Your fitness app's privacy policy may be about to change – and that's a good thing

Data privacy, especially when it comes to the tech, fitness apps and platforms we use everyday, is having a moment.

Why now? After major user data breaches at Facebook, Strava and Under Armour, plus the fact that the GDPR (General Data Protection Regulation Act) is finally coming into effect in Europe on 25 May, tech companies are realising they need to get their acts together on privacy and personal data.

Read this: 'Fit leaking' is a problem for fitness companies

As a result we've seen a flurry of companies – including Facebook-owned Oculus and Airbnb – sending out emails to users about changes to their Terms of Service and Privacy Policies in the past week or so. And we'll no doubt see plenty more between now and the end of May.

What's interesting is how, with the new requirements, what we can access and do with our data will soon differ between Europe and the US. The likes of Fitbit have overhauled their whole policy, but some sections only apply to certain countries where these new rights – like the rights to object to data processing for marketing – are coming into play.

Until now, opting out has been all or nothing – your wearable or app could be rendered useless if you really cared about privacy. But all this new detail and transparency is great, as are the changes to settings which are moving towards more granular control of what exactly we want to share and how much.

We'll add more apps and services to this list as they upgrade their policies. Spotted one? Let us know in the comments below.

Fitbit

Fitbit seems to have put some good work into its privacy policies – in both the UK and US, policies were updated on 23 April and the new versions go into effect on 24 May or when you agree to the policy in-app (whichever comes sooner).

You can read the privacy policy in full here (US) and here (UK) but we've outlined a few key changes:

• There's more detail about what type of data Fitbit collects from its users, including: location data from GPS, Wi-Fi access points, cell towers and IP addresses; device information on the trackers and the tech you use to interact with the Fitbit app; info from third parties like Facebook and Google Fit.
• Health and personal data covered under GDPR needs explicit consent, which you can withdraw by stopping using a feature, removing a third party integration, unpairing a device, deleting specific data or deleting your account.
• There's a specific Privacy Policy for children's accounts for kids under aged 13 who are using the Fitbit Ace.
• There's more detail on what Fitbit does with your data, e.g. it uses data on where a workout took place and your vital stats to "improve features" which includes developing new services.
• Fitbit shares personal information with partners involved in: "customer support, information technology, payments, sales, marketing, data analysis, research, and surveys".
• The policy is more robust when it comes to sales and mergers. It now says that it will take measures to protect the confidentiality of the data and give users notice.

One key thing is that Fitbit says it has made it easier to edit and delete our personal data by enhancing the settings in the app. That means it is easier to edit, delete and download personal data (on activity, body, sleep and food) as well as to change the settings on which other users can see your data and manage and remove third party services – any data shared with these apps will be covered under their own privacy policies.

• If you live in Europe (including the UK and Switzerland) you now have the right to access and export your personal information; to delete data or your account (which might take up to 90 days); as well as to object to Fitbit's use of your personal data for things like marketing. You can also request to restrict the processing of your data via data-protection-office@fitbit.com.
• The above is in the main US Fitbit policy but namechecks these specific countries. We asked Fitbit if it applies to US users and it does: "All Fitbit users globally enjoy the same account settings and tools that enable our European users to exercise their rights. These settings and tools let our users access, export, edit, delete, object to, and control certain uses of their data. For example, through their privacy settings, all users can limit how their information is visible to other Fitbit users. Using their notification settings, all users can control our periodic marketing messages about Fitbit products."

Strava

Strava found itself in major hot water after its global heat maps were found to reveal info on the location of military bases. Around that time Strava added a more prominent opt-out toggle to make it easier to remove this feature, but that's not all that's changing.

It has updated both its Privacy Policy and Terms of Service and both go into effect on 25 May. Here's what you need to know:

• All Strava users must now be aged 16 and over.
• Strava uses de-identified, aggregate data about its users "for business purposes".
• You can withdraw consent to the processing of your health data at any time.
• There's lots of detail about the data Strava collects on you, including: contact info; data from devices or services you connect to Strava; it can "infer health information" from data you input manually or via a device; location info; technical info on your devices/phone/computer; and also content like photos, comments and kudos.
• You can set up a Privacy Zone e.g. home or work in settings which "makes private" any activity within that zone but is still processed by Strava.
• Strava collects info about you from "marketers, partners and researchers" and combines this with its own data on you.
• Strava uses your data to develop new features and market its products.
• It sells/shares/licenses de-identified, aggregate data about its users.
• You can change the privacy settings for the aggregate data used for its global heatmap.
• If Strava is sold or merges, it will share your personal data.
• It will be requesting consent around collecting and processing your personal health and fitness data from its users "soon".
• If you live in the EU, you now have the right to: access and download your data; restrict/limit/delete "much" of your data by logging into your account; object to the processing of your data; and withdraw your consent around health related data via the app or Strava's support team.
• Again, it doesn't appear that the above applies to US or other Strava users outside Europe.

Under Armour

Under Armour is a biggie as its policies also apply to the millions of users of UA Record, Endomondo, MapMyFitness and popular food tracking app MyFitnessPal. Under Armour was under fire itself recently when we found out that 150 million MyFitnessPal accounts were hacked in February – users were told to change their passwords.

Under Armour's new Privacy Policy and Terms of Service – both of which are very long and not very layperson friendly, we might add – come into effect on 20 May.

• Users in the EU have the right to access, export, object, correct, restrict and delete their personal data via the app settings and for requests, contact EUprivacy@underarmour.com.
• There's also specific detail about how you can withdraw your consent for things like location data used for analytics and advertising – do this by finding "limit ads tracking" and "opt out of ads personalisation" in settings.
• Don't know what that is? Under Armour says: "With your consent, we may share your precise Location Data with Third Parties for on and off platform personalization and curated marketing and advertising purposes."
• The policy goes through UA's four types of sharing – private physical stats, activity stats are under "share with friends" as default and both community social data and "lookup information" (main account info) are public.
• There's lots of detail around what data Under Armour collects including: fitness and wellness data, wearable data, location data, in-store video, offers and deals and third party services.
• Under Armour says it de-identifies and aggregates data by removing name, email address and any tracking ID and that this data is then not subject to the privacy policy.