A pile of obsolete technology and electronic waste in a dimly lit storage space. The physical remnants of devices that outlived their cloud backends.

What Happens to Your Health Data When the Company Dies

James Hoffmann
June 7, 2026 · 13 min read

TL;DR

When Intel shut down Basis in 2016, the devices did not break. The servers did. Two years of continuous heart rate, sleep, and stress data vanished because the cloud backend got a kill order from a balance sheet. The cloud model turns your health history into a loan. The company owns the vault, and the vault disappears when the CFO says so. Pulsyn stores everything on your phone because your phone is the only piece of hardware in this chain that you actually own, and the only one that will still be here in ten years.

An old fitness tracker left in a drawer, its screen dark and strap cracked. The kind of device that still works but has nowhere to sync to anymore.

When Basis died

I keep a Basis Peak in my desk drawer. It is a chunky black fitness tracker with a square screen and a PPG sensor array that was, in 2014, genuinely impressive. The device still powers on. The heart rate LED still flares red when I press the side button. But it is a brick. On January 1, 2017, Intel shut down the Basis servers, and the app stopped authenticating. The web dashboard became a redirect to an Intel support page. Every run, every nap, every overnight heart rate trace that users had accumulated was still on the servers for a few weeks, then gone.

Basis was not a crowdfunded gamble. It was a $200 product from Intel, a Fortune 500 company with a market cap that hovered around $150 billion at the time. The Peak had received FDA clearance for its optical heart rate technology. It measured perspiration, skin temperature, and heart rate simultaneously, which was rare in 2014. Intel acquired Basis Science for a reported $100 million in 2014 because it wanted a wearable platform for its Quark processors. Then the Quark division missed its targets. Then the wearables group missed its targets. On November 3, 2016, Intel announced it was "discontinuing" the Basis platform. Users got fifty-three days of warning.

The shutdown was not malicious. It was efficient. Maintaining a cloud backend costs money. The database servers, the API endpoints, the authentication layer, and the iOS app updates all require engineering time. When a division is losing money, the first thing that dies is the user-facing infrastructure. The hardware survives because it has no ongoing cost. The data dies because it does.

I did not export my Basis data. I did not know I needed to. The app never warned me that my history was a rental. That is the core deception of the cloud wearable model. The device feels like a purchase. The data feels like a diary. The legal reality is a subscription to a database that can be terminated without cause.

The cloud contract nobody reads

Every wearable company writes the same thing in its Terms of Service, and almost nobody reads it. Fitbit's current terms state that the company can "suspend or terminate your access to the Services at any time, with or without cause, and with or without notice." Oura's terms reserve the right to "discontinue the Services or any portion thereof at any time." Whoop's terms are more direct. If your subscription lapses, "your account and data may be deleted."

The legal language is bland by design. "Discontinue the Services" sounds like a temporary outage. It is not. It means the database can go offline, the app can stop authenticating, and your historical data can be rendered inaccessible without a refund, a download link, or a funeral announcement. You do not own the data in any meaningful sense. You own a license to view it through a client that the company controls, and that license expires when the company's balance sheet says it should.

This is not a theoretical risk. In 2023, Fitbit removed the ability to sync data with third-party apps without warning, breaking integrations that users had relied on for years. In 2024, Google announced it was migrating Fitbit accounts to Google accounts, a process that deleted some users' historical data during the transfer. The company called it a "technical issue." The users called it losing their running logs from 2015.

The cloud model is convenient until the entity that owns the servers decides convenience is no longer profitable. At that point, the data you generated with your own body becomes a liability on someone else's spreadsheet.

A dark abandoned server room with rows of silent racks. The physical place where your health data lives, and where it dies when the hosting bill stops getting paid.

The acquisition shuffle

Wearable companies do not just shut down. They get bought, and the buyer's priorities rarely include your historical data.

Jawbone was once the darling of Silicon Valley wearables. It raised $930 million in funding. Its UP trackers were in Target and Best Buy. In 2017, the company entered liquidation. The UP app stopped syncing. The data servers stayed online for a few months, then went dark. Jawbone's user data was not sold to a competitor. It was not transferred to a nonprofit archive. It was erased, because storing it cost money and the liquidator had no obligation to keep paying AWS bills for a dead product.

Misfit followed a different path. Fossil acquired it in 2015 for $260 million. Fossil itself sold its smartwatch IP to Google in 2024. The Misfit app still technically exists, but it has not been updated since 2022, and the community forums are full of users who cannot sync their Shine 2 trackers anymore. The data is not gone yet, but it is stranded on servers that no engineering team maintains.

Pebble is the closest analogue to a happy ending, and it still sucked. When Fitbit acquired Pebble in 2016, the company promised to keep services running. They did, for a while. Then Fitbit was acquired by Google, and Pebble's cloud services were handed to the Rebble community, a volunteer group of fans who reverse-engineered the API and keep it alive on donated server time. Your Pebble data survived only because a handful of people in a Discord server decided to pay the hosting bill. That is not a business model. That is a miracle.

The pattern is consistent. A wearable startup raises venture capital, builds a cloud backend, sells hardware at a loss or with a subscription, and then either dies or gets acquired. In every case, the user data is an afterthought in the transaction. The acquirer buys the brand, the patents, or the engineering team. They do not buy your 2017 sleep archive, and they do not want to pay to store it.

The GDPR paradox

European privacy law is supposed to protect your data. In practice, it sometimes makes company death easier.

The GDPR gives users the right to erasure, also known as the right to be forgotten. It requires companies to delete personal data when it is no longer necessary for the purpose for which it was collected. When a company shuts down, the data is definitely no longer necessary. The liquidator can argue that continuing to store user data violates the GDPR, because there is no active business purpose and no data protection officer to manage the risk. Deletion becomes the legally safer option.

This creates a paradox. The law that was designed to give users control over their data becomes a justification for wiping it out entirely. A company that wanted to be virtuous could transfer its user database to an open archive or a competitor. But the GDPR makes that transfer legally complicated. You need consent for the new data controller. You need a data processing agreement. You need to notify regulators. It is easier, cheaper, and legally safer to just delete everything.

I am not arguing against the GDPR. It is a good law that has forced companies to take privacy seriously. But it was written with active companies in mind, not dead ones. The legal framework for a graceful shutdown of a consumer health database does not really exist. The default outcome is deletion, and the law, in some cases, encourages it.

What local-first actually means

Pulsyn does not have a login screen. There is no user database on a server that we control. When the ring syncs with your phone, the data goes into a SQLCipher database that lives in your phone's sandboxed storage. The encryption key is derived from a PIN that never leaves the device. We do not know the PIN. We do not have a copy of the database. We cannot shut down a server and delete your data because we do not have your data.

This is not a marketing distinction. It is an architectural one. The cloud model requires the company to maintain a backend, pay for storage, manage authentication, and handle GDPR deletion requests. The local-first model requires none of that. The company builds firmware, an app, and a ring. The phone handles the rest.

The tradeoff is real. If you lose your phone and you have not backed up your data, it is gone. I am not going to pretend that local-first is magic. It is a different risk distribution. In the cloud model, you risk the company's solvency. In the local-first model, you risk your own backup discipline. I think the second risk is more manageable because you can control it, but that is an opinion, not a guarantee.

We are building export tools that let you dump your entire database to a SQLite file or a CSV. The file contains every raw sensor reading, every computed score, and every sleep stage annotation. You can open it in Python, import it into Excel, or archive it on a hard drive. We are also building encrypted backup to iCloud or Google Drive, which sounds like a cloud feature but is not. The backup is an encrypted blob that only your phone can decrypt. If Pulsyn disappears, the blob is still in your iCloud account, and you can still open it with the open-source decryption tools we will publish.

The technical details matter here. The database uses SQLCipher with AES-256 encryption. The key is derived from your PIN using PBKDF2 with 600,000 iterations. That is the OWASP 2023 recommendation for HMAC-SHA256. We are not making the number bigger to look serious. The recommendation goes up as hardware gets faster, and we will bump it when OWASP does. The database file is a standard SQLite format. Any SQLite tool can open it if you have the key. We are not building a proprietary format that locks you in. The lock is the encryption, and the encryption key is yours.
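To make those numbers concrete, here is an added sketch (written for this article, not Pulsyn's app code) of the PIN-to-key step with PBKDF2-HMAC-SHA256 at 600,000 iterations, plus the arithmetic for how much work factor that buys at different PIN lengths. The 16-byte random per-database salt, the numeric-only PIN, and all function names are assumptions.

```python
import hashlib
import os
import time

ITERATIONS = 600_000  # figure stated in the post (OWASP 2023, PBKDF2-HMAC-SHA256)
KEY_LEN = 32          # 256-bit key for AES-256


def derive_db_key(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a PIN into a 256-bit database key with PBKDF2-HMAC-SHA256."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac(
        "sha256", pin.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def pin_keyspace(digits: int) -> int:
    """Number of possible numeric PINs of the given length (assumed digits only)."""
    return 10 ** digits


def worst_case_seconds(digits: int, seconds_per_guess: float) -> float:
    """Total derivation time needed to cover every PIN of this length."""
    return pin_keyspace(digits) * seconds_per_guess


def measure_derivation(salt: bytes) -> float:
    """Wall-clock cost of one full-strength derivation on this machine."""
    start = time.perf_counter()
    derive_db_key("000000", salt)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample salt, generated once per database
    cost = measure_derivation(salt)
    print(f"one derivation at {ITERATIONS:,} iterations: {cost:.3f} s")
    # The iteration count multiplies the cost of each guess; the PIN length
    # sets how many guesses exist. Both matter once a backup file leaves the phone.
    for digits in (4, 6, 8, 10):
        hours = worst_case_seconds(digits, cost) / 3600
        print(f"{digits}-digit PIN: {pin_keyspace(digits):>14,} candidates, "
              f"about {hours:,.1f} CPU-hours to cover on this machine")
```

The iteration count only scales the per-guess cost, so the PIN length is what decides how well an exported or backed-up database holds up once it is stored outside the phone.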

A phone with a lock screen, sitting on a desk. The device that actually stores your health data, not a server farm in another state.

The edge cases

Local-first does not solve every problem. It solves the specific problem of company death, but it introduces others.

Phone migration is the first headache. When you buy a new phone, the database needs to transfer. On iOS, this happens automatically if you restore from an iCloud backup. On Android, it depends on the manufacturer's backup tool. We are building a direct phone-to-phone transfer over Bluetooth that does not touch the internet, but it is not ready yet. Until then, the export file is the migration path. You export before you trade in, and you import after you set up the new device.

Multi-device access is harder in a local-first model. If you want to view your Pulsyn data on a tablet or a web dashboard, you need the database to live somewhere accessible from both devices. That somewhere is usually a server, and a server is a cloud dependency we do not want. We are not building a web dashboard for this exact reason. The app is the interface, and the app lives on the phone that has the database. A web dashboard would require a sync server, and a sync server is a company asset that can be shut down. We would rather limit where you can view your data than introduce a new point of failure.

Company death also affects firmware. If Pulsyn dies, the app will still work on your phone for as long as the OS supports it. The ring will still collect data. But firmware updates will stop. If a future iOS or Android version breaks the Bluetooth stack in a way that breaks our BLE protocol, the ring might stop syncing. This is a real risk, and I do not have a perfect answer for it. Open-sourcing the firmware and the app is the only long-term mitigation I can think of, and we are committed to doing that if the company ever shuts down. The hardware would outlive the company only if the software is preserved.

The premium tier adds a wrinkle. The optional $10 per month cloud AI tier does store data on a server, because that is what cloud AI requires. We are designing it so that the cloud only sees the data you explicitly choose to send, and you can cancel the premium tier without losing your local data. The local database is the source of truth. The cloud is an optional mirror. If the premium tier dies, you lose the AI features, not your history. Your sleep scores from last year do not evaporate because you stopped paying for cloud analysis.

Then there is the data broker problem. Even if a company does not shut down, it might sell your data. This is not a hypothetical. Fitbit's data-sharing partnerships with insurance companies and health research firms have been documented for years. Oura's 2025 Pentagon contract is a matter of public record. When your data lives on a server, the company can monetize it in ways you did not agree to, or at least did not read the agreement for. When your data lives on your phone, the only way to monetize it is to steal your phone, and that is a much harder crime.

I am not sure if local-first is the right model for every health device. A hospital needs centralized records. A research study needs aggregate data. But for a consumer wearable, the local-first model is the only one that makes the user a customer instead of a data source. We are building the ring we want to exist, and we want to exist without asking anyone to trust our runway.


About the author

James Hoffmann is the founder of Pulsyn. He started reverse-engineering BLE health devices in 2023 and has been trying to build a wearable company that does not require its users to trust its balance sheet.

