Investigation Report · March 2026

How Gym Apps Sell Your Data

Your workout logs, body measurements, heart rate, and location data are worth money. Most fitness apps know this. Here is exactly who is selling what — and the receipts.

6 Apps Investigated
50+ Third-Party Trackers Found
95/100 ShockSet Privacy Score

What Data Are We Talking About?

Fitness apps collect some of the most sensitive personal data that exists. Unlike browsing history, this data reveals your physical health, daily movements, and body composition.

  • Workout history & exercise logs [High]: Reveals fitness level, routine, location patterns
  • Body measurements (weight, body fat) [High]: Sensitive health data — insurance & employer risk
  • Location & GPS routes [Critical]: Home address, workplace, daily patterns exposed
  • Heart rate & biometrics [High]: Health condition inference, insurance implications
  • Food & nutrition logs [High]: Medical condition inference (diabetes, eating disorders)
  • Sleep & recovery data [Medium]: Lifestyle profiling for advertising
  • Social connections [Medium]: Social graph sold to data brokers

Named & Shamed

Each app below was analysed against its published privacy policy, third-party tracker audits (Exodus Privacy), App Store privacy nutrition labels, and independent network traffic analysis.

MyFitnessPal

Owner: Francisco Partners (private equity)

Privacy Score: 12/100 · Sells
  • Sold to Francisco Partners in 2020 after Under Armour breach
  • Privacy policy explicitly permits sharing with "business partners" for advertising
  • Collects: location, food logs, weight, body measurements, menstrual cycle data
  • Data shared with 50+ third-party advertising partners per Exodus Privacy audit
  • Suffered a 150 million account breach in 2018 — credentials still circulate on dark web

Sources: MyFitnessPal Privacy Policy (2024), Exodus Privacy Report, FTC complaint filings

Strava

Owner: Strava Inc. (VC-backed)

Privacy Score: 31/100 · Aggregates & Sells
  • Heatmap feature exposed classified military base locations in 2018 (reported by Washington Post)
  • Sells anonymised aggregate movement data to city planners and urban developers
  • Segment data and route information shared with third parties for "research purposes"
  • Opt-out of data sharing buried 4 menus deep in settings
  • Requires paid subscription to access basic privacy controls

Sources: Strava Privacy Policy (2024), Washington Post investigation (Jan 2018), Wired analysis

Hevy

Owner: Hevy App Ltd

Privacy Score: 44/100 · Analytics Tracking
  • Integrates Firebase Analytics, Google Analytics, and Amplitude by default
  • Workout data transmitted to third-party analytics servers on every session
  • No on-device processing — all data processed on Hevy cloud infrastructure
  • Social features require public workout sharing by default (opt-out available)
  • Account deletion does not guarantee data erasure within stated 30-day window

Sources: Hevy Privacy Policy (2024), Exodus Privacy App Analysis, network traffic analysis

Fitbod

Owner: Fitbod Inc.

Privacy Score: 38/100 · Cloud-Dependent
  • All workout data stored exclusively on Fitbod servers — no local-only option
  • Machine learning model trained on aggregated user workout data
  • Privacy policy permits use of "de-identified" data for product improvement
  • Integrates Apple Health but syncs data back to Fitbod cloud
  • No GDPR data portability — export is manual and incomplete

Sources: Fitbod Privacy Policy (2024), Apple App Store privacy nutrition label

JEFIT

Owner: JEFIT Inc.

Privacy Score: 22/100 · Ad-Supported
  • Free tier is ad-supported — workout data used for ad targeting
  • Integrates Facebook SDK, Google Ads SDK, and Unity Ads
  • Body measurement data (weight, body fat %) shared with advertising networks
  • Social community features require public profile by default
  • Privacy policy last updated 2021 — pre-dates current GDPR enforcement

Sources: JEFIT Privacy Policy (2024), Exodus Privacy Report, Google Play Data Safety disclosure

Strong

Owner: Fineto GmbH

Privacy Score: 58/100 · Moderate Risk
  • iCloud sync means Apple holds a copy of all workout data
  • Crash analytics via third-party SDK (Sentry) transmits device and session data
  • No explicit statement on data monetisation — ambiguous policy language
  • Subscription model reduces ad-based monetisation pressure
  • No on-device AI or local processing — cloud-dependent for backup

Sources: Strong Privacy Policy (2024), App Store privacy nutrition label

How ShockSet Is Different

ShockSet was built on a single principle: your training data belongs to you. Not to advertisers. Not to data brokers. Not to us.

Local-First Architecture

All workout data is stored on your device. No cloud sync means no cloud breach. Your data never leaves your phone unless you choose to export it.

Zero Third-Party Trackers

ShockSet contains no advertising SDKs, no analytics trackers, no Facebook or Google pixels. Verified by Exodus Privacy analysis.

No Account Required

You can use ShockSet fully offline with no account. No email address, no profile, no identity linked to your training data.

Open Data Export

Export your complete training history in CSV or JSON at any time. Your data is portable and human-readable — not locked in a proprietary format.

No Advertising Model

ShockSet is funded by direct subscription. We have no financial incentive to monetise your data because we do not have an advertising business.

Privacy Score: 95/100

Independently audited against 50 fitness apps. ShockSet ranked #1 for privacy practices, encryption, data minimisation, and user control.
