Privacy-first fitness apps: why your workout data matters more than you think

What is actually in your fitness app's data stream

When a free fitness app asks for permission to read Apple Health or Health Connect, you are not just handing over step counts. The complete picture often includes resting heart rate, heart-rate variability, workout location traces, sleep stages, menstrual cycle data, weight, body composition, blood pressure, and dietary logs. Together they form one of the most intimate datasets a person produces.

A 2019 BMJ analysis of 24 top-rated medical apps found that 79% transmitted user data to third parties, and 78% of those transmissions were not disclosed to the user. A 2023 Mozilla Privacy Not Included audit of fitness and reproductive-health apps put 18 of 25 popular apps in its 'warning' category.

How the data leaks: SDKs, not malice

Most fitness apps do not have a shadowy team selling raw data. The leak happens through bundled software development kits — small libraries dropped into the app for analytics, ads, crash reporting, A/B testing. Each SDK phones home. A typical fitness app ships with five to fifteen of them.

The common offenders:

Ad SDKs (Meta Audience Network, Google AdMob, AppLovin) — log device IDs alongside in-app events
Analytics SDKs (Mixpanel, Amplitude, Segment) — capture event streams that can be cross-referenced
Attribution SDKs (Adjust, AppsFlyer, Branch) — exist to identify the user across apps
Aggregators like X-Mode and Veraset have been documented buying location traces from app makers and reselling to data brokers and, in some cases, government contractors

Why your workout data is uniquely valuable

Health data is the highest-margin product in the data economy because it is hard to substitute:

Insurance underwriting — life and health insurers buy aggregated risk signals. Resting heart rate and step variance correlate with mortality, so they correlate with premiums.
Targeting — someone who logged 'rest day' fourteen days in a row is in a different mood-state than someone who PRed yesterday. Advertisers pay for that.
Identity matching — the combination of GPS workout traces and a daily wake-time is more unique than a fingerprint. Two weeks of data is enough to deanonymise most users.

Three checks before installing any fitness app

Before you grant Health permissions, do these three things. They take about five minutes.

Read the app's data-handling label. On the App Store look for 'App Privacy → Data Linked to You.' On Google Play scroll to 'Data safety.' If the list includes 'Health and Fitness' linked to 'Third parties for advertising,' that is the answer.
Check the app's privacy policy for 'data broker', 'partners', 'aggregated', or 'de-identified.' All four are weasel words. Real privacy-first apps state plainly that data is not sold.
Search the app on Mozilla's Privacy Not Included database and the Exodus Privacy SDK tracker. Both list which SDKs an Android app ships with. Two or more ad SDKs is the line where 'free' becomes 'you are the product.'

How Ascend handles this

Ascend was built with the assumption that everything you log is yours. The concrete commitments:

No ad SDKs. Zero. No AppLovin, no Meta Audience Network, no AdMob.
No data brokers. Your logs are not aggregated, anonymised, or sold to any party.
Minimal analytics. Only first-party, server-side event counts. No device IDs, no IDFA, no GAID.
Export and delete on demand. Settings → Data → Export (CSV + JSON) or Delete account (purges within 30 days).
Bring-your-own-cloud option on the roadmap for Premium users who want their data living in their own iCloud or Google Drive.

The trade-off is honest: paying customers fund development, not advertisers. The result is your training data stays training data.

What to do this week

If you have used the same fitness app for more than a year, take three minutes today and:

Open Settings → Privacy → Health on iOS or Connected apps on Health Connect.
Review what each app reads and writes.
Revoke anything that does not earn its keep.

The defaults are designed to maximise what apps can grab. The corrected defaults are usually much smaller.

Join the Ascend waitlist — privacy-first fitness tracking, available on iOS and Android.