This is Peloton's privacy policy explaining what personal information the company collects when you use its bikes, treadmills, and apps, and how that information is used and shared. The most important thing to know is that Peloton collects sensitive fitness data including heart rate, cadence, and workout output — and may share this data with third-party advertising and analytics companies. You can request deletion of your personal data or opt out of certain data sharing by visiting Peloton's privacy settings or contacting their privacy team at privacy@onepeloton.com.
This document is Peloton's global Privacy Policy governing the collection, use, and disclosure of personal data from users of its connected fitness hardware, software applications, and digital content platform. It relies on consent and legitimate interest as legal bases, a framework that varies by jurisdiction. The policy creates obligations for Peloton to provide data access, deletion, and correction rights to users, while simultaneously authorizing broad data collection including workout metrics, heart rate data, location, device identifiers, payment information, and behavioral analytics across the Peloton ecosystem. Notably, the policy permits sharing of personal data (including health-adjacent fitness data such as heart rate, cadence, and output) with third-party advertising partners and analytics vendors, which deviates from the heightened protection typically expected for biometric and health-proximate data. The policy engages GDPR (EU/UK), CCPA/CPRA (California), and potentially HIPAA-adjacent considerations given the nature of physiological data collected, though Peloton explicitly does not characterize itself as a HIPAA-covered entity. Material compliance considerations include the adequacy of consent mechanisms for cross-border data transfers, the sufficiency of opt-out controls for data sharing with advertising partners, and the treatment of sensitive fitness metrics under evolving US state privacy laws.