The policy states that health data, including physiological measurements and health-related notes and tags, is classified as special-category personal data and is processed only on the basis of user consent; consent may be provided through in-app actions such as adding health tags or notes rather than solely through an explicit consent dialogue.
This analysis describes what Oura's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision establishes that behavioral in-app actions (adding notes or health tags) may constitute consent for processing special-category health data. Compliance teams should evaluate whether this mechanism satisfies GDPR Article 9's requirement for explicit consent and whether users are adequately informed that these actions constitute a consent signal.
Interpretive note: Whether behavioral in-app actions satisfy GDPR Article 9 explicit consent requirements is subject to regulatory interpretation and may vary by EU supervisory authority.
Under this clause, adding health-related notes or tags within the Oura App constitutes consent for Oura to process those entries as sensitive personal data. Users can withdraw consent and request deletion of sensitive data by contacting privacy@ouraring.com.
How other platforms handle this
If you consent to receive calls and SMS text messages from Redfin, that consent is exclusive to Redfin and its partners and affiliates, and is collected solely for the purpose of obtaining your permission to call or text you as part of providing you with the Services or to send you marketing message...
By creating an Affirm account or using the Services, you consent to receive electronically all communications, agreements, documents, notices and disclosures (collectively, 'Communications') that Affirm provides in connection with your Affirm account and use of the Services. Communications include, ...
If you choose to open an Account, Afterpay may send you SMS messages. You agree to receive SMS messages at any time of day to each telephone number provided by you to Afterpay, regardless of whether such telephone number is on a corporate, state or federal do-not-call registry. You certify, represen...
Monitoring
Oura has changed this document before.
"Please note that some of the personal data we process, including any data concerning your health, is considered special or sensitive personal data. Under applicable law, such data is processed only if you have given your consent for processing. In some cases, you can provide your consent to us for processing your data through your actions, such as by adding sensitive personal data into your notes, or by adding health related tags in the Oura App."
Excerpt from the Oura Privacy Policy
1) REGULATORY LANDSCAPE: This provision directly implicates GDPR Article 9 (processing of special categories of personal data) and the explicit consent requirement under Article 9(2)(a). UK GDPR imposes equivalent requirements. The Finnish DPA and relevant EU supervisory authorities have enforcement jurisdiction. US state health data laws, including Washington's My Health My Data Act, may also apply depending on user geography and data type.
2) GOVERNANCE EXPOSURE: Medium. The characterization of in-app behavioral actions (adding tags or notes) as constituting consent for special-category data processing may face scrutiny under GDPR's explicit consent standard, which generally requires a clear affirmative act with full awareness of the processing purpose. The adequacy of this mechanism as explicit consent is a recognized area of regulatory attention for health and wellness app operators.
3) JURISDICTION FLAGS: EU/EEA and UK users are the primary exposure group given Article 9 explicit consent requirements. US users in states with biometric or health data statutes (Illinois, Washington, Texas) may be subject to additional consent requirements depending on the specific data types processed.
4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers deploying Oura for employee wellness programs should assess whether the in-app consent mechanism satisfies their own obligations to employees regarding health data processing, and whether additional consent documentation is required.
5) COMPLIANCE CONSIDERATIONS: Legal teams should review whether the in-app behavioral consent mechanism is documented in Oura's consent records, whether users are presented with clear notice at the point of adding health tags or notes, and whether the withdrawal mechanism is as accessible as the consent mechanism. Data mapping should separately classify special-category data flows from standard biometric measurement data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Oura.