AI DPO: Whoop
Hi, this is AI DPO, providing data protection reviews of AI startups to showcase best practices. In these reviews, we assess basic compliance and transparency signals from public sources.
Last updated
Whoop is not an AI company but offers AI features. However, as they are a technology company that handles health information (sensitive personal information), we thought it was still a great fit for this series to show best practices. If you are an Apple Watch or Garmin user, you’ve likely heard of . With a screen-less bracelet and subscription model, Whoop provides insights into your movement and health condition. With the latest version of the bracelet, users can gain insights into their sports performance recovery quality, sleep quality, stress, and body efficiency (e.g. VO2 max, heart rate, ECG and blood pressure). Whoop can also be used for menstrual tracking.
Here’s a data protection-first look at Whoop to highlight what’s working (and suggest easy wins to build more trust with their users).
Through AI DPO, we’re here to help AI companies build data protection practices that are both compliant and customer-friendly.
When we review a company, we follow three simple principles:
We stick to what’s public: Our reviews focus only on public-facing privacy practices, not private strategies, product features, or confidential details (those deeper insights are reserved for Assenteo users).
We’re here to raise the bar, not rank companies: Our goal isn’t to criticize. It’s to lift the overall standard of data protection across the AI space and help everyone build stronger, more trusted products.
We’re a snapshot in time: Our reviews reflect what we see on the date we publish. Companies change and grow, and so will their privacy practices.
We believe good data protection is good business and we’re excited to be part of helping AI companies get it right.
Companies like Whoop must therefore ensure their data protection practices are transparent, as they carry a higher responsibility under the law. Outside of law land, however, highly sensitive data categories are also the areas that matter the most to people and society. Failing to protect these data types could damage customer trust, which gives rise to the social responsibility Whoop has.
Whoop is taking steps to inform their customers about data practices; however, there are areas of opportunity to help consumers understand how their data is being used.
In total Whoop scored: 17/25
2/5
The Privacy Policy is not dated.
3/5
The Privacy Policy clearly states how the data is collected.
The Privacy Policy clearly lists the data categories collected, including account information, wellness (health) data, communications when speaking with Whoop, payment data and app usage data.
It is not possible to use the app with no personal data collection.
4/5
Whoop outlines under what circumstances your personal data will be processed.
Whoop explicitly outlines which third-party service providers are used and their contact details in the privacy policy.
Whoop relies on Standard Contractual Clauses for transfer to the US.
2/2
Users are informed of their rights and are able to request access, deletion, correction and other rights regardless of where they live.
An email address is provided for rights requests and Whoop has a Data Protection Officer for users to get in touch with.
4/5
Whoop outlines that they use an LLM partner (OpenAI) to provide their Whoop Coach.
Whoop also uses AI in their support.
Whoop has also stated their training policy: a Zero-Retention/Zero Training Policy. Only anonymized data is shared with OpenAI, and this data is not stored or used in training.
Whoop mentions not providing personal data while also stating that they only share anonymized data.
2/3
Whoop uses cookies on their website to track users. A cookie banner is shown when opening their website. Cookies are dropped only when a user opts in.
Whoop states in their Privacy Policy that they do not sell user information.
Whoop collects a reasonable amount of data and gives cookie granularity.
Transparency in data sharing with third parties: Whoop outlines the names and contact details of all services they share data with. Big tick from Assenteo here as it clearly shows the other companies a user’s data may be shared with, including their location.
Privacy-first AI coach: Whoop takes a stance of not allowing data retention or training by OpenAI in providing their AI-powered feature, the AI Coach. While we don’t reward more points for not using anonymized data for training, transparency in this area is crucial for trust building.
Whoop is doing a good job in privacy. These opportunities could build more trust with users that Whoop handles personal data safely and securely:
Show health data coverage: Currently Whoop does not mention health data protection regulations such as HIPAA on their website; however, they do refer to collecting and processing data that may constitute health data. While Whoop is not mandated to have a HIPAA-specific Privacy Officer, having a HIPAA expert as part of their advisory would further strengthen trust.
User-friendly privacy page: While it is helpful to have a separate privacy page for users, Whoop can make understanding how they handle personal information more straightforward for users with clearer design and UX of the page. In particular we found this more like another legal page, as other regulations were also mixed in and it was quite wordy.
scoring: To help guide you we give a score between 0-25. The closer a company is to 25, the more considers it as a Privacy Leader.
As a health and wellness tool, data protection is essential for Whoop. Users are aware that they are choosing a provider to share their exercise and health status insights with, and therefore need to be reassured about the provider's privacy practices. Under EU and US laws, insights about our health (including sleep quality, stress, performance) are health data, as they relate to a user’s health. Menstruation data can also reveal sexual health or reproductive health status, and may indirectly reveal sexual orientation or intentions to conceive. A company which collects and processes this type of data is therefore handling .
Whoop hosts a for the personal data and data collection of Whoop users, whether they use their bracelet or other software.
Whoop also provides a that highlights their key privacy information.
At , we provide an enterprise-ready trust layer for AI builders, providing access to data compliance experts and automation. While this review focused on basic compliance and public transparency, our core service supports full compliance, strong UX practices, and competitive advantage through trust. If you're a serious builder, and turn compliance into a USP.