
When a Wellness App Becomes a Medical Device

Three decades of working with tech businesses have taught me that legal risks are rarely in the T&Cs of the app. They are far more often on the homepage, in the investor deck and in the LinkedIn post the founder wrote at midnight.

Ori Das

Padme Law


I have spent three decades as a technology lawyer - advising big tech, large pharmaceutical companies, health tech start-ups and everyone in between. For several of those years, I was embedded within the Digital and Technology team of a major health company that had allocated a large sum of money to experiment with digital health technology. The mandate was ambitious: review scores of wellness apps and digital products, put them through a rigorous fail-fast diligence process, and identify which were fit for acquisition or partnership.

My role was to guide the team on the legal, regulatory, and compliance dimension of every product they considered. I reviewed app after app – each one carefully tested, assessed, and marked as passed or failed. That experience gave me a front-row seat to a pattern that I have seen play out in boardrooms and product meetings ever since. I have sat with product teams at 11pm finalising the App Store copy. I have been in the room when a BD lead says:

“We just need something that sounds more clinical.”

I have watched stakeholders nod along, assuming a disclaimer at the bottom of the page will cover it. It rarely does.

The tightrope every health tech business walks

Here is the fundamental tension I see repeatedly. You have built something genuinely useful – it tracks sleep, supports mental wellbeing, helps users manage stress. The science behind it is real. Your investors want growth. Your sales team needs language that converts. And so, gradually, the copy evolves.

“Helps you relax” becomes “regulates your nervous system”.
“Sleep tracker” becomes “clinically validated sleep recovery”.
“Stress support” becomes “reduces anxiety”.

Each change feels like a small commercial decision. From a regulatory perspective, each one can create unintended risk. This is the tightrope every business in this space has to walk. On one side, you need to extol the virtues of your product so that it stands out from the hundreds of other health apps as differentiated, science-backed and compelling. On the other, that same language can push you squarely into medical device territory.

I saw this pattern repeatedly during my years embedded within that pharmaceutical group’s digital team – conducting diligence on the apps they were considering. The commercial pressure to make a product sound impressive was present in virtually every single one of them. It was rarely malicious. It was almost always instinctive.

The hardware misconception

The first thing I address with most new clients in this space is a persistent misconception: that medical device regulation only applies to physical products – wearables, IoT devices, scanners, implants and the like. I suspect the word “device” causes that confusion. That assumption is no longer safe. Across the EU, US and UK, regulators now recognise that software alone can constitute a regulated medical device. The EU Medical Device Regulation, the UK’s MHRA framework and the US FDA all take the same functional approach – what matters is not what your product is made of, but what it does and what you say it does.

If it performs a medical function, suggesting that “it’s only an app” is not a defence!

Marketing copy – legal exposure

Having watched others step on such regulatory landmines (and having nearly stepped on them myself), I have learnt that the legal and regulatory risk is seldom in the T&Cs. It is usually found on the homepage, in the impressive investor deck, in the eye-catching LinkedIn post. This is because regulators increasingly assess intended purpose by looking at the totality of how a product is presented – website content, app store descriptions, onboarding flows, investor decks, social media.

I have seen legal teams spend months on their privacy policy and disclaimers and very little on their app store description, not realising that the privacy policy rarely triggers regulatory scrutiny, whereas the app store description sometimes does.

Stickers Don’t Stick

Often I see the same response to regulatory risk: disclaimer “stickers” on the website:

“This product is not a medical device.”
“Not intended to diagnose or treat any condition.”
“For informational purposes only.”

I understand why businesses use them. It feels legally compliant and simple. In my experience these disclaimer stickers rarely stick. During my diligence work, I reviewed dozens of apps that carried them. The disclaimer was almost always there. It was rarely the thing that gave us – or the regulator – any real comfort.

Regulators assess the whole picture. A business cannot promise clinical outcomes in bold on the homepage and expect fine print to neutralise it. Two recent enforcement examples illustrate this dynamic.

In 2023, the FTC settled with BetterHelp, the online counselling platform, requiring it to pay $7.8 million after finding it had shared users’ sensitive mental health data with platforms including Facebook and Snapchat for advertising purposes, despite repeatedly promising users their data would be kept private. The privacy assurances were there, prominently made. They did not insulate the business from regulatory risk.

A similar pattern emerged with Flo Health, the fertility-tracking app, which settled FTC allegations that it had shared users’ sensitive health data with third-party marketing and analytics firms, including Facebook and Google, when its own privacy representations said the contrary. Those representations failed to persuade the regulator, and as part of the settlement Flo was required to obtain users’ affirmative consent before sharing health information and to instruct any third party that had already received that data to destroy it.

This approach was well captured by the Director of the FTC’s Bureau of Consumer Protection when he said:

“We are looking closely at whether developers of health apps are keeping their promises….”

In both cases, the businesses had privacy policies, terms of service and other such documents. What they did not have was alignment between what those documents and policies said and how their products actually operated. That gap is precisely where regulators look.

AI adds a second layer of complexity

Many of the health apps I now advise on are not mere static tools. These days AI is used to adapt, personalise, infer emotional states, generate risk scores and deliver recommendations that evolve with the user. The BD team loves this, and rightly so: it is impressive technology. But once a product starts doing these things, the legal picture changes materially, and in ways many businesses do not anticipate. A static app that delivers the same output to every user is one thing.

An app that observes your behaviour, infers your emotional state, adapts its recommendations accordingly and then continues to learn from the results is something else entirely.

From a regulatory standpoint, the second product is not just an app performing a function. It is a system making decisions about a person’s health – repeatedly, invisibly, and at scale. The distinction between a static app and one driven by AI matters for three concrete reasons.
  1. If the system’s outputs cannot be explained – if neither the user nor a clinician can understand why a particular recommendation, risk score or intervention was generated – there is no meaningful way to assess whether it is accurate, appropriate or safe. Regulators under the EU AI Act and UK ICO guidance are already requiring businesses to demonstrate that they understand how their own systems work. Opacity is not a technical feature. It is a liability.
  2. A system that continues learning through its life cycle is constantly evolving and is no longer the product that was originally designed, tested or marketed. If it has evolved in ways that were not anticipated, assessed or disclosed, the business may be operating outside the boundaries of whatever regulatory position it originally staked out – without knowing it.
  3. The same BD instinct that drives a team to sharpen its marketing claims can also drive it to make AI-based apps sound more capable than they are. Ask in-house lawyers and they will tell you that they have routinely had to scale back marketing embellishments in such meetings. “Our algorithm predicts…” sounds better than “our algorithm suggests…”, but from a regulatory perspective the two are not the same claim, and regulators will not treat them as such.
These are not mere theoretical concerns – regulators are already asking such questions and, in some cases, already acting on them.

What I tell founders

After all these years – and having assessed more apps than I can count through that fail-fast diligence process – the questions I encourage stakeholders to consider are:

Could a regulator reasonably view our product as a medical device – based not on what we intend, but on what we say it does?
Are our claims, across every channel, consistent with the regulatory category we believe we occupy?
Are we making compliance decisions at the product design stage, or retrofitting them before a funding round?

The digital wellness and health sector has transformed healthcare and is here to stay. Many of the best apps will operate close to the regulatory line. That is not in itself a problem. Operating near the line may be fine, but pretending the line does not exist is where businesses get into serious difficulty. By the time a regulator draws that line for you, the conversation is rarely in the company’s favour.

General commentary only — not legal advice and no solicitor-client relationship is created. Written by Orijit Das, a solicitor of England and Wales (SRA No. 342008). Full regulatory information: padme.services/disclaimer


These cookies are essential to enable you to move around our websites and to allow the features of the sites to work correctly. Without these, services you request – such as navigating between pages – cannot be provided and you may experience some problems in using our website. These cookies cannot be switched off in our systems. However, you can manage your browser settings to block or alert you about these cookies. These cookies do not store any information that directly identifies you.