By wearing WHOOP and using the app, you consent to WHOOP continuously collecting sensitive health data about your body including your heart rate, sleep patterns, and physical strain.
This analysis describes what Whoop's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric and physiological health data is among the most sensitive categories of personal information and, once collected, cannot be changed if misused; understanding how WHOOP uses and shares this data is critical for any user.
Interpretive note: The full scope of data use and third-party sharing is deferred to the Privacy Policy, meaning the complete disclosure framework cannot be assessed from the Terms of Use alone.
WHOOP continuously collects biometric health data including heart rate variability, sleep stages, and strain metrics from your body every time you wear the device, and your consent to this collection is a condition of using the service.
How other platforms handle this
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
We may collect information about your location, including precise geolocation information, when you use our Services. We use this information to provide location-based services, such as showing you products available in your area, and for other purposes described in this Privacy Policy.
Monitoring
Whoop has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"WHOOP collects biometric and health data from your use of the WHOOP hardware and Service, including heart rate, heart rate variability, sleep data, activity data, and other physiological metrics. By using the Service, you consent to WHOOP's collection, use, and processing of this data as described in our Privacy Policy.— Excerpt from Whoop's Whoop Terms of Use
REGULATORY LANDSCAPE: Continuous collection of physiological health data engages multiple regulatory frameworks. Under GDPR Article 9, health data and biometric data used for unique identification qualify as special category data requiring explicit legal basis for processing; the document references a separate Privacy Policy for EU users which compliance teams should review alongside these terms. Illinois BIPA regulates collection and storage of biometric identifiers including physiological data, and several other states (Texas, Washington, New York) have enacted or are considering similar biometric privacy legislation. HIPAA is unlikely to apply directly as WHOOP is not a covered entity, but the FTC has taken enforcement action against health data companies under Section 5 of the FTC Act for misuse of sensitive health information. GOVERNANCE EXPOSURE: High. Continuous biometric data collection from a wearable device creates significant governance exposure given the sensitivity of the data, the volume of collection, and the evolving state-level biometric privacy landscape. The document's reference to the Privacy Policy for the full scope of data use means these terms alone do not provide complete disclosure, which could create a fragmented consent record. JURISDICTION FLAGS: Illinois BIPA creates heightened exposure for biometric data collection if WHOOP users in Illinois are subject to its provisions; BIPA's private right of action and statutory damages have been the basis for significant class action litigation. California CCPA and CPRA classify precise geolocation and health data as sensitive personal information subject to opt-out rights. EU and UK GDPR require explicit consent or another valid legal basis for processing special category health data, and data protection impact assessments may be required. CONTRACT AND VENDOR IMPLICATIONS: Data processing agreements with third-party analytics and cloud service providers handling biometric data must satisfy GDPR processor requirements and, where applicable, BIPA contractual obligations. Procurement teams should assess whether third-party vendors receiving this data have adequate security and data minimization controls. COMPLIANCE CONSIDERATIONS: Legal and compliance teams should conduct a data mapping exercise to document every category of biometric and health data collected, the legal basis for processing in each jurisdiction, retention periods, and third-party recipients. The consent mechanism at account creation should be reviewed to ensure it satisfies the explicit consent standard required for special category data under GDPR, and BIPA compliance counsel should assess whether Illinois-specific consents and data destruction policies are in place.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric and physiological health data is among the most sensitive categories of personal information and, once collected, cannot be changed if misused; understanding how WHOOP uses and shares this data is critical for any user.
WHOOP continuously collects biometric health data including heart rate variability, sleep stages, and strain metrics from your body every time you wear the device, and your consent to this collection is a condition of using the service.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Whoop.