What Are Companies Doing with Your Fitness Tracking Data?

Photo by Luke Chesser on Unsplash

Companies Behaving Badly is a corporate accountability legal network and advocacy group, comprising journalists, legal experts, and whistleblowers who believe corporate harm should have legal consequences. The movement’s mission is to expose corporate negligence and connect associated victims to legal resources.

Tracking your fitness through apps and wearables is a common way to monitor health, build accountability, and stay motivated. These tools help people track patterns in their activity, sleep, and well-being to support their strength and weight-management goals.

However, as fitness tracking becomes more widespread, questions are emerging about how the data is handled once it’s collected, and where it goes. It’s not just for you to look back on to see how far you’ve come. Keep reading to discover what’s happening with your sensitive information.

Why Fitness Tracking Data Matters to Users

You might not think it’s a big deal if companies know how far you’ve run or how well you slept last night. However, fitness tracking data reveals more than just your basic activity levels. Over time and with enough input, it can shed light on your daily routines, work schedules, travel habits, health changes, and more. This level of depth not only makes data useful to third parties but also makes it highly sensitive.

Stakeholders Who Can Access Fitness Data Tracking

Data Sharing, Employers, and Monetization

Generally, insurers and employers can’t directly access someone’s fitness tracking data without consent. However, they may access it indirectly through wellness programs, employer-sponsored fitness initiatives, or insurance schemes that encourage data sharing.

In these instances, users may agree to share specific metrics without understanding how that data is stored or used, or whether it may influence insurance premiums, coverage, or workplace decisions. These arrangements can also be framed as part of a monetization strategy, in which companies benefit from data insights or participation.

It may seem unlikely, but it happens. In 2017, John Hancock Life Insurance launched a program offering premiums discounts to customers who shared fitness data from their wearable devices. Essentially, this developed a business model that monetized user activity by rewarding or penalizing behavioral patterns with financial incentives.

The Sensitivity of Accumulated Data

To most users, the concern isn't so much the individual data points. After all, learning how far you walk in a day isn’t overly helpful information to third parties; it’s about accumulation. The continuous tracking creates detailed timelines. Even when a company says your data will be anonymized, your behavioral patterns are unique to you and can be highly revealing.

Trust is a key factor when you begin to question how companies use your fitness tracking data. The data is often passed through multiple organizations, including device manufacturers, app developers, cloud storage providers, and analytics platforms. Each transfer may contribute to a broader business model that leverages user data for advertising, partnerships, or monetization.

The Common Uses of Fitness Tracking Data vs. Associated Risks

Real-world example: In 2019, Strava released its Global Heatmap, which visualized the activities of millions of users worldwide. The data was anonymized, but it inadvertently revealed sensitive security and military locations, showing how aggregated fitness data can have real-world implications. 

Regulatory Protections and Limitations

Regulatory protections are in place and can provide much-needed peace of mind. For example, Europe’s General Data Protection Regulation (GDPR) is widely regarded as the world’s strictest data privacy and security law. However, data access rights and rules vary by country and are often buried in complex privacy policies. As a result, many users agree to practices they don’t fully understand or that they don’t morally agree with.

How Companies Collect, Store, and Apply the Data

There is typically a structured process for how companies handle fitness tracking data. The first step, of course, is to collect data via sensors. When you wear or use devices with temperature sensors, heart rate monitors, GPS chips, and accelerometers, the data is gathered as raw signals. Software is then used to convert the signals into metrics such as sleep stages, calories, and steps.

Storage and Management

Next, the data is uploaded to cloud servers operated by the company or a third-party provider. Access controls vary by company and determine which individuals and groups within a business can view or analyze datasets. The broader the access, the higher the chance of misuse or accidental exposure.

By default, many fitness platforms retain users’ data for as long as they have an active account and even after they stop using it. Data may be deleted if a user manually removes it or closes their account. Most platforms give users the right to export or delete their data, but the ease of this process varies from company to company.

For example, Apple lets you export or delete your data through your Apple ID settings, whereas Google has a data export tool and account deletion options through Google Takeout. In Fitbit, you’ll find instructions for exporting and deleting your data in the account dashboard, but the same information for Garmin is in the privacy settings.

While these major platforms all offer ways to delete and export data, the processes for each differ. Google and Apple tend to be more user-friendly, with self-service options, whereas Garmin and Fitbit require additional steps or requests.

How long data is retained varies by company and region. It may only be mentioned in privacy policies, rather than in user-facing settings where it’s readily accessible and visible.

Data Analysis

Once data sets are uploaded from devices, they are analyzed for a range of purposes. Some companies use it to improve the accuracy of their devices, identify usage trends, and test new features. Others rely on it for internal forecasting or researching partnerships.

In many cases, fitness companies say that they don’t sell raw, identifiable data directly to advertisers. However, anonymized or inferred data may still be part of the company’s monetization and business model, supporting targeted marketing, business partnerships, and sponsorships, depending on the user content settings and platform.

It’s during analysis and secondary use that governance failures occur most frequently, as platforms such as Companies Behaving Badly frequently discuss. Inference of sensitive information, hidden data sharing with third parties, and re-identification of data that’s supposed to be anonymous are just some of the many privacy issues that can arise during this phase.

Communication with Users

The final component of the structured process is communication with users. Dashboards, privacy controls, and consent prompts collectively shape what fitness app users see and control. Design choices in the communication process determine whether consent is truly informed or merely procedural.

Informed consent involves transparent, plain-language communication that strives to ensure users understand the data being collected, why the company needs it, and how it will be used. When consent is procedural, companies may use techniques such as pre-ticked boxes and hidden settings. These consent mechanisms also support business models by legitimizing the monetization of user data.

Day-to-Day Handling of Fitness Data

As another day of steps, heart rates, and sleep patterns comes to a close, it’s only natural to be curious about how your chosen fitness app company is handling your data every day. Once it leaves your device, companies use everyday processes to manage it.

In most cases, data is transferred from your device to a company server in small batches. As it’s being transferred, the company is checking for incorrectly counted steps, unusual heart rate readings, and other potential errors.

Once it’s in the company's system, the data is reviewed to see how you use your device and whether any features can be improved. The company is even looking for trends in health behaviors. While most of these processes are automated and performed by computers, individual employees may also still review the results.

Data retention policies can also reflect their monetization policies, such as maintaining datasets that they can sell, leverage for business intelligence, or analyze for partnerships. The specific rules and measures that companies have in place affect how private or exposed your data is over time.

How Company Culture Affects Your Data

How a company treats your fitness data depends on its priorities and culture. For example, a company that’s solely focused on growth may collect more data than it realistically needs to fuel marketing and product development. If a business authentically values its users’ privacy, it may limit how it collects your data or may process it directly on your device when possible.

Transparency also plays a large role. Companies that explain what data they collect and how they use it build greater trust. If a company does not provide a clear explanation of how it uses your data, it can raise concerns among users. A company’s approach to monetization often shapes its level of transparency, with some prioritizing generating revenue over clear communication.

Endnote

Fitness tracking data supports useful features, but it also raises questions and concerns about control, visibility, and trust. Companies use layered processes, complex infrastructure, and internal norms to manage this information. For fitness app and device users, it’s important to understand these systems to learn how your data is being used and determine the level of control you have over it.