By wearing WHOOP and using the app, you consent to WHOOP continuously collecting sensitive health data about your body including your heart rate, sleep patterns, and physical strain.
This analysis describes what Whoop's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric and physiological health data is among the most sensitive categories of personal information and, once collected, cannot be changed if misused; understanding how WHOOP uses and shares this data is critical for any user.
Interpretive note: The full scope of data use and third-party sharing is deferred to the Privacy Policy, meaning the complete disclosure framework cannot be assessed from the Terms of Use alone.
WHOOP continuously collects biometric health data including heart rate variability, sleep stages, and strain metrics from your body every time you wear the device, and your consent to this collection is a condition of using the service.
How other platforms handle this
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
With your permission, we may also receive data from your mobile device's health app (like Apple HealthKit or Google Health Connect), including hours of sleep and sleep goals. However, we do not infer any health-related characteristics from this information and only process it consistent with the pur...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Whoop has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"WHOOP collects biometric and health data from your use of the WHOOP hardware and Service, including heart rate, heart rate variability, sleep data, activity data, and other physiological metrics. By using the Service, you consent to WHOOP's collection, use, and processing of this data as described in our Privacy Policy.— Excerpt from Whoop's Whoop Terms of Use
REGULATORY LANDSCAPE: Continuous collection of physiological health data engages multiple regulatory frameworks. Under GDPR Article 9, health data and biometric data used for unique identification qualify as special category data requiring explicit legal basis for processing; the document references a separate Privacy Policy for EU users which compliance teams should review alongside these terms. Illinois BIPA regulates collection and storage of biometric identifiers including physiological data, and several other states (Texas, Washington, New York) have enacted or are considering similar biometric privacy legislation. HIPAA is unlikely to apply directly as WHOOP is not a covered entity, but the FTC has taken enforcement action against health data companies under Section 5 of the FTC Act for misuse of sensitive health information. GOVERNANCE EXPOSURE: High. Continuous biometric data collection from a wearable device creates significant governance exposure given the sensitivity of the data, the volume of collection, and the evolving state-level biometric privacy landscape. The document's reference to the Privacy Policy for the full scope of data use means these terms alone do not provide complete disclosure, which could create a fragmented consent record. JURISDICTION FLAGS: Illinois BIPA creates heightened exposure for biometric data collection if WHOOP users in Illinois are subject to its provisions; BIPA's private right of action and statutory damages have been the basis for significant class action litigation. California CCPA and CPRA classify precise geolocation and health data as sensitive personal information subject to opt-out rights. EU and UK GDPR require explicit consent or another valid legal basis for processing special category health data, and data protection impact assessments may be required. CONTRACT AND VENDOR IMPLICATIONS: Data processing agreements with third-party analytics and cloud service providers handling biometric data must satisfy GDPR processor requirements and, where applicable, BIPA contractual obligations. Procurement teams should assess whether third-party vendors receiving this data have adequate security and data minimization controls. COMPLIANCE CONSIDERATIONS: Legal and compliance teams should conduct a data mapping exercise to document every category of biometric and health data collected, the legal basis for processing in each jurisdiction, retention periods, and third-party recipients. The consent mechanism at account creation should be reviewed to ensure it satisfies the explicit consent standard required for special category data under GDPR, and BIPA compliance counsel should assess whether Illinois-specific consents and data destruction policies are in place.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric and physiological health data is among the most sensitive categories of personal information and, once collected, cannot be changed if misused; understanding how WHOOP uses and shares this data is critical for any user.
WHOOP continuously collects biometric health data including heart rate variability, sleep stages, and strain metrics from your body every time you wear the device, and your consent to this collection is a condition of using the service.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Whoop.