About 12 in 15 of the top fitness apps actively share your personal data with third parties, de facto selling your privacy. Among them, Strava and Fitbit are the most data-hungry, collecting 84% of all potential data points.
These are some of the worrying findings of new research published by Surfshark, one of the best VPN services on the market, after analyzing the data collection and sharing practices of the most popular mobile fitness apps.
“Our research shows that free apps share significantly more data with third parties compared to paid apps, highlighting the importance of evaluating privacy implications,” said Tomas Stamulis, chief security officer at Surfshark.
The hidden price of training at home
To determine the real price of (often free) home training, the Surfshark team analyzed the 15 best mobile fitness apps out there. These include fitness trackers, workout apps, and personal training platforms.
Experts obtained the data collection information for each app from its Apple App Store page on December 30, 2024. The App Store provides a list of 35 unique data points categorized into 16 unique data point categories. The team examined the data set based on the number, type, and handling of data points collected by each application.
Surfshark revealed a rather worrying scenario for mobile fitness fans. As mentioned above, 80% of the analyzed applications share tracked user data with third parties. These details include device locations, emails, user IDs, device IDs, or profiles. Nike Training Club leads the category with four types of tracking data shared with third parties: approximate location (usually within a city block), certain sensitive information, device identification, and product interaction.
In Apple’s words, “Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or for advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.”
Most applications (13 of 15) also collect health and fitness information directly linked to users – Centr and Peloton are the only two apps that don’t do this.
In general, as the previous graph shows, the applications analyzed collect an average of 12 different types of information of the 35 potential data points available, and the least privacy-friendly one stores almost twice as much.
Let’s look at the data. Strava and Fitbit turned out to be the most data-hungry apps, collecting 21 unique types of data. In comparison, the most private training app, Centr, collects only three types of data (user ID, product interaction and crash data), and only one of them contributes to user tracking.
Even worse, three applications collect very sensitive information, such as racial or ethnic origin, sexual orientation, details of pregnancy or childbirth, disability status, religious or philosophical beliefs, union membership, political opinions, genetic information or biometric data. These include the Nike Training Club app.
Location data is another piece of information that many fitness apps collect. Four apps, including popular running apps like Runna and Strava, collect precise location data linked to the user. Five apps collect only approximate location data, and two of them (Nike Training Club and Peloton) share this information with third parties.
As mentioned above, free apps collect and share the most data. After all, the only way they can make a profit is to sell your data to data brokers or serve invasive ads in the app. That’s why Surfshark’s Stamulis suggests upgrading to a paid subscription whenever possible.
He also recommends considering whether the app can function without granting permissions that may not really be necessary. “If such options are not provided, important questions arise about the intent behind data collection,” he added.