WHOOP, INC
Full Privacy Policy

PRIVACY POLICY

1. INTRODUCTION

At Whoop, Inc. (“WHOOP,” “us,” “we,” or “our”), our mission is to unlock human performance. We exist to improve your life, not invade it. We believe this should be the standard for all companies providing wearable devices. We take your privacy seriously and want you to understand how we use, collect, and share Personal Data, and the measures we take to protect your Personal Data.

This Privacy Policy applies to Personal Data we collect about members and other consumers who interact with Whoop or use our services, including by visiting our websites or our social media pages, or using our mobile apps, the WHOOP Strap or another WHOOP device (collectively, the “Services”). This Privacy Policy does not cover the practices of companies that we do not own or control, or people that we do not manage. We are not responsible for the policies and practices of any third parties, and we do not control, operate, or endorse any information, products, or services that may be offered by third parties or accessible on or through the Services.

We have provided supplemental notices below for residents of California and individuals located in the European Economic Area, the United Kingdom, and Switzerland (collectively “Europe” or “European”) and Qatar.

2. HOW WE COLLECT PERSONAL DATA

We collect Personal Data about you from:

  • Yourself, when you provide such information directly to us, such as when completing your profile;
  • WHOOP Strap or another device that you wear;
  • WHOOP Coach when you interact with and receive responses from the WHOOP Coach as described in Section 8 below;
  • Automatic data collection, such as Cookies, local storage objects, web beacons, and other similar technologies in connection with your use of the Services;
  • Customers and partners, such as employers, insurance companies, coaches, teams, or other organizations that engage with our Services;
  • Marketing and advertising partners, such as companies that have entered in joint marketing relationships with us or assist us with marketing or promotional services, which may provide us with data related to how you interact with our Services, advertisements, or communications;
  • Social media, other third-party platforms, and linked accounts, devices, or features , if you interact with our pages on social media sites, post content to their sites using the Services, sign into the Services through a third-party site or service, or otherwise link accounts, devices, or features to your WHOOP account; and
  • Data providers, such as information services and data licensors, when we supplement your data.

3. PERSONAL DATA WE COLLECT

We may collect the following types of Personal Data:

  • Contact details, such as your first and last name, email and mailing address, and phone number;
  • Profile data, such as username and password that you may establish to create a WHOOP account, as well as any photographs or information you choose to include in your WHOOP profile;
  • Communications that we exchange with you, including when you contact us via email, web app, or mobile app with questions, feedback, or reviews;
  • Wellness Data, such as resting heart rate, heart rate variability, skin temperature, blood oxygen saturation level and acceleration; metadata on workouts and sleep; the type of physical activity you engage in and the duration of your activity; data reflecting strain and recovery; your physiological profile, including birthday, gender identity, weight, height, fitness/athlete level (e.g., professional or recreational); and details you choose to submit about your diet, medications, and female health tracking. We may use certain of this information to customize your experience with us as part of our Services;
  • Conversations that you participate in with the WHOOP Coach, as described in Section 8 below;
  • Payment and transactional data needed to complete your orders on the website or through the Services (including name, email address, payment card information, bank account number, billing information) and your transaction history, although WHOOP does not have access to payment card numbers. Our payment processors will collect the financial information necessary to process your payments in accordance with the payment processor’s respective services agreement and privacy policy;
  • Marketing data, such as your preferences for receiving our marketing communications, and details about your engagement with them (e.g., the marketing emails that you open and the links within them that you click);
  • Device data, such as your computer or mobile device operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP Address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state, or geographic area;
  • Geolocation data, such as GPS, IP Address, and movement on certain exercise types if you give permission for WHOOP to do so; and
  • Online activity data, such as pages or screens you view, how long you spent on a page or screen, the website you visited before visiting our website, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access.

4. COOKIES AND SIMILAR TECHNOLOGIES

WHOOP uses cookies and similar technologies such as pixel tags, web beacons, clear GIFs, and JavaScript (collectively, “Cookies”) to enable our servers to recognize your web browser and tell us how and when you visit and use our Services, as well as to analyze trends, learn about our user base, and operate and improve our Services. Cookies are small pieces of data – usually text files – placed on your computer, tablet, phone, or similar device when you use that device to visit our Services. We may also supplement the information we collect from you with information received from third parties, including third parties that have placed their own Cookies on your device(s).

Cookie Usage and Type. WHOOP uses the following Cookies:

  • Essential Cookies: Essential Cookies are required for providing you with features or Services that you have requested. For example, certain Cookies enable you to log into secure areas of our Services. Disabling these Cookies may make certain features and Services unavailable.
  • Functionality Cookies: Functional Cookies are used to record your choices and settings regarding our Services, maintain your preferences over time, and recognize you when you return to our Services. These Cookies help us to personalize our content for you, greet you by name, and remember your preferences (e.g., your region).
  • Performance/Analytical Cookies: Performance/Analytical Cookies allow us to understand how users use our Services by collecting information on how often a user engages with a particular feature of the Services. We use these aggregated statistics internally to improve the Services. Performance/Analytical Cookies also help us measure the performance of our advertising campaigns in order to help us improve our campaigns and the Services’ content for those who engage with our advertising. For example, Google, Inc. (“Google”) uses Cookies in connection with its Google Analytics services. For more information on how Google uses this information, click here.
  • Marketing Cookies:Marketing Cookies collect data about your online activity and identify your interests so that we and our advertising partners can provide marketing that we believe is relevant to you. For more information, please see the section below titled “Interest-based advertisements.

Online tracking opt-outs. There are a number of ways you can opt-out of certain interest-based advertising and other online tracking activities, which we have summarized below.

  • Blocking Cookies in your browser. Most browsers let you remove or reject Cookies, including Cookies used for interest-based advertising. To do this, follow the instructions in your browser settings. Many browsers accept Cookies by default until you change your settings. For more information about Cookies, including how to see what Cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org.
  • Blocking advertising ID use in your mobile device settings. Your mobile devices may offer settings that enable you to make choices about the collection, use, or transfer of your advertising ID associated with your mobile device for interest-based advertising purposes.
  • Using privacy plug-ins or browsers.You can block our websites from setting Cookies used for interest-based ads by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, Ghostery, or uBlock Origin, and configuring them to block third party Cookies/trackers. You can also opt out of Google Analytics by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout.
  • Visiting our OneTrust Privacy Preference Center. You can click here to customize your Cookie consent preferences.
  • Platform opt out.
  • Some third-party ad networks, including third-party ad servers, ad agencies, ad technology vendors, and research firms, allow you to opt-out directly by using their opt-out tools. Some of these providers, and links to their opt-out tools, are:
  • Advertising industry opt-out tools.You can also use these opt-out options to limit use of your information for interest-based advertising by participating companies:

Please note that some opt-out features are Cookie-based, meaning that when you use these opt-out features, an “opt-out” Cookie will be placed on your computer or other device indicating that you do not want to receive interest-based advertising from certain companies. If you delete your Cookies, use a different browser, or use a different device, you will need to renew your opt-out choice.

Opting-out of interest-based advertising does not mean that you will no longer receive online ads. It only means that such ads will no longer be tailored to your specific viewing habits or interests. You may continue to see ads on and about the Service.

5. HOW WE USE PERSONAL DATA

We process Personal Data to operate, improve, understand, and personalize our Services. We use Personal Data for the following purposes:

Service delivery, including to:

  • Provide, operate, improve, develop, understand, and personalize the Services and our business, including testing, research, analysis and product development;
  • Satisfy the reason you provided the information to us, including responding to and fulfilling requests;
  • Communicate with you about the Services, including Service announcements, updates, or offers;
  • Provide support and assistance for the Services;
  • Create and manage your account or other user profiles;
  • Customize website content and communications based on your preferences; and
  • Process orders, memberships, or other transactions.

Research and development. We may create and use Aggregated Data, De-identified Data or other anonymous data from Personal Data we collect, including Wellness Data, for our business purpose, including to analyze the effectiveness of the Services, to improve and add features to the Services, and to analyze the general behavior and characteristics of users of the Services. We also use anonymous Wellness Data for research purposes to help us and our research partners answer important questions about human performance and create an even-better experience for our members by identifying cutting-edge insights and providing new content and product features.

Direct marketing and advertising. We may use data from the Personal Data we collect, including Wellness Data and certain data collected when you browse our website, to send you direct offers marketing messages or advertise the Services or other WHOOP product offerings.

  • Interest-based advertising. We engage our advertising partners, including third party advertising companies and social media companies, to advertise our Services. We and our advertising partners may use Cookies and similar technologies to collect information about your interaction over time across the web, our communications, and other online services, and may use that information to serve online ads. We comply with the Digital Advertising Alliance Self-Regulatory Principles for Online Behavioral Advertising. To learn more about the industry self-regulatory programs and other information and choices about interest-based ads, please see the section above entitled “Online tracking opt-outs.

Compliance and protection, including to:

  • Protect against or deter fraudulent, illegal, or harmful actions and maintain the safety, security, and integrity of our Services;
  • Comply with or enforce our legal or contractual obligations, resolve disputes, and enforce our Terms of Use and  Terms of Sale;
  • Audit our internal processes for compliance with legal and contractual requirements and internal policies;
  • Protect our, your, or others’ rights, privacy, safety, or property (including by making and defending legal claims); and
  • Respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.

6. HOW WE SHARE PERSONAL DATA

We may share your Personal Data with:

  • Service providers, such as payment processors, vendors who advertise our Services or other WHOOP products, security and fraud prevention consultants, hosting and other technology and communications providers, analytics providers, and staff augmentation and contract personnel, that provide services to us or on our behalf; our service providers also include our third-party Large Language Model (“LLM”) partner that powers WHOOP Coach, as described in Section 8 below;
  • Advertising partners that may collect information on our website through Cookies and other automated technologies, including for the interest-based advertising purposes described above. We do not share your Wellness Data with advertising partners;
  • Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services they render to us;
  • Authorities and others, including law enforcement, government authorities, and private parties we believe in good faith to be necessary or appropriate to comply with the law or legal process; and
  • Business transferees, such as acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale, or other disposition of all or any portion of the business or assets of, or equity interests in, WHOOP or our affiliates (including, in connection with a bankruptcy or similar proceedings).

7. HOW YOU MAY SHARE PERSONAL DATA THROUGH WHOOP

Depending on your use of the Services, you may share Personal Data with:

  • Other users of the Services, such as through our WHOOP Live or WHOOP Teams features, which allow you to share information and content with other users of the Service, and users are by default searchable by other users;
  • Third-party social media platforms, or linked accounts, devices, or features, when you choose to connect your account on those services with WHOOP or post content to social media, such as through the WHOOP Live feature;
  • The Public. When you make Personal Data visible to other users of the Services, including through the WHOOP Live or WHOOP Teams features, it may become publicly available and can be collected, viewed and used by anyone;
  • Managing entities. If your use of the Services is on behalf of or managed by a managing entity, such as a coach, team, organizing body, or other entity with which you are affiliated, your account information and Personal Data may be shared with the managing entity subject to your consent, and you hereby consent to that managing entity allowing that information to be publicly shared, subject to any features of the Services that expressly override that control. The managing entity will determine how the relevant information and content is shared; and
  • Corporate wellness programs. If you use the Services in connection with an employer or organizational corporate wellness program, we may share your information with that organization subject to your consent. Typically, we will share only Aggregated Data with these organizations.

8. WHOOP COACH & THIRD-PARTY AI TECHNOLOGY

WHOOP Coach is a generative AI feature that is intended to help you understand and make progress to your goals, decipher WHOOP concepts and provide educational guidance, and integrate with the rest of the WHOOP experience. WHOOP Coach creates a coaching experience by combining your unique, anonymized WHOOP metrics with the science of WHOOP to help you optimize your health, fitness, and performance.

If you decide to use WHOOP Coach, please note that WHOOP Coach leverages third-party AI technology provided by our LLM partner. This technology is trained on real-world data to generate intelligent and personalized responses in conversations with users. Responses from WHOOP Coach are based on your requests and relevant information collected through your WHOOP metrics. For example, if you ask WHOOP Coach a sleep-related question, then WHOOP Coach will provide personalized tips for improving your sleep based on your anonymized sleep data collected through the Services.

We require our LLM partner to use your anonymized WHOOP metrics only for the purpose of allowing WHOOP Coach to generate responses to your chats. We have ensured that our LLM partner has a “Zero-Retention/Zero Training Policy” with respect to your WHOOP metrics, meaning that our LLM partner will not store or retain any of the anonymized WHOOP metrics they receive trough your use of WHOOP Coach, and our LLM partner will not use any of the anonymized WHOOP metrics they receive for training any algorithms or LLM technology.

We will only share your anonymized WHOOP metrics with our LLM partner. We ask that you refrain from providing any identifying information, such as your name, in conversations with WHOOP Coach.

WHOOP may retain the history of your conversations with WHOOP Coach to ensure you continue to have access to previous conversations while using the feature. When you revisit any topics from previous chats, WHOOP may share the context of your previous conversations with WHOOP Coach to create a better experience for you. You may delete your WHOOP Coach chat data at any time by either tapping the chat icon in WHOOP Coach to view your conversation history and swipe left on conversations you would like to delete or requesting a deletion through Membership Services.

If you agree to use WHOOP Coach, please note that Consistent with our Privacy Principles, WHOOP employees will only access member Personal Data when required to provide services and support, which may include collecting information about your experience with WHOOP Coach to assess the performance of and improve WHOOP Coach and other product offerings. In the case that WHOOP Coach suggests connecting to Membership Services, you can opt in and have your support request automatically filed with our team. In this case, they will only have access to that specific conversation to provide you with the best support.

9. YOUR CHOICES

Access, update, or delete. When you log in to your account, you may access, and, in some cases, edit or delete certain information you’ve provided to us, such as first and last name, username and password, email and mailing address, and other information in your profile. When you update information, however, we may maintain a copy of the unrevised information in our records. You may request access to or a full deletion of your account and corresponding data by contacting support.whoop.com or via the “Data Management” feature available in the WHOOP Privacy Center. You will be asked to complete a verification form in connection with such access or deletion request in order to ensure that you have the authority to access or delete your account. We may need to retain certain Personal Data in our records, as well as Aggregated Data or De-identified Data derived from or incorporating your Personal Data that does not identify you after you update or delete it.

Privacy settings. You can change certain privacy settings, such as whether you are searchable on WHOOP by your name or username, if you scroll down to Settings, located on the Main Menu page of the WHOOP mobile application, and select “Privacy,” where you can choose to make yourself private or searchable.

Push notifications and device permissions. Access, update, or delete. When you log in to your account, you may access, and, in some cases, edit or delete certain information you’ve provided to us, such as first and last name, username and password, email and mailing address, and other information in your profile. When you update information, however, we may maintain a copy of the unrevised information in our records. You may request access to or a full deletion of your account and corresponding data by contacting emailing support.whoop.com or via the “Data Management” feature available in the WHOOP Privacy Center. You will be asked to complete a verification form in connection with such access or deletion request in order to ensure that you have the authority to access or delete your account. We may need to retain certain Personal Data in our records, as well as Aggregated Data or De-identified Data derived from or incorporating your Personal Data that does not identify you after you update or delete it.

Geolocation data. You may allow or disallow WHOOP to collect geolocation data by enabling or disabling location services on your mobile device. If you decline to grant WHOOP access to this data, we will not be able to provide certain Services, capabilities, or features to you.

Wellness Data. You can disable collection of additional Wellness Data by un-pairing your WHOOP device from your mobile device.

WHOOP Coach. You can choose whether or not to enable and interact with  WHOOP Coach. We will only share your anonymized WHOOP metrics with our LLM partner that powers WHOOP Coach if you enable and engage with the feature. If you wish to update your data preferences, you can visit the “Coaching Mode” section of your WHOOP Coach settings. If you no longer wish to use WHOOP Coach, you can simply not interact with the feature, or you can disable the feature entirely from your settings at any time.

WHOOP Teams. If you have joined a WHOOP Team, you may stop the sharing of your Personal Data with the members of the WHOOP Team at any time by accessing your WHOOP mobile application, navigating to the Team view, opening the menu from the Description page, and selecting Leave Team.

Marketing communications. We give you the ability to opt-out of marketing-related emails and other communications by going to our “Data Management” feature available in the WHOOP Privacy Center, or by following the opt-out or unsubscribe instructions contained in the marketing-related message. You cannot opt-out of receiving certain non-marketing emails regarding the Service.

Online tracking opt-outs. There are a number of ways you can opt-out of certain interest-based advertising and other online tracking activities, which we summarize in the “Online tracking opt-outs” section above.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to online services. The Services do not currently support “Do Not Track” requests or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

10. OTHER SITES AND SERVICES

The Services may contain links to websites and other online services operated by Third Parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any Third Party. We do not control mobile applications, websites or online services offered or operated by Third Parties, and we are not responsible for their actions. You can learn about and control how these Third Parties use and share Personal Data about you, including with WHOOP, by reviewing their privacy notices and exercising the privacy choices the Third Party may offer.

11. DATA SECURITY AND RETENTION OF PERSONAL DATA

We employ a number of physical, technical, organizational, and administrative security measures designed to protect the Personal Data we collect. While we endeavor to protect the privacy of your account and other Personal Data we hold in our records, no security measures are failsafe, and we cannot guarantee the security of your Personal Data.

We retain Personal Data for as long as reasonably necessary for the purposes described in this Privacy Policy, while we have a business need to do so, or as required by law (e.g., for tax, legal, accounting, or other purposes), whichever is longer.

12. PERSONAL DATA OF CHILDREN

If you are under the age to consent to data sharing, as applicable based on your jurisdiction, please do not attempt to register for the Services or send any Personal Data about yourself to us. If we learn that we have collected Personal Data from a child under the age to consent to data sharing, as applicable based on jurisdiction, we will delete that information as quickly as possible. If you believe that a child under the age to consent to data sharing, as applicable based on your jurisdiction,, may have provided us Personal Data, please contact us at privacy@whoop.com.

13. CHANGES TO THIS PRIVACY POLICY

We are constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time. We will alert you to changes by placing a notice on the WHOOP website, by sending you an email, and/or by some other means. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes.

14. CONTACT US

If you have any questions or concerns regarding our privacy policies, please send us a detailed message to privacy@whoop.com or at the mailing address below.

Whoop, Inc. Attn: Legal Department One Kenmore Square, #601 Boston, MA 02215

15. PRIVACY NOTICE FOR CALIFORNIA RESIDENTS

We are providing this supplemental privacy notice to consumers in California, pursuant to the California Consumer Privacy Act of 2018 (the “CCPA”).

We do not sell Personal Data. As we explain in this Privacy Policy, we use Cookies and other tracking technologies to analyze website and application traffic and use, and to facilitate advertising. To limit use of Cookies and other tracking technologies, please review the instructions provided in the “Online tracking opt-outs” section. You may also direct us to share your data, as described in the “How You Share Personal Data Through WHOOP” section of the Privacy Policy.

California Privacy Rights. If you are a California resident, you have the following rights:

  • Information: The Privacy Policy describes the types of Personal Data we collect in the “Personal Data We Collect ” section above and the sources through which we collect Personal Data in the “How We Collect Personal Data section above. We describe the purposes for which we use and share this data in the “How We Use Personal Data section above and the “How We Share Personal Data section above.
  • Access: You can request a copy of the personal information that we maintain about you.
  • Deletion: You can ask to delete the personal information that we have collected from you.
  • Opt-out of sale of your Personal Data: We do not sell Personal Data. We offer instructions on how to limit online tracking in the “Online tracking opt-outs” section of the Privacy Policy.

Please note that the CCPA limits these rights by, for example, prohibiting businesses from providing certain sensitive information in response to an access request and limiting the circumstances in which they must comply with a deletion request.

You are entitled to exercise the rights described above free from discrimination.

Exercising your rights. To exercise these rights, you can submit requests as follows:

  • To request access to or deletion of Personal Data collected via your use of the Services, please either (i) contact support.whoop.com; (ii) use the “Data Management” feature available on the WHOOP Privacy Center; or (iii) email us at privacy@whoop.com. privacy@whoop.com.
  • To learn how to opt-out of interest-based ads and other online tracking, see the “Online tracking opt-outs” section of the Privacy Policy.
  • To verify your identity prior to responding to your requests, we may ask you to confirm information that we have on file about you or your interactions with us. Where we ask for additional Personal Data to verify your identity, we will only use it to verify your identity or your authority to make the request on behalf of another consumer.
  • Authorized agents: California residents can empower an “authorized agent” to submit requests on the resident’s behalf. Your authorized agent may submit requests in the same manner, although we may require the agent to present signed written permission to act on your behalf, and you may also be required to independently verify your identity with us and confirm that you have provided the agent permission to submit the request.

16. PRIVACY NOTICE FOR EUROPEAN RESIDENTS

If you are a resident of the European Economic Area, the United Kingdom, or Switzerland (collectively, “Europe”), you may have additional rights under the General Data Protection Regulation (the “GDPR”) or other European data protection legislation.

Controller and European Representatives. WHOOP, Inc. will be the controller of your Personal Data processed in connection with the Services. Our contact information is as follows:

Whoop, Inc. Attn: Data Protection Officer One Kenmore Square, #601 Boston, MA 02215privacy@whoop.com

Our EU representative is:

70 Sir John Rogerson’s Quay Dublin 2 Dublin, D02 R296, Ireland

Our UK representative is:

DP Data Protection Services UK Ltd. Attn: Whoop, Inc. 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom

You may contact any one of the above representatives at: whoop@gdpr-rep.com

Legal bases for processing. The “How We Use Personal Data” section above explains how we use your Personal Data. We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity and our “legitimate interests” or the legitimate interest of others but will depend on the type of Personal Data and the specific context in which we process it. However, the legal bases we typically rely on for each category of processing activity are set out below.

  • Service delivery: Processing is necessary to perform our contract, or to take steps that you request prior to engaging our Services. Where we cannot process your Personal Data as required to operate the Services on the grounds of contractual necessity, we process your personal information for this purpose based on our legitimate interest in providing you with the products or Services you access and request.
  • Research and development: These activities constitute our legitimate interests.
  • Marketing and advertising: Processing is based on your consent where that consent is required by applicable law. Where such consent is not required by applicable law, we process your personal information for these purposes based on our legitimate interests in promoting our business.
  • Compliance and protection: From time to time we may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.
  • Consent: To the extent that Wellness Data that we collect is considered health data or another special category of Personal Data subject to the GDPR, we ask for your explicit consent to process this data. You can use your account settings and tools to withdraw your consent at any time, including by unpairing your WHOOP Strap, stopping use of a feature, removing our access to a Third-Party service, or deleting your data or your account. In addition, in some cases, such as when you direct us to share it, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, you have the right to withdraw it any time in the manner indicated at the time you give consent or in as listed in our Services.

We may use your Personal Data for reasons not described in this Privacy Policy where permitted by law and where the reason is compatible with the purpose for which we collected it. If we need to use your Personal Data for an unrelated purpose, we will notify you and explain the applicable legal basis.

Retention. To determine the appropriate retention period for your Personal Data, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Data subject rights. You have certain rights with respect to your Personal Data, including:

  • Access. You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. You can also access certain of your Personal Data by logging into your account or via the “Data Management” feature available in the WHOOP Privacy Center.
  • Rectification. If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. You can also correct some of this information directly by logging into your account.
  • Erasure. You can request that we erase some or all of your Personal Data from our systems.
  • Withdrawal of consent. If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Services.
  • Portability. You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.
  • Objection.You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.
  • Restriction of processing: You can ask us to restrict further processing of your Personal Data.
  • Right to file a complaint. You have the right to lodge a complaint about our practices with respect to your Personal Data with the supervisory authority of your country or European Economic Area Member State.

For more information about these rights, or to submit a request, please email whoop@gdpr-rep.com or privacy@whoop.com. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.

Processing of Personal Data in the United States. To provide the Services, we will process your Personal Data in the United States, where WHOOP is based. If such processing involves the transfer of Personal Data to the U.S. in a manner governed by European data protection law, the transfer will be performed pursuant to the applicable requirements of the law, such as standard contractual clauses, the individual’s consent, or other circumstances permitted by European data protection law.

Privacy Shield Certification. WHOOP certified to the EU-U.S. Privacy Shield Framework set forth by the U.S. Department of Commerce regarding the collection and use of Personal Data transferred from the EU to the U.S. For more information about the Privacy Shield Program, and to view our certification, please visit www.privacyshield.gov.

Although WHOOP no longer relies on the Privacy Shield Framework to facilitate cross-border data transfers, WHOOP remains committed to the Privacy Shield Principles of (1) notice, (2) consent, (3) accountability for onward transfer, (4) security, (5) data integrity and purpose limitation, (6) access, and (7) recourse, enforcement, and liability with respect to all Personal Data received from within the EU in reliance on the Privacy Shield before it was invalidated. The Privacy Shield Principles require that we remain potentially liable if any Third-Party processing Personal Data on our behalf fails to comply with these Privacy Shield Principles (except to the extent we are not responsible for the event giving rise to any alleged damage). Our compliance with the Privacy Shield is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Please contact us at privacy@whoop.com with any questions or concerns relating to our Privacy Shield Certification. If you do not receive timely acknowledgment of your Privacy Shield-related complaint from us, or if we have not resolved your complaint, you may also resolve a Privacy Shield-related complaint through JAMS, an alternative dispute resolution provider located in the United States. You can visit https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim for more information or to file a complaint, at no cost to you. Under certain conditions, you may also be entitled to invoke binding arbitration for complaints not resolved by other means.

If you have any questions about this section or our data practices generally, please contact us at privacy@whoop.com or using the contact information above.

17. PRIVACY NOTICE FOR QATAR RESIDENTS

Data Subject Rights

If you reside in Qatar, you have the following rights:

  • right to protection and lawful processing;
  • right to withdraw consent;
  • right to object to processing in certain circumstances;
  • right to erasure;
  • right to request correction;
  • right to be notified of processing;
  • right to be notified of inaccurate disclosure; and
  • right to access personal data.

If you reside in Qatar, you have the right to lodge a complaint with a supervisory authority, in addition to other rights set out in the Privacy Notice. The details of the supervisory authority is as follows:

National Cyber Governance and Assurance Affairs

Email: privacy@ncsa.gov.qa.

Basis of Lawful Processing

WHOOP processes End User Personal Data on the following grounds:

  • Consent: When you have provided your consent or, in the case of sensitive personal information, when you have provided your explicit consent, to our collection of your information and we have obtained permission from the supervisory authority set out above;
  • Legitimate interests: When WHOOP has a legitimate business or commercial reason for using your information, and your interests and your fundamental rights do not override those interests. We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests. You can obtain information on any of our balancing tests by contacting us using the details set out later in this notice; and/or
  • Legal obligation: When we need to comply with a legal or regulatory obligation.

Before collecting or using any special categories of data (referred to as sensitive personal information in the Privacy Notice), we will only use that information:

  • With your explicit consent; and
  • After having have obtained the permission of the supervisory authority set out above.

WHOOP may process your Personal Data on more than one ground depending on the reason or grounds for using your Personal Data. Please contact us if you need details about the specific grounds we are relying on to process your Personal Data.

Personal Data of Children

If you are under the age of 18, please do not attempt to register for the Services or send any Personal Data about yourself to WHOOP. If we learn that we have collected Personal Data from an unauthorised minor, we will promptly delete that information from our platform. If you believe that an unauthorised minor may have provided us Personal Data, please contact us at privacy@whoop.com.

Security Measures

WHOOP ensures that adequate security measure comprising industry-standard encryption, regular cybersecurity assessments, continuity and disaster recovery testing, and robust access controls are implemented to protect the confidentiality, integrity, and availability of your personal information are implemented. Please contact us if you want more information on how we protect your personal information.

Transfer of Personal Data

In order to provide the Services, WHOOP will transfer your Personal Data to the United States. WHOOP will ensure that adequate safeguards are implemented if and when we need to transfer Personal Data outside of Qatar so that a similar degree of protection is afforded to it. Please contact us if you want more information on how we transfer and protect your Personal Data outside of Qatar.

18. DEFINITIONS

We use some specifically defined terms in our Privacy Policy and when we communicate about our Privacy Policy. We want to be clear on how the terms we use are defined to help you better understand our policies.

WHOOP Coach: WHOOP StrapWHOOP, we, us, ourWellness Data

Aggregated Data: Aggregated Data is data that has undergone a process whereby raw data is gathered and expressed in a summary form for statistical analysis. Raw data can be aggregated over a given time period, across individuals, or both, to provide statistics such as average, minimum, maximum, sum, and count. After the data is aggregated analysis can be performed to gain insights about particular data sets. When data is aggregated across a number of individuals, the resulting aggregation is considered anonymized such that it is no longer Personal Data. See our Privacy Policy here for more information on how we use Aggregated Data.

CCPA: The California Consumer Privacy Act, or CCPA, is a state law that provides California consumers with robust data privacy rights. These rights include the right to know, the right to delete, and the right to opt-out of “sale” of personal information that businesses collect, as well as additional protections for minors. A “sale” under the CCPA is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or to a third party for monetary or other valuable consideration.” See our Privacy Policy here for more details on the information we may share with others.

Cookies: Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular user and website, and can be accessed either by the web server or the user computer. This allows the server to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and is therefore able to carry information from one visit to the website (or related site) to the next. See our Privacy Policy here to learn about cookies and how they are used on our websites.

De-Identified Data: De-Identified Data is data where all the personally identifiable information has been removed, rendering the data anonymous by stripping out information that would allow an individual’s identity to be determined from the remaining data. Data is “de-identified” to protect the privacy and identity of individuals associated with the data. De-identified Data is no longer Personal Data. See our Privacy Policy here for more information on how we use De-identified Data.

GDPR: The General Data Protection Regulation, or GDPR, is a data privacy and security regulation under European law that sets guidelines for the collection and processing of personal information from individuals who live in the European Economic Area, Switzerland and United Kingdom (collectively, “Europe” or “European”). The GDPR provides data protection rights to European residents and applies to any organization that offers goods or services to individuals in Europe, even if that organization is not based in Europe. See our Privacy Policy here for more information on the data rights available to European residents.

IP Address: An IP Address is a unique address that identifies a device on the internet or a local network. It allows a system to be recognized by other systems connected via the internet protocol. An IP Address may be considered Personal Data and is at times used by advertisers to serve interest-based ads. See our Privacy Policy here for details on how we share Personal Data.

Personal Data: Personal Data is any data that identifies or relates to you as a particular individual, including information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules, or regulations. See our Privacy Policy here for an outline of the ways in which we use, collect, and share Personal Data.

Services: Services means, collectively, our websites and mobile apps, any software embedded within the WHOOP Strap, and any features, content, or applications offered, from time to time, by WHOOP in connection therewith.

Third Parties: Third Parties in the context of the relationship between WHOOP, WHOOP Members (our end users), and third parties are entities or businesses involved in an arrangement, contract, deal, or transaction but are not one of the principals (i.e., WHOOP or WHOOP Members). We use Third Parties to enable us to do business with our members, such as charging for transactions or storing data. Third Parties also include advertisers that serve interest-based ads to visitors to our website. See our Privacy Policy here for more information on the Third Parties that do business with WHOOP.

WHOOP Coach: The WHOOP Coach is an advanced generative AI feature that helps members understand and make progress to their goals, deciphers WHOOP concepts and provides educational guidance, and integrates with the rest of the WHOOP experience.

WHOOP Strap: Your WHOOP Strap is a wearable sensor that, when used in connection with the Services, collects certain types of Personal Data.

WHOOP, we, us, our: The terms “WHOOP,” “we,” “us,” or “our” mean Whoop, Inc. and each of its wholly owned subsidiaries.

Wellness Data: Wellness Data is (a) data collected by your WHOOP Strap and sent to the WHOOP platform, including your heart rate, heart rate variability, sleep duration, respiratory rate, skin temperature, blood oxygen saturation level, and data such as the type of activity you engage in and the duration of your physical activity; and (b) any additional information you chose to enter during the use of our Services, such as information about your health and wellness, including information collected from accounts, devices, or features that you link with your WHOOP account. See our Privacy Policy here for additional details on Wellness Data