What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: The policy engages CCPA/CPRA (enforced by the California Privacy Protection Agency and California AG), GDPR and UK GDPR (enforced by EU supervisory authorities and the UK ICO respectively), and Canada's PIPEDA. The collection of fitness metrics such as heart rate and body weight through connected hardware engages state-level sensitive data frameworks, including the California Consumer Privacy Act's definition of sensitive personal information. While HIPAA does not apply to…

How does Peloton's Peloton Privacy Policy affect users?

The policy establishes that fitness and health data collected through Peloton's connected hardware and application may be shared with advertising and marketing partners for personalized advertising and analytics purposes. Users who wish to restrict such sharing must affirmatively opt out through Peloton's privacy settings or the 'Do Not Sell or Share My Personal Information' mechanism; absent such action, the policy permits such sharing and use.

How often is Peloton's Peloton Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Peloton updates this document?

Yes. Watcher subscribers ($9.99/month) can add Peloton to their watchlist and receive same-day email alerts whenever this document or any other Peloton document changes.

CA-D-000220

Peloton Privacy Policy

Peloton

Last change detected April 19, 2026 Privacy policy

SHA-256: dc94d4de5c0a32807eb… 2 versions captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Peloton ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

2 High severity

5 Medium severity

1 Low severity

Summary

This document establishes Peloton's practices for collecting, using, and sharing personal information from users of its fitness equipment, mobile application, and website. The policy authorizes collection of fitness and health data including heart rate, workout performance metrics, and body weight information, and permits disclosure of personal information to advertising partners and third parties for marketing purposes. California residents are authorized to opt out of the sale or sharing of personal information through account privacy settings or a designated link on the website.

Technical / Legal Breakdown

This document is Peloton's consumer-facing Privacy Policy, governing the collection, use, disclosure, and retention of personal data across its hardware products (Bike, Tread, Row), digital platform, mobile applications, and website, with legal basis rooted in consent, contractual necessity, and legitimate interests depending on jurisdiction. The policy states that Peloton collects a broad range of personal data including identifiers, fitness and health-related metrics (heart rate, workout output, body weight), geolocation data, device and usage data, financial information, and user-generated content, and the terms authorize sharing this data with service providers, business partners, affiliated companies, and third-party advertisers for purposes including marketing and analytics. Notable among the policy's provisions is its collection of health and fitness data that, while not constituting protected health information under HIPAA in this consumer context, nonetheless carries significant sensitivity; the policy also asserts broad behavioral analytics and advertising data sharing practices, including through cookies and tracking technologies, that engage state-level consumer privacy frameworks beyond CCPA. The policy engages CCPA/CPRA for California residents, GDPR and UK GDPR for EU and UK users respectively, and Canada's PIPEDA for Canadian users, with jurisdiction-specific rights sections addressing deletion, portability, correction, and opt-out of sale or sharing of personal information. Material compliance considerations include the sensitivity of fitness and biometric-adjacent data collected through connected hardware, the adequacy of consent mechanisms for behavioral advertising, and the cross-border data transfer arrangements required for Peloton's multi-jurisdiction operations.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

High — 2 provisions

Health and Fitness Data Collection Compare →

Peloton collects detailed workout and body data from your equipment and app, including heart rate, performance statistics, and physical measurements you enter.

Added May 10, 2026 Standard Seen across 251 platforms
Third-Party Advertising Data Sharing Compare →

Peloton may share your personal data including device identifiers and usage behavior with outside advertising companies so they can show you targeted ads.

Added April 3, 2026 Standard Seen across 246 platforms

Medium — 5 provisions

Cookie and Tracking Technology Use Compare →

Peloton and its partners use cookies and similar tracking tools to monitor how you use the website and app, and this data can be used to show you personalized ads.

Added April 27, 2026 Standard Seen across 251 platforms
California Resident Rights (CCPA/CPRA)

California residents have the right to see, delete, correct, and opt out of the sale of their personal information, including the right to limit how sensitive health data is used.

Added May 10, 2026 Rare
GDPR and UK GDPR User Rights Compare →

EU and UK users have broad legal rights over their Peloton data under GDPR, including the right to get a copy of it, correct it, delete it, or object to how it is used.

Added May 10, 2026 Standard Seen across 262 platforms
Data Retention Compare →

Peloton keeps your personal data for as long as it needs to, based on the purpose it was collected for, without specifying fixed retention periods for most data types.

Added May 10, 2026 Standard Seen across 223 platforms
Cross-Border Data Transfers Compare →

Peloton may move your personal data to the United States or other countries, which may have weaker privacy laws than your home country.

Added April 27, 2026 Common Seen across 122 platforms

Low — 1 provision

Children's Privacy Compare →

Peloton's services are not meant for children under 16, and the company says it will delete any data it discovers it has collected from children under that age.

Added May 10, 2026 Standard Seen across 262 platforms

Monitoring

Peloton has updated this document before.

Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

Professional Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Professional free trial

Cross-platform context

See how other platforms handle Children's Data and Age Restrictions and similar clauses.

Compare across platforms →