- Online privacy app Surfshark analyzed 16 different fitness apps
- It reported on how much personal data these apps collect, with Fitbit and Strava collecting the most
- Here's what it means for users of these apps, and a few simple ways to better protect your privacy
As fitness season kicks off post-holidays, many are turning to fitness apps to help achieve their health goals in 2026.
However, these apps can be quite data-hungry, often logging and sharing personal information, including sensitive data that users may prefer to keep private.
A study by online security firm Surfshark examined 16 popular fitness apps, including Fitbit, Strava, Apple Health, PUSH, Centr, and others, ranking them based on the amount of data they collect.
The rankings consider various data types collected, such as location, contact information, health, and search history. Surfshark also assessed whether the apps utilize data for tracking purposes.
Apple defines tracking as linking user or device data collected from your app with data from other companies’ apps or websites for targeted advertising.
The report also highlighted which apps collect data that is not needed for their functionality. While it's expected for fitness apps to gather health-related data, some also collect information like search history or advertising data.
Four apps were found to collect 'sensitive data', which includes information about race, sexual orientation, fertility, genetic data, and even employment status.
All data was sourced from Apple’s App Store. A screenshot of Fitbit’s listing illustrates the various types of data collected.
The results
Fitbit tops the list, gathering 24 different types of data, including advertising and sensitive data. Only five of these are necessary for app functionality, meaning Fitbit collects 19 types of data beyond what is needed to operate the app.
However, Surfshark notes that Fitbit does not use this information for tracking.
Strava follows closely, collecting 21 types of data, none of which are essential for app operation. It also shares data for tracking with third parties, but does not collect sensitive data.
Nike Training Club collects 20 types of data, including sensitive information, and uses it for tracking purposes.
Centr ranks lowest, collecting just three types of data, yet it still shares data for tracking. PUSH is noted as the least invasive app, collecting data without linking it to users.
What does this mean for users?
While Fitbit's data collection may not be surprising given its ownership by Google, it reportedly does not share personal or sensitive data with third parties, likely due to regulatory constraints.
Concerns arose when Google acquired Fitbit in 2021, with economists warning that it could lead to the monetization of health data. The European Commission allowed the merger with a stipulation that health data cannot be used for marketing for ten years.
Strava has faced privacy issues in the past, including accidental disclosures of sensitive locations through user activity heatmaps. Reports have indicated that hackers can locate users' homes on Strava, even with privacy settings enabled.
Perhaps most concerning is the collection and sharing of sensitive data, which includes personal health information. While such data is protected under GDPR in the EU, there are fewer protections in the US when it is shared outside medical contexts.
5 ways to protect your privacy
In today's interconnected world, it's challenging to opt out of the extensive sharing of personal information. However, users can take steps to control how much of their data is collected.
- New accounts: Create a separate account not linked to your personal life for data-hungry apps.
- Check your permissions: Regularly update permission settings on your phone to limit tracking.
- Minimize location leaks: Start location-sharing activities away from home.
- Check the small print: Review data collection practices before downloading apps.
- Multi-factor authentication: Enable multi-factor authentication on all email accounts used for these apps to enhance security.
