Oura · Oura Privacy Policy

Sensitive Health Data Consent Requirement

Medium severity · Medium confidence · Explicit document language · Unique · 0 of 343 platforms

What it is

Oura says it will only process your sensitive health data, such as reproductive health signals or medical tags, if you have given consent, and it treats certain in-app actions like adding health tags as a form of consent.

This analysis describes what Oura's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The policy treats behavioral actions within the app, such as adding a health-related tag, as a form of consent to sensitive data processing, which may not constitute the explicit, informed consent required under GDPR Article 9 for special category health data depending on how these actions are presented to users.

Interpretive note: Whether behavioral in-app actions satisfy GDPR Article 9 explicit consent requirements for special category health data depends on regulatory interpretation and how prominently consent disclosures are presented at the point of the triggering action.

Recent Activity

This document changed recently

Medium Jun 16, 2026

The updated policy explicitly discloses that Oura uses artificial intelligence and machine learning in the service, including an AI assistant called Oura Advisor that provides personalized wellness guidance based on information you submit or that Oura collects. The revised terms state that Oura may use AI and algorithmic analysis to suggest partner services and may use personal data to develop or refine AI-powered health features. The policy establishes that you retain choice about whether to engage with these AI features or share personal data with partner services when suggestions are offered.


Consumer impact (what this means for users)

Logging health information or adding tags in the Oura App may be treated as consent to processing sensitive health data, so users should be aware that routine app interactions could have consent implications for their most personal health information.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Contact privacy@ouraring.com to withdraw consent for sensitive data processing and request deletion of sensitive health data previously collected.

How other platforms handle this

Apple Medium

Customers should know what they're getting when they download or buy your app, so make sure all your app metadata, including privacy information, your app description, screenshots, and previews accurately reflect the app's core experience and remember to keep them up-to-date with new versions.

Redfin Medium

If you consent to receive calls and SMS text messages from Redfin, that consent is exclusive to Redfin and its partners and affiliates, and is collected solely for the purpose of obtaining your permission to call or text you as part of providing you with the Services or to send you marketing message...

Affirm Medium

By creating an Affirm account or using the Services, you consent to receive electronically all communications, agreements, documents, notices and disclosures (collectively, 'Communications') that Affirm provides in connection with your Affirm account and use of the Services. Communications include, ...


Monitoring

Oura has changed this document before.

Original Clause Language

"Please note that some of the personal data we process, including any data concerning your health, is considered special or sensitive personal data. Under applicable law, such data is processed only if you have given your consent for processing. We process your sensitive personal data only with your consent. In some cases, you can provide your consent to us for processing your data through your actions, such as by adding sensitive personal data into your notes, or by adding health related tags in the Oura App."

— Excerpt from Oura's Oura Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision directly implicates GDPR Article 9, which requires explicit consent for processing special categories of data including health data. The EDPB has issued guidance indicating that implicit behavioral consent may not satisfy the explicit consent standard for special category data. UK GDPR imposes equivalent requirements. CCPA and CPRA treat precise geolocation, health data, and biometric data as sensitive personal information requiring opt-in consent. The FTC has emphasized that health data collection requires clear and prominent disclosure.

GOVERNANCE EXPOSURE: Medium to High. The assertion that in-app behavioral actions such as adding tags constitute consent to sensitive data processing creates interpretive risk under GDPR Article 9's explicit consent standard. If this mechanism does not satisfy explicit consent requirements, Oura's processing of health data on this basis may be unlawful in the EEA and UK regardless of what the policy asserts.

JURISDICTION FLAGS: EEA and UK regulators apply strict standards for explicit consent to health data. California's CPRA requires opt-in consent for sensitive personal information. Illinois BIPA requires written consent for biometric data collection. The adequacy of behavioral in-app consent as a mechanism for special category data will depend on how regulators assess the clarity and prominence of disclosure at the point of the triggering action.

CONTRACT AND VENDOR IMPLICATIONS: Organizations that process data received from Oura must verify that the underlying consent obtained by Oura is sufficient to support their own processing purposes. A controller-to-controller transfer based on potentially insufficient consent could expose the Data Recipient to independent regulatory risk.

COMPLIANCE CONSIDERATIONS: Oura's consent mechanisms for sensitive data should be audited to confirm they meet GDPR Article 9 explicit consent standards, including that users are clearly informed of the processing purpose before the triggering action occurs. Legal teams should assess whether the behavioral consent model creates a gap between what the policy asserts and what applicable law requires.


Applicable agencies

  • FTC
    The FTC has authority over deceptive consent practices involving health data under FTC Act Section 5 and has published guidance on health data privacy.

Applicable regulations

  • BIPA
    Illinois, USA
  • CCPA/CPRA
    California, USA
  • Connecticut Data Privacy Act Amendments
    US-CT
  • ePrivacy Directive
    European Union
  • FTC Act Section 5
    United States Federal
  • GDPR
    European Union
  • HIPAA
    United States Federal
  • Indiana Consumer Data Protection Act
    US-IN
  • Kentucky Consumer Data Protection Act
    US-KY
  • Universal Opt-Out Mechanism Expansion 2026
    US

Provision details

Document information
Document: Oura Privacy Policy
Entity: Oura
Document last updated: May 5, 2026

Tracking information
First tracked: May 7, 2026
Last verified: May 9, 2026
Record ID: CA-P-004911
Document ID: CA-D-00738

Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256): 4901bfbb9d660b7281e0a348299edbb6561026ef9c321aae8140ea2ace2fc291
Analysis generated: May 7, 2026 14:11 UTC
Methodology
Evidence: ✓ Snapshot stored   ✓ Hash verified

Citation Record
Entity: Oura
Document: Oura Privacy Policy
Record ID: CA-P-004911
Captured: 2026-05-07 14:11:23 UTC
SHA-256: 4901bfbb9d660b72…
URL: https://conductatlas.com/platform/oura/oura-privacy-policy/sensitive-health-data-consent-requirement/
Accessed: June 27, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification
Severity: Medium
Categories


Frequently Asked Questions

Is ConductAtlas affiliated with Oura?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Oura.