9 Total
1 High severity
7 Medium severity
1 Low severity
Summary

Oura's privacy policy governs how the company collects, uses, and shares personal data generated by the Oura Ring, Oura App, and related services, covering physiological measurements (heart rate, body temperature, respiration, movement), sleep and activity scores, location data, and user-provided profile and note data. The most operationally significant provision is the Oura Platform data-sharing mechanism, under which users who consent to share their biometric and health data with an employer, researcher, coach, or other third-party Data Recipient cause that recipient to become an independent data controller responsible for their own subsequent processing of that data, outside Oura's direct obligations. The policy also states that Oura uses cookies and similar technologies for online advertising on behalf of Oura and its partners, and that users can opt out of direct marketing communications and manage cookie preferences through Oura's Cookie Policy.

Technical / Legal Breakdown

This document is Oura Health's privacy policy (dated April 20, 2026), governing the collection, processing, and sharing of personal data by Oura Health Oy and Ouraring Inc. across the Oura Ring hardware, Oura App, Oura on the Web, and associated services; the policy invokes contract, consent, legitimate interest, and legal obligation as its stated lawful bases under GDPR and UK data protection law. The agreement states that Oura collects and processes a broad range of data categories including contact information, user-provided profile data, device identifiers and location data, physiological measurements (heart rate, temperature, respiration, movement), calculated health and sleep metrics, and user-generated notes and tags; the terms authorize use of this data for service delivery, customer service, product improvement, analysis, marketing, third-party integrations, and legal compliance. The policy discloses that when users participate in the Oura Platform feature, once consent is given to share data with a Data Recipient (employer, researcher, coach, or other entity), that Data Recipient becomes an independent data controller, meaning Oura's obligations do not extend to that recipient's subsequent processing; the policy also states that Oura does not sell personal data but authorizes sharing with advertising and analytics partners through cookie-based tracking under a separate Cookie Policy. The policy engages GDPR, UK GDPR, CCPA/CPRA, and state-level US privacy frameworks; EU and California residents are granted explicit rights including access, correction, deletion, portability, objection, and opt-out of data sale or sharing, while the scope of health data protections under HIPAA depends on whether Oura qualifies as a covered entity or business associate in a given context, which the document does not address. Material compliance considerations include the employer/researcher data-controller transfer via Oura Platform, the reliance on legitimate interest for marketing and service improvement involving sensitive health-adjacent data, and the adequacy of consent mechanisms for special-category health data across multiple jurisdictions.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

2 important changes detected

3 versions captured · Last updated: June 2026

June 16, 2026

medium
What changed Oura's June 16, 2026 privacy policy update adds explicit disclosure of AI and machine learning features used in the service, including the Oura Advisor assistant and algorithmic suggestions. The updated policy now specifically describes how personal data is processed to develop and refine AI-powered features, whereas the previous version referenced only general improvement and insight generation. The policy clarifies that users can choose whether to engage with or share data with partner services when AI-driven suggestions are offered.
Why this matters The updated policy explicitly discloses that Oura uses artificial intelligence and machine learning in the service, including an AI assistant called Oura Advisor that provides personalized wellness guidance based on information you submit or that Oura collects. The revised terms state that Oura may use AI and algorithmic analysis to suggest partner services and may use personal data to develop or refine AI-powered health features. The policy establishes that you retain choice about whether to engage with these AI features or share personal data with partner services when suggestions are offered.
View full change record →
What changed Oura updated a single sentence in its privacy policy on May 15, 2026, changing the reference point for account deletion instructions. The updated language now directs users to the 'Oura Member Care Center' instead of the 'Oura Help Center' for instructions on removing account data. This is a procedural clarification that does not alter user rights or deletion mechanisms, only where to find the relevant instructions.
Why this matters The updated policy directs users seeking to delete their Oura account to the 'Oura Member Care Center' rather than the 'Oura Help Center' for step-by-step deletion instructions. The deletion process itself and the email contact method (dataprotection@ouraring.com) remain unchanged. Users can still request deletion via email or follow instructions in the Oura App or Oura On the Web, with the updated instructions now located in a renamed or reorganized help resource.
View full change record →

Recent Provision Changes Jun 16, 2026

Added (3)
User Data Rights and Deletion Request Mechanism Low

This addition provides users with explicit notification of their GDPR and privacy law rights and a direct mechanism to exercise them, replacing the previous version's opposition-to-legal-authority provision.

Data Retention and Deletion Upon Account Closure Medium

This addition clarifies user control over data upon account termination and establishes conditions for data deletion exceptions, improving transparency about data retention practices.

No Sale of Personal Data Medium

This addition directly addresses consumer concerns about data commercialization and provides an explicit commitment that may satisfy privacy law requirements in jurisdictions like California.

Removed (4)
Oura Platform Controller Transfer and Liability Disclaimer

The removal of guidance to review Data Recipient privacy policies and Oura's liability disclaimer reduces transparency about responsibilities when data is transferred to third-party controllers.

Reproductive Health Data Processing

The removal of this reproductive health acknowledgment eliminates explicit recognition of processing highly sensitive health data, which may have reassured users about Oura's understanding of data sensitivity.

Legal Authority Data Request Opposition

The removal of this strong commitment to oppose surveillance requests and notify users eliminates a significant privacy protection pledge that differentiated Oura's stance on government data access.

California Resident Privacy Rights

This provision was replaced by a more generalized 'Advertising and Marketing Data Processing' provision that removes specific mention of California resident protections, reducing targeted privacy regulation compliance clarity.

Modified (5)
Oura Platform Third-Party Data Controller Transfer

Removed language about Data Recipient's own privacy practices, the instruction to review their privacy policy, and the incomplete liability disclaimer statement, making the provision more concise but less informative about user obligations.

Sensitive and Special-Category Health Data Consent

Removed the redundant statement 'We process your sensitive personal data only with your consent' and completed the truncated sentence with 'in the Oura App' instead of the incomplete 'in'.

Location Data Collection and Consent

Provision name changed from 'Location Data Processing and Consent' to 'Location Data Collection and Consent' but the excerpt text remains identical.

Legitimate Interest as Legal Basis for Marketing and Service Improvement

Provision name changed from 'Legitimate Interest Basis for Marketing and Service Improvement' to 'Legitimate Interest as Legal Basis for Marketing and Service Improvement' but the excerpt text remains identical.

Third-Party Integrations Data Processing

Provision name changed from 'Third-Party Integration and Data Sharing' to 'Third-Party Integrations Data Processing' but the excerpt text remains identical.

View full change record →
High — 1 provision
Medium — 7 provisions
Low — 1 provision

Monitoring

Oura has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Cross-Border Data Transfers and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

ePrivacy Directive
European Union
View official text ↗
Archival ProvenanceSource & Archival Record
Last Captured June 16, 2026 01:27 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000738
Version ID CA-V-003895
SHA-256 2b4d61bf3387865a69290822c9f40cf41d660d8dd9ebd711a39c3a0d4af8fd13
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans