Your Fitness Tracker Data Has Few Legal Protections

Wearables like Oura and Whoop collect detailed health data that isn't covered by HIPAA. Here's where that data goes, and how it could affect insurance.

If you wear a fitness tracker or smart ring, it’s quietly building one of the most detailed health records that exists about you — heart rate, sleep stages, blood oxygen, skin temperature, activity levels, sometimes even early signs of illness before you feel sick. It’s genuinely useful data. It’s also, in most cases, not protected the way you’d assume health data should be.

A note your doctor writes in your chart is covered by HIPAA, with strict rules about who can access it and how it can be shared. The far more detailed, continuous stream of biometric data your smartwatch or ring collects every night is generally not — because the company that makes it isn’t a HIPAA-covered entity. That gap has become a bigger deal as wearables have moved from step-counters to devices that track things closer to medical-grade health metrics.


The HIPAA Gap, Explained

HIPAA applies to “covered entities” — health plans, healthcare providers, and the businesses that handle data on their behalf. Consumer wearable companies like Fitbit, Garmin, Apple, Whoop, and Oura don’t fall into those categories, even though the data they collect can look a lot like medical information.

This means the same data point — say, your resting heart rate trend over a month — has very different legal protections depending on whether it was recorded by a doctor’s office device or a consumer wearable. The wearable version sits in what’s been described as a largely unregulated privacy gap at the federal level: covered by the company’s own privacy policy and terms of service, and by general consumer protection law, but not by the framework built specifically for health information.

There’s a push to close this gap — legislation has been proposed that would extend HIPAA-like protections to wearable health data — but as of now, it remains proposed rather than in effect.


Where This Data Actually Goes

Wearable companies generally don’t sell your raw biometric data to data brokers in the way some other industries do, but the data does move in ways that are worth understanding.

It’s used to power the product itself — sleep scores, readiness scores, and trend analysis all require your historical data to be stored and processed, often in the cloud rather than only on the device.

It can be shared with “service providers” and partners — analytics companies, advertising partners, and other third parties named in privacy policies, depending on the specific terms each company has agreed to. Whoop currently faces a class-action lawsuit in California alleging its data-sharing practices with advertising partners violate the state’s privacy laws.

Retention after account deletion isn’t always immediate or complete. Oura faces a lawsuit in Illinois alleging it retains biometric data — including heart-rate signatures that can function like a fingerprint — indefinitely even after a user deletes their account, in alleged violation of that state’s biometric privacy law.

These are allegations working through the courts, not settled facts about every company’s practices — but they illustrate the kind of data-handling questions that exist in a category without a dedicated regulatory framework.


The Insurance Question

The part of this that tends to surprise people most is insurance.

Some insurers already run voluntary programs where sharing wearable data — steps, activity, sometimes sleep — can lead to discounts on premiums. Framed as a wellness benefit, these programs are opt-in, and many people enjoy the discounts they offer.

The concern is about the direction this could go. In 2025, the National Association of Insurance Commissioners issued guidance warning that using consumer wearable data — including fitness tracker data — in insurance underwriting raises “significant concerns about unfair discrimination.” That guidance is non-binding, and as of now, no state has passed legislation specifically restricting how insurers can use fitness tracker data obtained outside of a formal wellness program.

In practice, this means there’s currently no federal law preventing an insurer from using wearable health data — if they can obtain it — to inform decisions about your rates, beyond the voluntary, opt-in wellness programs that already exist. The gap isn’t that this is definitely happening at scale today; it’s that the guardrails against it happening are still mostly non-binding guidance rather than enforceable law.


What You Can Actually Do

You don’t have to stop using a wearable to be more deliberate about how its data is handled.

Read the data-sharing section of the privacy policy, not just the headline summary. The specific language about “service providers,” “partners,” and “advertising” is where the actual scope of sharing is defined — and it’s often more expansive than the marketing copy suggests.

Check what happens to your data if you delete your account. Some companies describe a clear deletion process; others are vaguer about retention timelines. If this matters to you, it’s worth checking before you’ve accumulated years of nightly data.

Be cautious about connecting wearable data to insurance programs beyond what you’ve explicitly opted into. Voluntary wellness discounts are one thing; broader data-sharing integrations between a wearable account and an insurer’s systems are worth understanding fully before enabling.

Export and keep your own copy of your data. Most wearable platforms let you export your historical data — sleep reports, activity summaries, health trends — as files. Having your own copy means you’re not solely dependent on the company’s retention policy for access to your own health history, and it gives you a record independent of any future changes to the company’s terms.


Where daftei Fits

If you export reports or summaries from a fitness tracker — a PDF of your annual health trends, screenshots of meaningful milestones, or data exports you want to keep for your own records — where you store that matters. A general cloud drive or photo library mixes these health-adjacent files in with everything else, subject to whatever AI features and indexing that service applies by default.

daftei gives you a private place for exports like these, separate from your everyday photo library. Everything is encrypted in transit with TLS 1.3 and at rest with AES-256, never used to train AI, never sold, and never shown to advertisers — a meaningfully different posture for data that, while not legally classified as a medical record, is about as personal as data gets.


The Bigger Picture

Wearable devices have gotten remarkably good at measuring the body — often catching things people wouldn’t otherwise notice. The data they generate deserves to be treated with the same care as other sensitive personal information, even though the law hasn’t fully caught up to that yet.

Until it does, the practical move is the same one that applies to most personal data: understand where it goes by default, use the export tools available to keep your own copy, and be thoughtful about which integrations — especially with insurers — you opt into beyond the basics.
