Oura says it will only process your sensitive health data, such as reproductive health signals or medical tags, if you have given consent, and it treats certain in-app actions like adding health tags as a form of consent.
This analysis describes what Oura's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The policy treats behavioral actions within the app, such as adding a health-related tag, as a form of consent to sensitive data processing, which may not constitute the explicit, informed consent required under GDPR Article 9 for special category health data depending on how these actions are presented to users.
Interpretive note: Whether behavioral in-app actions satisfy GDPR Article 9 explicit consent requirements for special category health data depends on regulatory interpretation and how prominently consent disclosures are presented at the point of the triggering action.
Logging health information or adding tags in the Oura App may be treated as consent to processing sensitive health data, so users should be aware that routine app interactions could have consent implications for their most personal health information.
How other platforms handle this
By accessing CL or providing us data, you agree we may use and disclose data we collect as described here or as communicated to you, transmit it outside your resident jurisdiction, and store it on servers in the United States.
Transfer Of Data. We and our affiliates primarily store your Personal Information on servers located and operated within the United States to provide and operate the Platform. By accepting the terms of this Privacy Policy, you acknowledge the transfer to and processing of your Personal Information o...
You must be at least 13 years old (or the minimum legal age required to provide consent for processing of personal data in the country where the child is located). If you are under the age of 18, you must have obtained the consent of your parents or guardian or supervision of a responsible adult to ...
Monitoring
Oura has changed this document before.
"Please note that some of the personal data we process, including any data concerning your health, is considered special or sensitive personal data. Under applicable law, such data is processed only if you have given your consent for processing. We process your sensitive personal data only with your consent. In some cases, you can provide your consent to us for processing your data through your actions, such as by adding sensitive personal data into your notes, or by adding health related tags in the Oura App."
Excerpt from the Oura Privacy Policy
REGULATORY LANDSCAPE: This provision directly implicates GDPR Article 9, which requires explicit consent for processing special categories of data including health data. The EDPB has issued guidance indicating that implicit behavioral consent may not satisfy the explicit consent standard for special category data. UK GDPR imposes equivalent requirements. CCPA and CPRA treat precise geolocation, health data, and biometric data as sensitive personal information requiring opt-in consent. The FTC has emphasized that health data collection requires clear and prominent disclosure.
GOVERNANCE EXPOSURE: Medium to High. The assertion that in-app behavioral actions such as adding tags constitute consent to sensitive data processing creates interpretive risk under GDPR Article 9's explicit consent standard. If this mechanism does not satisfy explicit consent requirements, Oura's processing of health data on this basis may be unlawful in the EEA and UK regardless of what the policy asserts.
JURISDICTION FLAGS: EEA and UK regulators apply strict standards for explicit consent to health data. California's CPRA requires opt-in consent for sensitive personal information. Illinois BIPA requires written consent for biometric data collection. The adequacy of behavioral in-app consent as a mechanism for special category data will depend on how regulators assess the clarity and prominence of disclosure at the point of the triggering action.
CONTRACT AND VENDOR IMPLICATIONS: Organizations that process data received from Oura must verify that the underlying consent obtained by Oura is sufficient to support their own processing purposes. A controller-to-controller transfer based on potentially insufficient consent could expose the Data Recipient to independent regulatory risk.
COMPLIANCE CONSIDERATIONS: Oura's consent mechanisms for sensitive data should be audited to confirm they meet GDPR Article 9 explicit consent standards, including that users are clearly informed of the processing purpose before the triggering action occurs. Legal teams should assess whether the behavioral consent model creates a gap between what the policy asserts and what applicable law requires.
ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Oura.