- Online privacy app Surfshark analyzed 16 different fitness apps
- It reported on how much personal data these apps collect, with Fitbit and Strava collecting the most
- Here’s what that means for users of these apps, and a few simple ways to better protect your privacy
It’s fitness season, and now that the holidays are over, many people will be downloading a new fitness app that fits their resolution to get in shape, build muscle, or lose weight in 2026.
But fitness apps are as data-hungry as any, logging and sometimes sharing personal data—including sensitive information you might prefer to keep private.
A study by online security firm Surfshark looked at 16 of the top fitness apps, including Fitbit, Strava, Apple Health, PUSH, Centr and more, using TechRadar’s own list of the best fitness apps along with other sources, and ranked them by how much data they collected.
The rankings are based on the different types of data collected, such as location, contact information, health or search history. Surfshark also looked at whether the app used data for tracking.
Apple defines tracking as “associating user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes.
“Tracking also refers to the sharing of user or device data with data brokers.”
The Surfshark report also noted which apps were collecting data that they don’t actually need for app functionality. For example, you would expect a fitness app to collect health and fitness data, but you might not expect it to collect information about your search history or advertising data.
Four apps collect ‘sensitive data’, a category of data relating to racial or ethnic background, sexual orientation, fertility data, genetic information, biometric data or even information about your employment status or union membership.
All information is collected from Apple’s App Store. You can see a screenshot below of Fitbit’s listing in the App Store, which illustrates some of the different types of data collected.
The results
Fitbit tops the list, collecting 24 different types of data, including advertising and sensitive data. Of these, only five types of data are needed for app functionality, with the remaining 19 ranked as “beyond app functionality”. In other words, according to Surfshark, Fitbit is harvesting 19 kinds of data that it doesn’t actually need to run the app.
However, Surfshark states that Fitbit does not use this information for tracking.
Next up is Strava, which is no doubt increasingly hungry for your data. It collects 21 different kinds of data, and Surfshark says none of the data collected is essential to run the app. It also shares data for tracking with third parties, according to the report. However, no sensitive data is collected.
Next is Nike Training Club, which collects 20 different kinds of data, including sensitive data, and uses it for tracking purposes.
Centr was found to be at the bottom of the pile with only three kinds of data collected, although it does share data for tracking purposes. The report said PUSH stands out as “the least invasive app” that collects data without linking it to users.
What does this mean for users?
While Fitbit being the leader in data collection isn’t necessarily surprising (it’s powered by Google and tied to your Google account, after all, and Google is a famously data-hungry operation), according to the report, it doesn’t share your personal or sensitive data with third parties — possibly because it’s been prevented from doing so.
When Google first bought Fitbit in 2021, there were concerns from leading economists that the merger would “monetize health data and harm consumers”. As a result, the European Commission ruled that the merger could go ahead, but with a 10-year ban on using health data for marketing purposes.
Strava, an app based on sharing your location, has been in hot water due to privacy issues many times. It has accidentally exposed military bases in war zones by releasing heat maps of user activity. Journalists have also used Strava accounts from government officials to predict the whereabouts of heads of state, including Joe Biden and Vladimir Putin, and it was reported by our sister publication Cycling Weekly that hackers can find out where you live on Strava, even if you use tools to hide the start and end of an activity.
Perhaps scariest of all is the potential for some apps to collect and share sensitive data, a class of personal information about your identity and health, including fertility data for people who use apps to track their periods, along with biometric and even genetic data. Although these types of data have extra legal protection in some areas such as the EU, thanks to the GDPR, there is no special protection for this kind of data in the US when shared outside of a medical context.
5 ways to protect your privacy
It is difficult to disconnect from the complex network of shared personal information that is the modern smartphone. Everything is connected, and the more it’s all shared, the easier it is for us to be hacked and tracked. Agreeing to use these apps, which otherwise offer some really great services, means consenting to their use of your information in this way.
However, you can limit what and how much data is collected and retain some control over who gets access to your data.
- New accounts: Instead of using the same email for everything, you can create a new account, one that isn’t tied to your personal life, specifically for logging into data-hungry apps.
- Check your permissions: Update the permission settings on your phone regularly. By doing this, you can deny some apps permission to track your location or personal data when applicable. You can also change the setting on certain apps from tracking you all the time to ‘While using the app’ to maintain some level of control.
- Minimize location leaks: Walk or run a distance from your home before starting an activity with location sharing on Strava or a similar app.
- Check out the fine print: When you download apps going forward, always scroll down in the App Store or Play Store to check what data the app collects before accepting its terms of service.
- Multi-factor authentication: To avoid being hacked as a result of a data breach, make sure that all email addresses you use to sign up for these apps have multi-factor authentication enabled. It’s a simple trick that prevents your email account from being hacked up to 99% of the time, according to Microsoft.