When you share your Oura health data with an employer, coach, doctor, or researcher through the Oura Platform, that party takes full control of your data and Oura no longer bears any responsibility for how they use it or keep it secure.
This analysis describes what Oura's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This clause means that highly sensitive biometric and health data, including heart rate, sleep stages, and reproductive health indicators, can be accessed by third parties such as employers, and Oura explicitly disclaims responsibility for what happens to that data afterward.
The updated policy explicitly discloses that Oura uses artificial intelligence and machine learning in the service, including an AI assistant called Oura Advisor that provides personalized wellness guidance based on information you submit or that Oura collects. The revised terms state that Oura may use AI and algorithmic analysis to suggest partner services and may use personal data to develop or refine AI-powered health features. The policy establishes that you retain choice about whether to engage with these AI features or share personal data with partner services when suggestions are offered.
The removal of guidance to review Data Recipient privacy policies and Oura's liability disclaimer reduces transparency about responsibilities when data is transferred to third-party controllers.
Once you accept an Oura Platform invitation and share your health data, your employer, coach, or researcher operates as an independent data controller and Oura takes no responsibility for that data's security or use, meaning your protections under Oura's policy no longer apply to that copy of your data.
How other platforms handle this
We may disclose certain information, in connection with or during negotiations or closing of any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
We may share your information in connection with, or during negotiations of, any merger, sale of company assets, financing, acquisition, or dissolution, transaction, or proceeding involving all or a portion of our business.
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
Monitoring
Oura has changed this document before.
"Once your data is shared to the Oura Platform, the Data Recipient becomes the controller of your personal data. The Data Recipient is responsible for its use and processing of your personal data in accordance with all applicable data protection and privacy laws. Your personal data may be used by the Data Recipient in accordance with its own privacy practices, so please review the Data Recipient's privacy policy carefully before accepting the invite and opting-in to Oura Platform. Oura is not responsible for the Data Recipient's processing of your data or the security of any personal data that the Data Recipient has extracted from the Oura Platform."
— Excerpt from the Oura Privacy Policy
REGULATORY LANDSCAPE: This provision implicates GDPR Articles 4(7) and 26-28, which govern independent controllers and controller-to-controller relationships. For EEA users, this transfer may require a controller-to-controller data transfer agreement and, where international transfers are involved, appropriate safeguards under GDPR Chapter V. CCPA and CPRA impose independent obligations on organizations that receive and control California consumer health data. Illinois BIPA may apply if biometric identifiers are involved and the Data Recipient operates in Illinois.
GOVERNANCE EXPOSURE: High. The explicit disclaimer of responsibility for Data Recipient processing creates a significant accountability gap, particularly in employer wellness or occupational health contexts where employees may face implicit pressure to share sensitive biometric data. Organizations deploying Oura Platform bear independent controller obligations and should not assume Oura's compliance posture extends to their own processing.
JURISDICTION FLAGS: EU and EEA organizations receiving data via Oura Platform must conduct their own GDPR compliance analysis as independent controllers. California-based employers receiving employee health data via the Platform may face heightened CPRA obligations. Illinois BIPA exposure exists if biometric data is included in the shared data set. Washington My Health My Data Act may apply to Washington state residents.
CONTRACT AND VENDOR IMPLICATIONS: Procurement and HR teams at organizations considering Oura Platform deployment should ensure a direct data processing or controller-to-controller agreement is in place. The policy's disclaimer that Oura is not responsible for Data Recipient security represents a liability shift that may not align with regulatory expectations in the EU or California. Organizations should assess whether their own privacy notices disclose the receipt and use of Oura-sourced biometric data.
COMPLIANCE CONSIDERATIONS: Legal teams should conduct a data protection impact assessment before deploying Oura Platform in any employment or research context. Consent mechanisms should be reviewed to ensure they are genuinely voluntary, particularly in employer-employee relationships where power imbalance may affect consent validity under GDPR. Organizations should update their internal data inventories and privacy notices to reflect the receipt of biometric and health data from Oura.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Oura.