, deletion, portability, objection, and opt-out of data sale or sharing, while the scope of health data protections under HIPAA depends on whether Oura qualifies as a covered entity or business associate in a given context, which the document does not address. Material compliance considerations include the employer/researcher data-controller transfer via Oura Platform, the reliance on legitimate interest for marketing and service improvement involving sensitive health-adjacent data, and the adequacy of consent mechanisms for special-category health data across multiple jurisdictions.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

2 important changes detected

3 versions captured · Last updated: June 2026

June 16, 2026

medium

What changed Oura's June 16, 2026 privacy policy update adds explicit disclosure of AI and machine learning features used in the service, including the Oura Advisor assistant and algorithmic suggestions. The updated policy now specifically describes how personal data is processed to develop and refine AI-powered features, whereas the previous version referenced only general improvement and insight generation. The policy clarifies that users can choose whether to engage with or share data with partner services when AI-driven suggestions are offered.

Why this matters The updated policy explicitly discloses that Oura uses artificial intelligence and machine learning in the service, including an AI assistant called Oura Advisor that provides personalized wellness guidance based on information you submit or that Oura collects. The revised terms state that Oura may use AI and algorithmic analysis to suggest partner services and may use personal data to develop or refine AI-powered health features. The policy establishes that you retain choice about whether to engage with these AI features or share personal data with partner services when suggestions are offered.

View full change record →

May 15, 2026

low

What changed Oura updated a single sentence in its privacy policy on May 15, 2026, changing the reference point for account deletion instructions. The updated language now directs users to the 'Oura Member Care Center' instead of the 'Oura Help Center' for instructions on removing account data. This is a procedural clarification that does not alter user rights or deletion mechanisms, only where to find the relevant instructions.

Why this matters The updated policy directs users seeking to delete their Oura account to the 'Oura Member Care Center' rather than the 'Oura Help Center' for step-by-step deletion instructions. The deletion process itself and the email contact method (dataprotection@ouraring.com) remain unchanged. Users can still request deletion via email or follow instructions in the Oura App or Oura On the Web, with the updated instructions now located in a renamed or reorganized help resource.

View full change record →

Recent Provision Changes Jun 16, 2026

Added (3)

User Data Rights and Deletion Request Mechanism Low

This addition provides users with explicit notification of their GDPR and privacy law rights and a direct mechanism to exercise them, replacing the previous version's opposition-to-legal-authority provision.

Data Retention and Deletion Upon Account Closure Medium

This addition clarifies user control over data upon account termination and establishes conditions for data deletion exceptions, improving transparency about data retention practices.

No Sale of Personal Data Medium

This addition directly addresses consumer concerns about data commercialization and provides an explicit commitment that may satisfy privacy law requirements in jurisdictions like California.

Removed (4)

Oura Platform Controller Transfer and Liability Disclaimer

The removal of guidance to review Data Recipient privacy policies and Oura's liability disclaimer reduces transparency about responsibilities when data is transferred to third-party controllers.

Reproductive Health Data Processing

The removal of this reproductive health acknowledgment eliminates explicit recognition of processing highly sensitive health data, which may have reassured users about Oura's understanding of data sensitivity.

Legal Authority Data Request Opposition

The removal of this strong commitment to oppose surveillance requests and notify users eliminates a significant privacy protection pledge that differentiated Oura's stance on government data access.

California Resident Privacy Rights

This provision was replaced by a more generalized 'Advertising and Marketing Data Processing' provision that removes specific mention of California resident protections, reducing targeted privacy regulation compliance clarity.

Modified (5)

Oura Platform Third-Party Data Controller Transfer

Removed language about Data Recipient's own privacy practices, the instruction to review their privacy policy, and the incomplete liability disclaimer statement, making the provision more concise but less informative about user obligations.

Sensitive and Special-Category Health Data Consent

Removed the redundant statement 'We process your sensitive personal data only with your consent' and completed the truncated sentence with 'in the Oura App' instead of the incomplete 'in'.

Location Data Collection and Consent

Provision name changed from 'Location Data Processing and Consent' to 'Location Data Collection and Consent' but the excerpt text remains identical.

Legitimate Interest as Legal Basis for Marketing and Service Improvement

Provision name changed from 'Legitimate Interest Basis for Marketing and Service Improvement' to 'Legitimate Interest as Legal Basis for Marketing and Service Improvement' but the excerpt text remains identical.

Third-Party Integrations Data Processing

Provision name changed from 'Third-Party Integration and Data Sharing' to 'Third-Party Integrations Data Processing' but the excerpt text remains identical.

View full change record →

High — 1 provision

Oura Platform Third-Party Data Controller Transfer Compare →

When a user consents to share their Oura health and biometric data with a Data Recipient (employer, researcher, coach, doctor, or other entity) via the Oura Platform, that recipient becomes an independent data controller, and Oura's direct privacy obligations do not govern the recipient's subsequent processing of that data.

Added May 7, 2026 Standard Seen across 284 platforms

Medium — 7 provisions

Sensitive and Special-Category Health Data Consent Compare →

The policy states that health data, including physiological measurements and health-related notes and tags, is classified as special-category personal data and is processed only on the basis of user consent; consent may be provided through in-app actions such as adding health tags or notes rather than solely through an explicit consent dialogue.

Added May 21, 2026 Standard Seen across 262 platforms
Advertising and Marketing Data Processing Compare →

The policy states that Oura processes personal data for online advertising on behalf of Oura and its partners, using cookies and similar technologies to create advertising audiences, and authorizes direct marketing communications with an opt-out option.

Added May 21, 2026 Standard Seen across 284 platforms
Location Data Collection and Consent Compare →

The policy states that Oura may collect approximate or precise device location via GPS, Wi-Fi, or network ID for location-based features, only with user consent, and that users may withdraw consent at any time through device settings, with the consequence that certain features may no longer be accessible.

Added May 21, 2026 Standard Seen across 284 platforms
Legitimate Interest as Legal Basis for Marketing and Service Improvement Compare →

The policy states that Oura relies on legitimate interest as the lawful basis for processing personal data for marketing, customer service, and service improvement purposes, asserting that a balancing test has been conducted against user privacy rights.

Added May 21, 2026 Standard Seen across 284 platforms
Third-Party Integrations Data Processing Compare →

The policy states that Oura enables integrations with third-party services including Google Health Connect and Apple HealthKit on a consent basis, and processes data received from these integrations according to the third parties' applicable terms, including the Google Health Connect Permissions policy and Google Limited Use requirements.

Added May 21, 2026 Standard Seen across 284 platforms
Data Retention and Deletion Upon Account Closure Compare →

The policy states that users may request account closure and personal data deletion, and that Oura will delete or anonymize data unless a legal basis for retention exists, including legal obligations or protection of Oura's legal interests.

Added May 21, 2026 Standard Seen across 284 platforms
No Sale of Personal Data Compare →

The policy states that Oura does not sell personal data, which under CCPA/CPRA includes the exchange of personal information for monetary or other valuable consideration.

Added May 21, 2026 Standard Seen across 284 platforms

Low — 1 provision

User Data Rights and Deletion Request Mechanism Compare →

The policy states that users have rights to access, rectify, erase, and port their personal data, and to object to or restrict processing, exercisable by emailing privacy@ouraring.com.

Added May 21, 2026 Standard Seen across 284 platforms

Monitoring

Oura has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Cross-Border Data Transfers and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

ePrivacy Directive

European Union

View official text ↗

Archival ProvenanceSource & Archival Record

Last Captured June 16, 2026 01:27 UTC

Capture Method Automated scheduled archival capture

Document ID CA-D-000738

Version ID CA-V-003895

Source URL https://ouraring.com/privacy-policy

Wayback Machine View external archival references →

SHA-256 2b4d61bf3387865a69290822c9f40cf41d660d8dd9ebd711a39c3a0d4af8fd13

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Oura Privacy Policy

June 16, 2026

May 15, 2026

Recent Provision Changes Jun 16, 2026

Mapped Governance Frameworks

Monitor governance changes across the platforms you rely on.