Fitness apps today behave more like data platforms than simple step counters, quietly turning intimate details about your body, habits, and even beliefs into a lucrative data stream. This article unpacks what they really collect, how that data is used, the risks involved, and what you can realistically do to protect yourself while still enjoying digital health tools.
Health and fitness apps aren’t a niche anymore; they are mainstream infrastructure for how people move, sleep, and eat. Global downloads of health and wellness apps reached about 3.6 billion in 2024, up roughly 6% from the previous year, which means more people than ever are feeding data into these ecosystems.
Statista’s analysis shows some leading apps now collect over 20 distinct data points per user, with Strava and Fitbit each gathering around 21 unique data types as of late 2024. In parallel, independent research by Surfshark found that among 15–16 major fitness apps, the average app collects around 12 types of data, but the most “hungry” apps collect nearly twice that.
● Around 80% of the most popular fitness apps share user data with third parties such as advertisers and data brokers.
● Earlier research from Surfshark showed 75% of sampled fitness apps were involved in tracking users by linking app data with third‑party data sources.
● Over 90% of apps use at least some of the collected data for purposes beyond core functionality, such as analytics, personalization, or marketing.
These numbers explain why regulators, security researchers, and privacy advocates now treat fitness apps as part of the broader health‑data economy rather than simple lifestyle tools.
Most users expect basic metrics: steps, calories, workout history. But modern apps collect a far wider and more sensitive profile.
Here is what typically gets swept up:
● Personal identifiers: Name, email, phone, age, gender, sometimes employer or profile handle.
● Device identifiers: Device ID, advertising ID, IP address, OS version, and sometimes Bluetooth or Wi‑Fi identifiers.
● Location data: Both coarse (city, region) and precise GPS data for your runs, rides, and walks.
● Detailed health metrics: Heart rate, sleep stages, VO2 max, menstrual cycles, fertility windows, pregnancy status, and stress scores.
● Behavioral data: Workout schedules, gym visits, in‑app search history, content you view, and how often you open the app.
● Photos and body metrics: Progress photos, body‑fat percentage, measurements, before‑and‑after images—often stored in the cloud.
● “Sensitive info” fields: Some apps admit to collecting data that can reveal race or ethnicity, sexual orientation, religious beliefs, disability status, or political opinions.
Apple’s privacy taxonomy lists 35 categories of data, and Surfshark’s analysis found fitness apps averaging 12 categories, with outliers like Fitbit collecting up to 24 types. That makes some fitness platforms as data‑intensive as social networks.
Different apps emphasize different data streams, but several big names stand out for how much they collect.
| App | Approx. data types collected | Notable data areas beyond steps/calories |
| --- | --- | --- |
| Strava | ~21 data points | Precise routes, social graph, device IDs, marketing/analytics tracking |
| Fitbit | ~21–24 data points | Heart rate, sleep, menstrual health, location, identifiers, analytics |
| Nike Training | High tracking, sensitive info | Coarse location, sensitive info categories, device IDs, interactions |
| Headspace | ~13 data points | Usage patterns, identifiers, some health‑related preferences |
| RISE (sleep) | ~12 data points | Sleep patterns, usage metrics, identifiers |
Surfshark notes that Strava and Fitbit are among the most data‑hungry, collecting around 84% of all potential data points considered in their study. Nike Training Club, meanwhile, explicitly collects and shares some categories of “sensitive” information for targeted advertising.
Location is where convenience and risk intersect most sharply.
Fitness apps frequently request real‑time GPS access so they can map routes, calculate pace, and log distances accurately. This same data can reveal:
● Your home and workplace, based on where activities start or end.
● Daily routines, including commute times and usual paths.
● Visits to sensitive places—clinics, religious sites, political events, or private clubs.
Researchers and journalists have documented cases where fitness apps inadvertently exposed sensitive locations of high‑profile individuals. Coverage in outlets like The Guardian and Le Monde described how public activity maps on platforms such as Strava could reveal the running routes of world leaders and military personnel, raising national security concerns.
The core risk isn’t just who you are today—it’s what can be inferred when location data is combined with long time‑series of movements and other personal attributes.
Why is all this data so attractive? Because health‑adjacent behaviors are marketing gold.
● Targeted advertising: Linking your device ID and fitness patterns to ad networks so you see supplements, gear, or diet plans tailored to recent activity and goals.
● Data brokerage: Selling or sharing aggregated and “pseudonymous” data sets with data brokers who combine them with other sources (retail, financial, social) for profiling.
● Product development and partnerships: Using aggregated metrics to pitch insights to insurers, employers, or pharma companies, often without users fully understanding the downstream uses.
Harvard Health, summarizing a large BMJ study, notes that 88% of sampled mobile health apps had the technical ability to share personal data, and a subset actively transmitted that information to big tech and analytics firms such as Google and Facebook. About a quarter of the apps examined violated their own privacy policies, underscoring the gap between what’s promised and what actually happens.
Beyond obvious advertising uses, several deeper risks arise when fitness data leaves your phone.
Even when apps strip names or obvious identifiers, combining route data, age, and gender can often re‑identify individuals, especially in smaller towns or specific neighborhoods. With 21+ data points being captured by some apps, the odds of re‑identification increase dramatically.
Publicly shared running or cycling routes can reveal your usual paths and times, making it easier for a malicious actor to predict where you’ll be. Real‑time tracking features are convenient for group runs but potentially dangerous if not configured carefully.
Data categories flagged as “sensitive info” can hint at:
● Sexual orientation (through groups, communities, or specific programs joined).
● Pregnancy status or fertility treatment (through cycle and fertility tracking logs).
● Religious or political leanings (through regular attendance at particular locations).
If combined with third‑party data, these inferences can affect targeted advertising and even risk discrimination in areas like employment or insurance if safeguards fail.
The BMJ‑analyzed sample of nearly 16,000 mobile health apps showed that about a third did not provide accessible privacy policies, and roughly one‑quarter violated their own stated policies in practice. That means even diligent users may not get the protections the app promises on paper.
Current laws often struggle to keep pace with the hybrid nature of fitness data—part medical, part lifestyle, part social.
● Health data gap: In many jurisdictions, fitness apps are not classified as medical providers, so sensitive metrics they collect may fall outside traditional health‑data protections.
● Location privacy: Legal scholars argue for updated rules that treat precise location as highly sensitive, especially after high‑profile disclosures of leaders’ movements from fitness apps.
● Transparency and consent: Experts emphasize data minimization, clear consent flows, and strong security—principles that many developers still implement inconsistently.
Articles and academic commentary on location‑based risks push for privacy‑by‑design obligations and stricter penalties when apps expose sensitive locations. Until those frameworks fully mature, much of the responsibility still falls on users to manage their own risk profile.
You don’t have to abandon digital health tools to protect your privacy, but you do need to get intentional.
● Disable precise location when you don’t need live route mapping; use coarse location or manual workout entry instead.
● Revoke access to contacts, camera, or photos if you aren’t actively using social or progress‑photo features.
● Set your activity visibility to “private” or “followers only” rather than completely public.
● Use privacy zones or hidden start/end points to obscure your home or workplace.
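To show what the last two settings actually do to a recorded track, here is an added example (not code from any app named above): it compares a fixed "hide the first and last N points" trim with a radius-based privacy zone over a constructed GPS track. The `HOME` coordinates, the track, and the function names are all made up for the illustration.

```python
import math

# Constructed sample: a short out-and-back run that starts and ends at a
# hypothetical home address. Coordinates are invented, not a real route.
HOME = (51.5007, -0.1246)
TRACK = [
    (51.5007, -0.1246),  # start at home
    (51.5012, -0.1240),  # ~70 m from home (warm-up shuffle)
    (51.5030, -0.1220),
    (51.5060, -0.1190),
    (51.5090, -0.1160),  # turnaround
    (51.5060, -0.1190),
    (51.5030, -0.1220),
    (51.5012, -0.1240),
    (51.5007, -0.1246),  # end at home
]

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6371000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))

def hide_endpoints(track, n):
    """'Hidden start/end' style: drop a fixed count of points at each end."""
    if n >= len(track) / 2:
        return []
    return track[n:len(track) - n]

def apply_privacy_zone(track, centre, radius_m):
    """'Privacy zone' style: drop every point within radius_m of centre,
    wherever it occurs in the track, not only at the ends."""
    return [p for p in track if haversine_m(p, centre) >= radius_m]

def inferred_endpoints(track):
    """What a viewer of the shared track would take as start and end."""
    return (track[0], track[-1]) if track else (None, None)

def leak_distance_m(track, centre):
    """How close the nearest surviving point is to the protected place."""
    return min(haversine_m(p, centre) for p in track) if track else math.inf
```

With a slow start, trimming one point per end still leaves a point about 70 m from home, while a 200 m privacy zone removes every sample near it, so the visible endpoints sit more than 300 m away.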
Security researchers and consumer advocates recommend looking for apps that:
● Explain clearly what they collect and why, in plain language.
● Offer “local‑only” or offline options where data stays on your device whenever possible.
● Provide granular controls: toggles for analytics, advertising, third‑party sharing, and social features.
Reddit’s privacy community frequently highlights the lack of “local‑only” modes in many gym and workout apps, warning that progress photos and biometric details are often uploaded by default to startup‑run cloud servers.
From a risk perspective, data about your body, mood, and movements can be as sensitive as your bank balance. Before uploading it, ask yourself whether you’d be comfortable if a future employer, insurer, or adversary saw a detailed timeline of your workouts, injuries, menstrual cycles, or stress levels.
The fitness app ecosystem delivers real benefits: habit formation, motivation, early warning signs for health issues, and social support. But the current default—capture everything, store it indefinitely, and monetize it wherever possible—creates a tension between personal wellness and personal privacy.
A healthier model would be built around:
● Collecting only what is necessary for a feature to work, not every data point that could conceivably be useful.
● Designing for local processing first, cloud upload second, with clear user control.
● Honest, readable disclosures that explain not just what data is collected, but who else can see it and how long it is kept.
Until that becomes standard, users who care about both performance and privacy will need to be selective about the apps they trust and ruthless about the permissions they grant.