When you use a connected treadmill or exercise bike, you probably expect the service to record data like how long you ran or biked and your pace. If you’re a BowFlex user, however, you might be surprised to learn that the company, in its privacy policy, also grants itself the right to collect and share data on how you smell.
Whether this really happens, or ever will in the future, is not clear. The company did not respond to requests for comment. But while your exercise service claiming the right to collect data on your smell may seem more strange than worrying, it hints at how many companies approach data collection.
A recent CR investigation shows that companies providing on-demand workout and fitness services tend to give themselves permission to collect lots of information about you, including potentially sensitive health data. This might include your heart rate, or your weight and how it changes over time. It might even include information about your reproductive health.
The smart home gym company Tonal, for example, says it may collect data about your pregnancy status, while Peloton offers workouts specifically for pregnancy, and collects information about any workouts you participate in. (Surveillance of pregnant people has become a concern for many Americans in the wake of state and proposed national measures to restrict abortion access.)
In short, when you use a connected exercise machine or app, the company behind it could be collecting and sharing a lot more than just the length and intensity of your workouts. And thanks to broad privacy policies, it’s hard to know where your data will end up and how it will be used.
Data Your Exercise App Collects
Consumer Reports’ digital privacy experts dove deep into the privacy policies and practices of companies that offer connected exercise devices and services, including popular bikes and treadmills from companies including Peloton and NordicTrack, and wall-mounted home gym systems such as Tonal and Lululemon Studio (formerly a separate company called Mirror).
The researchers didn’t find too many surprises: The legalese looks a lot like the policies that govern other online activities. But that’s especially concerning for these services, our experts say, because the information they collect may reveal sensitive information about your health.
“It seems like they used the same boilerplate language that you see across the internet, which is essentially a lengthy and hard-to-decipher catalog of types of info they collect,” says CR’s Matt Schwartz, a policy analyst who focuses on privacy. They then give themselves “carte blanche to do whatever they want with that data, even if they don’t currently have a use case for it.”
Many people assume that more sensitive health-related data enjoys stricter privacy protections than other kinds of data. But outside of the narrow bounds of where HIPAA applies—that is, your direct interactions with a healthcare provider like a doctor or clinic—no such national protections exist. In many cases, health data you provide to exercise companies may be treated with no more sensitivity than your shoe shopping habits.
For our study, we evaluated 10 fitness brands:
- BowFlex (including its associated JRNY app)
- Concept2 (including its associated ErgData app)
- Hydrow
- Kinomap
- Lululemon (including Lululemon Studio, formerly Mirror, fitness devices)
- NordicTrack (including its associated iFit app)
- Peloton
- Tempo
- Tonal
- Zwift
Our experts reviewed the privacy policies of each service and analyzed the computer code of each app. We looked closely at how companies’ privacy policies state they handle data on pregnancy, heart rate, and calories burned. We also monitored the communications of two pieces of physical equipment, a BowFlex elliptical and a NordicTrack treadmill, to see whether they were transmitting user data (such as email addresses and passwords) securely.
The data transmitted from the treadmill and elliptical were properly encrypted. However, our researchers found potentially troubling information in the privacy policies of nearly all the services we investigated.
Here is some of the information these companies reserve the right to collect.
Basic demographic info: All the services collect certain basic information, such as your name and contact information, weight, height, sex and/or gender, and age. Some also collect seemingly irrelevant information such as marital status.
Workout info: All collect information about your workouts, such as your heart rate if you’re using a device that allows heart rate to be captured (such as a smart watch). Other types of data in this category include the date and type of each workout you perform, your pace and distance, and estimates of calories burned.
Other health data: Generally, these services also collect health-related data, much of it provided by the user. For instance, an app may ask about your dietary habits, injuries you’re recovering from, other medical conditions, allergies, hobbies, interests, or (in the case of Lululemon’s wall-mounted fitness system) your clothing and shoe size. For some services, this also includes pregnancy data.
But not all of this health data is provided by you directly. If you’ve connected your exercise service with another health app, such as Apple Health, the service may also collect information from that app, depending on your privacy settings. Tempo, for example, says that it may collect data about your sleep in this way. Some health data (and other information) may also come from other third parties that the companies work with, like social media networks and companies that track your web browsing history.
Video and audio data: Some services, such as Peloton, Lululemon Studio, Tonal, and Tempo (which offers connected weights that detect how you use them for strength training), collect visual and audio recordings of you or information on how you move, using sensors built into the equipment. Tonal, for example, says it stores video recordings of your workout, as well as data about the position and movements of users’ head, arms, hands, feet, legs and torso.
Inferences that can be made from all of this data: The privacy policies of several companies state that they may also make inferences about you and your health from the data they collect. Lululemon’s privacy policy says, “For example, we may infer your location based on your IP address, or your purchasing habits based on your browsing behavior on our Services,” while Peloton’s says that its inferences are used to personalize your experience, such as “suggesting workouts or classes you may enjoy and communications which may be of interest.”
Steve Blair, a CR privacy expert who led the testing and analysis for this project, says he’s particularly concerned when an app encourages you to connect to other services, such as Apple Health or Google Fit, or to share your workout data through a public profile. Blair says that creates opportunities for both users and other companies to make guesses about who you are and what’s going on with your health.
And apart from how companies might share your exercise-related information, the fact that they are storing it at all puts you at risk from data breaches and criminal scams. “The data lives somewhere,” Blair says. “If it’s on a company’s server, how secure is that server?” Theft of such data, including video and audio recordings, could be hugely useful to criminals attempting to use your likeness for phishing schemes and more, Blair says.
What Can Companies Do With Your Data?
So, what are these companies doing with all this workout data they’re collecting? Who else can see or use it?
Well, apart from Kinomap, which specifically says it shares information with the International Olympic Committee, it’s hard to say for sure. (Kinomap didn’t respond to a question from CR about this.)
In most cases, your data could be shared with a very extensive group of companies. It includes fraud protection companies, IT and technical support providers, payment processors, analytics providers, advertisers, marketing and database management firms, law enforcement, government regulators, and more.
A few privacy policies outline specific reasons why certain outside companies might receive your data. Tempo, for example, partners with a company called Prism Labs, which calculates body composition based on head-to-toe 3D body scans.
In all cases, the privacy policies allow the companies to share your information with at least some other organizations. As the privacy policies of BowFlex and several other companies point out, in certain situations, this may be legally considered to be “selling” your data under the California Consumer Privacy Act or other state privacy laws.
Some, but not all, of these fitness companies also offer separate privacy policies specifically to cover consumer health information, a category of data defined by a handful of state privacy laws. Washington, Nevada, and Connecticut are a few of the states that have enacted such laws, which make it unlawful, for example, to sell consumer health data without first getting users’ consent. Definitions of consumer health data vary by state but may include any data that would allow a company to infer a person’s physical or mental health diagnoses.
These state-specific policies occasionally shed a bit more light on data protections the companies have in place. Tonal, which collects health information that can include pregnancy data, explicitly states that it neither sells nor shares consumer health data, beyond what you might grant permission for by integrating your Tonal information with Apple Health, for example.
Several companies say that the purpose of sharing your data with analytics and advertising providers may be to target you with ads. Language like this is a red flag, according to Justin Sherman, CEO of research and advisory firm Global Cyber Strategies. That’s because it potentially gives companies the right to share your data with data brokers.
Data brokers collect information on individuals from a wide range of sources and provide it for other companies’ use. In many cases, their customers use the information for targeted advertising, but health data generated by exercise services could also end up being shared with other clients, including insurance companies, similar to how information on driving behavior has been collected by car manufacturers, then ultimately shared with car insurers.
It’s not a stretch to imagine life, disability, or long-term care insurers making use of such data to help determine your coverage or premiums, Sherman says. “That is absolutely the kind of thing that’s in market demand.”
We reached out to all the companies whose services we evaluated and asked them about our findings, including why such widespread data collection is necessary to provide their services, how they comply with state-level privacy laws, and what protections they have in place to keep customers’ data from being shared with data brokers.
Most didn’t respond.
Peloton provided some additional context on how it treats data on customers who participate in pregnancy-oriented workouts. “While we do not collect medical or health information, certain privacy-related laws may classify some of our offerings—such as pregnancy-related workouts or accessibility features—as health-related information,” a company spokesperson told us. “Importantly, Peloton does not make any assumptions about a Member’s health or medical conditions based on their workout selections.” Peloton also told us it doesn’t sell its members’ information to data brokers, though the company’s privacy policy says it may use the data it collects for marketing.
A representative from Hydrow told us that they “fully adhere to all applicable data privacy regulations.”
We also asked Tonal about its practice of storing video of users. “We save only those recordings that a customer has decided to save. Saving the recordings allows Tonal to provide guidance to the member about their form and power self-serve tools that enhance users’ workout experience,” the company told us. “Members can review their videos to assess their form and refine their movements. If desired, they can delete their recordings at any time.”
What You Can Do
If you use an exercise service app, check your privacy settings to make sure you aren’t publicly sharing anything you don’t want to. For some services, like Hydrow, your exercise data is public to other app users by default, and you have to actively change your settings to make your workout data private.
Blair finds this to be counterintuitive. “When you go to the gym, do you wear a name tag? I don’t,” he says.
We also checked on how consumers can delete their data for each of these services. Only ErgData, Hydrow, and Tempo allow you to delete your account directly from the app, while iFit allows you to clear all your stored data from within the app.
In several cases, however, there was no way to delete all, or sometimes any, of your stored data from within the app. You’d need to reach out to the company to request your data be deleted, or to get information about whom your data has been shared with. Two companies—BowFlex and Zwift—stated that in some circumstances they may even charge you a fee for this service.
Some state-level privacy laws, such as Oregon’s and Delaware’s, may allow you to request a list of which third parties (including data brokers) your data has been shared with. In some cases, you can also request that your data be deleted. (If you’re a Peloton user and you’re interested in getting help with that process, CR’s Permission Slip app can help.)
Sherman says that in California, you can also contact data brokerage firms directly. The state maintains a list of data brokerage firms, so that you can contact them directly and request to see and/or delete information. There are a lot of such firms; Permission Slip Plus users can file bulk requests to more than 100 data brokerages at once. And starting in 2026, California will be setting up a tool that provides a way to request deletion of your data held by all data brokers at once (rather than going one by one).
One thing to consider if you’re not already hooked on a connected fitness regimen: You can choose a treadmill, a bike, or an elliptical that doesn’t require data collection by the manufacturer.
Here are some of CR’s top-rated treadmills that don’t require you to connect with an app on your phone or to an on-demand exercise subscription service.
Editor’s note: An earlier version of this article referred to sharing fitness data with Google Health. The name of the relevant service is Google Fit.
Catherine Roberts
Catherine Roberts is a health and science journalist at Consumer Reports. She has been at CR since 2016, covering infectious diseases, bugs and bug sprays, consumer medical devices like hearing aids and blood pressure monitors, health privacy, and more. As a civilian, her passions include bike rides, horror films and fiction, and research rabbit holes. Follow her on Twitter @catharob.