Peloton, Strava and TrainerRoad collect and share the most personal data, finds new cycling app study

Find out how popular cycling apps rank for sharing users’ personal data with third parties...

Peloton, Strava and TrainerRoad have been found to be the most 'personal data-hungry' cycling apps, according to a recent study by Supplement Timing.

Supplement Timing looked at over 100 of the most popular fitness and health apps available on the app store, releasing its findings to rank them according to which share the most and least of your personal data.

“Which data could possibly be more personal than your health and fitness stats?”, asks Supplement Timing. Well, if this is a concern for you, the full breakdown of the data being tracked, both by default and as an optional setting, can be seen in the table below.

[Image: 2021 Supplement Timing personal data table]

The team read the user agreements and privacy policies of each app to discover which ones are collecting and sharing the most personal data with third parties.

The Peloton fitness app, with live classes as well as a back catalogue of previous classes, was found to track the most personal data, with Strava coming a close second.

Fulgaz, an Australian app that uses real-world videos of cyclists, was found to store the least amount of data of the apps analysed, with Bkool Simulator and Wahoo Fitness not too far behind.

“Supplement Timing believes that whether it's your fitness regimen, the food you eat, or the supplements you take - everybody can push themselves to harder, better, faster and stronger.

“But in today’s technologically-driven world, many of the apps we use to keep track of our nutrition and our workouts come with a cost - our personal data.

“Supplement Timing wanted to bring this to light to help you achieve your fitness goals while retaining your privacy.”

Nutrition and weight loss apps were also found to be the ones most likely to track personal data by default without alerting you, while FitBit is the step counter app that collects and shares your data the most.

At the other end, yoga, mental health and sleep tracking apps are the least hungry for your personal data.

Methodology

For each app, Supplement Timing says it analysed the official privacy policy as provided on their website or on the website of the parent organisation:

“Where possible, a distinction was made between the information users have to provide to use the app and its features, and the information users can choose to share with the app”, it said.

For each of the 27 types of personal data identified, Supplement Timing says it gave an app 2 points if a certain type of data was tracked by default, and 1 point if that type of data was tracked only if users gave permission for it to be tracked.

Supplement Timing's full study can be found here and all of the data is over here.

Could this information change which fitness apps you use, and the way you use them? Let us know in the comments as always. 

Anna has been hooked on bikes ever since her youthful beginnings at Hillingdon Cycle Circuit. As an avid road and track racer, she reached the heady heights of a ProCyclingStats profile before leaving for university. Having now completed an MA in Multimedia Journalism, she’s hoping to add some (more successful) results. Although her greatest wish is for the broader acceptance of wearing funky cycling socks over the top of leg warmers.

10 comments

Smiffi | 3 years ago
2 likes

Who could ever have guessed that Strava knows who I am, where I am, that I have a Garmin Edge, what language I speak, and what my workout details are!  Isn't that precisely why we use it?

NPlus1Bikelights | 3 years ago
1 like

MyFitnessPal should get a special mention, for selling limited data to food companies and then selling ALL their amassed data to Under Armour.

Simon E replied to NPlus1Bikelights | 3 years ago
1 like

Don't forget the 2018 data breach at MFP - 144 million unique email addresses with usernames, IP addresses and passwords that were for sale on the dark web.

Alongside what Facebook know about you (and let people do with that information), data breaches are far, far more scary than Under Armour knowing what I put in my porridge.

mdavidford | 3 years ago
5 likes

So the article is headed up to be about what data they "collect and share", but then all the detail, including the infographic, is about what they collect, which is the less interesting part of the question. What they collect will in part be determined by the features they need to support. The more important question is how much of that data are they making publicly available or providing to third parties without people realising it.

[Also, there's at least one inaccuracy in there - it claims that Rouvy doesn't collect heart rate data, which it definitely does - which makes me wonder about the rigorousness of their study.]

Secret_squirrel replied to mdavidford | 3 years ago
1 like

Indeed - it's a lot easier to know what you are giving to an app in return for its services, but far more crucial is what the company that runs that app then does with it. If it's not shared at all or not used for purposes other than to support the app features then no biggy...

Sam3 replied to Secret_squirrel | 3 years ago
2 likes

There's a movement out there these days, with user experience strategists like Gerry McGovern, all pointing out that the amount of data being collected is a biggy. As is the lack of any clear commitment to what happens to it.

They should limit the amount of data they collect - by design. And should routinely delete it - by design.

If you think this is trivial, note that the tech giants collect your data by buying up companies mainly for the datasets. They then match them up into mega datasets. So this is not trivial or innocent at all.

A lot of this is unnecessary. For example if you bought an app and paid for it in app, the service provider does not intrinsically need to know your personal name or your home address. And having that data makes it all the more risky when the app is tracking your location.

Note also that smartphones actually leak your location data in full because they inherently have a function that provides 3D gyroscopic tracking of your motion even when offline. So effectively many of these apps are tracking you 24-7-365. That's just nothing to do with your workout. It's mass surveillance for commerce.

Sriracha replied to Secret_squirrel | 3 years ago
2 likes
Secret_squirrel wrote:

Indeed - it's a lot easier to know what you are giving to an app in return for its services, but far more crucial is what the company that runs that app then does with it. If it's not shared at all or not used for purposes other than to support the app features then no biggy...

...until they get hacked or bought, either or both of which is pretty likely to happen. So, how much of this data do they actually need to provide the service, and for how long is it necessary to keep it?

Sriracha replied to Sriracha | 3 years ago
0 likes

...or, of course, until they just get careless? Whatever you put into these apps gets "shared", one way or another.
https://www.theverge.com/2021/5/5/22421329/peloton-api-bug-customer-data...

Simon E replied to Sriracha | 3 years ago
0 likes

Sriracha wrote:

...or, of course, until they just get careless? Whatever you put into these apps gets "shared", one way or another. https://www.theverge.com/2021/5/5/22421329/peloton-api-bug-customer-data...

Yet another one, and it won't be the last. The article says that he reported it to the company in January and they only 'fessed up now when he went public!

It's shocking how little people care about their personal data being shared or even sold online. Once it's out there in the wild you can never get the genie back in the bottle. Identity fraud, banking fraud, phishing and ransomware are all far more likely to succeed.

It's why my kids have multiple email addresses, use fake DOB on social media etc. Only the government, my bank, insurer etc need genuine information, the rest can have false info. Quite a few sites I've registered with have an old address and telephone number as there is absolutely no reason for them to know my home address.

Yorky-M | 3 years ago
6 likes

I have had my first jab, so Bill Gates knows where I am at all times anyway