Peloton · Peloton Privacy Policy · View original document ↗

Health and Fitness Data Collection

High severity Medium confidence Inferredfromcontext Rare · 1 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Monitor governance changes for Peloton Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

Peloton collects detailed workout and body data from your equipment and app, including heart rate, performance statistics, and physical measurements you enter.

This analysis describes what Peloton's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Health and fitness data is among the most sensitive categories of personal information, and its collection through always-connected hardware means Peloton builds a detailed picture of your physical condition and activity over time.

Interpretive note: The exact verbatim policy text was not fully accessible due to HTML truncation; the excerpt above reflects the substance of Peloton's disclosed fitness data collection practices based on available document content.

Clause Stability Stable

0
Changes
3
Months Monitored
May 10, 2026
First Seen
May 22, 2026
Last Seen
This clause type exists across 3350 other provisions on other platforms.

Consumer impact (what this means for users)

Your heart rate, workout output, and body metrics are collected every time you use Peloton equipment or the app, and this data is stored and may be used for purposes beyond delivering your fitness experience, including advertising personalization.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Email Peloton's privacy team at privacy@onepeloton.com to request deletion of your health and fitness data. Specify which data categories you want deleted and include your account email address.

How other platforms handle this

Strava Medium

If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.

Calm Medium

With your permission, we may also receive data from your mobile device's health app (like Apple HealthKit or Google Health Connect), including hours of sleep and sleep goals. However, we do not infer any health-related characteristics from this information and only process it consistent with the pur...

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

See all platforms with this clause type →

Monitoring

Peloton has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
We collect information about your fitness activity and health when you use our Products and Services, including workout history, performance data (such as output, cadence, resistance, and pace), heart rate data, and body metrics such as height and weight that you provide.

— Excerpt from Peloton's Peloton Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Fitness and health metrics including heart rate and body weight collected through consumer hardware are not covered by HIPAA because Peloton does not operate as a covered entity or business associate in the clinical sense. However, California's CPRA classifies health and medical information as sensitive personal information subject to additional use restrictions and a right to limit use. Illinois BIPA may be implicated if biometric identifiers such as heart rate patterns are processed in ways that constitute biometric data under that statute, though applicability is fact-specific. Washington's My Health MY Data Act and similar state-level health data laws may also engage depending on collection and use specifics. GOVERNANCE EXPOSURE: High. The collection of health-adjacent metrics through connected hardware at scale creates significant compliance exposure across multiple state privacy frameworks. The sensitivity of this data category, combined with its use for advertising purposes, heightens regulatory scrutiny risk particularly in California, Illinois, and Washington. JURISDICTION FLAGS: California residents have a CPRA right to limit use and disclosure of sensitive personal information including health data. EU and UK users benefit from GDPR Article 9 protections for health data, which require explicit consent for processing. Illinois users may have BIPA claims depending on the specific biometric processing involved. Washington state's My Health MY Data Act creates additional obligations for health data collected from Washington residents. CONTRACT AND VENDOR IMPLICATIONS: Any vendor or analytics partner receiving health and fitness data from Peloton's platform must be assessed for compliance with applicable health data frameworks. Data processing agreements should specify permissible uses of health metrics and restrict secondary use. Procurement teams should confirm that advertising technology partners are not receiving raw health metrics without adequate consent and contractual controls. COMPLIANCE CONSIDERATIONS: Compliance teams should conduct a data inventory to map which specific fitness metrics qualify as sensitive personal information under CPRA and analogous state laws. Consent mechanisms for health data processing should be reviewed for adequacy under GDPR Article 9 for EU and UK users. A legitimate interest assessment or consent review should confirm the legal basis for using health metrics in advertising personalization workflows.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over unfair or deceptive data practices involving health information collected by consumer technology companies that are not HIPAA-covered entities.
    File a complaint →
  • State AG
    California, Illinois, Washington, and other state attorneys general enforce state health and biometric data laws applicable to fitness data collected through consumer hardware.
    File a complaint →

Applicable regulations

BIPA
Illinois, USA
CCPA/CPRA
California, USA
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FTC Act Section 5
United States Federal
GDPR
European Union
HIPAA
United States Federal
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
Universal Opt-Out Mechanism Expansion 2026
US

Provision details

Document information
Document
Peloton Privacy Policy
Entity
Peloton
Document last updated
May 5, 2026
Tracking information
First tracked
April 27, 2026
Last verified
May 10, 2026
Record ID
CA-P-009134
Document ID
CA-D-00220
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
e8fc8cb11b93438deea6ca6a3b9483b48da9e48c1c70373df9d2737b0d73f818
Analysis generated
April 27, 2026 14:37 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Peloton
Document: Peloton Privacy Policy
Record ID: CA-P-009134
Captured: 2026-04-27 14:37:01 UTC
SHA-256: e8fc8cb11b93438d…
URL: https://conductatlas.com/platform/peloton/peloton-privacy-policy/health-and-fitness-data-collection/
Accessed: July 1, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
High
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Peloton's Health and Fitness Data Collection clause do?

Health and fitness data is among the most sensitive categories of personal information, and its collection through always-connected hardware means Peloton builds a detailed picture of your physical condition and activity over time.

How does this clause affect you?

Your heart rate, workout output, and body metrics are collected every time you use Peloton equipment or the app, and this data is stored and may be used for purposes beyond delivering your fitness experience, including advertising personalization.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.

Is ConductAtlas affiliated with Peloton?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Peloton.