Privacy Risks of Fitness Apps and Health Data Sharing in 2026
Your fitness app knows your heart rate, location, sleep patterns, and workout intensity. This data is valuable — to insurers, employers, data brokers, and advertisers. Most fitness apps share this data with third parties. This guide reveals what’s being tracked, who’s buying it, and how to protect yourself.
The Fitness Data Economy
Fitness data is monetized in ways most users never realize:
- Insurers: Buy aggregated fitness data to set premiums (less active = higher rates)
- Employers: Purchase activity data to identify “high-cost” employees for wellness programs
- Advertisers: Buy fitness profiles to target health-related products
- Data brokers: Aggregate fitness data and resell to insurance companies, employers, and governments
- Researchers: Academic institutions and government health agencies purchase anonymized datasets
Financial incentive: A single user’s comprehensive fitness dataset sells for $10-$50 to insurers. With 100 million users, that’s $1-5 billion in annual data sales.
Strava — Location Privacy Problem
Strava is the world’s largest fitness app (85 million users). Most users don’t realize their workout locations are publicly visible by default.
Data Collected:
- GPS location of every run/bike ride (precise route)
- Distance, pace, heart rate (if you have a wearable)
- Time of workout (revealing work schedule, commute routes)
- Social graph (connections with other athletes)
- Personal goals and performance metrics
Privacy Risks:
1. Public Route Maps By default, your routes are visible at strava.com. Your home address can be reverse-engineered from your start/end points.
Example: A Strava user runs from their home at 7 AM daily. A bad actor can:
- Identify the home address
- Learn the work address (where the 7 AM run starts)
- Identify the gym (evening runs to same location)
- Determine when the home is empty (long runs correlate with travel)
2. Employer Surveillance Employers can infer:
- Health status (decreasing activity = potential illness or poor health)
- Commute patterns (location and time)
- Overtime habits (unusual activity patterns on weekends)
- Personal life details (gym time, meeting locations)
3. Insurance Risk Assessment Insurers can:
- Track if you quit your fitness routine (insurance risk)
- Identify activity drops that correlate with health issues
- Set premiums based on activity levels
Real Case: In 2018, Strava’s heatmap revealed military base locations and patrol routes when aggregated activity data was published. The app is now banned on many military installations.
How to Secure Strava
Immediate Steps:
- Make Routes Private
- Settings → Privacy Controls
- Toggle “Show My Public Profile” → OFF
- Toggle “Make Rides Private” → ON (retroactive)
- Create Private Activities
- When logging activity, toggle “Private” before saving
- Enable Two-Factor Authentication
- Settings → Privacy → Add 2FA with authenticator app
- Limit App Permissions
- Disconnect third-party apps requesting location/health data
- Settings → Connected Apps → Review & disconnect unused apps
- Don’t Use Activity Broadcast
- Disable sharing to social media
- Disable notifications to followers about workout times
Privacy-Safe Workflow:
- Don’t use Strava’s social features
- Mark every activity as “Private”
- Or: Use Strava data export, delete account, use privacy-focused alternative (Runkeeper with privacy mode)
Peloton — Data Broker Risks
Peloton collects:
- Workout performance (wattage, cadence, heart rate)
- Workout location (if using app on phone)
- Sleep data (if you connect to a sleep tracker)
- Weight/body metrics (optional profile data)
- Payment information (billing address, method)
Privacy Problem: Peloton was revealed in 2021 to be working with data brokers to sell aggregated fitness data. The company explicitly states in their privacy policy:
“We may share your information with… vendors and service providers… including those who may use your information for marketing purposes.”
Implications:
- Your workout habits are sold to fitness equipment manufacturers
- Insurance companies can request fitness data (though with legal limitations)
- Third-party advertisers target you based on fitness profile
Peloton Privacy Controls
- Opt Out of Data Sharing
- Settings → Privacy & Sharing
- Uncheck “Share my data with Peloton partners”
- Uncheck “Allow Peloton to use my data for marketing research”
- Limit Profile Data
- Don’t fill in weight, body metrics, or health conditions
- Use pseudonym instead of real name (if allowed)
- Delete Workout History
- While this is extreme, old workouts can be deleted individually
- Or delete account entirely to erase all data
Cost: Peloton still monitors aggregate usage patterns. Opting out only prevents individual-level sharing.
Apple Health — Ecosystem Advantage
Apple Health is the most privacy-forward major fitness platform, but with caveats.
Data Collected:
- Heart rate (from Apple Watch or third-party devices)
- Steps, active energy, stand time
- Sleep duration and patterns
- Workout type and duration
- Health records (if you opt in)
- Medications (optional)
Apple’s Privacy Model:
- Data is encrypted on-device by default
- Cloud sync to iCloud is end-to-end encrypted
- Apple states they cannot access your health data
- No third-party advertising in Health app
- No data sharing with external companies (Apple claims)
Caveat: Apple does share health data with:
- Your doctor (if you consent to Health Records feature)
- Medical research institutions (ResearchKit — opt-in only)
- Third-party apps you explicitly authorize (e.g., MyFitnessPal, Strava)
Apple Health Privacy Configuration
- Review Connected Apps
- Health app → Data Access & Devices
- Remove any apps that don’t need health data
- Disable specific data access per app
- Disable Siri Health Suggestions
- Settings → Siri & Search
- Turn off “Show Health & Fitness tips”
- Opt Out of Research Studies
- Health app → Health Sharing
- Toggle research studies to OFF
- Use Apple ID+ for iCloud Encryption
- Ensure iCloud+ paid plan (includes advanced encryption)
- Settings → [Your Name] → iCloud
- Verify “Advanced Data Protection” is enabled
- Don’t Link to Third-Party Apps
- Only connect apps you explicitly trust
- Review permissions before authorizing
Recommendation: Apple Health is the best among major platforms, but treat connected apps carefully.
Google Fit — Data Sharing Model
Google Fit collects fitness data across Android and connected wearables. Privacy model is more permissive than Apple.
Data Sharing:
- Google mines Fit data for AI training
- Data may be shared with Google advertising partners
- Google can sell insights to fitness equipment manufacturers
- HIPAA compliance is limited (only if you’re a covered healthcare provider)
Privacy Issues:
- Google links Fit data to your Google account (tracked with other behavior)
- Activity patterns can be inferred from search history + fitness data
- Google has history of privacy policy changes
Google Fit Privacy Controls
- Limit Activity Types
- Don’t track sensitive health data (medication, symptoms)
- Use only for basic activity tracking
- Disconnect Third-Party Apps
- Google Fit → Settings → Connected Apps
- Remove all apps except essential ones
- Disable Activity Tracking on Phone
- Settings → Location → Turn off for Google Fit
- Disable Google Play Services location tracking
- Use Data Export
- Regular exports of your data (Google Takeout)
- Delete account if you’re concerned
Recommendation: If privacy is a concern, consider switching from Google Fit to Apple Health or privacy-focused alternatives.
Fitbit (Amazon) — Data Acquisition Concern
Amazon acquired Fitbit in 2021. Major concern: FTC settlement prohibits Amazon from selling Fitbit data for the first 20 years, but this expires in 2041.
What Amazon Currently Does:
- Uses Fitbit data to recommend products (internal use)
- Sends you targeted ads based on fitness patterns (Amazon Shopping app)
- May share data with Echo/Alexa ecosystem
Future Risk:
- After 2041, FTC restrictions lift
- Amazon could sell Fitbit data to insurers, employers
- No legal barrier to monetization after expiration
Fitbit Privacy Approach
- Opt Out of Marketing Emails
- Fitbit app → Settings → Notifications
- Disable marketing and promotional emails
- Don’t Accept Terms & Conditions Changes
- Fitbit periodically asks to agree to new T&Cs
- Review changes carefully before accepting
- If unacceptable, delete device and data
- Export Data Regularly
- Fitbit → Settings → Data Export
- Maintain personal backup
- Consider Switching Before 2041
- Apple Watch is better long-term privacy choice
- Garmin (less data collection, more privacy)
HIPAA Gaps and Legal Exposure
Important: Fitness apps are NOT covered by HIPAA unless they’re explicitly medical devices or used by healthcare providers.
What This Means:
- Your fitness app doesn’t need HIPAA compliance
- Fitness data can be sold and shared freely
- No legal recourse if data is breached (no HIPAA penalties)
- Data broker regulations are minimal
Example Scenario:
- You track heart rate variability in fitness app (suggests stress)
- App sells this to data broker
- Data broker sells to life insurance company
- Life insurance company denies your policy or increases premium
- You have limited legal recourse (HIPAA doesn’t apply)
Legal Status:
- Fitness tracking data is NOT health information under HIPAA
- Wearable data is NOT regulated like medical records
- FDA doesn’t require privacy certifications for most fitness apps
- State privacy laws (California CCPA, Virginia VCDPA) provide some protection but are weak
Data Broker Risks
Major data brokers that acquire fitness data:
| Broker | Data Sources | Buyers | Estimated Records |
|---|---|---|---|
| Experian | Strava, Fitbit aggregates | Insurers, employers | 500M+ |
| Equifax | Wearable data aggregates | Credit lenders, insurers | 1B+ |
| Acxiom | Fitness aggregates | Advertisers, insurance | 2B+ |
| CoreLogic | Fitness + location data | Wealth managers, brokers | 300M+ |
How Fitness Data Flows:
Your Fitness App
↓
Third-party analytics company
↓
Data aggregator (Acxiom, Equifax, etc.)
↓
Insurance company, employer, advertiser
Actionable Privacy Steps
Tier 1: Basic Protection (5 minutes)
- Make Strava activities private
- Opt out of Peloton data sharing
- Remove third-party apps from Apple Health
Tier 2: Medium Protection (30 minutes)
- Switch to Apple Health or Garmin (if possible)
- Enable two-factor authentication on all fitness apps
- Export data from Fitbit, Strava, Peloton
- Delete accounts for apps you don’t actively use
Tier 3: Maximum Protection (2 hours)
- Delete all fitness app accounts
- Verify deletion in data broker opt-out services (Experian, Equifax)
- Use offline-only fitness tracking (Garmin watch with no cloud sync)
- If tracking is necessary, use Apple Health exclusively (best privacy)
Opt-Out Services
Several services can opt you out of data brokers:
- GDPR Right to be Forgotten: If in EU, use GDPR deletion requests to data brokers
- State Privacy Laws: California CCPA and Virginia VCDPA grant deletion rights
- Opt-Out Services:
- DeleteMe (removes from 200+ data brokers, $300/year)
- Optery (GDPR/CCPA specialist)
- Data.com removal tool
Cost: $0 (manual process) to $300/year (automated services)
Privacy-First Fitness Alternatives
If privacy is critical:
Garmin: Minimal cloud sync, data stays on device, less aggressive data collection
- Privacy: Excellent
- Features: Good
- Cost: $300-$800 watch
- Drawback: Smaller app ecosystem
Apple Watch + Apple Health: Strong encryption, limited sharing
- Privacy: Excellent (among mainstream options)
- Features: Excellent
- Cost: $250-$800
- Ecosystem: Tightly integrated
Simple Step Counter: Non-smart device that doesn’t track personal data
- Privacy: Perfect
- Features: Minimal
- Cost: $20-$50
- Drawback: No health insights
Recommendations
For Most Users:
- Use Apple Health if you have Apple devices
- Make Strava routes private or delete account
- Opt out of Peloton data sharing
- Disconnect third-party apps from any fitness platform
For Privacy-Conscious Users:
- Switch to Garmin or Apple Watch
- Delete accounts on Fitbit, Peloton, Google Fit
- Manually opt out of data brokers (Experian, Equifax)
- Use fitness tracking offline when possible
For Maximum Privacy:
- Don’t use cloud-connected fitness trackers
- Use offline step counter or basic activity tracking
- Accept that comprehensive health insights require privacy tradeoff
Related Articles
- How Data Brokers Compile Your Personal Profile
- HIPAA vs Consumer Privacy Laws for Health Data
- Health Insurance Discrimination: Genetic and Fitness Data
- Best Privacy-Focused Wearables 2026
- Opting Out of Data Brokers: Complete Guide 2026
Built by theluckystrike — More at zovo.one