WHOOP collects continuous physiological measurements including heart rate, heart rate variability, respiratory rate, blood oxygen levels, skin temperature, sleep data, and activity data via the wearable device and app, which are used to generate personalized health insights.
This analysis describes what Whoop's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The agreement discloses collection of a range of physiological and biometric-adjacent data categories on a continuous basis; the handling of this data is governed primarily by the Privacy Policy rather than these Terms, and the Terms incorporate the Privacy Policy by reference without reproducing its data sharing or retention provisions here.
Interpretive note: The full text of WHOOP's health data collection and use disclosures is contained in the Privacy Policy rather than these Terms; the operational scope of data sharing and retention cannot be fully assessed from the Terms alone.
The agreement establishes that WHOOP collects heart rate, heart rate variability, respiratory rate, blood oxygen, skin temperature, sleep, and activity data continuously through the device and app. Data practices including sharing, retention, and user rights over this data are governed by the separately maintained Privacy Policy, which is incorporated by reference.
How other platforms handle this
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
With your permission, we may also receive data from your mobile device's health app (like Apple HealthKit or Google Health Connect), including hours of sleep and sleep goals. However, we do not infer any health-related characteristics from this information and only process it consistent with the pur...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Whoop has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"WHOOP collects physiological data including heart rate, heart rate variability, respiratory rate, blood oxygen levels, skin temperature, sleep data, and activity data through the WHOOP device and application. This data is used to provide personalized health and fitness insights and is subject to WHOOP's Privacy Policy.— Excerpt from Whoop's Whoop Terms of Use
1) REGULATORY LANDSCAPE: Collection of physiological data including heart rate variability, blood oxygen, and skin temperature may implicate state biometric privacy statutes including Illinois BIPA and Texas CUBI, depending on whether these measurements are characterized as biometric identifiers under those statutes. CCPA applies to California residents with respect to health and biometric data categories. GDPR applies to EU/EEA users and classifies health data as a special category requiring explicit consent and a lawful basis for processing. WHOOP is not described as a HIPAA-covered entity, but the sensitive nature of the data warrants evaluation of applicable state health data statutes. 2) GOVERNANCE EXPOSURE: High. Continuous collection of physiological data from a large consumer subscriber base creates sustained regulatory exposure under multiple overlapping state and international frameworks, particularly as states continue to enact biometric and health data privacy statutes. 3) JURISDICTION FLAGS: Illinois BIPA creates a private right of action for biometric data collection without informed written consent and a compliant retention and destruction schedule; the applicability of BIPA to sensor-derived physiological metrics from wearable devices is an active area of legal development. Texas, Washington, and other states with biometric privacy statutes create additional jurisdiction-specific exposure. EU users' health data is a special category under GDPR requiring explicit consent. 4) CONTRACT AND VENDOR IMPLICATIONS: Employers deploying WHOOP as a corporate wellness benefit should conduct a data processing impact assessment and confirm through the Privacy Policy whether WHOOP processes employer-sponsored user data as a data processor or independent controller. Data processing agreements may be required for EU deployments. 5) COMPLIANCE CONSIDERATIONS: Legal teams should review the WHOOP Privacy Policy in detail to map data sharing partners, retention periods, and user rights mechanisms for health and physiological data categories. Whether sensor-derived measurements qualify as biometric identifiers under Illinois BIPA or analogous statutes should be assessed with state-specific counsel.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The agreement discloses collection of a range of physiological and biometric-adjacent data categories on a continuous basis; the handling of this data is governed primarily by the Privacy Policy rather than these Terms, and the Terms incorporate the Privacy Policy by reference without reproducing its data sharing or retention provisions here.
The agreement establishes that WHOOP collects heart rate, heart rate variability, respiratory rate, blood oxygen, skin temperature, sleep, and activity data continuously through the device and app. Data practices including sharing, retention, and user rights over this data are governed by the separately maintained Privacy Policy, which is incorporated by reference.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Whoop.