WHOOP, INC

Privacy

At WHOOP, our mission is to unlock human performance. We exist to improve your life, not invade it. We believe this should be the standard for all companies providing wearable devices.

We take your privacy seriously and want you to understand how we use, collect and share personal data, and the measures we take to protect your personal data. We have invested heavily, and will continue to invest, in features and security to protect the privacy and security of your personal data. We continually evaluate our privacy practices to align them with applicable privacy laws including the California Consumer Privacy Act (“CCPA”) and the General Data Protection Regulation (“GDPR”). You can find more detailed information about ways in which we use, collect, and share personal data in our full Privacy Policy.

1. WHOOP MEMBERS CONTROL THEIR PERSONAL DATA

We believe you should be in control of your personal data. Consistent with this belief:

• We will delete your personal data if you ask us to, including if asked when you cancel your membership.
• We will provide you with access to your personal data if you ask us to, including if asked when you cancel your membership.
• Our Privacy Policy describes how we share personal data. We will otherwise share your personal data with others only if you ask us to. For example, we would share it with an organization managing a corporate wellness program if you specifically authorized us to do so.

2. WHOOP EMPLOYEES ONLY ACCESS MEMBER PERSONAL DATA WHEN REQUIRED TO PROVIDE SERVICES AND SUPPORT

We prioritize the accountability and the security of your personal data. Our policy is that a member’s personal data is not to be accessed or shared by anyone at WHOOP without an explicit need to do so. Consistent with these priorities and our policy:

• WHOOP membership services representatives, management team members, data scientists and technical team members are not permitted to access your personal data without a legitimate business need.
• We maintain a log that tells us who has accessed member personal data and when.
• We actively evaluate data access logs and investigate any anomalies for data access.

3. WHOOP DOES NOT SELL MEMBER PERSONAL DATA

Our business model is to provide highly valuable product experiences and services to our members in exchange for membership fees. As such, we never sell our members’ personal data. This is our promise. Because of how broadly the CCPA defines “sale,” we want to be clear that we use third party cookies and other tracking technologies.

4. WHOOP USES ONLY AGGREGATED OR DE-IDENTIFIED WELLNESS DATA TO BETTER UNDERSTAND HUMAN PERFORMANCE

Our members provide us with an unprecedented amount of accurate physiological data that is collected by their WHOOP strap. This information includes heart rate, heart rate variability, sleep duration, respiratory rate, skin temperature, blood oxygen saturation level, data such as the type of activity engaged in and the duration of physical activity, and any additional information members chose to enter when using WHOOP services (collectively, “wellness data”).We use aggregated or de-identified wellness data that no longer identifies a particular individual (and is thus no longer personal data) to help answer important questions about human performance and further explore what it means to be optimal. We believe we have a responsibility to create an ever-better experience for our members by identifying and sharing cutting edge insights. We will always look to provide new content and product features, improve and customize our services (including determining and reporting on trends, sleep, strain, and recovery), and develop thought leadership in the area of human performance. We hope your experience with WHOOP will improve over time as our membership base grows and we continue with our mission to unlock human performance.

5. WHOOP BELIEVES THAT THIRD PARTIES SHOULD BE PREVENTED FROM INVADING OUR MEMBERS’ LIVES BY ACCESSING THEIR WHOOP DATA.

Like all other companies, WHOOP may from time to time receive requests for member data from third parties, like governmental entities (including law enforcement) and private parties engaged in civil litigation. Here are the key principles we stand by when evaluating these requests:

• WHOOP will never voluntarily disclose member data in response to a request by a governmental entity or civil litigant.
• WHOOP will never provide any governmental entity or civil litigant with direct access to our members data.
• WHOOP will never provide copies of member data held by WHOOP to any governmental entity or civil litigant without a valid, narrowly tailored, and legally-binding request (e.g., subpoena, warrant or court order).
• If WHOOP receives a request for a members data, we will provide notice to the member by sending an email to the email address we have on file for that member.
• WHOOP is prepared to fight to protect our members privacy in court if necessary. We will reject, challenge or object to any data access request from a governmental entity or civil litigant that we believe is invalid, overly broad, unclear or otherwise inappropriate.

If you are concerned about the privacy of your WHOOP data, you can delete it at any time by exercising our self-serve options, either in the WHOOP app or navigating to the data management section of whoop.com.We know privacy and security are important to you. We are committed to making WHOOP the best tool to monitor and understand the body. We will continue to be transparent about our privacy and security practices as we grow alongside our membership.

For more information about how these principles apply to WHOOP Coach, please read here.

WHOOP Patents

The WHOOP®  products listed below are covered by at least the indicated US patents. Additional US patent applications and non-US patents may cover these products. 

WHOOP 4.0 

• 11,410,765
• 11,185,241
• 10,750,958
• 11,185,292
• D977115 
• D973584

WHOOP 4.0 & WHOOP App

• 11,602,279
• 11,627,946
• 9,596,997

WHOOP Body

• D977116

AGGREGATED DATA

Aggregated Data is data that has undergone a process whereby raw data is gathered and expressed in a summary form for statistical analysis. Raw data can be aggregated over a given time period, across individuals, or both, to provide statistics such as average, minimum, maximum, sum, and count. After the data is aggregated analysis can be performed to gain insights about particular data sets. When data is aggregated across a number of individuals, the resulting aggregation is considered anonymized such that it is no longer Personal Data. See our Privacy Policy here for more information on how we use Aggregated Data.

CCPA

The California Consumer Privacy Act, or CCPA, is a state law that provides California consumers with robust data privacy rights. These rights include the right to know, the right to delete, and the right to opt-out of “sale” of personal information that businesses collect, as well as additional protections for minors. A “sale” under the CCPA is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or to a third party for monetary or other valuable consideration.” See our Privacy Policy here for more details on the information we may share with others.

COOKIES

Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular user and website, and can be accessed either by the web server or the user computer. This allows the server to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and is therefore able to carry information from one visit to the website (or related site) to the next. See our Privacy Policy here to learn about cookies and how they are used on our websites.

DE-IDENTIFIED DATA

De-Identified Data is data where all the personally identifiable information has been removed, rendering the data anonymous by stripping out information that would allow an individual’s identity to be determined from the remaining data. Data is “de-identified” to protect the privacy and identity of individuals associated with the data. De-identified Data is no longer Personal Data. See our Privacy Policy here for more information on how we use De-identified Data.

GDPR

The General Data Protection Regulation, or GDPR, is a data privacy and security regulation under European law that sets guidelines for the collection and processing of personal information from individuals who live in the European Economic Area, Switzerland and United Kingdom (collectively, “Europe” or “European”). The GDPR provides data protection rights to European residents and applies to any organization that offers goods or services to individuals in Europe, even if that organization is not based in Europe. See our Privacy Policy here for more information on the data rights available to European residents.

IP ADDRESS

An IP Address is a unique address that identifies a device on the internet or a local network. It allows a system to be recognized by other systems connected via the internet protocol. An IP Address may be considered Personal Data and is at times used by advertisers to serve interest-based ads. See our Privacy Policy here for details on how we share Personal Data.

PERSONAL DATA

Personal Data is any data that identifies or relates to you as a particular individual, including information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules, or regulations. See our Privacy Policy here for an outline of the ways in which we use, collect, and share Personal Data.

SERVICES

Services means, collectively, our websites and mobile apps, any software embedded within the WHOOP Strap, and any features, content, or applications offered, from time to time, by WHOOP in connection therewith.

THIRD PARTIES

Third Parties in the context of the relationship between WHOOP, WHOOP Members (our end users), and third parties are entities or businesses involved in an arrangement, contract, deal, or transaction but are not one of the principals (i.e., WHOOP or WHOOP Members). We use Third Parties to enable us to do business with our members, such as charging for transactions or storing data. Third Parties also include advertisers that serve interest-based ads to visitors to our website. See our Privacy Policy here for more information on the Third Parties that do business with WHOOP.

WHOOP STRAP

Your WHOOP Strap is a wearable sensor that, when used in connection with the Services, collects certain types of Personal Data.

WHOOP, WE, US, OUR

The terms “WHOOP,” “we,” “us,” or “our” mean Whoop, Inc. and each of its wholly owned subsidiaries.

WELLNESS DATA

Wellness Data is (a) data collected by your WHOOP Strap and sent to the WHOOP platform, including your heart rate, heart rate variability, sleep duration, respiratory rate, skin temperature, blood oxygen saturation level, and data such as the type of activity you engage in and the duration of your physical activity; and (b) any additional information you chose to enter during the use of our Services, such as information about your health and wellness, including information collected from accounts, devices, or features that you link with your WHOOP account. See our Privacy Policy here for additional details on Wellness Data.

At WHOOP, we take the privacy of our Members and Customers seriously. We do not sell personal information.

Our Services provide and our partners use automated technologies, such as cookies, to understand how people use our products and Services and to support advertising. You can learn how to limit the use of these technologies in our Privacy Policy.

The CCPA also provides the following rights if you are a resident of the state of California: (1) the right to know how your personal information is collected and used; (2) the right to have access to and request the personal information collected; (3) the right to have your personal data deleted; and (4) 4he right to stop your personal information from being sold or shared. The CCPA limits these rights by, for example, prohibiting businesses from providing certain sensitive information in response to an access request and limiting the circumstances in which they must comply with a deletion request.

For privacy rights requests or questions about your privacy rights, please email us at privacy@whoop.com. Click here more on data management.

INTRODUCTION

The high quality of Whoop, Inc. (“WHOOP”) products and services (collectively, “Products”) is the direct result of our investment in innovation, engineering and design. WHOOP has spent years building an aspirational brand with high perceived value and strong recognition. WHOOP also recognizes that our success is tied to the success of our network of resellers, distributors, sales representatives or dealers (collectively, “Resellers”). We want to protect our Resellers investments in delivering an extraordinary customer experience, while also discouraging price-based advertising that would be detrimental to our Resellers’ service and support efforts. Therefore, WHOOP has unilaterally established this Minimum Advertised Price Policy (“MAP Policy”) for certain WHOOP Products sold by Resellers in the United States.

MAP POLICY

1. The Minimum Advertised Price for each WHOOP Product shall be no less than the minimum advertised price as set forth on Schedule A (the “Minimum Advertised Price”). This Minimum Advertised Price established by WHOOP may be adjusted by WHOOP at such time and in such amounts as it may determine at its sole discretion.

2. This MAP Policy does not establish maximum advertised prices. Resellers may offer WHOOP Products at any price in excess of the Minimum Advertised Price.

3. A Reseller shall not list WHOOP Products on any third-party website (including without limitation Amazon, eBay, Overstock, etc.), without first obtaining written consent from WHOOP. A Reseller may sell WHOOP Products on its own website associated directly with its store(s) so long as the Reseller adheres to this MAP Policy.

4. This MAP Policy applies to all advertisements of WHOOP Products in any and all media, including without limitation email newsletters, email solicitations, internet or other electronic media, television, radio, public signage, posters, flyers, coupons, mailers, inserts, newspapers, magazines, catalogs, or mail order catalogs. This MAP policy is not applicable to any in-store advertising that is displayed only in the store and not distributed to any customers.

5. If pricing is displayed anywhere other than a brick-and-mortar-retail store, any strike-through or other alteration of the Minimum Advertised Price is prohibited.

6. Including free or discounted products in advertising with any WHOOP Product covered by this MAP Policy is contrary to this MAP Policy if it has the effect of discounting the advertised price of the covered WHOOP Product below the Minimum Advertised Price.

7. The MAP policy does not limit a Reseller’s ability to advertise in general that they have “the lowest prices” or will “match or beat a competitors’ price” or phrases of similar meaning as long as the price advertised or listed for the WHOOP Product is not less than the Minimum Advertised Price and the Reseller otherwise complies with this MAP Policy.

8. WHOOP maintains the right to run a temporary sale on any WHOOP Product at its sole discretion. In the case of any such sale, the Minimum Advertised Price for the applicable WHOOP Product will be the same as the temporary sale price for the applicable time period.

9. If a Reseller with multiple store locations violates this MAP Policy at any single store location, or on any associated website, then WHOOP will consider this to be a violation of this MAP Policy by the Reseller.

10. WHOOP may monitor the advertised prices of Resellers, either directly or via the use of third party agencies or tools.

11. WHOOP is solely responsible for determining whether a violation of the MAP Policy has occurred and determining appropriate sanctions. WHOOP marketing or sales personnel are not authorized to negotiate, amend, modify, waive or grant exceptions to the MAP Policy.

12. WHOOP will enforce this MAP Policy in its sole discretion and without notice. A Reseller has no right to enforce the MAP Policy. In addition to any available remedies WHOOP may have at law, violations of this MAP Policy may result in sanctions such as notification of a violation, cancellation of pending Reseller orders, restrictions on future Reseller orders, suspension of a Reseller’s account, cancellation of pending Reseller orders, or termination of any agreement with the Reseller.

SCHEDULE A TO MAP POLICY

• 12-month upfront subscription (includes WHOOP 4.0, device, battery, and strap). Minimum Advertised Price is $239.00.
• SuperKnit Band. Minimum Advertised Price is $49.00
• SuperKnit Luxe Band. Minimum Advertised Price is $99.00
• Battery Pack 4.0. Minimum Advertised Price $49.00

How WHOOP handles security vulnerabilities

At WHOOP, our mission is to unlock human performance.  We exist to improve the lives of our members, not invade their lives.  Like all companies providing wearable devices and health monitoring services, WHOOP manages personal and sensitive data of our members. We take privacy seriously, and understand that we have a responsibility to protect the privacy of our members’ data. We understand that secure products are instrumental in maintaining the trust that members place in WHOOP, and we strive to create innovative products that improve our members' lives.

This site provides information for researchers and security professionals.

If you are a WHOOP member and are experiencing a security issue with your account please contact Membership Services.

Reporting security issues

WHOOP openly accepts vulnerability reports for our WHOOP platform and products. If you believe you have discovered a vulnerability in a WHOOP platform or product, or if you have a security incident to report, please contact us our vulnerability disclosure form below. Upon receipt of your message, we will send a reply that includes a tracking identifier.  WHOOP will not engage in legal action against individuals who in good faith submit vulnerability reports through the methods listed above.

WHOOP Vulnerability Disclosure Policy

At WHOOP, we believe that vulnerability disclosure is a two-way street - both WHOOP and security researchers must act responsibly. This is why WHOOP adheres to a 90-day disclosure deadline (the “Deadline”). We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after the Deadline, or sooner if the vendor releases a fix. That Deadline can vary in the following ways:

• If a Deadline is due to expire on a weekend or U.S. public holiday, the Deadline will be moved to the next regular work day.
• Before the Deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the Deadline, we will delay the public disclosure until the availability of the patch.
• When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action - within 7 days - is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.

As always, we reserve the right to bring the Deadline forward or backward based on extreme circumstances. We remain committed to treating all vendors strictly equally. WHOOP expects to be held to the same standard.

This policy aligns with our desire to improve industry response times to security bugs, but also results in softer landings for bugs marginally over the Deadline. WHOOP calls on all security researchers to adopt disclosure deadlines in some form, and welcomes security researchers to use this policy if you find our policy compelling. Creating pressure towards reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, vulnerability disclosure policies such as ours result in greater overall safety for users of the Internet.

To request access to or deletion of Personal Data collected via your use of the Services, please either (i) use the “Data Management” feature available on the WHOOP Privacy Center privacy.whoop.com; or (ii) email us at privacy@whoop.com.

Our Privacy Officer (and equivalent roles globally) is Travis Lang, General Counsel, who can be reached at privacy@whoop.com.  

This Messaging Program Privacy Policy explains how WHOOP collects and uses information about you in relation to its text message marketing program (the “Messaging Service”). We use Iterable to provide the Messaging Service to you. For the purposes of the Messaging Service, Iterable acts as our service provider and data processor of your information.

Collection of Information

We collect various information on our behalf from and about you, including information you directly provide when you use the Messaging Service. For example, we collect the phone number and email address you provided when signing up for the Messaging Service. When you send messages via the Messaging Service, we will also collect your messaging history and any information included in those messages.

We may also collect information about you using cookies or similar technologies. Cookies are pieces of information that are stored by your browser on the hard drive or memory of your device. Cookies enable personalization of your experience on the Messaging Service (e.g., sending you personalized text messages such as shopping cart reminders).

If you participate in a contest, sweepstakes, research study, or email survey associated with the Messaging Service, we will collect basic contact information and any other information you choose to provide in connection with these activities. We will also collect your contact information if you contact us with questions about the Messaging Service or for customer service.

Use of Information

We use your information to deliver, analyze, maintain and support the Messaging Service. We may also use your information to enhance the Messaging Service features and customize and personalize your experiences on the Messaging Service.

Sharing of Information

We may share, transfer, or disclose your information, if you consent to us doing so, as well as in the following circumstances:

• Service Providers. We may share your information with third parties to help us provide the Messaging Service to you.
• Legal Requirement and Protection of Iterable and Others. We may disclose your information as we believe such disclosure is necessary or appropriate to: (i) comply with applicable law and legal processes; (ii) respond to requests from public and government authorities, including public and government authorities outside your country of residence; (iii) enforce a contract with us; (iv) protect our rights, privacy, safety, or property, and/or that of our affiliates, you or others; and (v) allow us to pursue available remedies or limit the damages that we may sustain.

From time to time, we may share aggregate or de-identified information about use of the Messaging Service and such aggregated or de-identified information may be shared with any third party, including advertisers, promotional partners, and sponsors.

Protection of Information

We take a variety of physical, technical, administrative, and organizational security measures based on the sensitivity of the information we collect to protect your information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. Unfortunately, no online activity can be guaranteed to be 100% secure. While we strive to protect your information against unauthorized use or disclosure, we cannot ensure or warrant the security of any information you provide. We do not accept liability for unintentional disclosure.

Retention of Information

We retain your information for as long as you participate in the Messaging Service or as needed to comply with applicable legal obligations. We will also retain and use your information as necessary to resolve disputes, protect us and our customers, and enforce our agreements.

Choices and Controls

Consent to receive automated marketing text messages is not a condition of any purchase. You can opt-out of receiving further commercial text messages via the Messaging Service by responding to any of our text messages with any of the following replies: STOP, END, CANCEL, UNSUBSCRIBE, or QUIT. For additional opt-out information, please review our Terms.

Main Privacy Policy

By signing up to receive text messages from us, you also agree to our main Privacy Policy.