About 12 out of 15 of the best fitness apps actively share your personal data with third parties, de-facto selling out your privacy. Among these, Strava and Fitbit are the most data-hungry, collecting 84% of all potential data points.
These are some of the worrying findings from new research released by Surfshark, one of the best VPN services on the market, after looking at data collection and sharing practices of the most popular fitness mobile applications.
“Our research shows that free apps share significantly more data with third parties compared to paid apps, highlighting the importance of evaluating privacy implications,” said Tomas Stamulis, Chief Security Officer at Surfshark.
The hidden price of at-home training
To determine the real price of (often free) at-home training, the Surfshark team analyzed the 15 top fitness mobile applications around. These include exercise trackers, workout apps, and personal training platforms.
Experts sourced the data collection information for each app from its Apple App Store page on December 30, 2024. The App Store provides a list of 35 unique data points categorized into 16 unique data point categories. The team looked at the data set according to the number, type, and handling of the data points collected by each app.
Surfshark unveiled a pretty worrying scenario for mobile fitness fanatics. As mentioned earlier, 80% of the analyzed apps share users’ tracked data with third parties. These details include device locations, emails, user IDs, device IDs, or profiles. Nike Training Club leads the category, with four types of tracking data shared with third parties. These are coarse location (approximate, generally within a city block), some sensitive info, device ID, and product interaction.
In Apple’s own words, “Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.”
Most apps (13 out of 15) also collect health and fitness information directly linked to users – Centr and Peloton are the only two applications that don’t.
Overall, as the graph above shows, the analyzed apps collect an average of 12 different types of information out of the 35 potential data points available – with the least privacy-friendly storing nearly twice as much.
Let’s look at the data. Strava and Fitbit came out as the most data-hungry apps, for example, both gathering 21 unique types of data. In comparison, the most private workout application, Centr, collects just three types of data (User ID, Product Interaction, and Crash Data) with only one of these contributing to user tracking.
Worse still, three apps collect some very sensitive information such as racial or ethnic background, sexual orientation, pregnancy or childbirth details, disability status, religious or philosophical beliefs, trade union membership, political opinions, genetic information, or biometric data. These include the Nike Training Club app.
Location data is another piece of information many fitness apps collect. Four apps, including popular running applications like Runna and Strava, collect precise location data linked to the user. Five apps collect only coarse location data, with two of these (Nike Training Club and Peloton) sharing this information with third parties.
As mentioned earlier, free applications collect and share the most data. After all, the only way they can make a profit is to sell your data to data brokers or run invasive ads on the app. This is why Stamulis from Surfshark suggests upgrading to a paid subscription whenever possible.
He also recommends considering whether the app can function without granting permissions that may not be truly necessary. “If such options aren’t provided, it raises important questions about the intent behind the data collection,” he added.