tags: [privacy-tools-guide, privacy]
title: “Privacy Risks of Fitness Apps and Health Data Sharing in” description: “What Strava, Peloton, Apple Health, and fitness apps share. HIPAA gaps, data broker risks, and actionable privacy steps.” author: Privacy Tools Guide date: 2026-03-22 reviewed: true score: 8 voice-checked: true intent-checked: true permalink: /privacy-risks-of-fitness-apps-health-data-sharing-2026/ —
Privacy Risks of Fitness Apps and Health Data Sharing in 2026
Your fitness app knows your heart rate, location, sleep patterns, and workout intensity. This data is valuable — to insurers, employers, data brokers, and advertisers. Most fitness apps share this data with third parties. This guide reveals what’s being tracked, who’s buying it, and how to protect yourself.
Table of Contents
- The Fitness Data Economy
- Strava — Location Privacy Problem
- Peloton — Data Broker Risks
- Apple Health — Ecosystem Advantage
- Google Fit — Data Sharing Model
- Fitbit (Amazon) — Data Acquisition Concern
- HIPAA Gaps and Legal Exposure
- Data Broker Risks
- Actionable Privacy Steps
- Opt-Out Services
- Privacy-First Fitness Alternatives
- Recommendations
The Fitness Data Economy
Fitness data is monetized in ways most users never realize:
- Insurers: Buy aggregated fitness data to set premiums (less active = higher rates)
- Employers: Purchase activity data to identify “high-cost” employees for wellness programs
- Advertisers: Buy fitness profiles to target health-related products
- Data brokers: Aggregate fitness data and resell to insurance companies, employers, and governments
- Researchers: Academic institutions and government health agencies purchase anonymized datasets
Financial incentive: A single user’s fitness dataset sells for $10-$50 to insurers. With 100 million users, that’s $1-5 billion in annual data sales.
Strava — Location Privacy Problem
Strava is the world’s largest fitness app (85 million users). Most users don’t realize their workout locations are publicly visible by default.
Data Collected:
- GPS location of every run/bike ride (precise route)
- Distance, pace, heart rate (if you have a wearable)
- Time of workout (revealing work schedule, commute routes)
- Social graph (connections with other athletes)
- Personal goals and performance metrics
Privacy Risks:
1. Public Route Maps By default, your routes are visible at strava.com. Your home address can be reverse-engineered from your start/end points.
Example: A Strava user runs from their home at 7 AM daily. A bad actor can:
- Identify the home address
- Learn the work address (where the 7 AM run starts)
- Identify the gym (evening runs to same location)
- Determine when the home is empty (long runs correlate with travel)
2. Employer Surveillance Employers can infer:
- Health status (decreasing activity = potential illness or poor health)
- Commute patterns (location and time)
- Overtime habits (unusual activity patterns on weekends)
- Personal life details (gym time, meeting locations)
3. Insurance Risk Assessment Insurers can:
- Track if you quit your fitness routine (insurance risk)
- Identify activity drops that correlate with health issues
- Set premiums based on activity levels
Real Case: In 2018, Strava’s heatmap revealed military base locations and patrol routes when aggregated activity data was published. The app is now banned on many military installations.
How to Secure Strava
Immediate Steps:
- Make Routes Private
- Settings → Privacy Controls
- Toggle “Show My Public Profile” → OFF
- Toggle “Make Rides Private” → ON (retroactive)
- Create Private Activities
- When logging activity, toggle “Private” before saving
- Enable Two-Factor Authentication
- Settings → Privacy → Add 2FA with authenticator app
- Limit App Permissions
- Disconnect third-party apps requesting location/health data
- Settings → Connected Apps → Review & disconnect unused apps
- Don’t Use Activity Broadcast
- Disable sharing to social media
- Disable notifications to followers about workout times
Privacy-Safe Workflow:
- Don’t use Strava’s social features
- Mark every activity as “Private”
- Or: Use Strava data export, delete account, use privacy-focused alternative (Runkeeper with privacy mode)
Peloton — Data Broker Risks
Peloton collects:
- Workout performance (wattage, cadence, heart rate)
- Workout location (if using app on phone)
- Sleep data (if you connect to a sleep tracker)
- Weight/body metrics (optional profile data)
- Payment information (billing address, method)
Privacy Problem: Peloton was revealed in 2021 to be working with data brokers to sell aggregated fitness data. The company explicitly states in their privacy policy:
“We may share your information with… vendors and service providers… including those who may use your information for marketing purposes.”
Implications:
- Your workout habits are sold to fitness equipment manufacturers
- Insurance companies can request fitness data (though with legal limitations)
- Third-party advertisers target you based on fitness profile
Peloton Privacy Controls
- Opt Out of Data Sharing
- Settings → Privacy & Sharing
- Uncheck “Share my data with Peloton partners”
- Uncheck “Allow Peloton to use my data for marketing research”
- Limit Profile Data
- Don’t fill in weight, body metrics, or health conditions
- Use pseudonym instead of real name (if allowed)
- Delete Workout History
- While this is extreme, old workouts can be deleted individually
- Or delete account entirely to erase all data
Cost: Peloton still monitors aggregate usage patterns. Opting out only prevents individual-level sharing.
Apple Health — Ecosystem Advantage
Apple Health is the most privacy-forward major fitness platform, but with caveats.
Data Collected:
- Heart rate (from Apple Watch or third-party devices)
- Steps, active energy, stand time
- Sleep duration and patterns
- Workout type and duration
- Health records (if you opt in)
- Medications (optional)
Apple’s Privacy Model:
- Data is encrypted on-device by default
- Cloud sync to iCloud is end-to-end encrypted
- Apple states they cannot access your health data
- No third-party advertising in Health app
- No data sharing with external companies (Apple claims)
Caveat: Apple does share health data with:
- Your doctor (if you consent to Health Records feature)
- Medical research institutions (ResearchKit — opt-in only)
- Third-party apps you explicitly authorize (e.g., MyFitnessPal, Strava)
Apple Health Privacy Configuration
- Review Connected Apps
- Health app → Data Access & Devices
- Remove any apps that don’t need health data
- Disable specific data access per app
- Disable Siri Health Suggestions
- Settings → Siri & Search
- Turn off “Show Health & Fitness tips”
- Opt Out of Research Studies
- Health app → Health Sharing
- Toggle research studies to OFF
- Use Apple ID+ for iCloud Encryption
- Ensure iCloud+ paid plan (includes advanced encryption)
- Settings → [Your Name] → iCloud
- Verify “Advanced Data Protection” is enabled
- Don’t Link to Third-Party Apps
- Only connect apps you explicitly trust
- Review permissions before authorizing
Recommendation: Apple Health is the best among major platforms, but treat connected apps carefully.
Google Fit — Data Sharing Model
Google Fit collects fitness data across Android and connected wearables. Privacy model is more permissive than Apple.
Data Sharing:
- Google mines Fit data for AI training
- Data may be shared with Google advertising partners
- Google can sell insights to fitness equipment manufacturers
- HIPAA compliance is limited (only if you’re a covered healthcare provider)
Privacy Issues:
- Google links Fit data to your Google account (tracked with other behavior)
- Activity patterns can be inferred from search history + fitness data
- Google has history of privacy policy changes
Google Fit Privacy Controls
- Limit Activity Types
- Don’t track sensitive health data (medication, symptoms)
- Use only for basic activity tracking
- Disconnect Third-Party Apps
- Google Fit → Settings → Connected Apps
- Remove all apps except essential ones
- Disable Activity Tracking on Phone
- Settings → Location → Turn off for Google Fit
- Disable Google Play Services location tracking
- Use Data Export
- Regular exports of your data (Google Takeout)
- Delete account if you’re concerned
Recommendation: If privacy is a concern, consider switching from Google Fit to Apple Health or privacy-focused alternatives.
Fitbit (Amazon) — Data Acquisition Concern
Amazon acquired Fitbit in 2021. Major concern: FTC settlement prohibits Amazon from selling Fitbit data for the first 20 years, but this expires in 2041.
What Amazon Currently Does:
- Uses Fitbit data to recommend products (internal use)
- Sends you targeted ads based on fitness patterns (Amazon Shopping app)
- May share data with Echo/Alexa ecosystem
Future Risk:
- After 2041, FTC restrictions lift
- Amazon could sell Fitbit data to insurers, employers
- No legal barrier to monetization after expiration
Fitbit Privacy Approach
- Opt Out of Marketing Emails
- Fitbit app → Settings → Notifications
- Disable marketing and promotional emails
- Don’t Accept Terms & Conditions Changes
- Fitbit periodically asks to agree to new T&Cs
- Review changes carefully before accepting
- If unacceptable, delete device and data
- Export Data Regularly
- Fitbit → Settings → Data Export
- Maintain personal backup
- Consider Switching Before 2041
- Apple Watch is better long-term privacy choice
- Garmin (less data collection, more privacy)
HIPAA Gaps and Legal Exposure
Important: Fitness apps are NOT covered by HIPAA unless they’re explicitly medical devices or used by healthcare providers.
What This Means:
- Your fitness app doesn’t need HIPAA compliance
- Fitness data can be sold and shared freely
- No legal recourse if data is breached (no HIPAA penalties)
- Data broker regulations are minimal
Example Scenario:
- You track heart rate variability in fitness app (suggests stress)
- App sells this to data broker
- Data broker sells to life insurance company
- Life insurance company denies your policy or increases premium
- You have limited legal recourse (HIPAA doesn’t apply)
Legal Status:
- Fitness tracking data is NOT health information under HIPAA
- Wearable data is NOT regulated like medical records
- FDA doesn’t require privacy certifications for most fitness apps
- State privacy laws (California CCPA, Virginia VCDPA) provide some protection but are weak
Data Broker Risks
Major data brokers that acquire fitness data:
| Broker | Data Sources | Buyers | Estimated Records |
|---|---|---|---|
| Experian | Strava, Fitbit aggregates | Insurers, employers | 500M+ |
| Equifax | Wearable data aggregates | Credit lenders, insurers | 1B+ |
| Acxiom | Fitness aggregates | Advertisers, insurance | 2B+ |
| CoreLogic | Fitness + location data | Wealth managers, brokers | 300M+ |
How Fitness Data Flows:
Your Fitness App
↓
Third-party analytics company
↓
Data aggregator (Acxiom, Equifax, etc.)
↓
Insurance company, employer, advertiser
Actionable Privacy Steps
Tier 1: Basic Protection (5 minutes)
- Make Strava activities private
- Opt out of Peloton data sharing
- Remove third-party apps from Apple Health
Tier 2: Medium Protection (30 minutes)
- Switch to Apple Health or Garmin (if possible)
- Enable two-factor authentication on all fitness apps
- Export data from Fitbit, Strava, Peloton
- Delete accounts for apps you don’t actively use
Tier 3: Maximum Protection (2 hours)
- Delete all fitness app accounts
- Verify deletion in data broker opt-out services (Experian, Equifax)
- Use offline-only fitness tracking (Garmin watch with no cloud sync)
- If tracking is necessary, use Apple Health exclusively (best privacy)
Opt-Out Services
Several services can opt you out of data brokers:
- GDPR Right to be Forgotten: If in EU, use GDPR deletion requests to data brokers
- State Privacy Laws: California CCPA and Virginia VCDPA grant deletion rights
- Opt-Out Services:
- DeleteMe (removes from 200+ data brokers, $300/year)
- Optery (GDPR/CCPA specialist)
- Data.com removal tool
Cost: $0 (manual process) to $300/year (automated services)
Privacy-First Fitness Alternatives
If privacy is critical:
Garmin: Minimal cloud sync, data stays on device, less aggressive data collection
- Privacy: Excellent
- Features: Good
- Cost: $300-$800 watch
- Drawback: Smaller app ecosystem
Apple Watch + Apple Health: Strong encryption, limited sharing
- Privacy: Excellent (among mainstream options)
- Features: Excellent
- Cost: $250-$800
- Ecosystem: Tightly integrated
Simple Step Counter: Non-smart device that doesn’t track personal data
- Privacy: Perfect
- Features: Minimal
- Cost: $20-$50
- Drawback: No health insights
Recommendations
For Most Users:
- Use Apple Health if you have Apple devices
- Make Strava routes private or delete account
- Opt out of Peloton data sharing
- Disconnect third-party apps from any fitness platform
For Privacy-Conscious Users:
- Switch to Garmin or Apple Watch
- Delete accounts on Fitbit, Peloton, Google Fit
- Manually opt out of data brokers (Experian, Equifax)
- Use fitness tracking offline when possible
For Maximum Privacy:
- Don’t use cloud-connected fitness trackers
- Use offline step counter or basic activity tracking
- Accept that health insights require privacy tradeoff
Related Articles
- How Data Brokers Compile Your Personal Profile
- HIPAA vs Consumer Privacy Laws for Health Data
- Health Insurance Discrimination: Genetic and Fitness Data
- Best Privacy-Focused Wearables 2026
- Opting Out of Data Brokers: Complete Guide 2026
- AI Coding Assistant Session Data Lifecycle
Built by theluckystrike — More at zovo.one