You open an app, log your breakfast, enter your weight, note that you slept badly, mark that you are feeling stressed, and track your menstrual cycle. Within a few days, that app knows more about your body than most people in your life.

Now the question: where does all that data go?

It is not a paranoid question. It is a necessary one. Your health data is among the most sensitive personal information you possess — and in most cases, people share it without reading a single line of the privacy policy.

Let us look at the landscape and, most importantly, what you can do to protect yourself.

What wellness apps actually collect

The list goes far beyond what you might expect. Health and fitness apps typically collect:

  • Nutrition data: what you eat, quantities, timing, dietary restrictions
  • Body metrics: weight, height, BMI, body fat percentage, measurements
  • Physical activity: exercise type, duration, heart rate, running routes (with GPS)
  • Sleep: schedules, duration, quality, patterns
  • Mental health: mood, stress levels, anxiety, emotional logs
  • Reproductive health: menstrual cycle, symptoms, sexual activity
  • Medications: what you take, dosages, schedules
  • Location: where you exercise, where you eat, where you travel

Each of these data points alone reveals a lot. Combined, they create an intimate and detailed portrait of your life.

Where your data goes

This is where things get more concerning. Depending on the app, your data may be:

Stored on company servers — which raises the question: where are those servers? In which country? Under which legal jurisdiction?

Shared with third parties — business partners, analytics companies, advertising platforms. In many cases, your eating habits and sleep patterns are being used to target ads.

Sold to data brokers — companies that buy, aggregate, and resell personal data. Your health information could end up in the hands of insurers, employers, or any company willing to pay.

Used for research — sometimes anonymized, sometimes not as thoroughly as you might assume.

The issue is not that every app does all of this. The issue is that many do, and few communicate it clearly.

The regulatory gray area

There is an important distinction that most people are unaware of:

Medical apps (regulated by health authorities like the FDA or EMA) go through rigorous approval processes and are subject to strict rules about handling patient data.

Wellness and fitness apps — the majority of apps you use — are generally not classified as medical devices. This means that the rules applied to electronic health records, for example, do not necessarily apply to the app where you log your meals.

This regulatory gray area means that many apps operate with far less stringent data protection standards than would be ideal, especially given the sensitivity of the information they collect.

What to check before using any health app

Before trusting an application with your most personal information, it is worth examining a few key areas:

1. Privacy policy

Yes, it is long and tedious. But at least look for the section on data sharing with third parties. If the app says it may share your data with “partners” without specifying who they are or for what purpose, that is a red flag.

2. Data storage

Where are the servers located? Is data encrypted in transit and at rest? Encryption is the bare minimum expected for sensitive information.

3. Data deletion

Can you permanently delete your data? Not just deactivate your account, but actually request the removal of your information from the company’s servers.

4. Data portability

Can you export your data in a format that lets you use it elsewhere? Your data is yours — you should be able to take it with you.

5. Account deletion

Can you completely delete your account? Is the process straightforward, or does it involve sending emails, waiting through deadlines, and navigating bureaucratic hurdles designed to discourage you?

6. Anonymization

If the app uses data for analytics or research, is that data truly anonymized? Genuine anonymization goes far beyond simply removing your name.
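To illustrate why removing names is not enough, here is an added example (not from the original article or from any app vendor) that measures k-anonymity: the size of the smallest group of records sharing the same quasi-identifiers. The records, field names and generalization rules are constructed assumptions.

```python
from collections import Counter

# Constructed sample export: names already stripped, as naive "anonymization" would do.
RECORDS = [
    {"zip": "10115", "birth_year": 1988, "sex": "F", "avg_sleep_h": 6.1},
    {"zip": "10117", "birth_year": 1984, "sex": "F", "avg_sleep_h": 7.4},
    {"zip": "10119", "birth_year": 1981, "sex": "F", "avg_sleep_h": 5.2},
    {"zip": "10243", "birth_year": 1992, "sex": "M", "avg_sleep_h": 8.0},
    {"zip": "10245", "birth_year": 1995, "sex": "M", "avg_sleep_h": 6.8},
    {"zip": "10247", "birth_year": 1999, "sex": "M", "avg_sleep_h": 7.1},
]

# Fields that are not names but can be linked to outside data (assumed set).
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest group size; k == 1 means at least one person is singled out."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids):
    """Share of records whose quasi-identifier combination is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for n in classes.values() if n == 1) / len(records)


def generalize(record):
    """Coarsen quasi-identifiers: ZIP to 3-digit prefix, birth year to decade."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    print("k (names removed only):", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("unique records:", unique_fraction(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalize(r) for r in RECORDS]
    print("k (after generalization):", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

Even a higher k does not help if everyone in a group shares the same sensitive value, so group size is a minimum check, not proof of anonymity.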

Red flags to watch for

Some indicators that an app may not deserve your data:

  • No privacy policy — it might seem obvious, but it happens
  • Vague sharing language — phrases like “we may share with third parties” without specifying who, when, and why
  • No option to delete data — if you cannot erase it, you are not truly in control
  • Excessive permissions — why does a food-logging app need access to your contacts, camera, or microphone with no clear reason?
  • Free with no visible business model — if you are not paying for the product, there is a good chance you are the product. Free apps frequently fund themselves by selling data or serving targeted advertising

No single red flag means an app is malicious. But a combination of several should give you pause.

Your rights by region

Data protection laws vary by region, but they are becoming stronger worldwide:

In the European Union — GDPR (General Data Protection Regulation):

  • Right to access your data
  • Right to rectification of inaccurate data
  • Right to erasure (“right to be forgotten”)
  • Right to data portability
  • Right to withdraw consent at any time
  • Right to be informed about how your data is used

In the United States:

  • HIPAA applies to healthcare providers and health plans, but generally does not cover most wellness and fitness apps
  • CCPA/CPRA (California) gives residents the right to know what data is collected, request deletion, and opt out of sales
  • Several other states have passed or are passing similar laws (Virginia, Colorado, Connecticut, and others)
  • There is no comprehensive federal privacy law covering health apps — protection depends heavily on where you live

Elsewhere:

  • Canada’s PIPEDA, Australia’s Privacy Act, the UK’s post-Brexit GDPR variant, and many others provide varying levels of protection
  • The trend globally is toward stronger data protection, but enforcement varies

Regardless of where you live, it is worth knowing what rights you have and how to exercise them. Look for the privacy or data protection section within the app, or contact the company’s data protection officer (DPO) directly.

Practical tips to protect your data

You do not need to abandon health apps to protect yourself. A few practices make a significant difference:

Use strong, unique passwords. It sounds basic, but many data breaches happen because of weak or reused passwords. A password manager makes this effortless.

Enable two-factor authentication. Whenever available, add this extra security layer. Even if someone discovers your password, the password alone will not be enough to access your account.

Review app permissions regularly. Go into your phone’s settings and check what permissions each app has. Disable anything that does not make sense for the app’s core function.

Be selective about what you share. Not every field is mandatory. If an app asks for information that is not essential to the service, consider whether it is worth providing.

Read the privacy policy — at least the sharing section. You do not need to read everything. Look for sections about “sharing,” “third parties,” and “data we collect.” Those three sections reveal a great deal.

Keep apps updated. Updates frequently patch security vulnerabilities. Postponing updates can leave your data exposed.

Prefer apps with a transparent track record. Companies that have published transparency reports, respond promptly to data requests, and maintain clear policies are generally more trustworthy.

The balance between utility and privacy

Health apps can be genuinely useful tools. Logging nutrition, monitoring sleep, tracking exercise — all of this can contribute to a healthier and more intentional life.

The point is not to avoid technology. It is to use it with awareness. Just as you choose what you eat, you can choose who you trust with your data. Just as you take care of your body, you can take care of your digital privacy.

The good news is that you do not need to be a cybersecurity expert to protect yourself. Small actions — a better password, one fewer permission granted, a quick scan of the privacy policy — significantly reduce the risks.

Your health data tells your most intimate story. It deserves to be treated with the same care you give your health.