Research Review
What Your Wearable Actually Collects
Modern wearables collect far more than step counts. A typical smartwatch or health ring now records heart rate (continuous or periodic), heart rate variability, sleep duration and staging, blood oxygen saturation (SpO2), skin temperature, respiratory rate, GPS location, elevation, menstrual cycle data, electrodermal activity, and in some cases voice data through built-in microphones. Combined over weeks and months, this creates a remarkably detailed physiological profile of your life, one that can reveal health conditions, emotional states, physical location patterns, and daily routines.
The depth of this data collection is not inherently problematic. It is what enables the health insights that make wearables valuable. The problem is what happens to this data after it leaves your wrist or finger.
Where Your Data Goes: Platform by Platform
Not all wearable companies handle your data the same way. The differences are significant.
Apple (Apple Watch, iPhone Health). Apple has built its health data architecture around on-device processing and end-to-end encryption. Health data synced to iCloud is encrypted in transit and at rest, and Apple states it cannot access the decryption keys. HealthKit data is not used for advertising. Apple does not sell health data to third parties. When apps request access to your health data through HealthKit, each data type requires explicit permission, and Apple enforces strict review guidelines for apps that access health information. Of the major platforms, Apple offers the strongest default privacy protections for consumer health data.
Google and Fitbit. Following Google's acquisition of Fitbit, Fitbit health data is governed by Google's privacy policies. As a condition of the European Commission's clearance of the deal in December 2020, Google committed not to use Fitbit health and wellness data for Google Ads for ten years (extendable by a further ten), but that commitment is a competition remedy, not a general privacy guarantee, and the long-term trajectory is less clear. Fitbit data is stored in the cloud, and Google's privacy policy permits the use of data to "improve services," a broad category. A 2025 systematic analysis of wearable privacy policies published in the Journal of Medical Internet Research flagged Google/Fitbit as having among the most permissive data-sharing terms among major wearable manufacturers.
Oura. Oura stores health data in cloud servers and states that it does not sell personal data to third parties. Oura's privacy policy permits sharing aggregated and de-identified data for research purposes. The Oura API allows users to grant third-party app access to their data through OAuth, giving users control over which apps can read their information. However, cloud storage means your data exists on servers you do not control, and the company's privacy practices are governed by its terms of service, which can change.
Whoop. Whoop stores data in the cloud and has faced scrutiny for its data practices. Whoop's privacy policy permits sharing data with third-party service providers and business partners. The company offers aggregated population-level data for research and commercial purposes. Like most cloud-based wearable platforms, the specifics of data retention and deletion are governed by terms of service rather than regulatory mandate.
The Regulatory Gap: HIPAA Does Not Protect You Here
This is the most important thing most wearable users do not understand: HIPAA almost certainly does not cover your wearable data. HIPAA applies to "covered entities," defined as healthcare providers, health insurers, and healthcare clearinghouses, along with their business associates. Consumer wearable companies are none of these. The heart rate data your Oura Ring records, the sleep data your Apple Watch tracks, the GPS data your Garmin logs: none of it falls under HIPAA protection unless and until it enters a covered entity's records, for example when you share it with your doctor through a patient portal. At that point the copy your provider holds becomes protected health information; the copy on the wearable vendor's servers does not.
This means that the health data wearable companies collect about you has fewer federal privacy protections than the data your doctor's office collects. There is no federal requirement for wearable companies to limit how long they retain your data, no requirement to obtain specific consent before sharing it, and, beyond whatever the company's own privacy policy promises, no requirement to notify you if it is sold or transferred to another company in an acquisition. The main federal backstop is the FTC: its Health Breach Notification Rule requires vendors of personal health records and connected health apps to notify users of breaches, which the FTC has interpreted to include unauthorized disclosures to third parties, and the FTC has used its general authority over unfair and deceptive practices against health apps that shared data contrary to their stated policies. That is after-the-fact enforcement, not an upfront limit on what can be collected or kept.
State-Level Laws Are Filling the Gap (Slowly)
In the absence of federal legislation, several states have enacted laws that provide stronger protections for biometric and health data.
Illinois Biometric Information Privacy Act (BIPA). BIPA is the most aggressive biometric privacy law in the United States. It requires informed written consent before the collection of biometric identifiers (retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry), requires a published retention and destruction schedule, provides a private right of action (meaning individuals can sue), and has resulted in significant settlements against companies that violated its terms. BIPA's list of identifiers is about identity, not physiology, so whether wearable health metrics like heart rate and HRV fall under it is still being tested in courts; what it firmly establishes is the precedent that biometric data requires explicit consent.
California Consumer Privacy Act (CCPA) and CPRA. The CPRA's definition of "sensitive personal information" includes personal information collected and analyzed concerning a consumer's health, and biometric information processed to uniquely identify a consumer, which is where wearable-derived metrics such as heart rate, sleep data, and skin temperature land. Consumers have the right to know what data is collected, request its deletion, limit the use of sensitive personal information, and opt out of its sale or sharing. The CPRA also added requirements for risk assessments of processing that presents significant risk to consumers' privacy, along with a dedicated enforcement agency, the California Privacy Protection Agency.
Washington My Health My Data Act. Enacted in 2023 and in force since March 31, 2024, this law imposes strict consent requirements on any entity collecting or sharing "consumer health data," regardless of whether it qualifies as a HIPAA-covered entity, and it is enforceable through a private right of action under the state's consumer protection statute. It specifically targets the regulatory gap that consumer health apps and wearables fall into.
Anonymized vs. De-identified Data: Why It Matters
Many wearable companies state that they share "anonymized" or "de-identified" data. These terms are not interchangeable, and the distinction matters. De-identified data has had direct identifiers (name, email, device ID) removed, but often retains enough contextual information (location patterns, demographic data, biometric signatures) to be re-identified by cross-referencing it with other datasets that carry names. Multiple studies have demonstrated that supposedly de-identified health datasets can be re-linked to individuals with surprising accuracy: Latanya Sweeney's well-known 2000 analysis found that ZIP code, date of birth, and sex alone were enough to uniquely identify roughly 87% of the US population, and a 2019 study in Nature Communications estimated that 15 demographic attributes would re-identify 99.98% of Americans in any dataset.
True anonymization is technically much harder and involves transforming data so that re-identification is practically impossible. When a wearable company says it shares "de-identified" data for research purposes, that data may still carry meaningful privacy risk, particularly when combined with other data sources.
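The linkage attack described above, worked through in code. This is an added example, not part of the original article and not any vendor's code; both datasets are constructed for illustration (no real people, devices, or ZIP codes are implied), and the column names are assumptions. It joins a "de-identified" wearable export to a public list with names on the shared quasi-identifiers (ZIP code, birth year, sex), reports which records resolve to exactly one person, and then applies the kind of generalization real anonymization requires to show how the smallest equivalence class (the dataset's k-anonymity) changes.

```python
"""Linkage (re-identification) attack on a 'de-identified' wearable export,
plus a k-anonymity check showing why coarser quasi-identifiers matter.

All data below is constructed for illustration: no real people or devices.
"""
from collections import Counter, defaultdict

# Constructed "de-identified" research export: direct identifiers (name,
# email, device ID) stripped, but ZIP, birth year and sex retained as
# "demographic context" next to the health metrics.
DEID_EXPORT = [
    {"rec": "r1", "zip": "60614", "birth_year": 1988, "sex": "F", "resting_hr": 52, "sleep_h": 7.4},
    {"rec": "r2", "zip": "60614", "birth_year": 1985, "sex": "F", "resting_hr": 61, "sleep_h": 6.3},
    {"rec": "r3", "zip": "60657", "birth_year": 1991, "sex": "F", "resting_hr": 58, "sleep_h": 8.0},
    {"rec": "r4", "zip": "60657", "birth_year": 1991, "sex": "F", "resting_hr": 71, "sleep_h": 5.2},
    {"rec": "r5", "zip": "60302", "birth_year": 1962, "sex": "M", "resting_hr": 49, "sleep_h": 7.9},
    {"rec": "r6", "zip": "60304", "birth_year": 1968, "sex": "M", "resting_hr": 66, "sleep_h": 6.8},
]

# Constructed public auxiliary dataset (think published race results or a
# voter-roll extract): names alongside the same quasi-identifiers.
PUBLIC_AUX = [
    {"name": "A. Lindqvist", "zip": "60614", "birth_year": 1988, "sex": "F"},
    {"name": "B. Okafor",    "zip": "60614", "birth_year": 1985, "sex": "F"},
    {"name": "C. Reyes",     "zip": "60657", "birth_year": 1991, "sex": "F"},
    {"name": "D. Tanaka",    "zip": "60657", "birth_year": 1991, "sex": "F"},
    {"name": "E. Novak",     "zip": "60302", "birth_year": 1962, "sex": "M"},
    {"name": "F. Haddad",    "zip": "60304", "birth_year": 1968, "sex": "M"},
    {"name": "G. Petrov",    "zip": "60302", "birth_year": 1964, "sex": "M"},  # no exact match
]

QUASI_IDS = ("zip", "birth_year", "sex")


def key_of(row, keys):
    """Tuple of the quasi-identifier values used as the join key."""
    return tuple(row[k] for k in keys)


def link_records(deid_rows, aux_rows, keys=QUASI_IDS):
    """Join the export to the public list on the quasi-identifiers.

    Returns {record id: sorted list of candidate names}. A single candidate
    is a unique re-identification: the attacker now knows that named
    person's resting heart rate and sleep duration.
    """
    index = defaultdict(list)
    for row in aux_rows:
        index[key_of(row, keys)].append(row["name"])
    return {row["rec"]: sorted(index.get(key_of(row, keys), [])) for row in deid_rows}


def k_anonymity(rows, keys=QUASI_IDS):
    """Size of the smallest equivalence class over the quasi-identifiers.

    k = 1 means at least one record is unique on those columns and is
    therefore trivially linkable to any outside list that carries them.
    """
    return min(Counter(key_of(r, keys) for r in rows).values())


def generalize(row):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth decade.

    This trades analytic precision for larger equivalence classes; it is
    the kind of transformation real anonymization needs, whereas merely
    dropping names (de-identification) leaves the join key intact.
    """
    g = dict(row)
    g["zip"] = row["zip"][:3] + "**"
    g["birth_year"] = row["birth_year"] // 10 * 10   # 1988 -> 1980
    return g


if __name__ == "__main__":
    for rec, names in link_records(DEID_EXPORT, PUBLIC_AUX).items():
        status = "UNIQUE" if len(names) == 1 else f"{len(names)} candidates"
        print(f"{rec}: {status} {names}")
    print("k-anonymity of raw export:", k_anonymity(DEID_EXPORT))
    generalized = [generalize(r) for r in DEID_EXPORT]
    print("k-anonymity after generalization:", k_anonymity(generalized))
```

Four of the six records resolve to exactly one name from nothing more than ZIP, birth year and sex, and the raw export has k = 1. After generalizing to a 3-digit ZIP and a birth decade every record shares its key with at least one other (k = 2), and an attacker who generalizes the public list the same way gets several candidates per record instead of one. k-anonymity alone is a weak bar (two candidates with the same diagnosis-revealing metric still leak it), but the exercise shows why "we removed names and emails" is not a privacy guarantee.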
What to Look for in a Privacy Policy
Most people do not read privacy policies, and wearable companies rely on that fact. If you are going to invest 5 minutes in understanding how your health data is handled, look for these specific things:
- Data storage location. Is your health data stored on your device, in the cloud, or both? On-device storage with an end-to-end encrypted backup, where the vendor holds no key that can decrypt your data, is the most private architecture; "encrypted at rest" on the vendor's servers says nothing about who can read it.
- Third-party sharing. Does the policy permit sharing data with "partners," "service providers," or "affiliates"? These broad categories can encompass advertisers and data brokers.
- Data retention. How long does the company keep your data after you delete your account? Some companies retain data for years after account closure.
- Data portability and deletion. Can you export your data? Can you request permanent deletion? Is the deletion process straightforward or deliberately complex?
- Policy change notifications. Does the company commit to notifying users before changing its privacy practices, or can it update the policy at any time without notice?
How Vora Handles Your Data
Vora was designed with the assumption that health data deserves strong protection by default. Vora processes biometric data on-device wherever possible, does not sell user data to third parties, does not use health data for advertising, and provides straightforward data deletion when you choose to remove your account. When data is synced to enable features like cross-device continuity, it is encrypted in transit and at rest. These are not marketing claims; they are architectural decisions built into how the product works.
Ultimately, the best protection for your wearable data is awareness. Know what your device collects, where that data goes, and what rights you have over it. The regulatory landscape is evolving, but right now, the responsibility to protect your health data falls largely on you.