Health – Tracking Apps: Trading off your Privacy for Health?

Founded by James Park and Eric Friedman, Fitbit was an American consumer electronics and fitness company that specialized in the manufacturing and sale of wireless-enabled wearable technology, physical fitness monitors and activity trackers such as smartwatches, pedometers and monitors for heart rate, quality of sleep, and stairs climbed as well as related software. It was in operation from 2007 to 2021, when it was acquired by Google and merged with their hardware division.

In 2019, Fitbit became the fifth largest wearable technology company in shipments.The company has sold more than 120 million devices and has 29 million users in over 100 countries.

A. Categories of Data Collected:

(Table 2)

B. Third Party Apps/Devices the App Can Access:

• Camera
• Music streaming applications
• Location
• Google Fit/ Apple Health
• Social Media Apps such as Instagram

Fitbit proclaims that such access is granted only with consent from the users. They provide users with privacy controls to disable such access at any time. Fitbit provides users with the rationale for requesting access, ensuring transparency. Furthermore, the policy specifies that such access is optional and based on user consent.

It’s important to note that the data-sharing process is also subject to the privacy policies of Apple Health and Oura, which may collect and use data for their own business purposes.

C. Third Party Access: Fitbit users can control personal data usage through account settings. For example, through privacy settings, users can limit how their data is visible to other users of the Services. Users can revoke the access of third-party applications that they previously connected to their Fitbit account. They can also use the Fitbit application to unpair their device from their account at any time

In its Privacy Policy, Fitbit mentions that third-party payment processors may retain personal information of users such as name, credit/debit card number, card expiration date, CVV code and a billing address. Such retention will be subject to their own privacy policies and terms.

Users can opt to share their personal data with third-parties by either, allowing them access to their Fitbit account or giving their employer access to information in case they choose to participate in an employer wellness program. Such sharing will be governed by the third-party’s privacy policies and terms. Users can choose to withdraw their consent in such cases through their account settings.

Fitbit also provides live coaching services that allows users to communicate with a live health, fitness, or wellness coach (“Live Coaching Services”). Such coaches may be provided by third parties, such as a users’ employer or insurance company, or by their third-party coaching service

providers. If they use Fitbit’s Live Coaching Services, they collect information about such use, ranging from the plan, goals, and actions recorded with their coach, calendar events, communications, notes their coach records about the user, and other information submitted by the user or their coach.

D. Rights under DPDPA

• Right to Withdraw Consent: Users can withdraw at any time, through their account settings and other tools.
• Right to Access:Upon logging into their account, Fitbit states that it provides users with access to much of their personal data. Using their account settings, they can also download such data in a commonly used file format, including activities, body, foods, and sleep.
• Right to Correction and Erasure: Fitbit allows users to edit and delete their personal data. Users can opt to edit or delete their profile data and also delete their account — if they wish to do so. If a user chooses to delete their account, most of their data is deleted within 30 days. However, complete erasure can take upto 90 days. Fitibit cites that this is due to the size and complexity of the systems they use to store data. It is also retained for this period for legal purposes and to prevent harm.
• Right to Grievance Redressal:The Privacy Policy does not provide access to the name and contact number of Fitbit’s Data Protection Officer, however, users can contact our Data Protection Officer at data-protection-office@fitbit.com. Users can also exercise this right by filing a complaint with their local data protection authority or with the Irish Data Protection Commission, their lead supervisory authority, whose contact information is available here. Fitbit will also have to provide such details for a Data Protection Officer based in India.

E. Plain Language and Readability

Fitbit’s Privacy Policy is comprehensive and structured quite extensively. Users are likely to find it to be simple and accessible. However, they may have to traverse several hyperlinks and read through a huge repository of information to have full understanding of how their data is being protected.

1. Lawfulness, transparency and fairness:Fitbit processes personal data after obtaining user consent. Such processing can be done to perform contract obligations with its users and in furtherance of its legitimate commercial interests.
2. Storage limitation : Fitbit stores personal data of users for as long as the account remains active. They do so to ensure that the user account continues to remain in operation.
3. Purpose limitation: Fitbit explains how it uses different kinds of personal data collected through various sources as well as the reasons behind such collection.
4. Data minimisation:  Fitbit collects personal data across a huge range of interoperable services for improved community building and health tracking. This might raise concerns regarding profiling of its users.
5. Accuracy:  Fitbit allows users to access, modify, correct, erase, and update their personal data – thereby ensuring accuracy of personal data.
6. Integrity and Confidentiality: Fitbit employs a combination of technical, administrative, and physical controls to maintain the security of their users’ data. This includes using Transport Layer Security (“TLS”) to encrypt many of their Services. However, they state that no method of transmitting or storing data is completely secure. Fitbit allows users to report security-related concerns through a Customer Support facility.
7. Accountability: Fitbit does a fair job of informing its users in a comprehensive manner about its data protection practices, however, its users’ personal data has been compromised in the recent past. This has occurred despite Fitbit taking reasonable security measures to ensure security and safety of their data.

• Lawfulness, transparency and fairness
• Storage limitation
• Purpose limitation
• Data minimisation
• Accuracy
• Integrity and confidentiality
• Accountability

Data Protection Score : 5/7

Strava is an American internet service for tracking physical exercise and incorporates social network features. Founded by Mark Gainey and Michael Horvath in 2009, it operates on a freemium model with some features only available in the paid subscription plan.

A. Categories of Data Collected:

(Table 2)

B. Third Party Apps/Devices the App Can Access

1. Camera
2. Music streaming applications
3. Location
4. Peloton
5. Garmin
6. Google Fit/ Apple Health
7. Social Media Apps such as Instagram

Strava claims that such access is granted only with consent from the users. Strava provides users with privacy controls to disable such access at any time. Strava provides users with the rationale for requesting access, ensuring transparency. Furthermore, the policy specifies that such access is optional and based on user consent.

C. Third Party Access:

• Strava collects information from devices and apps that a user opts to connect to Strava as per the consent of the user. For example, a user can connect their Garmin watch or Peloton account to Strava to interact with Strava’s services. Strava obtains health-related or activity related information. Users can disable such access at any time through account settings.

• Strava can also collect personal information such as name, email address, profile information and preferences, from third-party account providers. Users can control the nature of the information that is shared in such cases through privacy controls within their user accounts
• Strava may use third-party analytics providers to gain insights into how their Services are used, using aggregated data, and to help them improve the Services.
• Strava mentions that third-party payment processors (Payment Card Industry compliant) may store credit card information as per applicable standards.
• Strava shares only the information necessary for the third-party to facilitate protection and security of its users’ information. Upon sharing of activities over social media applications, Strava cautions its users to carefully review the privacy practices of such third parties, given that location data could be shared on such public platforms.

D. Rights under DPDPA

• Right to Withdraw Consent: Users can withdraw their consent to Strava processing their health data at any time, Strava will delete all health-related data from any future activities users choose to upload. However, Strava states that processing may be continued if they have a separate legal basis (compliance with court orders) or if withdrawal of consent was limited to certain processing activities.
• Right to Access:Users are provided with the right to request access to the personal data by logging into their account. They can request additional access through https://support.strava.com To download a copy of data, users can click here
• Right to Correction and Erasure:Users can correct or delete much of their data by logging into their account, such as editing their profile, deleting content like photos or videos a user may have posted, remove individual activities from view, delete individual activities, or delete their account. Users can correct, amend or update profile or account information at any time by adjusting that information in their account settings. Strava advises users to contact them at https://support.strava.com for any further assistance needed. However, Strava states that processing may be continued if they have a separate legal basis (compliance with court orders) or if withdrawal of consent was limited to certain processing activities.
• Right to Grievance Redressal:Right to Grievance Redressal: Strava does not provide any specific contact details for an authorized Data Protection Officer. Rather, users are advised to contact Strava at a general email address – https://support.strava.com or lodge a complaint with the local data protection supervisory authority.

E.Plain Language and Readability:

Strava’s Privacy Policy is comprehensive and structured quite extensively. Users are likely to find it to be simple and accessible. However, users may have to traverse several hyperlinks and read through a huge repository of information to have full understanding of how their data is being protected.

F. Data Protection Score

1. Lawfulness, transparency and fairness:Strava’s Privacy Policy states that they collect and process data based on user consent, legal obligations, and legitimate interests.
2. Storage Limitation: Strava states that it retains information as long as it deems necessary to provide its services. subject to their legal obligations to further retain such information. Information associated with a users’ account will generally be kept until it is no longer necessary to provide the Services or until their account is deleted or becomes inactive. This might indicate that Strava may opt to retain personal data for an undefined period of time.
3. Purpose limitation: Strava explains how it uses different kinds of personal data collected through various sources as well as the reasons behind such collection.
4. Data minimisation:Strava collects personal data across a huge range of interoperable services for improved community building and health tracking. However, there seems to exist a lack of necessity in relation to data collected through aggregated services.
5. Accuracy: Strava allows users to access, modify, correct, erase, and update their personal data – thereby ensuring accuracy of personal data.
6. Integrity and Confidentiality:  Strava does not provide any details how it ensures security of users’ data.
7. Accountability:Given that Strava only provides a generic email contact point for users to have their grievances addressed, it makes the entire process a lot more opaque than other applications. Additionally, Strava collects personal data across a huge range of services/applications. This could raise potential concerns with respect to pervasive data.profiling. In the past, Strava has been subject to several controversial incidents, raising digital privacy concerns.

If the data protection principle is complied with, the checkbox is accordingly ticked. You’ll see that we’ve left some boxes empty- We have done that where the policy was unclear or we don’t have enough information to determine whether the principle was complied with.

• Lawfulness, transparency and fairness
• Storage limitation
• Purpose limitation
• Data minimisation
• Accuracy
• Integrity and confidentiality
• Accountability

Data Protection Score: 3/7

Google Fit is a health-tracking app developed by Google and released in October 2014. Google Fit uses sensors in a user’s activity tracker or mobile device to record physical fitness activities (such as walking, cycling, etc.), which are measured against the user’s fitness goals to provide a comprehensive view of their fitness. It also syncs data from wearable tech devices such as smartwatches and from other fitness apps.

Google Fit does not have an independent privacy policy; instead, its data practices fall under Google’s comprehensive Privacy Policy. To gain a deeper understanding of how the app processes data, the  Google Fit Terms and Services was also reviewed alongside Google’s privacy policy.

A. Categories of Data Collected:

(Table 4)

Observations:

My Calendar does not explicitly request user consent for the Privacy Policy. By default, user data is stored locally on the user’s device, and My Calendar does not have access to this data. However, the Privacy Policy also states that if a user opts to back up their data to the cloud, a limited number of employees may have access to it.

Observations: While users can voluntarily input health-related data into Google Fit, Google’s general

Privacy Policy applies across all its services. This raises concerns about whether Google Fit, by being a Google service, has access to the broader range of data listed in Column 2 of Table 1. If Google Fit
automatically collects such a wide array of information as similar to what Google collects, it is clearly intrusive.

B. Third-Party Apps/Devices that PTPC can access:

Google Fit can access 50 Apps as of 27 March 2025. The third-party apps can access any data that Google Fit stores including activity information (steps, calories, speed), location data (distance, pace), nutrition and hydration (calories, nutrients, water intake), body sensor information (heart rate), and sleep information (bedtime, wake-up time, total sleep).

Google Fit allows apps to store and access fitness data based on user permissions. When connecting an app, users can choose whether it can:

• Store new data – The app saves fitness-related information to Google Fit, which other authorized apps can access.
• View existing data – The app can retrieve data stored in Google Fit by other connected apps.

Third Party Apps can also share data in two ways:

• Collaborative Sharing: Apps allow other connected apps to access and utilize their stored fitness data.
• Isolated Storing: Apps save data in Google Fit but restrict access to other apps.

Users have the right to revoke access to third party apps and delete data stored.

Observations: The data-sharing process is also governed by the Privacy Policies of third party apps, which may collect usage data for their own business purposes. Additionally, data accessed from Google Fit could potentially be sold to advertising platforms, data brokers, or information resellers, raising privacy concerns.

C. Third-Party Access to Data 

Google Fit does not have a separate policy for third-party data sharing; instead, it follows Google’s general privacy policy, which allows data sharing for the following reasons:

1. With User Consent: Personal data is shared only when users explicitly allow it, such as when connecting third-party apps or services. Users can review and manage these permissions in their Google Account settings. Explicit consent is also taken prior to sharing any sensitive personal information such as confidential medical facts, racial or ethnic origins, political or religious beliefs, or sexuality.
2.  Access by Domain Administrators: Organizations or schools using Google services may allow administrators to access and manage user data.
3. External Processing: Google shares data with affiliates and trusted service providers for operational purposes, including data center management, product improvement, and customer support.
4.  Legal Compliance: Personal information may be disclosed to comply with laws, government requests, fraud prevention, or security concerns.
5.  Mergers & Acquisitions: In case Google is involved in a merger, acquisition, or sale of assets, it will ensure the confidentiality of users’ personal information and notify affected users before their data is transferred or becomes subject to a different privacy policy.
6. Non-Personal Data Sharing: Google may share non-personally identifiable information publicly and with its partners, such as publishers, advertisers, developers, or rights holders. For example, it shares information publicly to show trends about the general use of its services. Google also allows specific partners to collect information from users’ browsers or devices for advertising and measurement purposes using their own cookies or similar technologies.

Observations: While Google’s Privacy Policy asserts that explicit consent will be obtained before sharing sensitive personal information, the absence of a specific privacy policy for Google Fit—an app that collects sensitive personal data—raises significant privacy concerns. Furthermore, Google’s general Privacy Policy does not provide clarity on the specific third parties involved in data sharing, referring only to vague terms such as “affiliates,” “trusted businesses,” and “partners like publishers, advertisers, developers, or rights holders.” This lack of transparency on the exact parties with whom data is shared leaves users uncertain about how their sensitive data might be accessed or used.

D. Rights under DPDPA

Google’s Privacy Policy does not explicitly outline the rights of users regarding their data.

• Right to Withdraw Consent:Consent is assumed and there is no specific option to withdraw consent.
• Right to Access:Google Fit provides users an option to export a copy of all data saved by Google
• Right to Correction and Erasure:Users can review and potentially correct inaccurate activity data within their Google Fit history. Users can also delete specific activity entries or their entire exercise history in Google Fit
• Right to Grievance Redressal:The Privacy Policy does not provide direct information about the Grievance Redressal Officer or Data Protection Officer. Users must search separately to find this information.

E. Plain Language and readability 

The Privacy Policy has language that is simplified and structured. It also has video explanations, illustrative examples and visual aids to improve readability. However, the information in Google’s Privacy Policy is spread across multiple links rather than being clearly stated within the policy itself. This can make it difficult for users to easily find and understand the relevant details. Additionally, the policy uses vague and enabling language throughout, which may leave users uncertain about how their data is actually being handled or shared. This lack of clarity and accessibility can create confusion and reduce users’ ability to make informed decisions about their privacy.

F. Data Protection Score

• Lawfulness, transparency and fairness
• Storage limitation
• Purpose limitation
• Data minimisation
• Accuracy
• Integrity and confidentiality
• Accountability

Data Protection Score: 2/7

Observations: 

1. Lawfulness, transparency and fairness: Google’s Privacy Policy states that they collect and process data based on user consent, legal obligations, and legitimate interests. However, it could be clearer about the specific legal basis for all data processing activities. Surprisingly there is no mention of any data protection laws in the Privacy Policy. The policy also doesn’t clearly specify what data is collected, why it’s used, and in some cases, the reasons for sharing it. Google provides some control over data sharing, such as the ability to disconnect third-party apps or manage privacy settings, though the process isn’t always straightforward. However, the lack of a clear and easily accessible opt-out option for all data collected and shared  remains a concern.
2. Storage Limitation:The privacy policy does not clearly state how long user data is retained. Furthermore, some data is kept for extended periods due to legal, financial, and security considerations, such as fraud prevention, regulatory compliance, and financial record-keeping. This raises concerns about   indefinite retention for some categories of data.
3. Purpose limitation:  Google lists several reasons for collecting data but does not provide enough detail about the specific uses of different types of personal data, especially in the context of third-party sharing.
4. Data minimisation:  Google collects a broad range of personal data (such as location, health data, browsing history, etc.). The policy does not clearly state whether all this data is necessary for the functioning of the app or if some of it is excessive for the purposes outlined. For example, it’s unclear whether all collected data is truly necessary for services like Google Fit. The absence of a dedicated privacy policy for Google Fit indicates that Google collects a wide range of data across multiple services without following the principle of data minimisation. .
5. Accuracy:The privacy policy emphasizes the importance of data accuracy by allowing users to access, modify, correct, erase, and update their personal data.
6. Integrity and Confidentiality: Google employs strong security measures to protect user data, including encryption during data transmission, security tools like Safe Browsing and Two-Step Verification, and internal security reviews to prevent unauthorized access. Further only authorized employees, contractors, and agents can access personal data, and they are bound by strict confidentiality agreements. Violation of these obligations may result in disciplinary action or termination.
7. Accountability: Google’s Privacy Policy does provide a general explanation of its data handling practices. However, the policy is spread across multiple links, which may reduce its accessibility and effectiveness in holding Google accountable. The policy mentions that users can review and manage third-party permissions, but it doesn’t provide a comprehensive, clear description of all accountability measures, such as user rights and grievance redressal mechanisms. The absence of specific details about the grievance redressal process or data protection officers limits the policy’s ability to hold Google accountable. Further in light of lawsuits and settlements, questions remain about the effectiveness of these policies in ensuring compliance with data protection regulations and safeguarding user privacy.

The Step Counter – Pedometer app by Leap Fitness Group is a mobile application designed to help users track their physical activity by calculating and counting steps, calories burned, and monitoring other essential fitness metrics. This app serves as an efficient and convenient tool for individuals looking to improve their health and meet their daily activity goals. It utilizes the device’s built-in sensors to automatically track users’ steps without requiring manual data input or GPS usage, thereby conserving battery life. 

The App can also be used without registration or login. Users have the option to back up their exercise data by linking a Google account.

Lets analyse the Privacy Policy in detail (Last updated on 10 January , 2025)

A. Categories of Data Collected:

(Table 5)

Observations:

The app collects both mandatory and optional user data. Mandatory data includes physical activity access for tracking steps, time, distance, and calories, as well as local media access permission for securely storing fitness records. Optional data consists of personal details such as name, email address, gender, height, weight, and location, which enhance tracking accuracy. Additionally, the app may collect water consumption data, though its necessity and purpose are not explicitly stated.

B. Third-Party Apps/Devices that Maya can access:

• Location
• Camera 
• Microphone 
• Google Fit

Observation:

 The Privacy Policy emphasizes that access to user data is granted only with explicit permission, and users retain the right to revoke permissions at any time. It also clearly outlines the reasons for requesting access, ensuring transparency. Furthermore, the policy specifies that such access is optional and based on user consent.

C. Third Party Access

The Privacy Policy states that user-provided information is not shared with third parties.

Step Counter uses Google for displaying personalized advertisements, by virtue of which Google may collect certain personal data, such as online identifiers and IP addresses, for advertising, analytics, and fraud prevention. Google requires user consent before collecting this data and is obligated not to disclose or misuse the information. Users have the option to disable personalized ads, though non-personalized ads will still be displayed.

For payment processing, third-party providers handle transactions securely in compliance with PCI-DSS security standards. The app itself does not store or collect payment card details.

D. Rights under DPDPA

• Right to Withdraw Consent: The Privacy Policy does not specify the users right to withdraw consent nor does it explicitly collect consent at the time of downloading the app. The Privacy Policy does not specify the users right to withdraw consent nor does it explicitly collect consent at the time of downloading the app.
• Right to Access: Users have the right to request confirmation of whether Step Counter is processing personal data and can access such personal data and related information (e.g., categories of personal data processed).
• Right to Correction and Erasure:Users have the option to correct and erase all data. By clicking “Delete All Data” on the settings page, users can permanently delete both local and cloud data. However no timelines are provided to facilitate these rights. s
• Right to Grievance Redressal:Right to Grievance Redressal:Grievance redressal is provided, however, it does not contain specific details of an officer but just a support team address.

E. Plain Language and readability

The Privacy Policy though structured as a legal contract, it is easy to read. User consent to the Privacy Policy is not explicitly obtained when downloading the app, this raises concerns about informed consent to data processing terms.

F. Data Protection Score

• Lawfulness, transparency and fairness
• Storage limitation
• Purpose limitation
• Data minimisation
• Accuracy
• Integrity and confidentiality
• Accountability

Data Protection Score: 3/7

Observations: 

1. Lawfulness, transparency and fairness: The Privacy Policy of Step Counter details the types of data collected and the reasons for collection. However, the app does not explicitly collect consent for the Privacy Policy or the data collected. 
2. ii) Storage Limitation: The Privacy Policy indicates that users can delete their data by selecting “delete your data” or “delete account” within the app. However, the policy lacks specific details on data retention periods for different data types, leaving it unclear why certain data may need to be stored indefinitely.​
3. iii) Purpose Limitation: The privacy policy of Step Counter – Pedometer specifies that the personal data collected is used for purposes such as enhancing user experience, ensuring app functionality, providing support, fulfilling contractual obligations, and communicating updates. These purposes are explicitly stated, aligning with the principle of purpose limitation,
4. iv) Data Minimisation: The app requests only data necessary; such as physical activity data for step tracking and local storage for purposes of data retention. Optional permissions such as location access and Google Fit integration are clearly labeled as optional, Excessive data beyond what is required for core functioning of the app; is not collected and required.
5. v) Accuracy: The Privacy Policy does not clearly emphasize the importance of data accuracy. However, Step Counter provides mechanisms for users to correct personal information if required. 
6. vi) Integrity and Confidentiality: The Privacy Policy mentions the implementation of measures to protect data against any unauthorised access, loss or alteration. However, it lacks specific details about these security measures; such as encryption methods or access controls, making it difficult to fully assess the robustness of data protection practices. 
7. vii) Accountability: The Privacy Policy does not provide details of a Grievance Officer or Data Protection Officer (DPO), instead, it only includes a general support team email.

HERE’S WHAT WE FOUND: