Peloton · Peloton Privacy Policy · View original document ↗

GDPR and UK GDPR User Rights

Medium severity Medium confidence Inferredfromcontext Rare · 1 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Monitor governance changes for Peloton Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

EU and UK users have broad legal rights over their Peloton data under GDPR, including the right to get a copy of it, correct it, delete it, or object to how it is used.

This analysis describes what Peloton's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

GDPR provides some of the strongest data protection rights globally, and EU and UK Peloton users can exercise these rights to control health and fitness data collected through their equipment and app.

Interpretive note: The specific verbatim GDPR rights language was not fully accessible due to HTML truncation; this reflects the substance of Peloton's disclosed EU and UK rights framework based on available document content.

Clause Stability Stable

0
Changes
3
Months Monitored
May 10, 2026
First Seen
May 22, 2026
Last Seen
This clause type exists across 3350 other provisions on other platforms.

Consumer impact (what this means for users)

EU and UK users have enforceable rights under GDPR and UK GDPR to access, correct, delete, and restrict processing of their personal data, including health and fitness metrics collected through Peloton's connected hardware.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Export Your Data
    Email privacy@onepeloton.com to submit a GDPR data subject request for access, deletion, correction, portability, or to object to processing. Include your account email and specify which right you are exercising.

How other platforms handle this

Garmin Medium

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...

Grindr Medium

Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...

Strava Medium

For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.

See all platforms with this clause type →

Monitoring

Peloton has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
If you are located in the European Economic Area or the United Kingdom, you have the right to access personal information we hold about you, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, and the right to object to processing. You may also have the right to lodge a complaint with your local supervisory authority.

— Excerpt from Peloton's Peloton Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision implements GDPR obligations applicable to EU residents (enforced by national data protection authorities and the European Data Protection Board) and UK GDPR obligations for UK residents (enforced by the Information Commissioner's Office). GDPR Article 9 imposes heightened protection for health data, requiring explicit consent as the legal basis for processing, which has direct relevance to Peloton's fitness and health metric collection. Cross-border data transfers from the EU to the US must comply with Chapter V GDPR requirements, including adequacy decisions or Standard Contractual Clauses. GOVERNANCE EXPOSURE: High for EU/UK operations. GDPR enforcement carries fines of up to 4% of global annual turnover for serious violations. The combination of health-adjacent data collection and advertising data sharing creates elevated GDPR risk, particularly regarding the legal basis asserted for processing sensitive personal information and the validity of consent for advertising purposes. JURISDICTION FLAGS: EU member state DPAs and the UK ICO have independent enforcement authority. The lead supervisory authority for Peloton's EU operations should be identified for GDPR purposes. EU-US data transfer arrangements must account for the EU-US Data Privacy Framework or SCCs. UK data transfers to the US are governed by the UK International Data Transfer Agreement or UK Addendum to SCCs. CONTRACT AND VENDOR IMPLICATIONS: Data processing agreements with all processors receiving EU and UK user data must comply with GDPR Article 28 requirements. Sub-processor lists must be maintained and disclosed to users upon request. Any processor receiving health data must operate under explicit consent conditions and be contractually restricted from secondary use. COMPLIANCE CONSIDERATIONS: The legal basis for each processing activity involving EU and UK user health and fitness data should be documented in the Record of Processing Activities. Consent mechanisms for advertising processing should be reviewed against GDPR Article 7 standards. Data subject request fulfillment timelines of one month must be operationally supported. The supervisory authority complaint right disclosure should include the contact details of the relevant DPA.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • State AG
    EU and UK residents should direct complaints to their national data protection authority (e.g., ICO in the UK) rather than a US agency; the State_AG entry here reflects the general consumer protection complaint pathway for non-EU/UK users.
    File a complaint →

Applicable regulations

BIPA
Illinois, USA
CCPA/CPRA
California, USA
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FTC Act Section 5
United States Federal
GDPR
European Union
HIPAA
United States Federal
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
Universal Opt-Out Mechanism Expansion 2026
US

Provision details

Document information
Document
Peloton Privacy Policy
Entity
Peloton
Document last updated
May 5, 2026
Tracking information
First tracked
April 27, 2026
Last verified
May 10, 2026
Record ID
CA-P-009136
Document ID
CA-D-00220
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
e8fc8cb11b93438deea6ca6a3b9483b48da9e48c1c70373df9d2737b0d73f818
Analysis generated
April 27, 2026 14:37 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Peloton
Document: Peloton Privacy Policy
Record ID: CA-P-009136
Captured: 2026-04-27 14:37:01 UTC
SHA-256: e8fc8cb11b93438d…
URL: https://conductatlas.com/platform/peloton/peloton-privacy-policy/gdpr-and-uk-gdpr-user-rights/
Accessed: July 1, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Peloton's GDPR and UK GDPR User Rights clause do?

GDPR provides some of the strongest data protection rights globally, and EU and UK Peloton users can exercise these rights to control health and fitness data collected through their equipment and app.

How does this clause affect you?

EU and UK users have enforceable rights under GDPR and UK GDPR to access, correct, delete, and restrict processing of their personal data, including health and fitness metrics collected through Peloton's connected hardware.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.

Is ConductAtlas affiliated with Peloton?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Peloton.