Apple Watch vs Garmin vs Fitbit: Which Fitness Tracker Is Right for Your Home Gym?
Three-way comparison of Apple Watch, Garmin, and Fitbit for home gym fitness tracking. We compare accuracy, battery life...
Fitness Tracker Data Privacy: What Your Wearable Collects & How to Protect It
Your fitness tracker collects sensitive health data. Learn what information wearables gather, how it's used and shared, and specific steps to secure your fitness data privacy across major platforms.
Fitness Tracker Data Privacy: What Your Wearable Collects & How to Protect It
Fitness trackers, smartwatches, and health monitoring apps collect some of the most intimate data available about your life: your heart rate, sleep patterns, location history, menstrual cycles, stress levels, and in some cases, blood oxygen and electrocardiogram readings. This data, when aggregated, creates a detailed portrait of your health, habits, and daily routines.
Our analysis of privacy policies, published research on wearable data practices, and regulatory frameworks indicates that most users have limited awareness of what their devices collect, how that data is used, and what control they have over it. This guide provides a transparent overview of fitness data collection, explains the privacy risks, and offers actionable steps to secure your information.
What Fitness Trackers Actually Collect
Modern fitness trackers gather data across multiple categories. Understanding the full scope is the first step toward informed privacy choices.
Biometric Data
| Data Type | Collection Method | Sensitivity Level |
|---|---|---|
| Heart rate | PPG optical sensor (wrist) | High — indicates cardiovascular health, stress, potential conditions |
| Heart rate variability (HRV) | Derived from heart rate timing | High — indicates autonomic nervous system function, recovery status |
| Blood oxygen (SpO2) | Red/infrared light sensor | High — respiratory and circulatory health indicator |
| ECG/EKG | Electrical sensor (chest strap or watch back) | Very High — cardiac rhythm data; medical-grade information |
| Skin temperature | Thermistor sensor | Moderate — can indicate illness, menstrual cycle phase |
| Respiratory rate | Derived from heart rate and motion | Moderate — respiratory health indicator |
Activity and Motion Data
| Data Type | Collection Method | Privacy Implications |
|---|---|---|
| Step count | Accelerometer | Low individually; patterns reveal routines |
| Distance traveled | GPS + accelerometer | High — precise location history |
| Speed and pace | GPS + accelerometer | Moderate — reveals transportation modes |
| Elevation/floors | Barometric altimeter | Low |
| Swimming metrics | Accelerometer + gyroscope | Low |
| Exercise type recognition | Machine learning on motion data | Moderate — reveals activity preferences and schedule |
Sleep Data
| Data Type | Collection Method | Sensitivity Level |
|---|---|---|
| Sleep duration | Movement + heart rate | Moderate — reveals schedule and potential health issues |
| Sleep stages (light/deep/REM) | Heart rate variability + movement | High — detailed health and wellness information |
| Sleep score/quality metric | Algorithmic composite | Moderate — derived health assessment |
| Blood oxygen during sleep | Periodic SpO2 sampling | High — sleep apnea screening data |
| Snoring detection | Microphone (some devices) | High — audio recording in bedroom |
Personal and Contextual Data
| Data Type | Source | Sensitivity Level |
|---|---|---|
| Age, weight, height | User profile entry | Low–Moderate |
| Menstrual cycle tracking | User entry + biometric correlation | Very High — reproductive health data |
| Food and water logging | Manual user entry | Moderate — dietary habits and potential conditions |
| Mood and stress self-reports | Manual user entry | High — mental health indicators |
| GPS location history | Device GPS | Very High — precise movement and location patterns |
| Social connections | Friend features, challenges | Moderate — social graph data |
How Fitness Data Is Used and Shared
First-Party Use (The Device/Platform Company)
Fitness companies use collected data for:
- Service provision: Displaying metrics, generating insights, tracking progress
- Algorithm training: Improving activity recognition, sleep stage detection, calorie estimation
- Product development: Identifying features users engage with for future development
- Personalized recommendations: Suggesting workouts, recovery days, or health insights
- Advertising (varies by platform): Some companies use activity data to inform ad targeting within their ecosystem
Third-Party Sharing
Based on our analysis of published privacy policies (as of January 2025), sharing practices vary significantly:
| Platform | Third-Party Data Sharing | User Opt-Out Available |
|---|---|---|
| Apple (Health/Watch) | Minimal; app-dependent | Yes — granular controls per app |
| Garmin | Limited; anonymized for analytics | Partial — some sharing required for service |
| Fitbit (Google) | Integrated with Google services | Partial — Google ecosystem integration |
| Samsung Health | Limited third-party; Samsung ecosystem | Yes — app-level permissions |
| Whoop | Limited; research partnerships | Partial |
| Oura | Anonymized research; limited commercial | Partial |
| Strava | Public by default for activities; significant social data | Yes — privacy zone and activity-level controls |
| MyFitnessPal (Under Armour) | Historical data breaches noted; marketing use | Partial |
Table: Third-party sharing practices based on published privacy policies. Policies change — verify current terms directly with each platform.
Important note: When you connect your fitness tracker to a third-party app (via API or OAuth), you are granting that app access to the data types it requests. Many users authorize these connections without reviewing permissions.
Data Sale and Monetization
Direct sale of personally identifiable fitness data to third parties is prohibited by the privacy policies of major fitness wearable companies. However, several monetization pathways exist:
- Aggregated/anonymized datasets: De-identified data sold or licensed for research and market analysis
- Insurance partnerships: Some companies partner with health insurers for wellness program incentives (opt-in)
- Corporate wellness programs: Employers may receive aggregate wellness metrics (not individual data) through opt-in programs
- Advertising ecosystems: Companies within larger tech ecosystems (Google/Fitbit) may use fitness data to inform advertising models at aggregate levels
Privacy Risks: What Could Go Wrong
Risk 1: Data Breach
Fitness platforms have experienced data breaches. Notable incidents include:
- Under Armour (MyFitnessPal), 2018: 150 million user accounts compromised
- Strava heatmap, 2018: Aggregate GPS data revealed location patterns of military bases and personnel
- Fitbit (pre-Google), multiple incidents: Various credential stuffing and data exposure events
Mitigation: Use unique, strong passwords and enable two-factor authentication on all fitness accounts. Accept that platform security is outside your control.
Risk 2: Location Tracking
GPS-enabled fitness tracking creates detailed location history. This data can:
- Reveal home and work addresses (starting/ending points of activities)
- Indicate travel patterns and schedule regularity
- Expose visits to sensitive locations (medical facilities, support groups, religious sites)
Mitigation: Disable GPS for activities where precise location isn't necessary. Use privacy zones around home and work addresses.
Risk 3: Employer and Insurance Access
Some employers and insurers offer incentives for fitness tracking. Before enrolling:
- Verify what data the employer/insurer receives (aggregate vs. individual)
- Understand whether participation affects premiums or coverage
- Review whether you can opt out without penalty
- Note that in the U.S., the Genetic Information Nondiscrimination Act (GINA) and Affordable Care Act provide some protections, but gaps exist
Risk 4: Legal and Subpoena Exposure
Health and fitness data is increasingly subject to legal discovery:
- Fitness data has been used in personal injury litigation to contradict claimed activity limitations
- Location data from fitness trackers has been subpoenaed in criminal investigations
- Sleep and activity patterns have been referenced in disability and insurance claims
Mitigation: Understand that data stored with U.S.-based companies is subject to lawful access requests. No consumer privacy setting prevents legal subpoena.
Risk 5: Re-identification of "Anonymous" Data
Research demonstrates that so-called "anonymized" fitness datasets can often be re-identified by combining them with other data sources. A 2018 study published in Nature demonstrated that GPS traces from fitness trackers could be matched to individuals with high accuracy using minimal auxiliary information.
Securing Your Fitness Data: Actionable Steps
Step 1: Review and Restrict Permissions
iPhone users (Apple Health):
- Settings → Privacy & Security → Health → Data Access & Devices
- Review each connected app; revoke access to data types that aren't essential
- Apple Health acts as a permission gate — controlling Health data access restricts what apps can read
Android users:
- Settings → Privacy → Permission manager → Location/Physical activity/Body sensors
- Review which apps have access to each sensor category
- Google Fit data can be managed through Google Account → Data & privacy → Apps and services
Step 2: Configure Strava Privacy (Critical)
Strava's default settings expose significant data. If you use Strava:
- Privacy Controls → Hide your house/office: Create a privacy zone around your home address
- Privacy Controls → Who can see your activities: Set to "Followers" or "Only you" rather than "Everyone"
- Privacy Controls → Map visibility: Consider disabling the personal heatmap
- Privacy Controls → Group Activities: Disable if you don't want to be associated with other users
- Don't sync sensitive activities automatically — review before uploading
Step 3: Disable Unnecessary GPS Tracking
For activities where route recording isn't important:
- Use "indoor" activity mode for outdoor strength training or yoga (records time and HR, not location)
- Disable GPS for treadmill runs, stationary cycling, and pool swimming
- Only enable GPS for outdoor runs, rides, and hikes where route data matters to you
Step 4: Audit Connected Apps
Most users have connected apps they no longer use:
- Go to your fitness platform's account settings
- Find "Connected apps," "Authorized services," or "Third-party apps"
- Revoke access for any app you don't actively use
- For remaining connections, review what data types each app can access
- Re-authorize with minimal permissions if needed
Step 5: Enable Two-Factor Authentication (2FA)
Every fitness platform account should have 2FA enabled:
- Apple ID: Settings → [Your Name] → Sign-In & Security → Two-Factor Authentication
- Garmin: Garmin Connect → Account Settings → Security → Two-Step Verification
- Fitbit: Fitbit account settings → Security → Two-Step Verification
- Strava: Settings → My Account → Two-Factor Authentication
Use an authenticator app (Google Authenticator, Authy) rather than SMS when possible — SMS is vulnerable to SIM-swapping attacks.
Step 6: Consider Data Export and Deletion Rights
Under GDPR (EU), CCPA (California), and similar regulations, you have rights to:
- Access: Request a copy of all data a company holds about you
- Deletion: Request deletion of your account and associated data
- Portability: Export your data in a usable format
Before requesting deletion: Export your historical data if you want to retain records. Most platforms provide data export in the account settings.
Step 7: Evaluate Open-Source and Privacy-Focused Alternatives
| Alternative | Approach | Tradeoff |
|---|---|---|
| Gadgetbridge (Android) | Open-source fitness tracker companion; no cloud | Limited device support; requires technical setup |
| Open mHealth | Open data standard for health information | Framework, not consumer product |
| Local-only devices | Some GPS watches can operate without app sync | Reduced feature set; manual data management |
| Pen and paper | No digital footprint | No analytics, insights, or trend tracking |
Table: Privacy-focused alternatives to mainstream fitness platforms
Regulatory Landscape
United States
- HIPAA: Does NOT cover fitness tracker data in most cases. HIPAA applies to healthcare providers, insurers, and health information clearinghouses — not consumer fitness device manufacturers.
- State laws: California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and others provide some data privacy rights, but fitness data receives limited specific protection.
- FTC Act: Prohibits deceptive practices — companies must follow their published privacy policies.
European Union
- GDPR: Fitness data is classified as "special category data" (health data) requiring explicit consent and enhanced protections. EU residents have stronger rights to access, deletion, and restriction of processing.
Practical Implication
U.S. residents have fewer legal protections for fitness data than EU residents. Privacy settings and personal vigilance are your primary defenses.
Summary: Privacy Checklist
- [ ] Review app permissions on your phone; revoke unnecessary sensor access
- [ ] Configure Strava privacy zones and visibility settings if applicable
- [ ] Disable GPS for activities that don't need location tracking
- [ ] Audit and remove connected third-party apps you don't use
- [ ] Enable two-factor authentication on all fitness platform accounts
- [ ] Use unique, strong passwords (consider a password manager)
- [ ] Review your fitness platform's current privacy policy annually
- [ ] Understand what data your employer or insurer can access through wellness programs
- [ ] Export historical data before requesting account deletion
- [ ] Consider whether the benefit of each data-sharing connection justifies the privacy tradeoff
As an Amazon Associate we earn from qualifying purchases. Product links on this page include our affiliate tag — purchases made through these links support our research at no additional cost to you.
Last updated: January 2025. Privacy policy analysis based on publicly available terms from Apple, Garmin, Fitbit/Google, Samsung, Whoop, Oura, Strava, and MyFitnessPal as of publication date. Privacy policies change — verify current terms directly with each platform. This guide is informational and does not constitute legal advice.