Smart Ring Data Privacy 2026: Where Does It Go?

Smart ring biometric data privacy compared: Oura, Ultrahuman, RingConn, Samsung. GDPR rights, cloud vs on-device processing, deletion paths.

Data privacy lock symbolising biometric data security on smart rings
Updated How we review →
By Rob Griffiths13 June 2026 · 9 min read

A smart ring sits on your finger 24/7 and captures the most intimate biometric signals you produce - resting heart rate, heart rate variability, blood oxygen, sleep stages, sometimes menstrual cycle - and almost all of this data leaves your finger and reaches a cloud server within minutes of being measured. Where that data goes, who can read it, what rights you have to delete it, and how the brand monetises the aggregate signal all differ meaningfully between the major smart ring brands. This guide compares the privacy positions of Oura, Ultrahuman, RingConn, and Samsung Galaxy Ring against the UK Data Protection Act 2018 and the EU's GDPR framework.

How do the four major smart ring brands compare on data privacy?

Oura Ring 4Ultrahuman Ring (Air + Pro)RingConn (Gen 2 + Gen 3)Samsung Galaxy Ring
Parent companyOura Health Oy (Finland - EU)Ultrahuman Healthcare Pvt Ltd (India)RingConn Co Ltd (China - parent); RingConn US Inc (US distribution)Samsung Electronics Co Ltd (South Korea)
EU/UK data locationEU AWS data centres (Ireland)Global AWS (US-East/EU-West) with EU residency optionUS data centres primarily; EU residency request availableSamsung EU data centres (Frankfurt)
GDPR controllerOura Health Oy under Finnish DPA supervisionUltrahuman with EU representativeRingConn US Inc for EU/UK usersSamsung Electronics (UK) Ltd for UK users
On-device vs cloudCloud-processed - raw signal uploaded for analysisCloud-processed for advanced metrics, on-device for raw sensorCloud-processed for analytics, on-device for raw sensorHybrid - core processing on Galaxy phone, sync to Samsung Health cloud
Deletion processIn-app: Settings > Privacy > Delete Account (immediate)Email [email protected] OR in-app deletionIn-app Settings > Account > Delete Account OR email privacy teamSamsung Health app: Settings > Privacy > Delete Data + account
Data exportGDPR-compliant CSV/JSON export via appJSON export via app + privacy requestCSV export via appSamsung Health export (XML/CSV)
Aggregate data useAnonymised research partnerships disclosed in privacy policyUsed for PowerPlugs algorithm training (anonymised)Limited disclosure - check the live privacy policySamsung Health Research opt-in research participation
Third-party sharingApple Health / Google Fit only if you opt inApple Health / Google Fit if you opt in; PowerPlugs partnersApple Health / Google Fit only if you opt inWithin Samsung ecosystem by default; explicit consent for external apps

What rights do UK and EU users have under GDPR?

The UK Data Protection Act 2018 and the EU's GDPR grant smart ring users specific rights that apply regardless of where the brand is headquartered, provided the brand processes data of UK or EU residents.

Right of access (Article 15). You can request a copy of all biometric data the brand holds about you. Smart ring brands typically fulfil this via in-app export functions; if the in-app export is incomplete, you can submit a Subject Access Request via email to the brand's privacy team. Response must be provided within 30 days.

Right to data portability (Article 20). You can request your biometric data in a structured, commonly-used, machine-readable format (typically JSON or CSV). This right lets you migrate your data to a different smart ring brand or to a personal health record without losing history.

Right to erasure (Article 17 - 'right to be forgotten'). You can request deletion of all biometric data the brand holds about you. The brand must comply within 30 days unless they have a specific legal basis to retain (typically there isn't one for smart ring data). After deletion, your historical sleep and HRV data is permanently gone - take an export first if you want to preserve it.

Right to restrict processing (Article 18). You can pause processing while disputes are resolved. Useful if you're querying inaccurate data or want to stop aggregate research use without full deletion.

Right to object to automated decision-making (Article 22). If a smart ring brand uses your data for automated profiling that produces legal or significant effects on you (typically not the case for current brands), you can object.

On-device vs cloud processing - what's the practical difference?

The trade-off between on-device processing and cloud processing is genuine for smart rings and affects both privacy and battery life.

On-device processing means the raw sensor data (PPG signal, accelerometer, skin temperature) is processed into useful metrics (heart rate, sleep stages, HRV) on the ring itself or on your phone before being synced to the cloud. The cloud sees the derived metrics, not the raw signal. Privacy advantage: less raw biometric signal leaves your body. Battery cost: more processing per session, marginal battery drain.

Cloud processing means the raw signal (or a richer subset of it) is uploaded to the brand's servers, where the analysis happens. Privacy cost: more granular data sits on the brand's infrastructure. Engineering advantage: the brand can improve the analysis algorithms over time and re-process historical data when models improve.

The current state of the market in 2026:

  • Cloud-heavy: Oura, RingConn (raw signal uploaded; analysis happens server-side)
  • Hybrid: Ultrahuman (raw sensor on-device, advanced metrics in cloud), Samsung Galaxy Ring (core processing on Galaxy phone, sync to Samsung Health)
  • Fully on-device: No major smart ring brand currently operates fully on-device. Apple has implied a roadmap commitment to this for future Apple Health products but none of the smart ring brands have made the same commitment.

For users who want maximum privacy on derived health metrics, the hybrid approach (Ultrahuman or Samsung) is the current best available. For users who want the brand to be able to apply algorithm improvements retroactively, the cloud-heavy approach (Oura) is a feature rather than a privacy concern.

How does aggregate data use compare across brands?

Beyond storing your individual data, smart ring brands use aggregated anonymised biometric data for two main purposes: algorithm improvement (training the sleep-stage classifier on millions of nights) and research partnerships (publishing population-scale studies). Each brand handles this differently.

Oura has the most transparent disclosure - their privacy policy specifically describes anonymised research partnerships with academic institutions including ongoing studies on sleep stages, menstrual cycle physiology, and COVID-19 early warning. Users can opt out of research use without losing core features.

Ultrahuman uses aggregated anonymised data for PowerPlugs algorithm training. The metabolism PowerPlug specifically depends on aggregate training data from CGM-paired users to refine the inference from HRV + skin temperature to glucose patterns. Less explicit about academic research partnerships.

RingConn has limited public disclosure on aggregate use. Their privacy policy mentions analytics and improvement but doesn't specify research partnerships. Users wanting precision should read the current privacy policy.

Samsung uses biometric data within the Samsung Health Research programme (opt-in only). Outside that programme, aggregate use is limited to algorithm improvement and the Samsung Health platform itself.

The cleanest privacy framing in 2026 is Oura's: explicit, opt-out-able, with named research partnerships disclosed in the policy. Users prioritising transparency over feature set should weight this strongly.

Frequently asked questions

Q01Can I delete my smart ring data permanently?
Yes - GDPR Article 17 gives UK and EU users the right to erasure for all major smart ring brands. The deletion process is typically a single in-app button (Settings > Account > Delete Account or similar) plus a confirmation email. After deletion, your historical biometric data is permanently removed within 30 days. Export the data first via the in-app export tool if you want to keep a personal copy.
Q02Where is my Oura Ring data physically stored?
For UK and EU users, Oura processes data in AWS EU (Ireland) data centres. For US users, data is in AWS US-East. Oura's Finnish controller status means EU/UK users are protected by both Finnish DPA supervision and direct GDPR rights, which is the strongest legal framework available for smart ring data.
Q03Does Ultrahuman send data to India?
Ultrahuman's parent company is based in India and processes data globally. For EU/UK users, the data residency option keeps storage in EU AWS, but some processing may still touch India under the parent company's operational structure. India's DPDP 2023 law provides some protections but is not currently considered GDPR-adequate. Users wanting strict EU data residency may prefer Oura.
Q04Is RingConn's Chinese parent company a privacy concern?
It depends on your threat model. For UK and EU users, RingConn's US distribution entity (RingConn US Inc) is the GDPR controller, and data is stored primarily in US data centres rather than China. RingConn has not published a SOC 2 or equivalent third-party audit, so independent verification of their data handling is limited. Users with specific concerns about Chinese-headquartered tech should weight this; users without those concerns get a credible smart ring at competitive pricing.
Q05Does my biometric data get shared with insurance companies?
Not without your explicit consent. No major smart ring brand currently shares individual user biometric data with insurance companies, employers, or health-related third parties without explicit user opt-in. Some users voluntarily share Oura data with insurance wellness programmes (UnitedHealthcare, John Hancock Vitality) for premium discounts - this is opt-in and you control the data flow.
Q06Which smart ring has the strongest privacy position in 2026?

Oura Ring 4 has the strongest combination of explicit policy transparency, EU data residency, opt-out research participation, and Finnish DPA supervision. Samsung Galaxy Ring is a close second for users in the Samsung ecosystem who prefer hybrid on-device processing. Ultrahuman and RingConn are competent but have more opaque parent-company arrangements that may matter to privacy-sensitive users.

Related guides

Smart Ring Health Metrics Explained

Smart Ring Health Metrics Explained

What each smart ring sensor actually measures - HRV, SpO2, sleep stages - and how the metrics map to insight.
Smart Ring Sleep Apnea Tracking

Smart Ring Sleep Apnea Tracking

FDA clearances and clinical pathway for sleep apnea screening on smart rings.
Smart Ring vs CGM

Smart Ring vs CGM

What each device measures and the regulatory framing - relevant to data privacy too.
Ultrahuman Ring Air vs Ring Pro

Ultrahuman Ring Air vs Ring Pro

Same-brand upgrade decision plus the Ultrahuman data and PowerPlugs marketplace context.