Health Data Privacy

What Your Fitness Tracker Actually Knows About You

July 1, 2026 7 min read Haven Team

In 2018, Strava published a global heatmap built from its users' aggregated GPS activity. Researchers noticed clean, well-lit rectangles in the middle of deserts in Syria and Afghanistan: the running routes of soldiers on classified military bases, traced by their own wearables. Nobody at Strava intended to expose troop positions. The data just did what fitness data does: it recorded exactly where people were, exactly when, and it moved.

That incident is five years old now, but it's still the clearest public demonstration of a fact most fitness tracker owners haven't fully absorbed: a wearable is a health sensor, a location tracker, and a behavioral profiler running at the same time, and very little of what it captures gets the legal protection people assume health data gets.

The device knows more than "steps"

Modern trackers, from a $30 band to an Oura ring or a Whoop strap, typically log some combination of: continuous heart rate, heart rate variability, blood oxygen estimates, skin temperature, sleep stages (not just duration, actual sleep architecture), GPS routes with timestamps, and in some cases attempts at menstrual cycle prediction based on temperature and heart rate shifts. Some devices infer stress levels. A few try to detect atrial fibrillation.

Individually, a lot of this looks harmless. Combined and time-stamped, it's a fairly complete behavioral record: when you wake up, when you're stressed, when you're at home versus somewhere else, and for devices that track cycles, information that is, functionally, reproductive health data.

Why "health data" doesn't mean HIPAA-protected

This is the misconception that causes the most confusion. HIPAA, the US law people reach for when they hear "medical privacy," only applies to covered entities: health care providers, insurers, and their business associates. A consumer fitness app is almost never one of those. Unless your tracker's data is being fed directly into your doctor's electronic health record system under a formal agreement, HIPAA has nothing to say about it. The company that makes your tracker is bound by whatever its own privacy policy says, and by general consumer protection law, not by medical privacy law.

The gap

Under GDPR, health data is a "special category" requiring explicit consent and heightened protection (Article 9). Under US federal law, the same data from a consumer wearable generally falls outside HIPAA entirely and is governed by ordinary privacy-policy terms, which vary widely and can change with an update to the app.

Where the data actually goes

Most fitness platforms share data with named categories of third parties: analytics providers, advertising partners, and, increasingly, research or insurance programs you may have opted into without reading the terms closely. John Hancock's Vitality program, for example, offers premium discounts to life insurance customers who share activity data from a connected device, an explicit trade of behavioral data for a lower rate. That's disclosed and consensual, but it's also a preview of a direction the industry is moving: fitness data as an input to financial and insurance decisions, not just a personal dashboard.

Aggregated and "anonymized" datasets get sold to researchers and third parties more often than most users realize, and re-identification of supposedly anonymized location or health data has been demonstrated repeatedly in academic research. A handful of data points, like a home location inferred from where a device stops moving overnight plus a workplace inferred from a weekday pattern, is often enough to single out one person in a large dataset.
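To make that re-identification point concrete, here is an added example (not code from the original article or from any tracker vendor) that infers a home and a workplace cell for each pseudonymous device in a constructed location export, then measures how many devices share each (home, work) pair, which is the anonymity set size a data custodian would check before calling a dataset "anonymized." Device ids, timestamps and cell labels such as "H1" are all constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed export: (pseudonymous device id, ISO timestamp, coarse location cell).
# Cell labels such as "H1" stand in for grid cells; nothing here is real data.
def _sample(dev, home, work, weekend_cell):
    rows = []
    for day in ("2026-03-02", "2026-03-03", "2026-03-04"):   # Mon, Tue, Wed
        rows.append((dev, f"{day}T02:30:00", home))           # parked overnight
        rows.append((dev, f"{day}T13:00:00", work))           # weekday midday
    rows.append((dev, "2026-03-07T13:00:00", weekend_cell))   # Saturday outing
    return rows

RECORDS = (_sample("dev-a1", "H1", "W1", "PARK") + _sample("dev-b2", "H1", "W2", "PARK")
           + _sample("dev-c3", "H2", "W3", "GYM") + _sample("dev-d4", "H2", "W3", "PARK"))

def infer_anchors(records):
    """Home = commonest cell between 00:00 and 05:00; work = commonest cell
    between 10:00 and 16:00 on weekdays. Returns {device: (home, work)}."""
    night, day = defaultdict(Counter), defaultdict(Counter)
    for dev, ts, cell in records:
        t = datetime.fromisoformat(ts)
        if t.hour < 5:
            night[dev][cell] += 1
        elif 10 <= t.hour < 16 and t.weekday() < 5:   # weekend trips are ignored
            day[dev][cell] += 1
    anchors = {}
    for dev in set(night) | set(day):
        home = night[dev].most_common(1)[0][0] if night[dev] else None
        work = day[dev].most_common(1)[0][0] if day[dev] else None
        anchors[dev] = (home, work)
    return anchors

def anonymity_sets(anchors):
    """How many devices share each device's (home, work) pair (its k-anonymity)."""
    sizes = Counter(anchors.values())
    return {dev: sizes[pair] for dev, pair in anchors.items()}

def singled_out(records, k=2):
    """Devices whose (home, work) pair is shared by fewer than k devices."""
    return sorted(dev for dev, n in anonymity_sets(infer_anchors(records)).items() if n < k)

if __name__ == "__main__":
    anchors = infer_anchors(RECORDS)
    for dev, n in anonymity_sets(anchors).items():
        print(dev, anchors[dev], "anonymity set size:", n)
    print("singled out at k=2:", singled_out(RECORDS))
```

Two of the four constructed devices already have a unique (home, work) pair, which is the situation a release check should flag before any such dataset is shared.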

The acquisition problem

Ownership of these companies changes, and privacy policies change with it. Fitbit was acquired by Google in 2021, moving years of individual health histories under a company whose core business is advertising. Google committed to not using Fitbit data for ad targeting at the time, a commitment that exists in a policy document, not in the architecture of the system. Policies can be updated. A user who joined a small fitness startup in 2020 has no real way to predict, or consent to, who will hold that data by 2030.

The breach history is already long

Data doesn't have to be sold to leak. MyFitnessPal disclosed a breach in 2018 affecting around 150 million accounts, exposing usernames, email addresses, and hashed passwords. It wasn't the health metrics themselves that were exposed in that case, but it demonstrated the scale these platforms operate at: a single fitness app breach can dwarf most other consumer data incidents simply because of how many people log their meals and workouts on their phones. Any database that large is a standing target, independent of how carefully the company handles sharing agreements with named partners.

There's also a category of health-adjacent apps that sit just outside the "fitness tracker" label but collect data with even higher stakes: period and fertility trackers logging cycle data, symptoms, and sometimes pregnancy status. In the years since Roe v. Wade was overturned in the United States, researchers and journalists have documented specific concern about that category of data being sought in legal proceedings related to abortion, prompting several period-tracking apps to add local-only storage modes or end-to-end encryption specifically in response. The lesson generalizes: any app logging sensitive body data should be evaluated not just on today's privacy policy, but on what a subpoena in a future legal or political environment might be able to compel from it.

What's actually worth doing about it

None of this requires giving up the device. It requires treating the data it produces the way you'd treat any other sensitive personal record: worth knowing where it goes before you generate more of it. For the same reason, it's worth applying that same scrutiny to the location data brokers who buy and resell exactly this kind of movement history, and to how opting out of data broker listings actually works in practice.

Where Haven fits

Haven doesn't make a fitness tracker, and this isn't a pitch for one. It's a reminder that the same question applies to every service handling sensitive personal data: not "does this company say it protects my privacy" but "what does the architecture actually allow it to do with what I generate." That's the standard we hold our own encrypted email and chat to, and it's a fair standard to apply to the wearable on your wrist.
