Revealed: The UK health and fitness apps selling your personal data

  • The UK’s most popular health and fitness apps collect 14 personal data points about their users on average, with the exercise tracker Fitbit collecting the most information
  • Data harvesters who sell on your personal information can legally gather your location, photos, videos and health and fitness details from these apps
  • Running coach app Runna shares 13 data points with third parties, including users’ location, photos, and health and fitness information 
  • Six out of 10 apps analysed collect users’ photos and five collect their precise current location
  • Data protection service Incogni warns consumers to be wary of what they share with apps which then pass on personal information to data brokers 

The UK’s most popular health and fitness apps collect an average of 14 personal data points about their users, which can then be sold on to data harvesters who profit off people’s personal details, new analysis by the data protection service Incogni has found.

Millions of people use fitness apps and trackers to record their runs, workouts and diets — but there can be a privacy trade-off. Those who use fitness trackers, such as the 50,000 competitors who ran in April’s London Marathon, regularly upload personal details including their precise location and heart rate alongside their lap times. 

Yet unbeknown to many users, data brokers could be buying this personal information from the fitness app companies, and then selling it on. Insurance companies, advertisers, and public bodies all have their uses for such information. 

Incogni’s analysis of the biggest fitness apps in the UK by revenue found that the exercise tracker Fitbit, which can connect to smartwatches, is the most data-hungry app, collecting a total of 21 data points from its users.

Six out of 10 apps studied collect users’ photos, while five collect their exact current location (Fitbit, Strava, AllTrails, Runna, MyFitnessPal), meaning app developers know where their users train and possibly other places they visit regularly. 

Not all of the apps that collect data sell it on, but the running coach app Runna, which collects 13 data points, shares all of them with third parties like data brokers. This includes users’ precise location, name and email addresses, photos, and health and fitness information. 

In total, three fitness apps — Runna, MyFitnessPal and AllTrails — share users’ location data with third parties.

Chart: User data points collected and shared by fitness apps

Five of the 10 apps (Fitbit, Strava, AllTrails, Calm and Calorie Counter) collect a vaguely defined, catch-all category of personal data called ‘other info’. The similarly ill-defined ‘other user-generated content’ is collected by nine out of 10 apps, with Headspace being the exception.

Incogni has published its findings in a report entitled ‘Exercising caution: how top fitness apps in the UK can compromise your privacy’.

Darius Belejevas, head of data protection service Incogni, comments: 

“Apps that record and track exercise data can be a great motivational tool that millions of Brits use to get more out of their workouts, eat better, keep running or just keep active.

“But without realising it, many of us are giving away personal data that doesn’t just show how many calories we’ve eaten or steps we’ve walked, but also reveals the precise location where and when we took those steps.  

“Sensitive, personal health and fitness information is highly valuable to data brokers because there are hundreds of interested parties — both legal and illegal — willing to pay for such information, including insurance companies and marketers.

“It is especially worrying that some apps collect ‘other info’ and ‘other user-generated content’ without specifying what these vague terms involve.

“Most people are shocked at just how much information data brokers hold about all of us — and the only effective way to avoid them profiting from your privacy is to use a data protection service to remove your information from each and every data broker’s lists.” 

Chris Price