
Step Tracking Privacy: Why Your Fitness Data Matters

StepMelon Team


Your step tracker knows more about you than you think. It knows when you wake up, how active your day is, where you walk, and how your health trends over time. For millions of Apple Watch users, this data paints an intimate portrait of daily life.

But here’s a question most people never ask: where does all that data go?

The fitness app industry has grown into a multi-billion-dollar market, and your health data is one of its most valuable commodities. Some apps sell it to advertisers. Others share it with data brokers. And many collect far more information than they need to count your steps.

This guide breaks down what fitness trackers actually collect, why it matters, and how to protect yourself.

What Data Do Step Trackers Collect?

At a minimum, a step counter needs your motion data to work. But many apps collect significantly more than that.

Data Most Step Trackers Collect

  • Step counts and activity data — daily steps, distance walked, calories burned
  • Health metrics — heart rate, sleep patterns, weight, body composition
  • Location data — GPS routes, frequently visited places, travel patterns
  • Device information — phone model, OS version, watch type, unique device IDs
  • Account data — name, email, age, gender, height, weight
  • Usage analytics — how often you open the app, which features you use, session duration

Data Some Trackers Also Collect

  • Social connections — friends, leaderboards, shared challenges
  • Purchase history — in-app purchases, subscription status
  • Third-party integrations — data shared with MyFitnessPal, Strava, or other connected services
  • Advertising identifiers — used to target you with personalized ads across apps

That step count you glanced at this morning? It might be bundled with your location, your heart rate, and your demographic profile — then sold to a data broker before lunch.

Why Health Data Privacy Matters

You might think: “Who cares if someone knows I walked 8,000 steps today?” But health data carries risks that go far beyond individual step counts.

Insurance and Employment Risks

Health data is increasingly valuable to insurers and employers. Reports from the Electronic Frontier Foundation and other digital rights organizations have documented how health data from fitness apps has been used by:

  • Life insurance companies adjusting premiums based on activity levels
  • Health insurance providers flagging “risky” lifestyle patterns
  • Employers running wellness programs to monitor workforce health trends

While regulations are catching up, the legal landscape varies dramatically by country and state. In many jurisdictions, fitness app data falls into a gray area — it’s clearly health-related, but not always protected under healthcare privacy laws.

Data Breaches

Fitness data breaches and exposures are more common than people realize. Notable incidents include the 2018 MyFitnessPal breach disclosed by Under Armour and the 2018 Strava global heat map that revealed the locations of military bases (references 4 and 5 below).

When your fitness data is stored on a company’s servers, it becomes a target — for hackers, law enforcement, and litigants.

De-Anonymization

Companies often claim they “anonymize” your data before sharing it. But research has repeatedly shown that anonymized health data can be re-identified. A study published in Nature Communications found that 99.98% of Americans could be re-identified in any dataset using just 15 demographic attributes — many of which fitness apps collect by default.

Your “anonymous” step data, combined with your age, zip code, and device type, often isn’t anonymous at all.
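The re-identification risk described above, as an added example (this is not code from the StepMelon post): ten constructed records that carry only the attributes a tracker collects by default, a function that measures how many of them sit alone in their equivalence class, and the generalization step a data holder would apply before releasing such an export. `FitnessRecord`, `uniquenessRate`, `kAnonymity` and the sample rows are all chosen for this example, not any library's API or real users.

```swift
import Foundation

// Constructed sample records for an "anonymized" fitness export: no names
// or e-mail addresses, only attributes most step trackers collect by default.
struct FitnessRecord {
    let age: Int
    let zip: String
    let gender: String
    let device: String
    let steps: Int
}

let records: [FitnessRecord] = [
    FitnessRecord(age: 34, zip: "94110", gender: "F", device: "Apple Watch Series 9", steps: 8012),
    FitnessRecord(age: 34, zip: "94110", gender: "F", device: "Apple Watch SE", steps: 6540),
    FitnessRecord(age: 35, zip: "94110", gender: "F", device: "Apple Watch Series 9", steps: 10211),
    FitnessRecord(age: 52, zip: "94117", gender: "M", device: "Apple Watch Ultra", steps: 4300),
    FitnessRecord(age: 52, zip: "94117", gender: "M", device: "Apple Watch Ultra", steps: 4875),
    FitnessRecord(age: 29, zip: "10001", gender: "F", device: "Apple Watch SE", steps: 12002),
    FitnessRecord(age: 29, zip: "10001", gender: "F", device: "Apple Watch SE", steps: 9480),
    FitnessRecord(age: 63, zip: "10001", gender: "M", device: "Apple Watch Series 8", steps: 3100),
    FitnessRecord(age: 67, zip: "10003", gender: "M", device: "Apple Watch Series 7", steps: 5200),
    FitnessRecord(age: 38, zip: "94118", gender: "F", device: "Apple Watch Ultra", steps: 7700),
]

/// Group records by a quasi-identifier key and return the size of each class.
func equivalenceClassSizes(_ rows: [FitnessRecord], key: (FitnessRecord) -> String) -> [String: Int] {
    var sizes: [String: Int] = [:]
    for row in rows { sizes[key(row), default: 0] += 1 }
    return sizes
}

/// Fraction of records that are the only member of their class. Anyone who
/// knows those few attributes about a person can pick that row out directly.
func uniquenessRate(_ rows: [FitnessRecord], key: (FitnessRecord) -> String) -> Double {
    let sizes = equivalenceClassSizes(rows, key: key)
    let singletons = rows.filter { sizes[key($0)] == 1 }.count
    return Double(singletons) / Double(rows.count)
}

/// The k of k-anonymity: the size of the smallest class under this key.
func kAnonymity(_ rows: [FitnessRecord], key: (FitnessRecord) -> String) -> Int {
    equivalenceClassSizes(rows, key: key).values.min() ?? 0
}

// Raw quasi-identifiers, exactly as a careless export would ship them.
let rawKey: (FitnessRecord) -> String = { r in
    "\(r.age)|\(r.zip)|\(r.gender)|\(r.device)"
}

// Generalized quasi-identifiers: 10-year age band, 3-digit ZIP prefix and
// device family instead of model. Coarser, but still usable for analytics.
let generalizedKey: (FitnessRecord) -> String = { r in
    let ageBand = (r.age / 10) * 10
    let zip3 = String(r.zip.prefix(3))
    let family = r.device.hasPrefix("Apple Watch") ? "Apple Watch" : "Other"
    return "\(ageBand)|\(zip3)|\(r.gender)|\(family)"
}

print("raw export:         unique=\(uniquenessRate(records, key: rawKey)) k=\(kAnonymity(records, key: rawKey))")
print("generalized export: unique=\(uniquenessRate(records, key: generalizedKey)) k=\(kAnonymity(records, key: generalizedKey))")
```

Run as a script with `swift`. With the raw key, six of the ten constructed records are alone in their class on age, ZIP code, gender and device model, with no name anywhere in the file; with age bands, ZIP prefixes and device family, every class has at least two members. The check a policy reader should expect a company to have done is exactly this one: an export with the names stripped is not anonymous until its quasi-identifiers have been coarsened and the smallest class measured.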

Health Data Regulations: Where Do We Stand?

Several regulations aim to protect health data, but coverage is uneven.

HIPAA (United States)

HIPAA protects health data held by healthcare providers and their business associates. However, HIPAA does not cover most fitness apps. Unless your step tracker is prescribed by a doctor or integrated into a clinical program, HIPAA likely doesn’t apply.

GDPR (European Union)

The GDPR classifies health data as “special category” data requiring explicit consent for processing. This means EU-based users have stronger protections — apps must clearly explain what data they collect and why, and users can request deletion.

State Privacy Laws (US)

States like California (CCPA/CPRA), Colorado, and Virginia have passed consumer privacy laws that cover health data from fitness apps. Washington’s My Health My Data Act, enacted in 2023, specifically targets consumer health data outside HIPAA’s scope.

The Gap

For most fitness app users worldwide, there is no comprehensive law specifically protecting the data your step tracker collects. This makes the app’s own privacy practices — and your ability to evaluate them — critically important.

How to Evaluate a Fitness App’s Privacy Policy

Not all privacy policies are created equal. Here’s what to look for when evaluating a step tracking app.

1. What Data Is Collected?

Look for a clear, specific list of data types. Be wary of vague language like “we may collect information related to your use of the app.” Good privacy policies enumerate exactly what they collect.

2. Where Is Data Stored?

There are three common models:

  • On-device only — your data stays on your phone and watch. This is the most private option.
  • Company servers — your data is uploaded and stored on the app developer’s cloud infrastructure.
  • Third-party cloud — your data is stored on someone else’s servers (AWS, Google Cloud, etc.), sometimes in multiple countries.

3. Who Gets Access?

Check whether the app shares data with:

  • Advertisers and ad networks
  • Data brokers
  • Analytics providers
  • “Business partners” (an intentionally vague category)
  • Researchers or academic institutions

4. Can You Delete Your Data?

A trustworthy app lets you delete your data — truly delete it, not just hide it. And deletion should include any copies on their servers, not just what’s visible in the app.

5. What Happens If the Company Is Sold?

Many privacy policies include a clause allowing data transfer in the event of a merger or acquisition. This means data collected by a privacy-respecting company can end up in the hands of a less scrupulous buyer.

On-Device Processing: The Gold Standard

The most effective way to protect fitness data is simple: don’t send it to a server in the first place.

On-device processing means your health data is stored locally on your phone and watch. It never touches a company’s servers. It can’t be included in a data breach because it was never uploaded. It can’t be sold to advertisers because the company never had it.

Apple’s HealthKit framework is designed to support this model. Apps can read step data from Apple Health, process it locally, and display insights — all without ever transmitting your health information to an external server.
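The on-device pattern this paragraph describes, as an added example (this is not StepMelon's code): a small HealthKit client that asks for read-only access to step counts, pulls the last seven daily totals from Apple Health with a statistics collection query, and derives a weekly summary from those numbers in memory. `LocalStepSummary`, `weeklyInsight` and `StepsError` are names chosen for this example. It assumes an iOS 15 / watchOS 8 or later target with the HealthKit capability enabled and an `NSHealthShareUsageDescription` string in Info.plist.

```swift
import Foundation
import HealthKit

enum StepsError: Error { case unavailable }

/// Reads step data from Apple Health and keeps it in this process. There is no
/// URLSession, no endpoint and no account anywhere in this type.
final class LocalStepSummary {
    private let store = HKHealthStore()
    private let stepType = HKQuantityType(.stepCount)

    /// Request the minimum scope the feature needs: read access to step counts only.
    /// Note: HealthKit does not reveal whether the user denied *read* access;
    /// a denied read simply returns no samples, which protects the user's choice.
    func requestReadAccess() async throws {
        guard HKHealthStore.isHealthDataAvailable() else { throw StepsError.unavailable }
        try await store.requestAuthorization(toShare: [], read: [stepType])
    }

    /// Daily step totals for the last `days` days, oldest first.
    func dailyTotals(days: Int = 7) async throws -> [(day: Date, steps: Int)] {
        let calendar = Calendar.current
        let endOfToday = calendar.startOfDay(for: Date()).addingTimeInterval(24 * 60 * 60)
        let start = calendar.date(byAdding: .day, value: -days, to: endOfToday)!
        let predicate = HKQuery.predicateForSamples(withStart: start, end: endOfToday, options: .strictStartDate)

        return try await withCheckedThrowingContinuation { continuation in
            // cumulativeSum over one-day buckets gives one HKStatistics per day.
            let query = HKStatisticsCollectionQuery(
                quantityType: stepType,
                quantitySamplePredicate: predicate,
                options: .cumulativeSum,
                anchorDate: calendar.startOfDay(for: start),
                intervalComponents: DateComponents(day: 1))
            query.initialResultsHandler = { _, collection, error in
                if let error = error {
                    continuation.resume(throwing: error)
                    return
                }
                var totals: [(day: Date, steps: Int)] = []
                collection?.enumerateStatistics(from: start, to: endOfToday) { stats, _ in
                    let count = stats.sumQuantity()?.doubleValue(for: .count()) ?? 0
                    totals.append((day: stats.startDate, steps: Int(count)))
                }
                continuation.resume(returning: totals)
            }
            store.execute(query)
        }
    }
}

/// The "insight" is a pure function over numbers already on the device.
func weeklyInsight(_ totals: [(day: Date, steps: Int)], goal: Int) -> (average: Int, daysHitGoal: Int) {
    guard !totals.isEmpty else { return (average: 0, daysHitGoal: 0) }
    let sum = totals.reduce(0) { $0 + $1.steps }
    return (average: sum / totals.count, daysHitGoal: totals.filter { $0.steps >= goal }.count)
}

// Usage from an async context, e.g. a SwiftUI .task modifier:
//   let summary = LocalStepSummary()
//   try await summary.requestReadAccess()
//   let insight = weeklyInsight(try await summary.dailyTotals(), goal: 8000)
```

The property that makes this design private is structural rather than a policy promise: the HealthKit query is the end of the data path, and the result is consumed only by the view that displays it. When evaluating an app against this standard, the question is whether any code path carries HealthKit results into a network request; if none does, the App Store privacy label should read "Data Not Collected" for health data.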

Benefits of On-Device Data Processing

  • No data breach risk — can’t breach what you don’t have
  • No third-party access — your data stays between your devices
  • No server dependency — the app works even if the company goes offline
  • Faster performance — no network requests for basic features
  • True data ownership — your health data belongs to you, period

The iCloud Sync Exception

Some on-device apps offer sync between your personal devices (like Apple Watch to iPhone) through your personal iCloud account. This is fundamentally different from uploading to a company’s server — the data lives in your own iCloud storage, encrypted with your personal keys, and the app developer never has access to it.

How StepMelon Handles Your Data

StepMelon was built with a privacy-first architecture from day one. Here’s how it works:

All Data Stays on Your Devices

Your step counts, goals, streaks, and analytics are stored locally on your Apple Watch and iPhone. StepMelon never uploads your health data to external servers.

Sync Through Personal iCloud

If you use StepMelon on both your Apple Watch and iPhone, data syncs through your personal iCloud account. This means:

  • Only your Apple ID has access
  • Data is encrypted in transit and at rest
  • StepMelon (the company) never sees your data
  • If you delete the app, your data goes with it

No Accounts Required

You don’t need to create an account, provide an email address, or share any personal information to use StepMelon. There’s no signup flow because there’s nothing to sign up for.

No Analytics on Your Health Data

StepMelon doesn’t track what step counts you hit, what goals you set, or how often you use rest days. The app collects no behavioral analytics tied to your health data.

Apple’s Privacy Nutrition Label

You can verify any app’s data practices by checking its App Store privacy label. StepMelon’s label confirms: no data collected that is linked to your identity.

Practical Steps to Protect Your Fitness Data

Regardless of which step tracker you use, here are steps to protect your health data:

1. Review App Permissions

Check which apps have access to Apple Health data. Go to Health > Sharing > Apps on your iPhone. Revoke access for any apps you no longer use.

2. Check Privacy Labels Before Downloading

Every App Store listing includes a privacy nutrition label. Check it before installing any fitness app. Look for “Data Not Collected” or “Data Not Linked to You” as positive indicators.

3. Minimize Data Sharing

If an app asks for location access, camera access, or contacts — ask yourself why a step counter needs that information. Grant only the permissions that are essential.

4. Prefer On-Device Apps

Choose apps that process data locally over those that require cloud accounts. Your Apple Watch already has powerful step tracking sensors — a good app leverages them without exporting your data.

5. Export and Delete Regularly

If you use a cloud-based fitness app, periodically export your data (if supported) and consider deleting your account when switching to a more private alternative.

6. Use Strong Authentication

Enable two-factor authentication on any fitness accounts you do maintain. If a breach occurs, strong authentication limits the damage.

The Future of Fitness Data Privacy

The trend is moving toward stronger privacy protections. Apple’s ongoing investment in on-device processing, new state-level privacy laws, and growing consumer awareness are all pushing the industry toward better practices.

But regulation alone won’t solve the problem. The most effective protection is architectural — choosing apps that are designed from the ground up to minimize data collection. As the saying goes in security: the safest data is data that was never collected.

When you’re choosing a step tracker, features like customizable goals and built-in rest days matter for your fitness. But the app’s privacy architecture matters for everything else — your insurance rates, your employment prospects, your personal security, and your fundamental right to keep your health information private. See our comparison of the best step counter apps to understand how different apps handle privacy.

The Bottom Line

Your fitness data is more sensitive than most people realize. It reveals patterns about your health, habits, location, and lifestyle that have real-world consequences when shared, sold, or breached.

Before choosing your next step tracker, look beyond features and design. Read the privacy policy. Check the App Store privacy label. Ask the fundamental question: does this company need my health data on their servers to count my steps?

The answer, almost always, is no.

References

  1. Rocher, L., Hendrickx, J.M., & de Montjoye, Y-A. (2019). “Estimating the success of re-identifications in incomplete datasets using generative models.” Nature Communications, 10, 3069. https://www.nature.com/articles/s41467-019-10933-3

  2. Electronic Frontier Foundation. “Medical Privacy.” https://www.eff.org/issues/medical-privacy

  3. Washington State Legislature. “Chapter 19.373 RCW: Washington My Health My Data Act.” https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true

  4. Under Armour. (2018). “Under Armour Notifies MyFitnessPal Users of Data Security Issue.” https://www.cnbc.com/2018/03/29/under-armour-stock-falls-after-company-admits-data-breach.html

  5. Hsu, J. (2018). “Strava Fitness Tracker Heat Map Reveals Military Base Locations.” The Guardian. https://www.techtarget.com/searchsecurity/answer/How-did-Stravas-Global-Heatmap-disclose-sensitive-US-info


Want a step tracker that respects your privacy? Download StepMelon for Apple Watch — all your data stays on your devices, with no accounts, no tracking, and no data collection. Free on the App Store.