Is Your Fitness Tracker Selling Your Health Data? Whoop, Strava, Garmin & More
About 170 million Americans wear a fitness tracker or smartwatch. These devices know your resting heart rate, sleep cycles, menstrual patterns, GPS running routes, blood oxygen levels, and body composition. A 2024 Mozilla Foundation study found that 80% of fitness and health apps share user data with third parties — and unlike your doctor's office, none of them are bound by HIPAA. Here's what each major tracker actually does with your health data, who ends up with it, and what you can do about it.
Why HIPAA Doesn't Protect Your Fitness Data
This is the single biggest misconception in consumer health privacy. People assume that because fitness trackers collect health-related data — heart rate, sleep, blood oxygen, body temperature — that data must be protected by HIPAA. It isn't.
HIPAA (the Health Insurance Portability and Accountability Act) applies only to covered entities: health care providers such as hospitals, physicians, and pharmacies; health plans and insurers; health care clearinghouses; and the business associates that process protected health information on their behalf. A consumer wearable company is none of these unless it is handling data under contract for one of them, for example a wellness program run on behalf of a health plan. Whoop is not your doctor. Oura is not a hospital. Garmin is not an insurer. Outside that narrow business-associate case, none of them has any HIPAA obligation.
This means your fitness tracker company can collect, store, analyze, share, and in some cases sell your health data with very little federal restriction. The main federal guardrail is the FTC Act, which lets the FTC act against privacy practices that are deceptive (doing something the privacy policy says they won't) or unfair. The FTC has also applied its Health Breach Notification Rule, amended in 2024 to cover health apps explicitly, to unauthorized disclosures of health data to advertisers, starting with its 2023 GoodRx action. But if a privacy policy plainly authorizes data sharing (and most do) and you agreed to it, the deception theory has nothing to work with.
State law is beginning to fill the gap. Washington's My Health My Data Act, which took effect in March 2024, now requires opt-in consent before companies can collect, share, or sell health data — including fitness tracker data — from Washington residents. The law covers any entity that handles "consumer health data," regardless of HIPAA status. But Washington is the exception. In most states, your fitness data has no more legal protection than your grocery list.
The HIPAA Gap
- Protected by HIPAA: Data your doctor records, hospital test results, pharmacy records, insurance claims
- NOT protected by HIPAA: Fitness tracker data, health app data, period tracking apps, sleep apps, calorie counters, meditation apps, mental health apps (unless operated by a covered entity)
- New state protections: Washington's My Health My Data Act (2024), Connecticut and Nevada health data laws (2024–2025)
Tracker by Tracker: What They Collect and Share
We read the privacy policies of every major fitness tracker on the market. Here's what we found.
Whoop
Whoop collects heart rate, heart rate variability, skin temperature, blood oxygen, respiratory rate, sleep stages, strain scores, and recovery metrics. GPS location is captured during logged activities. The device is subscription-based ($30/month), which means Whoop already has your payment information and billing address.
Whoop's privacy policy explicitly permits sharing "aggregated and de-identified" data for "research and commercial purposes." The company partners with research institutions and has published studies using pooled user data. Whoop also integrates third-party analytics SDKs — including tools from Meta and Google — that transmit usage data for advertising and product analytics.
The "de-identified" qualifier sounds reassuring, but it's not. Removing names does not remove the quasi-identifiers left behind. Latanya Sweeney's 2000 analysis of US census data found that 87% of the population could be uniquely identified by just three fields: five-digit ZIP code, date of birth, and sex. A 2019 study from Imperial College London and UCLouvain (Rocher, Hendrickx and de Montjoye, Nature Communications) found that 99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes. Fitness data is worse, not better: a continuous heart-rate and activity profile is close to unique on its own, so an "aggregated" or "de-identified" release that keeps age band, location, and activity timing can be joined back to a named person using public profiles.
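To make the linkage attack concrete, here is an added Python example (not code from the page or from any vendor). Both tables are constructed toy data: a "de-identified" release that keeps age band, ZIP and an activity-schedule label next to per-row biometrics, and a public auxiliary source, such as a race result or public profile page, that carries names next to the same three fields. The join recovers named users' resting heart rate and sleep, and a k-anonymity check shows why: every quasi-identifier combination in the release is unique. `generalize()` is the minimum the publisher should have done before release.

```python
"""Linkage attack on a "de-identified" fitness release (added example, constructed toy data)."""
from collections import Counter, defaultdict

QUASI = ("age_band", "zip", "activity_pattern")  # quasi-identifiers left in the release

# Constructed release: names removed, quasi-identifiers and biometrics kept.
RELEASED = [
    {"age_band": "30-39", "zip": "98101", "activity_pattern": "run-MWF-6am",    "resting_hr": 48, "sleep_h": 5.9},
    {"age_band": "30-39", "zip": "98101", "activity_pattern": "gym-daily-7pm",  "resting_hr": 62, "sleep_h": 7.4},
    {"age_band": "40-49", "zip": "98104", "activity_pattern": "run-MWF-6am",    "resting_hr": 55, "sleep_h": 6.8},
    {"age_band": "40-49", "zip": "98104", "activity_pattern": "run-MWF-6am",    "resting_hr": 57, "sleep_h": 7.1},
    {"age_band": "20-29", "zip": "98109", "activity_pattern": "cycle-weekends", "resting_hr": 51, "sleep_h": 8.0},
    {"age_band": "20-29", "zip": "98109", "activity_pattern": "swim-TuTh-noon", "resting_hr": 58, "sleep_h": 7.7},
]

# Constructed auxiliary source: public profiles or race results, with names.
AUXILIARY = [
    {"name": "A. Example", "age_band": "30-39", "zip": "98101", "activity_pattern": "run-MWF-6am"},
    {"name": "B. Example", "age_band": "30-39", "zip": "98101", "activity_pattern": "gym-daily-7pm"},
    {"name": "C. Example", "age_band": "40-49", "zip": "98104", "activity_pattern": "run-MWF-6am"},
    {"name": "D. Example", "age_band": "40-49", "zip": "98104", "activity_pattern": "run-MWF-6am"},
]


def quasi_key(row):
    return tuple(row[q] for q in QUASI)


def k_anonymity(rows):
    """Size of the smallest group of rows sharing the same quasi-identifier values.
    k == 1 means at least one person is unique on those fields alone."""
    return min(Counter(quasi_key(r) for r in rows).values())


def link(released, auxiliary):
    """Join release and auxiliary data on the quasi-identifiers.
    A group with exactly one released row and exactly one named auxiliary row
    is a confident re-identification; anything larger is only a candidate set."""
    names = defaultdict(list)
    for a in auxiliary:
        names[quasi_key(a)].append(a["name"])
    groups = defaultdict(list)
    for r in released:
        groups[quasi_key(r)].append(r)
    found = {}
    for k, rows in groups.items():
        if len(rows) == 1 and len(names.get(k, [])) == 1:
            row = rows[0]
            found[names[k][0]] = {"resting_hr": row["resting_hr"], "sleep_h": row["sleep_h"]}
    return found


def generalize(rows, zip_digits=3):
    """Coarsen ZIP to its first digits and drop the schedule label entirely."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (5 - zip_digits)
        g["activity_pattern"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    print("k-anonymity of release:", k_anonymity(RELEASED))                       # 1
    print("re-identified:", link(RELEASED, AUXILIARY))                             # A. and B. Example
    safer = generalize(RELEASED)
    print("k-anonymity after generalizing:", k_anonymity(safer))                   # 2
    print("re-identified after generalizing:", link(safer, generalize(AUXILIARY)))  # {}
```

The attacker generalizes the auxiliary data the same way before joining, so the test of a release is not "did the join fail on raw aux data" but "is k large enough after both sides are coarsened to the same level". With a continuous biometric stream in each row, even k = 2 leaves two people sharing one another's heart-rate profile, which is why research partners receive pooled statistics in properly designed releases rather than per-user rows.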
In 2026, Whoop faces a class-action lawsuit in California alleging that its data-sharing practices with advertising partners violate the California Invasion of Privacy Act. The case is ongoing.
Oura Ring
Oura collects heart rate, HRV, skin temperature, respiratory rate, blood oxygen, sleep stages, activity levels, and step count. The Oura Ring 4, released in October 2024, moved to an all-titanium design with recessed sensors and more sensor pathways for signal quality; daytime heart rate and blood oxygen tracking were already present on the Gen 3 ring.
Oura's privacy policy states that data is used for "product improvement, research, and business purposes" and may be shared with "service providers, research partners, and affiliates." The company has data-sharing agreements with academic researchers and pharmaceutical companies studying sleep disorders.
The larger controversy around Oura erupted in August 2025, when reporting revealed that Oura Ring's contract manufacturer, Jabil, also produces components for Palantir's defense and intelligence platforms. While there is no evidence that Oura user data flows to Palantir or the Department of Defense, the shared manufacturing relationship raised significant concerns among privacy advocates — particularly given Palantir's well-documented role in government surveillance programs. Oura issued a statement clarifying that manufacturing partnerships do not involve data sharing, but the episode highlighted how opaque supply chains in consumer hardware can be.
Oura is currently defending against a lawsuit filed in early 2026 in the Northern District of California, alleging that the company's data retention practices — holding biometric data indefinitely even after account deletion — violate the Illinois Biometric Information Privacy Act (BIPA) for Illinois-based users.
Strava
Strava is primarily a GPS-based activity tracker. It collects route data, elevation, pace, heart rate (from paired devices), power output, cadence, and detailed maps of every recorded activity. Strava's social features — segments, leaderboards, kudos — mean that much of this data is public by default.
Strava's Metro program aggregates user movement data and provides it (free to cities and agencies since 2020) to city governments, urban planning departments, and transportation agencies. Strava describes Metro as using "de-identified, aggregated" data, but the granularity of GPS routes has been a recurring concern. In January 2018, Strava's global heatmap, published in late 2017, was found to reveal the outlines and patrol routes of military bases used by US and allied personnel in places such as Afghanistan and Syria, including sites that were not publicly acknowledged. Strava restricted heatmap visibility and made opting out easier after the incident, but the underlying data collection hasn't changed.
Strava also shares data with third-party apps through its API. Access is granted through OAuth scopes: `activity:read` covers activities visible to everyone or to followers, `activity:read_all` also includes activities marked "Only You", and `profile:read_all` exposes profile details. The consent screen lets you untick scopes, but most apps ask for the broadest set, and once a scope is granted the connected app can pull GPS routes, heart rate, and performance metrics for every activity it covers. As of 2026, more than 700 third-party apps are integrated with Strava's API.
Garmin
Garmin collects GPS tracks, heart rate, sleep, blood oxygen, stress, body battery, respiration, hydration estimates, and — on newer devices — ECG data. Garmin Connect, the companion app, stores this data in the cloud.
Garmin's privacy policy is better than average for the fitness industry. The company states it does not sell personal data and does not use health data for advertising. Garmin's primary revenue comes from hardware sales, not advertising or data monetization, which fundamentally changes the incentive structure.
However, Garmin does share data with third-party partners for "analytics and product improvement" and integrates advertising SDKs in its free mobile app. Garmin Connect IQ — the company's app store — allows third-party watch faces and apps that can access sensor data with user permission, creating secondary data flows that Garmin doesn't directly control.
Garmin also suffered a major ransomware attack in July 2020 that took down Garmin Connect, along with its aviation and marine services, for roughly five days. The attackers reportedly demanded $10 million, and Garmin is reported to have paid to obtain a decryption key, though the amount was never confirmed. While Garmin stated that no user data was accessed, the incident exposed the risks of storing years of biometric data in centralized cloud infrastructure.
Fitbit (Google)
Fitbit collects heart rate, sleep, SpO2, skin temperature, stress management scores, menstrual cycle data, GPS routes, and weight. Since Google's $2.1 billion acquisition of Fitbit closed in 2021, this data sits within Google's ecosystem.
Google committed to the European Commission, as a condition of clearing the deal, that for at least ten years (through 2031) it would not use Fitbit health data for Google Ads and would keep that data in a separate silo. Two things narrow that more than it sounds. The binding commitment covers users in the European Economic Area; the equivalent US statements were public promises, not a condition of approval. And it covers advertising, not other uses: Google can still use Fitbit data for "product improvement," which includes training machine learning models. Fitbit data is now stored on Google's cloud infrastructure and linked to Google accounts. When you sign in to Fitbit with your Google account, your fitness data joins your search history, location history, YouTube history, and Gmail data in Google's unified profile.
Even without direct ad targeting, the combination of detailed health biometrics with Google's existing data trove creates an extraordinarily complete picture of each user. And the 2031 commitment only applies to ad targeting — Google can use the data for virtually any other internal purpose.
Apple Watch
Apple Watch collects heart rate, ECG, blood oxygen, sleep, wrist temperature, crash detection data, fall detection data, cycle tracking, and workout metrics. It's the most data-rich device on this list.
It's also the most private. Apple processes health data on-device by default. On the iPhone, Health data sits in the device's encrypted storage under Data Protection, with the keys wrapped by the Secure Enclave, so it cannot be read without the passcode. When you enable iCloud sync for Health with two-factor authentication turned on, the data is end-to-end encrypted: encrypted in transit and at rest, with Apple holding no decryption keys.
Apple's business model is built on hardware margins, not advertising. The company does not sell user data, does not use health data for ad targeting, and does not share health data with third-party analytics providers. Apple Health data is only shared with third-party apps when you explicitly grant permission — and you can revoke that access at any time through the Health app's privacy settings.
Apple is not perfect — it collects device analytics and usage data, and its App Store enables fitness apps that do harvest data. But for the health data collected by the watch itself, Apple's privacy posture is meaningfully stronger than every other option on this list.
Comparison: Privacy Across Fitness Trackers
| Tracker | Sells / Shares Data | On-Device Processing | Ad-Supported Revenue | Active Lawsuits (2026) |
|---|---|---|---|---|
| Apple Watch | No | Yes | No | No |
| Garmin | Limited (analytics) | Partial | Limited (free app) | No |
| Whoop | Aggregated data | No | Analytics SDKs | Yes (CA class action) |
| Oura | Research partners | No | No | Yes (BIPA, data retention) |
| Strava | Metro program (GPS) | No | Freemium + data licensing | No |
| Fitbit (Google) | Google ecosystem | No | Restricted until 2031 | No |
How Fitness Data Ends Up With Data Brokers
The path from your wrist to a data broker's database isn't always direct, but it's well-established. Here's how it works:
- Third-party SDKs. Most fitness apps embed analytics and advertising SDKs from companies like Meta, Google, Braze, and Amplitude. These SDKs collect device identifiers, usage patterns, and sometimes health metrics, then transmit them to the SDK provider's servers — where they can be sold or shared downstream.
- Data licensing agreements. Some fitness companies license aggregated datasets to research firms, pharmaceutical companies, and data aggregators. Once data reaches an aggregator, it enters the broader data broker ecosystem.
- Public profiles. Strava activities, Garmin segments, and Fitbit challenges that are set to public are scrapeable. Data brokers systematically scrape public fitness profiles and correlate them with other personal information — name, address, employment — to build enriched consumer profiles.
- App integrations. When you connect your fitness tracker to a third-party app — a calorie counter, a training program, a wellness platform — you grant that app access to your health data. Many of these apps have their own data-sharing agreements.
- Breach and leak. Data breaches at fitness companies expose health data directly. The 2023 Strava data leak, the 2020 Garmin ransomware attack, and the 2024 Fitbit data exposure all put health information at risk of entering dark web markets.
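The SDK channel is the one you can measure yourself: route the app through an intercepting proxy and look at which hosts receive which fields. The following added Python example (not code from the page or from any SDK vendor) runs that check offline over a constructed capture. The first-party domain, the host-to-vendor mapping, the JSON field names and the requests themselves are assumptions for illustration; on a real capture you would take them from the proxy export.

```python
"""Flag health fields leaving a fitness app for third-party SDK hosts (added example)."""
import json
import re

# Assumed for the example: the app's own backend domain and a host -> vendor map.
FIRST_PARTY = ("fitapp.example",)
SDK_HOSTS = {
    "graph.facebook.com": "Meta SDK",
    "app-measurement.com": "Google Analytics for Firebase",
    "api.amplitude.com": "Amplitude",
    "sdk.iad-01.braze.com": "Braze",
}
HEALTH_KEY = re.compile(r"heart|hrv|spo2|sleep|cycle|menstr|weight|bmi|stress|glucose|ecg", re.I)
ID_KEY = re.compile(r"idfa|gaid|advertis(er|ing)_id|device_id|email|user_id", re.I)

# Constructed capture: the shape an intercepting-proxy export might give for one session.
CAPTURED = [
    {"host": "api.fitapp.example", "path": "/v1/sync",
     "body": json.dumps({"user_id": "u-1", "resting_hr": 48, "sleep_stages": ["deep", "rem"]})},
    {"host": "graph.facebook.com", "path": "/v17.0/123/activities",
     "body": json.dumps({"advertiser_id": "ABCD-1234", "event": "fb_mobile_activate_app"})},
    {"host": "app-measurement.com", "path": "/a",
     "body": json.dumps({"app_instance_id": "x1", "events": [
         {"name": "screen_view", "params": {"screen": "sleep_summary", "sleep_score": 81}}]})},
    {"host": "api.amplitude.com", "path": "/2/httpapi",
     "body": json.dumps({"api_key": "k", "events": [
         {"device_id": "dev-9", "event_type": "recovery_viewed",
          "event_properties": {"hrv_ms": 62, "resting_heart_rate": 48}}]})},
]


def key_paths(obj, prefix=""):
    """Yield dotted key paths for every key in a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            yield path
            yield from key_paths(v, path)
    elif isinstance(obj, list):
        for v in obj:
            yield from key_paths(v, prefix)


def host_matches(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def vendor_for(host):
    return next((v for s, v in SDK_HOSTS.items() if host_matches(host, s)), "unknown third party")


def audit(requests):
    """One finding per non-first-party request whose JSON body carries a health field.
    A health field travelling with a device or advertising identifier is rated high,
    because that pairing is exactly the join a broker needs."""
    findings = []
    for req in requests:
        host = req["host"]
        if any(host_matches(host, s) for s in FIRST_PARTY):
            continue
        try:
            body = json.loads(req["body"])
        except (TypeError, ValueError):
            body = {}
        paths = list(key_paths(body))
        health = sorted({p for p in paths if HEALTH_KEY.search(p.rsplit(".", 1)[-1])})
        ids = sorted({p for p in paths if ID_KEY.search(p.rsplit(".", 1)[-1])})
        if health:
            findings.append({"host": host, "vendor": vendor_for(host), "path": req["path"],
                             "health_fields": health, "identifiers": ids,
                             "severity": "high" if ids else "medium"})
    return findings


if __name__ == "__main__":
    for f in audit(CAPTURED):
        print(f["severity"].upper(), f["vendor"], f["host"] + f["path"], f["health_fields"], f["identifiers"])
```

The Meta request in the constructed capture carries an advertising identifier but no health field, so it is not reported; that is the normal case for an install or session ping and the reason to grade on the pairing rather than on the host alone. Field-name matching is deliberately crude: real SDKs often put health values inside a free-form event name or a URL query string, so a serious audit also inspects values and query parameters, not just JSON keys.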
Once your health data is in a data broker's profile, it can be purchased by life insurance companies, employers conducting wellness program evaluations, marketers targeting health-conscious consumers, and anyone else willing to pay. A comprehensive privacy strategy needs to account for these downstream flows.
The Insurance Connection
This is where the stakes get real. Health and life insurance companies are increasingly purchasing lifestyle data from data brokers to inform underwriting decisions.
The Affordable Care Act prohibits health insurers from using pre-existing conditions in coverage or pricing decisions. But life insurance, disability insurance, and long-term care insurance have no such restriction. These insurers can — and do — purchase third-party data about applicants' health behaviors. Data showing consistently poor sleep, elevated resting heart rate, high stress scores, or low daily activity can result in higher premiums or denied coverage.
Some insurers have gone further. Since 2018, John Hancock (part of Manulife) has sold all of its new life insurance policies bundled with its Vitality wellness program, which rewards activity tracked through wearables and fitness apps. Sharing the data is optional, but participants who share it and hit activity targets get premium discounts, while those who don't share pay standard rates. The message is clear: your fitness data has direct financial value to insurers.
In 2025, the National Association of Insurance Commissioners (NAIC) issued guidance warning that the use of consumer data — including wearable health data — in insurance underwriting raises "significant concerns about unfair discrimination." But the guidance is non-binding, and no state has passed legislation specifically restricting insurers' use of fitness tracker data.
2026 Lawsuits and Regulatory Actions
The legal landscape around fitness tracker privacy is heating up:
- Whoop class action (California, 2026): Alleges Whoop's integration of Meta and Google advertising SDKs transmits biometric data to third parties without adequate consent, violating the California Invasion of Privacy Act.
- Oura BIPA lawsuit (Illinois, 2026): Alleges Oura retains biometric data — including fingerprint-like heart rate signatures — indefinitely after account deletion, violating Illinois' Biometric Information Privacy Act requirement to destroy biometric data when the purpose for collection has been fulfilled.
- Garmin settlement (2025): Garmin settled a class-action lawsuit over its 2020 ransomware attack for $10.5 million, compensating users whose data was potentially exposed during the five-day outage.
- FTC enforcement: The FTC finalized a consent order against fertility app Flo Health in June 2021 for sharing user health data with Facebook and Google analytics SDKs contrary to its privacy promises, and its 2023 GoodRx and Premom actions applied the Health Breach Notification Rule to the same kind of disclosure. None of these is a fitness tracker, but the precedent applies to any health app that misrepresents its data-sharing practices.
How to Protect Your Fitness Data
- Audit your privacy settings. Every fitness app has a privacy section buried in settings. Turn off data sharing for research, analytics, and social features you don't use. On Strava, set your default activity privacy to "Only You." On Garmin, disable "Anonymous Usage Data." On Fitbit, opt out of Google's data usage under Settings > Privacy.
- Disconnect unnecessary integrations. Review which third-party apps have access to your fitness data. On iPhone, go to Health > Sharing > Apps. On Strava, check Settings > My Apps. Revoke access for any app you no longer use.
- Disable social features. Public profiles on Strava, Garmin Connect, and Fitbit are scraped by data brokers. Set your profile to private, hide your activity map start/end points, and disable leaderboards if you don't use them.
- Use Apple Watch if privacy is a priority. If you're choosing a new fitness tracker and privacy matters to you, Apple Watch is the strongest option. On-device processing, end-to-end encryption, and a hardware-revenue business model all work in your favor.
- Opt out of data broker profiles. Even if you lock down your fitness tracker, data that's already been shared may be sitting in broker databases. Manually opt out of major brokers or use a data removal service to handle it continuously.
- Check your state's health data law. If you live in Washington, Connecticut, or Nevada, you have specific rights over consumer health data that go beyond what the fitness tracker company offers. File data access and deletion requests directly under your state law.
- Request a copy of your data. Under CCPA (California), Washington's My Health My Data Act, and GDPR (EU), you can request a copy of all data a fitness company holds about you. Reviewing the export will show you exactly what's being collected — often far more than you expect.
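Hiding the start and end of an activity, as suggested above, is usually implemented as a fixed-radius privacy zone around a saved address. The added Python example below (not code from Strava, Garmin or any other vendor) implements that trim on constructed tracks and then shows the limitation: the first visible point of every trimmed run sits on a circle of the zone's radius around home, so three public runs leaving in different directions are enough to recover the centre. The home coordinates, the runs and the radius are all constructed for the example.

```python
"""Privacy-zone trimming for GPS tracks, and how the trimmed data still leaks home (added example)."""
import math

EARTH_R = 6_371_000.0  # metres


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_R * math.asin(math.sqrt(h))


def synthetic_run(home, bearing_deg, length_m, step_m=50):
    """Constructed track: a point every step_m metres along one bearing out of home."""
    lat0, lon0 = home
    b = math.radians(bearing_deg)
    pts = []
    for i in range(int(length_m // step_m) + 1):
        d = i * step_m
        dlat = math.degrees(d * math.cos(b) / EARTH_R)
        dlon = math.degrees(d * math.sin(b) / (EARTH_R * math.cos(math.radians(lat0))))
        pts.append((lat0 + dlat, lon0 + dlon))
    return pts


def trim_privacy_zone(points, home, radius_m):
    """Drop every point inside the zone, as a 'hide start/end' setting does."""
    return [p for p in points if haversine_m(p, home) > radius_m]


def _to_xy(p, ref):
    """Local planar metres relative to ref; fine over a few hundred metres."""
    x = math.radians(p[1] - ref[1]) * EARTH_R * math.cos(math.radians(ref[0]))
    y = math.radians(p[0] - ref[0]) * EARTH_R
    return x, y


def _to_latlon(xy, ref):
    lat = ref[0] + math.degrees(xy[1] / EARTH_R)
    lon = ref[1] + math.degrees(xy[0] / (EARTH_R * math.cos(math.radians(ref[0]))))
    return lat, lon


def estimate_home_mean(trimmed_tracks):
    """Naive recovery: average the first visible point of each public track."""
    starts = [t[0] for t in trimmed_tracks]
    return (sum(p[0] for p in starts) / len(starts), sum(p[1] for p in starts) / len(starts))


def estimate_home_circle(trimmed_tracks):
    """Better recovery: the first visible points all lie ~radius from home, so the
    circumcentre of three of them lands on home however the bearings are spread."""
    starts = [t[0] for t in trimmed_tracks[:3]]
    ref = starts[0]
    (ax, ay), (bx, by), (cx, cy) = (_to_xy(p, ref) for p in starts)
    d = 2 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    if abs(d) < 1e-9:
        raise ValueError("need three runs leaving in different directions")
    a2, b2, c2 = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = (a2 * (by - cy) + b2 * (cy - ay) + c2 * (ay - by)) / d
    uy = (a2 * (cx - bx) + b2 * (ax - cx) + c2 * (bx - ax)) / d
    return _to_latlon((ux, uy), ref)


HOME = (47.6205, -122.3493)  # constructed coordinates, not a real address
RADIUS_M = 220
RAW_RUNS = [synthetic_run(HOME, bearing, 3000) for bearing in (0, 135, 250)]
PUBLIC_RUNS = [trim_privacy_zone(r, HOME, RADIUS_M) for r in RAW_RUNS]


def demo():
    """Error, in metres, of each recovery method against the true home point."""
    return {
        "mean_error_m": haversine_m(estimate_home_mean(PUBLIC_RUNS), HOME),
        "circle_error_m": haversine_m(estimate_home_circle(PUBLIC_RUNS), HOME),
    }


if __name__ == "__main__":
    print(demo())
```

The trimmed tracks contain no point inside the zone, so the setting works as advertised, yet the three public start points pin the centre of the zone to within a metre. The practical takeaways: a fixed radius is a constant you are leaking; hiding a different distance on each activity blurs the circle, making activities followers-only removes the public join entirely, and starting the recording somewhere other than home is the only setting that leaks nothing.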
The Data Broker Angle
Locking down your fitness tracker's privacy settings is necessary but not sufficient. Data that's already been shared with third parties, scraped from public profiles, or leaked in breaches lives on in data broker databases — where it gets bundled with your name, address, phone number, and other personal information. GhostVault monitors and removes these profiles across 500+ data broker sites, including brokers that traffic in health and wellness data. At $3.99/month, it covers the downstream problem that privacy settings alone can't reach.
The Bigger Picture
Fitness trackers are part of a broader pattern where consumer devices collect sensitive data that falls outside traditional privacy protections. Your car shares your driving data. Your social media profiles get scraped by brokers. Your search history, purchase history, and location data are all traded on the open market.
What makes fitness tracker data uniquely concerning is how intimate it is. This isn't your browsing history — it's your resting heart rate at 3 AM, your stress response during a work meeting, your menstrual cycle regularity, your blood oxygen levels during sleep. It's the kind of data that reveals health conditions you may not have disclosed to anyone, including your doctor. And right now, in most US states, there's nothing stopping a data broker from buying it, packaging it, and selling it to whoever wants it.
Until federal legislation catches up — and there is currently no comprehensive federal health data privacy law covering consumer devices — the burden falls on individual users to understand what their devices collect, who receives that data, and how to limit exposure. The steps above won't eliminate the problem, but they'll meaningfully reduce your attack surface.
Frequently Asked Questions
Does HIPAA protect my fitness tracker data?
No. HIPAA only applies to covered entities — hospitals, doctors, health insurers, and their business associates. Consumer fitness trackers like Whoop, Oura, Garmin, Strava, and Fitbit are not covered entities. They can collect, share, and sell your health data with no HIPAA restrictions. The only federal protections come from FTC enforcement against deceptive practices, and new state laws like Washington's My Health My Data Act that specifically cover consumer health data regardless of HIPAA status.
Can fitness tracker data affect my insurance rates?
Yes. Life insurance, disability insurance, and long-term care insurance companies can and do purchase lifestyle and wellness data from data brokers. While the ACA prohibits using pre-existing conditions for health insurance pricing, other insurance types have no such restriction. Data showing poor sleep patterns, elevated resting heart rate, or low activity levels can be used in underwriting decisions. Some insurers, like John Hancock, now bundle a wearable-based wellness program with every new life insurance policy and price sharing your data as a discount.
Which fitness tracker is most private?
Apple Watch is the most privacy-friendly mainstream fitness tracker. Apple processes health data on-device, keeps it under the iPhone's Data Protection encryption with keys held by the Secure Enclave, end-to-end encrypts Health data synced to iCloud, does not sell user data, and does not use health data for advertising. Apple's hardware-sales revenue model removes the incentive to monetize health data. Garmin is the runner-up, with no advertising-driven revenue and a stated policy of not selling personal data, though it does share some data with analytics partners.
Does Whoop sell my health data?
Whoop's privacy policy permits sharing "aggregated and de-identified" data for "research and commercial purposes." The company states it does not sell individually identifiable health data. However, de-identified data has been repeatedly shown to be re-identifiable: Latanya Sweeney's 2000 analysis found 87% of Americans uniquely identifiable by ZIP code, date of birth, and sex alone, and a 2019 Imperial College London and UCLouvain study found 99.98% re-identifiable from 15 demographic attributes. Whoop also integrates advertising SDKs from Meta and Google that transmit usage data to third parties, which is the basis of the 2026 California class-action lawsuit against the company.
How does fitness tracker data end up with data brokers?
Fitness app data reaches data brokers through multiple channels: third-party SDKs embedded in fitness apps that transmit data to analytics companies, data licensing agreements between fitness companies and research firms or aggregators, scraping of public profiles on platforms like Strava and Garmin Connect, data shared through third-party app integrations, and breaches or leaks at fitness companies. Once a data broker has your health information, it gets bundled into consumer profiles sold to insurers, employers, and marketers. Removing these profiles through a service like GhostVault addresses the downstream data that fitness app settings can't reach.

This is just one of 500+ brokers selling your data.
GhostVault removes you from all of them automatically — and keeps you removed.