Oura Ring’s Legal Terms: The Hidden Fine Print

Whether you’re buying one, gifting one, or recommending one to clients, there are a few quiet terms worth understanding first.

Oura made headlines earlier this year when TikTok exploded with claims that Oura was selling user info to the Department of Defense. (Spoiler alert: it’s not. A great reminder that not everything on the Tok is true!)

But…

The headlines made my inner investigator start bubbling up like champagne, because I can tick off a list of several people I know that wear an Oura ring. And I can’t resist an opportunity to uncover some hidden fine print.

So let’s look at Oura’s terms and privacy policy for a quick lesson on how modern wellness tech actually works, especially when personal health data is involved.

I’m Maria Spear Ollis, aka The Lunar Lawyer, and I’m going to shine some light on Oura Ring’s terms and conditions and legal policies.

Oura doesn’t sell your info, but your health data can legally leave Oura’s control. (And here’s what happens when it does.)

The Oura x Department of Defense Rumor

Let’s address the obvious first: Oura isn’t selling your data to the DoD. (At least, according to its documents.)
And I quote:

Oura does not sell or rent your personal information, and only shares your personal data with certain trusted service providers and partners so that we can provide and improve our services, to provide partner services and other offerings, and to operate our business.

Per the Privacy Policy, they can use personal data to:

• Provide services

• Improve products

• Perform analysis

• Develop features

These are all “commercial uses” because the end goal is commercial (improving their product). But, and I emphasize: They say they do not sell personal data. They do use:

• Aggregated data

• Website usage data for marketing

• Service improvement analytics

So your data isn’t sold and remains your property, but they do have pretty broad leeway to use it, analyze it, and learn from it to improve their offerings.

When data leaves Oura’s control

One interesting feature Oura offers is your ability to opt into Oura Platform. This allows you to share your Oura data with your provider, coach, or employer.

Once that access is activated, the recipient becomes the data controller, not Oura.

This means:

• Oura is no longer responsible for how that data is used, the provider/coach/employer is; and

• The provider/coach/employer’s own data or privacy policy now governs your sleep, HRV, temp, activity, etc.

But I can always withdraw my consent, right?

Yes, you can. But like with many apps, withdrawing consent does not undo what the provider/coach/employer already downloaded or had access to.

If You’re A Coach/Provider

Think through what happens to user data after you’re finished working with a particular client. Do you want to hold onto it? What happens to it after one, or three, or six months? These are things that should ideally be communicated to your clients so they don’t come back to you asking for their data a month after you’ve deleted or destroyed it.

If You’re An Oura User

Oura tracks a ton of stuff, way beyond step count (IP address, heart rate, even ovulation-related data), and their transfer policy allows your coach or provider access to all of it.

Once your data is shared to the Oura Platform, the Data Recipient becomes the controller of your personal data. The Data Recipient is responsible for its use and processing of your personal data in accordance with all applicable data protection and privacy laws. Your personal data may be used by the Data Recipient in accordance with its own privacy practices, so please review the Data Recipient's privacy policy carefully before accepting the invite and opting-in to Oura Platform. Oura is not responsible for the Data Recipient’s processing of your data or the security of any personal data that the Data Recipient has extracted from the Oura Platform.

In other words: familiarize yourself with a coach or provider’s own policies when it comes to retaining your data, and know that you might have to request that they delete all or any of your Oura Ring data after you’ve concluded your relationship. Because remember, just because you stop sharing doesn’t mean they stop using what they already pulled.

Damaged? Your Recourse is Limited.

Oh snap. It’s the LIMITATION OF LIABILITY clause. Otherwise known as the C.Y.A. clause.

Limitation of Liability clauses aren’t bad per se. You might have one in your own contract. It does what it says… limits liability or responsibility for things that could possibly go wrong or cause damage.

Well, Oura takes the concept of limiting liability and escalates it by 100, you might say.

And I quote:

IN NO EVENT SHALL ŌURA BE LIABLE FOR ANY CLAIM, WHETHER IN CONTRACT, TORT, OR UNDER ANY OTHER THEORY OF LIABILITY, IN EXCESS OF $100.

Translation: something goes wrong… someone (even Oura) breaches this contract… the most you’ll get from Oura is $100. That is, unless you’re in a state that limits this somehow.

Your Data Is Your Data

It would be pretty bold of Oura to claim that your data wasn’t yours anymore simply by using its product. But all of this serves as a good reminder that access to your data is just as important as ownership.

Conclusion

If you’re a provider or coach that’s encouraging your clients to use an Oura Ring, it’s important to understand what you’re asking them to sign up for. And, start thinking through a client offboarding process so that you’re not accidentally storing sensitive data longer than you need to. Finally, let your clients know how you’re using their data! A solid coaching agreement is a must.
