Let's face facts: When you get a new wearable device, whether it be a smartwatch or fitness tracker, you tear it out of the box and quickly tap "next," "next", and "Agree" to anything presented to you - including the terms of service and privacy policies.
2018 is a new world though, one where data breaches seem to be happening on the monthly. There was also Facebook's big Cambridge Analytica scandal, which opened a lot of eyes to how much data these companies have on us and how it can be abused for nefarious purposes.
Read this: Fit leaking' is a big privacy problem for companies
GDPR sets privacy rules built for our modern times. They aim to ensure that personal data is collected under strict conditions and those who collect it will need to protect it from exploitation and misuse. Companies also have to tell you how they collect and use your data in the simplest terms possible, which is why all those privacy policies are getting major rewrites.
GDPR applies to companies in the EU, but it also applies to any company that wants to offer goods and services in the EU. As companies are often pragmatic and want to avoid messiness, like having wildly different privacy policies for different parts of the world, it essentially means that many of GDPR's rules could trickle out to non-EU countries.
Data privacy: The best option
The Cupertino company also makes it incredibly easy to correct and erase your data with its privacy portal. You just have to sign into your Apple ID and go to town, though if you're not in the EU some of the ease of deleting your data is eroded, though Apple tells 9to5Mac it plans on adopting those features for the rest of the world, too.
Essential reading: Fitness app privacy policies for GDPR
Garmin's process for deleting data could also be better, as you'll have to email one of two email addresses, depending on whether you live in the EU or not. Under Armour, which owns a number of important wearable apps like MapMyRun, follows. The company has seen a data breach resulting in 150 million people's accounts being compromised, so that's worth remembering here.
Under Armour's policy is very, very long and very, very difficult to read. It collects a whole mess of data, it details several default sharing options, and explains how you can opt out of location data used for ad tracking.
In last place comes Xiaomi. While there's nothing too egregious here, any complaints or lawsuits against the company will be routed through Chinese courts. Also, the company doesn't outline what would happen to your data if there was a merger or closure - only that it would let you know of the decisions that would be made. Not good enough at all.
Fitbit in brief
- Fitbits are not medical devices and you should consult your doctor before you start using one
- PurePulse heart rate tracking may cause problems if you have an existing heart condition
- Fitbit uses anonymous data about non-paying users in its Premium services
- It sells de-identified data
- If you get a skin reaction, keep the band clean, dry, loose and give your wrist a break. After 2-3 days, tell your doctor.
- You have control over your child's data until 13, then they can manage it on their own if he or she choses to.
Fitbit Terms and Conditions highlights
"The accuracy of the data collected and presented through the Fitbit Service is not intended to match that of medical devices or scientific measurement devices."
"The Fitbit Service is not intended to diagnose, treat, cure, or prevent any disease. If you have a medical or heart condition, consult your doctor before using the Fitbit Service, engaging in an exercise program or changing your diet."
"Prolonged contact with wearable devices may contribute to skin irritation or allergies in some users. To reduce irritation, follow four simple wear and care tips: (1) Keep it clean; (2) keep it dry; (3) don't wear it too tight, and (4) give your wrist a rest by removing the band for an hour after extended wear. For more information visit www.fitbit.com/productcare. If you notice any skin irritation, soreness, tingling, numbness, burning, or stiffness in your hands or wrists while or after wearing the product, remove your device and please discontinue use. If any symptoms persist longer than 2-3 days after removing the device, consult your doctor."
"Fitbit products using PurePulse technology have a heart rate tracking feature that may pose risks to users with certain health conditions. Consult your doctor prior to use of such products if you (1) have a medical or heart condition, (2) are taking any photosensitive medicine, (3) have epilepsy or are sensitive to flashing lights, (4) have reduced circulation or bruise easily, or (5) have tendonitis, carpal tunnel syndrome, or other musculoskeletal disorders."
Fitbit Terms and Conditions (23 April 2018)
"We also use your information to make inferences and show you more relevant content. Here are some examples:
- Information like your height, weight, gender, and age allows us to improve the accuracy of your daily exercise and activity statistics like the number of calories you burned and the distance you traveled.
- Based on your sleep data, we may make inferences about your sleeping patterns and provide you with customized insights to help you improve your sleep.
- We may personalize exercise and activity goals for you based on the goals you previously set and your historical exercise or activity data."
"We may share non-personal information that is aggregated or de-identified so that it cannot reasonably be used to identify an individual. We may disclose such information publicly and to third parties, for example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services."
"If we are involved in a merger, acquisition, or sale of assets, we will continue to take measures to protect the confidentiality of personal information and give affected users notice before transferring any personal information to a new entity."
"Some Fitbit devices support payments and transactions with third parties. If you activate this feature, you must provide certain information for identification and verification, such as your name, credit, debit or other card number, card expiration date, and CVV code. This information is encrypted and sent to your card network, which upon approval sends back to your device a token, which is a set of random digits for engaging in transactions without exposing your card number."
"When you create an account for your child, we'll ask for personal information about them, like their name, date of birth, gender, height, and weight. You or your child may choose to share certain additional information with us."
"We use the information in the following ways: to provide, personalize, and improve our services, authenticate users' identities, to track activities and exercise, and to provide customer support. We also use the data we collect for internal purposes such as troubleshooting, protecting against errors, data analysis and testing, to develop new features and services, and to promote the safety and security of Fitbit.
We also use the information we collect to help children connect with other, guardian-approved Fitbit users which are displayed within the family account."
"If at any time you wish to stop further collection or use of your child's information, you can delete your child's account by either (1) contacting Customer Support, or (2) deleting your child from the family account and confirming your intent to delete the account in the email we send you."
"When your child turns 13 (or any higher minimum age required for the creation of a Fitbit account without parental consent in your country), he or she will be eligible to independently manage his or her account. If your child chooses to manage his or her Fitbit account, you will no longer have access to, or be able to exercise control over it through your Fitbit account."
Apple Watch terms in brief
- Apple advises you keep the Watch at least 10mm away from your head to limit radio frequency (RF) exposure
- Be careful when driving or riding a bike and using the Watch
- The Apple Watch isn't a medical device and you should tell your doctor before starting a fitness program with it
- If you suffer skin irritation while wearing the watch, it might be allergies, soap, sweat or a nickel-related reaction
- Apple does not guarantee that its location data is accurate, recommending that you pay attention to road signs - or any other services
- Sharing or syncing photos with your Apple Watch could mean photo location data is also shared
- Apple can limit your use of the Watch without notifying you
- Apple isn't liable for any financial problems via Apple Pay - talk to your bank or card issuer
- Apple shares your personal data with its "affiliates" and combines it with other information that it obtained about you
- It can share de-identified data for any purpose
- You can easily correct/remove your information via Apple ID on Apple's privacy portal
Apple watchOS4.2 Terms and Conditions highlights
"Using Apple Watch in some circumstances can distract you and may cause a dangerous situation (for example, avoid typing text messages while driving a car or using headphones while riding a bicycle). By using Apple Watch you agree that you are responsible for observing rules that prohibit or restrict the use of mobile phones or headphones (for example, the requirement to use hands-free options for making calls when driving). "
"Apple Watch, the heart rate sensor and its data and included Apple Watch apps are not medical devices and are intended for fitness purposes only. They are not designed or intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease."
"Before starting or modifying any exercise program using Apple Watch, consult your physician. Be careful and attentive while exercising. Stop exercising immediately if you feel pain, or feel faint, dizzy, exhausted, or short of breath. By exercising, you assume inherent risks including any injury that may result from such activity. If you have any medical condition that you believe could be affected by Apple Watch (for example, seizures, blackouts, eyestrain, or headaches), consult with your physician prior to using Apple Watch."
"Sharing or syncing photos through your Apple Watch may cause metadata, including photo location data, to be transmitted with the photos."
"Apple and its licensors reserve the right to change, suspend, remove, or disable access to any Services at any time without notice. In no event will Apple be liable for the removal of or disabling of access to any such Services. Apple may also impose limits on the use of or access to certain Services, in any case and without notice or liability."
"Neither Apple nor any of its content providers guarantees the availability, accuracy, completeness, reliability, or timeliness of stock information, location data or any other data displayed by any Services."
"Location data provided by any Services, including the Apple Maps service, is provided for basic navigational and/or planning purposes only and is not intended to be relied upon in situations where precise location information is needed or where erroneous, inaccurate, time-delayed or incomplete location data may lead to death, personal injury, property or environmental damage. You agree that, the results you receive from the Maps service may vary from actual road or terrain conditions due to factors that can affect the accuracy of the Maps data, such as, but not limited to, weather, road and traffic conditions, and geopolitical events. For your safety when using the navigation feature, always pay attention to posted road signs and current road conditions. Follow safe driving practices and traffic regulations, and note that walking directions may not include sidewalks or pedestrian paths."
"Apple may also impose limits on the use of or access to certain Services, in any case and without notice or liability."
"Nor is Apple responsible for the content, accuracy or unavailability of any payment cards, rewards cards, stored value cards, commerce activities, transactions or purchases while using Apple Pay functionality, nor is Apple in any way involved in the issuance of credit or assessing eligibility for credit, or the accrual or redemption of rewards under a merchant's rewards program."
Wearing Apple Watch support highlights
Read this: Need to know - the Apple Watch skin irritation complaints
"We also collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose."
"We may collect information such as occupation, language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising."
"We may collect and store details of how you use our services, including search queries. This information may be used to improve the relevancy of results provided by our services. Except in limited instances to ensure quality of our services over the Internet, such information will not be associated with your IP address."
"Apple takes the security of your personal information very seriously. Apple online services such as the Apple Online Store and iTunes Store protect your personal information during transit using encryption such as Transport Layer Security (TLS). When your personal data is stored by Apple, we use computer systems with limited access housed in facilities using physical security measures. With the exception of iCloud Mail, iCloud data is stored in encrypted form including when we utilize third-party storage."
Xiaomi Mi Band
Xiaomi terms in brief
- Any disputes with Xiaomi will be dealt with in Chinese courts
- Xiaomi is committed to upholding privacy laws including in your country
- Don't use your Xiaomi devices in your car
- Xiaomi does not guarantee the reliability/specific functions/ability to meet your needs of its products
- Your personal data is held in Beijing, Singapore and the US
- Xiaomi doesn't clarify what happens to personal information if there's a merger/sale just that you will be notified
- It shares de-identified data
- You can request to remove your personal data here.
Mi Terms and Conditions
"The laws of the People's Republic of China will apply to any disputes arising out of or relating to these terms or the Services. All claims arising out of or relating to these terms or the Services will be litigated exclusively in the courts of the People's Republic of China, and you and Xiaomi consent to personal jurisdiction in those courts."
"Do not use our Services in a way that prevents you from obeying traffic safety laws."
"Other than as expressly set out in these terms or additional terms, neither Xiaomi nor its suppliers or distributors make any specific promises about the services. For example, we don't make any commitments about the content within the services, the specific functions of the services, or their reliability, availability, or ability to meet your needs. We provide the services "as is"."
Mi Terms and Conditions (not dated)
"We are committed to protecting the privacy, confidentiality and security of your personal information by complying with applicable laws, and we are equally committed to ensuring that all our employees and agents uphold these obligations."
"We may disclose your personal information on occasion to third parties (as described below) in order to provide the products or services that you have requested."
"If Xiaomi is involved in a merger, acquisition or asset sale of all or a portion of our assets, you will be notified via email and/or a prominent notice on our website, of any changes in ownership, uses of your personal information, and choices you may have regarding your personal information."
Garmin terms in brief
- Garmin warns against taking advice from other Garmin Connect users
- Garmin does not guarantee the accuracy/reliability of its services
- Be careful who you share your location data with
- You can ask for your personal data to be edited or removed
- Garmin shares your personal information with affiliates (listed here).
- You can request that your data is corrected or deleted by emailing: firstname.lastname@example.org or email@example.com.
"We are not responsible for, and we do not endorse, the opinions, advice, or recommendations posted or sent by users in any Public Forum and we specifically disclaim any and all liability in connection therewith."
"Garmin makes no representations or warranties about the accuracy, reliability, completeness, or timeliness of the Content or about the results to be obtained from using the Garmin Sites and the Content. Any use of the Garmin Sites and the Content is at your own risk."
"Garmin processes your activity data, if you choose to upload it to Garmin, to enable you to analyze your activity data, see your location on your activity course and segment maps, see your heart rate related metrics such as stress score, track your fitness goals, and, if you wish, share your activity data with others. If you reside in the European Economic Area or in Switzerland, the legal ground for this processing is your explicit consent, which you can withdraw at any time within your Garmin account."
"If you choose to upload activity data (such as steps, distance, pace, activity time, calories burned, heart rate, sleep, etc.) from your Garmin device to your Garmin account and you choose to participate in Insights, then you will be presented with an Insights section in your Garmin account in which you will be provided with recommendations and motivational messages, information and links to articles that may be of interest to you based upon your activity data, and a comparison of your activity data with aggregated activity data of others in the Garmin Connect community. If you reside in the European Economic Area or in Switzerland, the legal ground for processing this data for this purpose is your explicit consent, which you can withdraw at any time within your Garmin account."
"If you choose to enable your Garmin account to access accounts you have with other app providers, such as your MyFitnessPal, Strava or TrainingPeaks account, we will obtain information about you from such account, such as the number of calories consumed in a particular day based on information from your MyFitnessPal account or courses and segments from your Strava account."
"If you reside in the European Union, you have the right under the General Data Protection Regulation to request from Garmin access to and rectification or erasure of your personal data, data portability, restriction of processing of your personal data, the right to object to processing of your personal data, and the right to lodge a complaint with a supervisory authority. If you reside outside of the European Union, you may have similar rights under your local laws."
UA terms in brief
- Under Armour can track your location even when its apps aren't running
- It does not guarantee its services are accurate, error free or reliable
- It combines personal data that you share with personal data from third parties but you can opt out of this
- Data from HealthKit will not be used by UA for marketing/advertising or transferred to third parties for marketing/advertising
- The default privacy setting on UA Accounts for sharing activity data is "Share with all my friends." Physical stats, however, are set to private.
- Don't blame UA if your posts mean you don't get into a club/onto a team
- It advises against choosing the 'Public' setting for a number of reasons
- You can use Under Armour's services if you are over the age of 13
Under Armour Legal Policies
"The UA parties make no warranty that (a) the services will meet your requirements; (b) the services will be uninterrupted, timely, secure, or error-free; (c) the results that may be obtained from the use of the services will be accurate or reliable; (d) the quality of any products, services, information, or other material purchased or obtained by you through the services will meet your expectations; and (e) any errors in the services will be corrected."
"Certain sports organizations have rules on amateurism and eligibility that could potentially be implicated if you post User Content within the Services, even User Content that you believe is noncommercial in nature. It is your responsibility to determine whether posting User Content within the Services will affect your eligibility to participate in any sport under any applicable rules of any sports organization."
"Some unauthenticated Users may have the ability to extract location information from photos or videos that are posted by you with a "Public. Share With Everyone" designation."
"Upon your termination of your Account, you may request that we completely "purge" your Account, including deleting any and all User Content previously submitted. We will undertake commercially reasonable efforts to ensure that your User Content associated with your Account is purged when you terminate your Account, subject to the limitation that we may not be able to fully delete all of your User Content, specifically any User Content posted in our community groups, or on other User pages. In addition, we cannot wholly purge health index-related User Content upon the deletion of a User Account. We will, however, remove individually identifiable information upon the termination of your Account."
"We may collect precise Location Data in several ways, such as through your wireless carrier, based on WiFi access point location, via Bluetooth beacons, through a connected device, or directly from the device on which you use the Services. If you choose to purchase apparel or products with specially embedded hardware to track the movement or location of the apparel or product, these technologies may also enable collection of precise Location Data. If you are accessing the Services through one of our mobile applications, the way we collect precise Location Data will differ depending on your mobile device's operating system. In all events, we do not collect precise Location Data, unless you have 'allowed' its collection. If you decline to allow Location Data collection in the app, we will not collect your precise Location Data unless you manually enter it in."
"We may also ask for your consent to share your Personal Data with certain Third Party business partners in order to offer certain goods, services, or programs. To withdraw consent, please go to the preferences of the specific third party service or app."
"We may ask for your consent to provide Personal Data to allow third parties to contact you regarding their products, services, Promotions, or offers. Typically this is in conjunction with a sweepstakes or challenge (your consent for third party marketing is generally not a pre-requisite to participation. To withdraw consent, please go to the preferences of the specific third party."
"We may request your consent to use your Personal Data for Research purposes. We may also request your consent to contact you to determine your interest to participate in certain Research initiatives and to share identifying results. For market research, we may ask questions on behalf of business partners and share your response with business partners."
"'Fitness and Wellness Data' includes data you provide related to your lifestyle (e.g., sleeping habits), life events, dietary restrictions, fitness goals, height, weight, measurements, fitness level, heart rate, sleep data, BMI, biometric data, and similar types of data relating to physiological condition, and activity. We collect this data in order to provide the Services and to tailor features, products, advertising, and services to your interests and goals, including providing meal suggestions, workout plans, training- and coaching-related services, and product recommendations (e.g., custom products)."
"We also collect Personal Data, including Fitness and Wellness Data, when you use a device that is connected to the Internet, such as heart rate monitors, activity trackers, and other devices or wearables that are not personal computers or mobile phones or tablets. When you use a wearable or connected device or product, we may also collect certain information about the device or product such as serial number, Bluetooth address, UPC, or other device- or purchase-related information."
"Within our Services there are four sharing settings: Private, Share with Friends, MyFitnessPal Members Only (only available within MyFitnessPal), and Public. Under Armour apps are designed for your wellness and fitness benefit. As such, you are able to control what Personal Data you share and with whom you share it. We encourage you to adjust the sharing settings to best meet your objectives and sharing comfort level. In the interest of safeguarding your Personal Data, we have outlined some initial default sharing settings."
"The Personal Data Under Armour processes, and all associated Services and systems, including registration, is housed on servers in the United States. If you are located outside of the United States, please be aware that Personal Data we collect will be processed and stored in the United States (the data protection and privacy laws in the United States may offer a lower level of protections than in your country/region)."
Google and Wear OS
Google terms in brief
- Google Fit/Wear OS watches are not medical devices and don't have the same security level as health insurance services
- When you begin using Wear OS, you can opt in or out of letting Google Fit use and store sensor data and connecting to Wear Cloud Sync
- You can delete all your Google Fit data by removing the apps and then using the Delete History feature on the website
- Google will serve you tailored ads based on your personal data
- It combines personal data on you from different Google services
- It shares non identifiable data with partners, publishers and advertisers
- Meet any applicable law, regulation, legal process, or enforceable governmental request. We share information about the number and type of requests we receive from governments in our Transparency Report.
- Enforce applicable Terms of Service, including investigation of potential violations.
- Detect, prevent, or otherwise address fraud, security, or technical issues.
- Protect against harm to the rights, property or safety of Google, our users, or the public as required or permitted by law."
"We'll share personal information outside of Google when we have your consent. For example, if you use Google Home to request a ride from a ride-sharing service, we'll get your permission before sharing your address with that service. We'll ask for your explicit consent to share any sensitive personal information."
"We also use your information to ensure our services are working as intended, such as tracking outages or troubleshooting issues that you report to us. And we use your information to make improvements to our services — for example, understanding which search terms are most frequently misspelled helps us improve spell-check features used across our services."
"We use the information we collect in existing services to help us develop new ones. For example, understanding how people organized their photos in Picasa, Google's first photos app, helped us design and launch Google Photos."
"Many of our services let you share information with other people, and you have control over how you share. For example, you can share videos on YouTube publicly or you can decide to keep your videos private. Remember, when you share information publicly, your content may become accessible through search engines, including Google Search."
Samsung terms in brief
- Samsung's health and fitness wearables are for "recreational" purposes only and should not be used for medical purposes
- Samsung does not guarantee the accuracy of its health and fitness software
- It is not liable for any problems from its products being inaccurate or faulty
- It combines personal data which you choose to share with other information from third parties but you can opt out of this
- You can opt out from your data being used for marketing (most of the time)
- It shares personal data with affiliates, business partners and service providers
Samsung Gear/Gear Fit End User License Agreement
"The Wearable Device and the Fit Software is intended for recreational purpose only, and is not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease or any other medical purposes. Certain data derived from the Fit Software is for informational purposes only and is not intended to be treated as a medical device nor replace the relationship between you and your physician or other medical provider. Do not disregard professional medical advice nor delay in seeking it because of something you have learned through the Fit Software."
"Samsung is not liable for any injuries, damages, losses and/or costs suffered by users, which are associated with the services and/or information, including recommendations, coaching, tips and/or guidelines, nor for the accuracy of any information provided or acquired by or accessed through Fit Software."
"Samsung will not be liable for any damages of any kind arising out of or relating to the use or the inability to use the software, its content or functionality, including but not limited to damages caused by or related to errors, omissions, interruptions, defects, delay in operation or transmission, computer virus, failure to connect, network charges, and all other direct, indirect, special, incidental, exemplary, or consequential damages even if Samsung has been advised of the possibility of such damages, some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above exclusions or limitations may not apply to you."
Samsung Gear/Gear Fit End ULA (1 January 2017)
"Where we use trusted third parties to enrich our database, we ensure that there is a legally enforceable agreement between us and the third party provider to ensure that any combined data has been lawfully obtained from you. Depending on the reason for which we combine the data, and on the requirements of applicable law, specific controls for such combination will be made available to you, for instance in device or application settings menus, or by visiting our webpage which provides you with the opportunity to exercise your individual rights under data protection law. Please visit GDPR Support page."
"We also may collect other information about you, your device, or your use of the Services in ways that we describe to you at the point of collection or otherwise with your separate consent where required.
You can choose not to provide us with certain types of information (e.g. information we request during Samsung account registration), but doing so may affect your ability to use some Services. We will provide you with relevant information at the time of collection to help you make an informed decision."
"We may disclose your information internally within our business to the relevant teams such as, without limitation, the customer services team, the legal team, the finance team, the sales team, and where you have chosen to receive marketing messages, the marketing teams. We may also disclose your information to the following entities, only to the extent that this will be necessary to perform the Services:
- Business Partners.We also may share your information with trusted business partners, including without limitation, wireless carriers, retailers, and distributors. These entities may use your information to provide you with services you request and to make predictions about your interests, and may provide you with promotional materials, advertisements, and other materials with your separate consent.
- Service Providers.We also may disclose your information to carefully selected companies that provide services for or on behalf of us, such as companies that help us with repairs, customer contact centres, customer care activities, advertising, conducting customer satisfaction surveys, billing, or that send emails on our behalf. These entities are limited by contractual provisions in their ability to use your information for purposes other than providing services for us."
Additional research by Rob Cappellina. Additional words by Conor Allison.
How we test