Samsung says they only collect your health data when you actively use their health features. But the Samsung Health app has permission to read your body sensors and track your location in the background — meaning it can monitor your heart rate, blood oxygen, and where you are around the clock, even when you're not using the app. Samsung was just caught by the Texas Attorney General secretly collecting TV viewing data every half-second and selling it to Google and Twitter without properly informing customers. They used the same trick with their TV that they use with the Galaxy Ring — bury the real privacy implications behind a single 'agree' button, where understanding what you're actually agreeing to would require reading 200+ screens of fine print.
What they claim: Samsung's Consumer Health Data Privacy Statement says they collect health data only 'when you use a service or specific feature that collects consumer health data' and states data is 'safely protected by Samsung Knox.'
What we found: The Samsung Health app requests the BODY_SENSORS_BACKGROUND permission, enabling continuous biometric data collection even when the app is not actively in use. Combined with ACCESS_BACKGROUND_LOCATION and FOREGROUND_SERVICE_HEALTH, the app can collect heart rate, blood oxygen, skin temperature, and location data 24/7 without the user ever opening it. The policy frames collection as user-initiated, but the permissions enable passive, continuous surveillance.
What they claim: Samsung's Customisation Service privacy notice describes collecting data to 'provide customized content and recommend products and services that may be of interest to you' — framing it as a personalization feature.
What we found: The Customisation Service actually collects: browsing history, search history, call logs, text message analysis, contacts (to determine 'closest relationships'), photo metadata (location and time), music listening habits, installed apps, device settings, and precise location. Samsung Health includes Google Firebase Analytics, Google CrashLytics, Google Tag Manager, and Samsung CMS trackers. The combination means biometric data from the Galaxy Ring (heart rate, sleep patterns, stress levels, menstrual cycles) flows through the same Samsung account ecosystem as the Customisation Service's behavioral profiling and advertising infrastructure.
What they claim: Galaxy Ring FCC filing shows the device uses BLE 5.4 only — no Wi-Fi, no cellular, no GPS — suggesting a privacy-respecting minimal design.
What we found: Despite the Ring's minimal radio capabilities, the paired Samsung Galaxy phone connects to Samsung endpoints including shealth.samsung.com, analytics.samsunghealth.com, push.samsungdm.com, and log-config.samsungrs.com. Mozilla's Privacy Not Included review confirms Samsung wearable data collection 'is not limited to product requirements.' The Ring's BLE-only design is not a privacy feature — it simply means all data exfiltration happens through the paired phone, where Samsung has far more permissions and tracking capabilities than the ring hardware alone would suggest.
What they claim: Samsung's product page promotes Galaxy Ring as having 'health insights enhanced by Galaxy AI' and emphasises 'precise monitoring with three sensors' — positioning it as a health and wellness tool.
What we found: CVE-2025-21042 and CVE-2025-21043 demonstrate that Samsung Galaxy devices are actively targeted by state-sponsored spyware (LANDFALL campaign) via zero-click exploits. The Galaxy Ring cannot function without a paired Samsung phone, and all biometric data passes through that phone. A phone compromised via these critical vulnerabilities gives attackers complete access to continuous heart rate, blood oxygen, skin temperature, sleep stages, stress levels, and menstrual cycle data — the most intimate health surveillance possible. Samsung's marketing makes no mention of the security risks inherent in routing all biometric data through a phone with known actively-exploited vulnerabilities.
What they claim: Samsung's Gulf support page states: 'All the health data measured by the Galaxy Ring is stored in your Health app and is safely protected by Samsung Knox.'
What we found: The Galaxy Ring requires Samsung Cloud sync (enabled by default in Samsung Health) — health data is transmitted to Samsung servers at shealth.samsung.com and api.samsunghealth.com. The Ring stores data locally in only 8MB of RAM with no persistent local storage capacity for long-term data. Samsung Health sends data to analytics.samsunghealth.com and log-config.samsungrs.com — analytics and configuration endpoints that have no health monitoring function. The claim that data stays 'in your Health app' protected by Knox is misleading when the app actively transmits data to multiple Samsung cloud endpoints.
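The hostnames named in this entry and the one on the FCC filing above (shealth.samsung.com, api.samsunghealth.com, analytics.samsunghealth.com, log-config.samsungrs.com, push.samsungdm.com) are something a practitioner can check for on their own network rather than take on trust. The script below is an added example, not Samsung's code or this page's own: it parses a handful of constructed DNS resolver log lines in a dnsmasq/Pi-hole-style format (the format, timestamps and client address are assumptions) and sorts each lookup into health sync, analytics/telemetry, push or other, using a host-to-category table built only from the hostnames this page lists.

```python
"""Triage DNS resolver log lines to see which Samsung endpoints a paired phone
talks to, and whether each one is health sync or analytics/telemetry.

Added example, not Samsung's or the page's own code. The log format is a
constructed dnsmasq/Pi-hole-style line; the host-to-category table is built
from the hostnames the page names and is an assumption of this example.
"""
import re
from collections import Counter

# Constructed sample log: one client (a phone) resolving the hosts named on
# the page plus an unrelated host. Timestamps and the IP address are made up.
SAMPLE_LOG = """\
2026-03-01T08:00:01 query[A] shealth.samsung.com from 192.168.1.20
2026-03-01T08:00:01 query[A] analytics.samsunghealth.com from 192.168.1.20
2026-03-01T08:00:02 query[A] push.samsungdm.com from 192.168.1.20
2026-03-01T08:00:05 query[A] log-config.samsungrs.com from 192.168.1.20
2026-03-01T08:00:09 query[A] api.samsunghealth.com from 192.168.1.20
2026-03-01T08:00:12 query[A] time.android.com from 192.168.1.20
2026-03-01T08:01:01 query[A] analytics.samsunghealth.com from 192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+query\[(?P<qtype>[A-Z]+)\]\s+(?P<host>\S+)\s+from\s+(?P<client>\S+)$"
)

# Category per hostname. 'health_sync' hosts are the ones the page says carry
# Samsung Health data; 'analytics' hosts have no health-monitoring function.
HOST_CATEGORY = {
    "shealth.samsung.com": "health_sync",
    "api.samsunghealth.com": "health_sync",
    "analytics.samsunghealth.com": "analytics",
    "log-config.samsungrs.com": "analytics",
    "push.samsungdm.com": "push",
}


def parse_query_log(text):
    """Return a list of (timestamp, host, client) tuples; skip lines that do not parse."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["host"].lower(), m["client"]))
    return records


def classify_host(host):
    """Map a hostname to a category; anything not in the table is 'other'."""
    return HOST_CATEGORY.get(host, "other")


def summarize(text):
    """Count lookups per category and record which hosts fell into each one."""
    counts = Counter()
    hosts = {}
    for _ts, host, _client in parse_query_log(text):
        cat = classify_host(host)
        counts[cat] += 1
        hosts.setdefault(cat, set()).add(host)
    return {"counts": dict(counts), "hosts": {k: sorted(v) for k, v in hosts.items()}}


def non_health_hosts(text):
    """Hosts the phone contacted that serve analytics/telemetry rather than health sync."""
    return summarize(text)["hosts"].get("analytics", [])


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for cat, n in sorted(report["counts"].items()):
        print(f"{cat:12s} {n:3d}  {', '.join(report['hosts'][cat])}")
```

Running it against a real resolver log from the network the phone sits on gives a per-category count of what Samsung Health actually reaches out to. The split matters for the decision the page is arguing over: the analytics and log-config hosts can be sunk at the resolver without touching health sync, whereas blocking the sync or push hosts changes how the app itself behaves.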
What they claim: Samsung's privacy policy states: 'We may share your personal information with affiliates and subsidiaries, business partners, and service providers.' Samsung's Consumer Health Data Privacy Statement frames health data collection as transparent and consent-based.
What we found: Samsung was forced to settle with the Texas Attorney General on February 26, 2026 over its smart TV ACR data collection, which captured viewing data every 500 milliseconds and shared it with Google and X (formerly Twitter) for advertising without informed consent. Samsung's consent mechanism required one click during setup but reviewing the privacy implications required navigating 200+ separate screens. This established pattern of deceptive consent practices applies directly to Galaxy Ring — the Customisation Service that collects wearable behavioral data is also enabled with a single toggle during Samsung account setup.
What they claim: The Samsung Health app requests 36 permissions and embeds 4 trackers, including Google Firebase Analytics, Google Tag Manager, and Samsung CMS, for the stated purpose of providing health monitoring services.
What we found: Samsung's Consumer Health Data Privacy Statement lists collection of 'reproductive or sexual health information (such as menstrual cycle information)' and 'bodily functions, vital signs, symptoms.' Post-Dobbs, menstrual cycle tracking data collected by a South Korean conglomerate that participates in the EU-US Data Privacy Framework raises profound legal exposure risks. Samsung's privacy policy permits sharing with 'service providers' and in response to 'legal process.' The 4 embedded trackers (including Google services) mean menstrual cycle data derived from Galaxy Ring temperature and heart rate sensors potentially flows through Google's analytics infrastructure before any legal protection can apply.
What they claim: Samsung's privacy policy states they process data to 'provide, maintain and improve our Services' and for 'safety and security' purposes.
What we found: Samsung Health requests READ_PHONE_STATE permission, which Samsung claims is needed 'to verify the unique device identifier for the Together feature.' Community testing confirms Samsung Health works perfectly without this permission. READ_PHONE_STATE can access phone number, IMEI, carrier information, and call state — data that serves device fingerprinting and advertising attribution, not health monitoring. Samsung Health also requests REQUEST_IGNORE_BATTERY_OPTIMIZATIONS and RECEIVE_BOOT_COMPLETED, ensuring the app runs continuously from device startup — behavior consistent with persistent tracking, not on-demand health monitoring.
What they claim: Galaxy Ring is positioned as Samsung's entry into the wellness wearable market, competing with Oura Ring on simplicity and health focus.
What we found: Samsung Health embeds Google Tag Manager — a tool designed specifically for marketing analytics, conversion tracking, and advertising attribution. Google Tag Manager has no health monitoring function. It enables Samsung to track user behavior patterns, segment users for advertising, and attribute marketing campaign effectiveness. Combined with Google Firebase Analytics and Samsung CMS trackers, the Galaxy Ring's companion app functions as much as an advertising data collection tool as a health monitoring application. The Oura Ring's companion app (by comparison) has 2 trackers; Samsung Health has 4, including marketing-specific infrastructure.
What they claim: Galaxy Ring is marketed as a simple wellness tracker — 'health tracking on your finger is more comfortable than ever' — with Samsung emphasising it as a minimal, unobtrusive device.
What we found: The Samsung Health app requests 36 permissions including READ_CONTACTS, WRITE_CONTACTS, READ_CALENDAR, WRITE_CALENDAR, READ_PHONE_STATE, CAMERA, and READ_MEDIA_IMAGES/VIDEO. A 'simple ring' that measures heart rate and sleep has no legitimate need to access contacts, calendar events, phone call state, camera, or media files. The Galaxy Ring itself has only BLE 5.4 (confirmed by FCC filing A3LSMQ503) and cannot function without the Samsung Health app, making these excessive app permissions an unavoidable part of using the ring.
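The permission names quoted in this entry and the earlier ones on background sensing (BODY_SENSORS_BACKGROUND, ACCESS_BACKGROUND_LOCATION, FOREGROUND_SERVICE_HEALTH) and on persistence (READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS) are all declared in an app's AndroidManifest.xml, so the claims can be re-checked against a decoded APK. The script below is an added example, not Samsung's code or this page's own: it parses a constructed manifest fragment built only from the permission names this page lists (the package name is a placeholder), groups them by a category table that is this example's own assumption, separates the ones a BLE ring companion plausibly needs from the rest, and flags the combinations that let collection continue while the app is not open.

```python
"""Audit the permissions an Android manifest requests against what a ring's
health companion plausibly needs, and spot combinations that let collection
carry on while the app is not in the foreground.

Added example, not Samsung's code or the page's own. The manifest fragment is
constructed from the permission names the page lists (the package name is a
placeholder); the category table and the 'health-related' judgement are this
example's assumptions, not a published standard.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.placeholder">
  <uses-permission android:name="android.permission.BODY_SENSORS"/>
  <uses-permission android:name="android.permission.BODY_SENSORS_BACKGROUND"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_HEALTH"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
</manifest>
"""

# Category per permission (assumption of this example). Anything not listed
# comes out as 'unclassified' so the reviewer looks at it by hand.
CATEGORY = {
    "android.permission.BODY_SENSORS": "biometric",
    "android.permission.BODY_SENSORS_BACKGROUND": "biometric-background",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location-background",
    "android.permission.FOREGROUND_SERVICE_HEALTH": "persistence",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "persistence",
    "android.permission.BLUETOOTH_CONNECT": "device-link",
    "android.permission.READ_PHONE_STATE": "identity",
    "android.permission.READ_CONTACTS": "social-graph",
    "android.permission.READ_CALENDAR": "social-graph",
    "android.permission.CAMERA": "media",
}

# What a BLE ring's companion needs while the user is actually using it:
# read sensors, log a workout route, and talk to the ring over Bluetooth.
HEALTH_RELATED = {"biometric", "location", "device-link"}


def parse_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    key = f"{{{ANDROID_NS}}}name"  # ElementTree's form for a namespaced attribute
    return [el.get(key) for el in root.iter("uses-permission") if el.get(key)]


def background_findings(perms):
    """Describe permission combinations that let collection run unattended."""
    s = set(perms)
    findings = []
    if "android.permission.BODY_SENSORS_BACKGROUND" in s:
        findings.append("body sensors readable while the app is not in the foreground")
    if "android.permission.ACCESS_BACKGROUND_LOCATION" in s:
        findings.append("location readable while the app is not in the foreground")
    if "android.permission.RECEIVE_BOOT_COMPLETED" in s and (
        "android.permission.FOREGROUND_SERVICE_HEALTH" in s
        or "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in s
    ):
        findings.append("can start at boot and keep a long-running service alive")
    return findings


def audit(manifest_xml):
    """Group permissions by category and split health-related from the rest."""
    perms = parse_permissions(manifest_xml)
    by_category = {}
    for p in perms:
        by_category.setdefault(CATEGORY.get(p, "unclassified"), []).append(p)
    unrelated = sorted(p for p in perms if CATEGORY.get(p) not in HEALTH_RELATED)
    return {
        "total": len(perms),
        "by_category": by_category,
        "unrelated_to_health": unrelated,
        "background_findings": background_findings(perms),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(f"{report['total']} permissions, {len(report['unrelated_to_health'])} not health-related")
    for finding in report["background_findings"]:
        print(" -", finding)
```

To run this against the real thing, decode the APK with apktool (`apktool d <app>.apk`) and pass the resulting AndroidManifest.xml to `audit()`; the same manifest check applies to any companion app, not only Samsung's. The category table is the part to argue over: it is deliberately narrow so that everything not obviously needed for on-demand sensing ends up in the "unrelated" list for a human to justify.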