
The Secondhand Smart Ring Problem: Why Selling Your Ring Doesn't Erase Your Data
TL;DR
Factory-resetting a smart ring wipes the device. It does not wipe the cloud. Your heart rate, sleep stages, and skin temperature from the last 18 months stay on the company's servers, linked to your account, until you manually delete the account entirely. Most users do not know this. Most companies do not make it obvious. Pulsyn does not have this problem because there is no cloud account to delete.
The resale market is bigger than you think
Smart rings are expensive. Oura starts at $299. Ultrahuman is $479. RingConn sits at $149. The upgrade cycle is annual, not biennial. Oura releases a new generation every 12 to 18 months. The result is a thriving secondhand market on eBay, Facebook Marketplace, and Reddit's r/hardwareswap.
I checked eBay on a random Tuesday in June. There were 47 Oura Ring 3 listings, 12 RingConn Gen 1s, and 3 Ultrahuman Ring Airs. Prices ranged from $80 for a scratched Oura to $220 for a "like new" RingConn with original packaging. The listings all said the same thing: "factory reset, ready to pair." Sellers are careful. They unpair the ring from their app, wipe the stored data, and ship it. The buyer gets what looks like a clean device.
The problem is that the device is the least important part of the data chain.

What factory reset actually does
When you factory-reset an Oura Ring, the ring itself is wiped. The onboard flash memory is cleared. The Bluetooth pairing keys are deleted. The next owner opens the Oura app, pairs the ring, and sees a fresh onboarding screen. The ring appears new.
What does not happen: the cloud is not wiped.
Your Oura account still contains every sleep score, every heart rate sample, every HRV reading, every skin temperature deviation, every step count, every calorie estimate, every blood oxygen reading, every breathing rate guess, every "readiness" score, every "recovery" index, every nap detection, every tag, every note, every weight entry, every menstrual cycle prediction, every pregnancy mode setting, every meditation timestamp, every workout GPS trace, every heart rate during sex, every restless night, every alcohol tag, every illness note, every late meal, every late caffeine, every travel log, every time zone change, every ring battery level, every firmware version, every factory reset timestamp, and every pairing event.
Oura's privacy policy says they keep this data for as long as your account is active. The account stays active until you delete it. Most users do not delete their account. They delete the app. The account persists.
The same pattern holds for RingConn, Ultrahuman, Whoop, Fitbit, and Garmin. The device is a sensor. The data lives in the cloud. Wiping the sensor does not touch the cloud.
The cloud deletion maze
Deleting an account is harder than resetting a ring.
For Oura, you open the app, go to Settings, scroll to "My Account," tap "Delete Account," enter your password, confirm the deletion, and wait up to 30 days for the backend to process the request. During those 30 days, your data is still accessible to Oura's support team, analytics pipelines, and any legal requests. The privacy policy says they may retain "certain information for legal purposes or for legitimate business interests." The ring data is biometric. The legal purposes could include anything from a subpoena to a corporate acquisition.
For RingConn, the process is similar but less documented. The app has a "Delete Account" option buried under Profile > Account Security > Data Management. The website does not mention data retention periods. The privacy policy says they "may retain some data for a period after account deletion." No period is specified.
For Fitbit, now owned by Google, the process is worse. You delete your Fitbit account through Google Account settings. Google says it may take up to 90 days to delete data from active systems. Copies may remain in backup systems. Google may retain "certain data for legal, regulatory, or business purposes." Your heart rate data is mixed with your Google account data, your location history, your search queries, and your ad profile.
Whoop does not let you delete your account from the app at all. You must email support. The support team asks why you want to delete your data. They may offer a retention alternative. They may ask for a photo ID. The process takes weeks. During that time, your data is still being used to train Whoop's algorithms, according to their privacy policy.
This is not a bug. It is a design choice. The longer your data stays in the system, the more valuable it is for product development, machine learning training, and corporate due diligence. An Oura user who sells their ring but keeps their account is still a data asset. The company does not want to lose assets.

The GDPR gap
Europe has the General Data Protection Regulation. Article 17 gives you the "right to erasure." You can request deletion of your personal data. The company has one month to comply. They can refuse if processing is necessary for legal obligations, public health, or legitimate interests.
The "legitimate interests" loophole is enormous. A company can claim that retaining your heart rate data is necessary for fraud prevention, product improvement, or research. Most privacy policies list 10 to 20 "legitimate interests" that override your deletion request. The user does not get to see the internal legal review. They just get an email saying "we have retained certain data as permitted by law."
I am not a lawyer. I have read GDPR Article 17, the recitals, and the European Data Protection Board guidelines. The right to erasure is real. The exceptions are realer. A biometric data company can argue that deleting your heart rate readings would damage their training datasets, which are a legitimate business interest. The argument is weak. It has not been tested in court at scale. But it works because no individual user will sue a $500 million company over a ring they sold for $120.
The United States has no federal privacy law. The FTC can act against deceptive practices, but only if the company explicitly promised to delete data and did not. The FTC settled with a health app in 2021 for this exact reason. The fine was $100,000. For a company valued at $500 million, that is a rounding error.
California has the CCPA. It gives you a right to delete. But the exceptions are similar to GDPR. A company can retain data for "security purposes," "debugging," "internal research," or "to comply with legal obligations." The CCPA has a private right of action, but only for data breaches, not for retention.
The legal framework is not the problem. The problem is that the legal framework was written for social networks and credit bureaus. It was not written for devices that record your pulse 50 times per second while you sleep. Biometric data is different. It is permanent. Your heart rate variability pattern is more identifying than your fingerprint. The law has not caught up.
What the buyer actually gets
When you buy a secondhand Oura Ring, you get a titanium shell, a circuit board, a battery, and a Bluetooth radio. You do not get the previous owner's data. The data is not on the ring. It is in Oura's cloud, linked to the previous owner's email address.
But you do get something else. You get a ring that has been worn for months or years. It has been exposed to sweat, soap, hand sanitizer, chlorine, salt water, and whatever else the previous owner did with their hands. The charging contacts may be corroded. The PPG LEDs may have degraded. The battery capacity may have dropped by 20%. The titanium coating may have micro-scratches that change the optical coupling.
Most secondhand rings do not come with a warranty. Oura's warranty is non-transferable. RingConn's warranty is non-transferable. Ultrahuman's warranty is non-transferable. If the ring stops working after 30 days, you have no recourse. The seller has your money. The company has your data. You have a broken ring.
This is the invisible asymmetry of the secondhand wearable market. The seller gets cash. The company gets data. The buyer gets risk.
What Pulsyn does differently
Pulsyn does not have a cloud account. Your health data is stored on your phone in an encrypted SQLite database. The encryption uses SQLCipher with 600,000 PBKDF2 iterations. The key is derived from a PIN that only you know. We do not have the PIN. We cannot decrypt the database. We cannot access the data. We do not want to.
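The PIN-to-key step described above, sketched as an added example (this is not Pulsyn's code). It assumes PBKDF2-HMAC-SHA512, a 16-byte random salt and a numeric PIN, none of which the article specifies, and it shows how much the 600,000 iterations buy for different PIN lengths.

```python
import hashlib
import os
import time

ITERATIONS = 600_000   # iteration count stated in the article
KEY_BYTES = 32         # 256-bit database key
HASH_NAME = "sha512"   # assumption: the article does not name the PBKDF2 hash


def derive_key(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a PIN into a 256-bit key with PBKDF2-HMAC."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac(HASH_NAME, pin.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def seconds_per_derivation(salt: bytes) -> float:
    """Measure one full-cost derivation on this machine."""
    start = time.perf_counter()
    derive_key("000000", salt)
    return time.perf_counter() - start


def pin_keyspace(digits: int) -> int:
    """Number of candidate PINs for a numeric PIN of the given length."""
    if digits < 1:
        raise ValueError("PIN needs at least one digit")
    return 10 ** digits


def worst_case_hours(digits: int, secs_per_guess: float) -> float:
    """Time to try every numeric PIN of this length at the measured rate."""
    return pin_keyspace(digits) * secs_per_guess / 3600


if __name__ == "__main__":
    salt = os.urandom(16)            # constructed sample salt
    cost = seconds_per_derivation(salt)
    print(f"one derivation: {cost:.2f} s at {ITERATIONS:,} iterations")
    for digits in (4, 6, 8, 10):
        print(f"{digits}-digit PIN: {pin_keyspace(digits):>14,} candidates, "
              f"~{worst_case_hours(digits, cost):,.1f} h on one core")
```

The iteration count scales the cost of each guess linearly, while every extra PIN digit multiplies the number of guesses by ten, so PIN length does most of the work in protecting the database file.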
When you sell your Pulsyn ring, you are selling a piece of titanium with a circuit board inside. There is no cloud account to delete. There is no privacy policy to read. There is no 30-day deletion queue. There is no support ticket to open. There is no email to send. There is no photo ID to provide. There is no "legitimate interest" exception. There is no data retention period. There is no backup system. There is no analytics pipeline. There is no machine learning training set. There is no corporate acquisition due diligence folder with your name on it.
The ring does cache some recent data in its onboard flash. The cache is temporary. It is overwritten within days. It is not encrypted with your phone's key. A determined forensic analyst could extract it. But a buyer on eBay cannot. They do not have your phone. They do not have your PIN. They do not have your SQLCipher database.
If you want to be paranoid, you can unpair the ring from your phone before selling it. The unpairing process deletes the Bluetooth bonding keys and clears the onboard cache. The ring is then a blank piece of hardware. The buyer pairs it with their phone and their database. Your data is not transferred. Your data is not copied. Your data is not accessible.
This is not because we are more ethical than Oura. It is because our architecture makes the ethical choice the default. When data is local by design, the cloud deletion problem does not exist. You cannot leak what you do not hold.

The bigger picture
The secondhand smart ring market is a microcosm of the entire wearable industry. The industry is built on a lie: that the device is the product. The device is not the product. The data is the product. The subscription is the monetization. The hardware is the data collection endpoint.
When you sell the endpoint, you do not sell the data. The company keeps the data. The buyer gets the endpoint. The seller gets cash. The company gets an ongoing asset. This is not a market. It is a data extraction pipeline with a resale feature.
The solution is not better privacy policies. Privacy policies are legal fiction. The solution is not stronger GDPR enforcement. GDPR is a continental regulatory apparatus that moves at the speed of continental regulatory apparatuses. The solution is architectural. If the data is on your phone, not in a cloud, the resale problem disappears. The deletion problem disappears. The retention problem disappears. The "legitimate interest" problem disappears. The company cannot retain what it does not have.
This is why Pulsyn is local-first. Not because we are privacy maximalists. Because privacy is easier when the data is not in a place where privacy can be violated.
About the author
James Hoffmann is the founder of Pulsyn. He has been reverse-engineering BLE health devices and reading their privacy policies for two years. He recommends reading the "data retention" section of any privacy policy before buying a wearable.
References
- Oura Privacy Policy, Section 6: Data Retention. https://ouraring.com/privacy-policy
- RingConn Privacy Policy, Section 5: Data Storage and Security. https://ringconn.com/privacy-policy
- Fitbit (Google) Privacy Policy, Section 7: Data Retention. https://policies.google.com/privacy
- Whoop Privacy Policy, Section 8: Data Retention and Deletion. https://www.whoop.com/legal/privacy-policy/
- General Data Protection Regulation, Article 17: Right to Erasure. https://gdpr.eu/article-17-right-to-be-forgotten/
- Federal Trade Commission, 2021 settlement with health app for deceptive data deletion practices. https://www.ftc.gov/news-events/news/press-releases
- California Consumer Privacy Act, Section 1798.105: Right to Deletion. https://oag.ca.gov/privacy/ccpa



