NOOP
OverviewEvery screen, one tour DevicesWHOOP, Oura and more vs WHOOP & OuraThe honest comparison DownloadMac, Android, iPhone ChangelogWhat's new
The ScienceAlgorithms and method FAQCommon questions WikiGuides and internals AboutThe project and its stance
Redditr/NOOPApp GitHubRead and contribute DiscussionsAsk and share Press & mediaFor journalists DonateKeep NOOP free

Help

SupportHow to get help ContactReach the team Report an issueOn GitHub SecurityReport a vulnerability AccessibilityHow we keep it usable

Legal

Privacy Policy Terms of Use Cookie Policy Health Notice Data Use Acceptable Use Licences
Donate Download

Security

Security

NOOP keeps everything on your device. There are no accounts, no servers and no telemetry, so there is very little to attack. Here is our security model and how to report a problem.

Last updated: 30 June 2026

The short version

  • There is very little to breach: NOOP collects nothing, has no accounts and runs no servers.
  • All analysis happens on your device. Nothing is uploaded.
  • The code is open source, so anyone can audit it.
  • Found a security bug? Email thenoopapp@gmail.com and give us reasonable time before going public.

1. Our security model

Most security risk comes from data sitting on a server, accounts that can be hijacked, and traffic that can be intercepted. NOOP avoids almost all of that by design.

  • On-device only. NOOP reads your WHOOP or Oura over Bluetooth and does every calculation on your phone or Mac. Your health data never leaves the device, so there is no central store for an attacker to break into.
  • No server to attack. We run no backend. There is no API holding your data, no database to leak, no admin panel to compromise.
  • No account or password to steal. NOOP has no login. There is nothing to phish, no credentials to reuse, no password database to spill.
  • No network permission on Android. The Android build does not request the internet permission at all. It physically cannot send your data anywhere, and you can confirm that yourself in the app's permission list.
  • Open source. The full source is public. Anyone can read it, build it, and check that it does exactly what we say. You do not have to take our word for it.

2. Releases and supply chain

The other place things can go wrong is in how software gets built and delivered. We try to keep that chain tight and verifiable.

  • The signing key is kept offline. The key used to sign releases is not stored on any build server. That limits the blast radius if a build machine were ever compromised.
  • Releases are public. Every release is published openly on GitHub and mirrored on noop.fans. There is no hidden update channel and no silent push.
  • You can verify what you download. Because the source is open and the releases are out in the open, you can match a build to its source and check it before you install it.

3. Reporting a vulnerability

If you find a security problem in NOOP, please tell us. We would much rather hear it from you first.

  • Email thenoopapp@gmail.com with the details.
  • Include enough to reproduce it: which app and version, the platform (macOS, iPhone or Android), the steps to trigger it, what you expected, and what actually happened. A proof of concept helps.
  • Give us reasonable time to fix it before you disclose it publicly. We will work with you on timing.
  • We will credit you if you would like the credit. You are also welcome to stay anonymous.
  • There is no paid bug bounty. NOOP is a free project run by a small team. We cannot pay for reports, but we are genuinely grateful for them.

4. Scope

In scope for disclosure:

  • The NOOP apps for macOS, iPhone and Android.
  • This website.

Out of scope (please report these to the relevant provider, not to us):

  • Third-party services such as GitHub or the noop.fans mirror host.
  • Sideloading and signing tools you use to install the iPhone build.
  • Your operating system, your Bluetooth stack, or the strap or ring firmware itself.

5. What we will never do

  • We will never ask for a password. Not your bank, not your strap or ring account, not your Apple or Google password. NOOP does not need any of them and will never ask.
  • We will never phone home. No telemetry, no analytics, no background uploads. The website sets no cookies and runs no analytics. It stores only two functional values in your browser (noop-theme and noop-privacy-ack), and those never leave it.
  • We will never sell your data. We do not have it to sell. There are no accounts, no servers and no ads.

NOOP is an independent, open-source project run by a small team. It is not affiliated with WHOOP or Oura, and it is not a medical device. Licence: PolyForm Noncommercial.

Questions?

Email us at thenoopapp@gmail.com. See also our Privacy Policy.

The app

Overview Devices Download Changelog

Learn

The Science vs WHOOP & Oura FAQ Wiki

Project

About Press & media GitHub noop.fans mirror

Community

Reddit Discussions Contribute Donate

Support

Support Contact Report an issue Security

Legal

Privacy Policy Terms of Use Cookie Policy Health Notice Data Use Acceptable Use Licences Accessibility

NOOP

An independent, on-device companion for your WHOOP and Oura. Built in the open by a small team, free forever, powered entirely by donations. No ads, no accounts, no data selling, ever.

Powered by donations: Bitcoin Ethereum Cardano
Copyright © 2026 NOOP. All rights reserved.
Privacy Terms Cookies Site Map
English · Global

1. NOOP is an independent, open-source project. It is not affiliated with, endorsed by, or connected to WHOOP, Inc. or Oura Health Oy. "WHOOP" and "Oura" are trademarks of their respective owners, used here only to describe compatibility.

2. NOOP is not a medical device. It does not diagnose, treat, cure, or prevent any condition. All figures are estimates for general wellbeing and education only. Always speak to a qualified clinician about your health. See the health notice.

3. The iPhone build is experimental and is installed by sideloading with your own free Apple ID. Some Apple-only features may be unavailable on a sideloaded build. See the download page for details.