We analyze privacy policies from six fitness trackers used by runners and give our thoughts on each
Apple, Coros, Garmin, Polar, Strava, and Suunto
Your privacy matters and it’s important to know how brands handle your personal data
This week, Joe Rogan, host of the most popular podcast in the world (The Joe Rogan Experience), posted an image to Instagram that may have single-handedly canceled a Finnish fitness brand. The brand in question was Polar, the device in question was its heart rate monitor, and the topic in question was an update to its privacy policy.
As shown in Rogan’s post, Polar updated the wording in its privacy policy, and subsequently asked its users to consent to the new terms, which included an agreement that “personal data may be transferred and processed outside my country of origin” and that “Polar may collect and process my sensitive personal data related to my health.”
At first glance, it’s alarming– why does Polar need to transfer my data to other countries, and what’s up with them collecting “sensitive personal data?” Dig a little deeper, and it’s not as sinister, though, and as with most privacy policies– it’s not as clean cut as we’d like it to be.
For starters, Rogan was in Europe at the time of his post, which has an entirely different set of privacy rules that are much stricter than those here in the U.S. He likely received the updated terms because he was within the boundaries of the European Union (EU)/European Economic Area (EEA).
Further, Polar put out a press release in June notifying its customers that its terms had been updated, but that this is merely a semantic change to comply with EU rules regarding sensitive data. The EU/EEA is known for having the strictest rules on earth regarding privacy, so this is believable. Nothing had changed in regards to its longstanding privacy policy, which states that Polar only imports data onto its own servers in Finland, and that a user’s data is never sold to third parties or other countries.
According to Polar, the sensitive personal data is gathered for the purposes of providing training recommendations and metrics. Of course, if you don’t consent, you don’t get your metrics in the Polar Flow app, which renders your devices functionally useless. In short, it’s forced consent.
Not great, but is this any different than any other tech company in the running world? We wanted to know for sure, so we did a cursory review of the privacy policies of the top GPS watch manufacturers and fitness tracking devices for runners. By comparing each brand’s privacy policy, we hope you can decide which one best fits your preferences. Maybe you don’t care at all. In that case, go for whichever watch suits your needs the best. After all, they all use your data to some degree, it’s just that some are more intrusive than others.
We’re not going to go into the myriad ways that your data is being used and sold across every device and website you use (if you want a more thorough look, check out this great rundown from Wired). Just know that at the end of the day, you’ll find that your data is processed and used by any brand you attach to your wrist.
After all, places like the United States are the Wild West in terms of privacy– few laws exist or are ever upheld in the realm of data privacy. In many ways, it’s on the individual brands to establish trust, which is easy to abuse when most of us click away on consent boxes in our rush to access the best device for our training.
That said, there are levels to what data is used and where it’s sold, which we’ll try to break down over the course of this article. We’ll walk you through some of the top training device brands and let you know how their privacy policies stack up with others. Hopefully it helps separate some facts from celebrity snap judgements, and allows you to make considerations when choosing the right tech for your own personal privacy.
Believe in the Run uses Strava for activity tracking, but has never worked with the brand in terms of sponsorships or reviews.
The most-used social fitness app for runners, Strava is one of the third party apps that the others on this list need data sharing permissions to access. It also has its own standalone fitness tracker that can be used from your mobile device. As with any app, it collects data.
As far as data collection, Strava is pretty straightforward and in line with all the others on this list. It’s a fitness app, so it needs basic information like name, email, date of birth, weight, username, and password. It does collect location information, but does not track your device location when you’re not using the service. Bonus points for that.
Regarding health information, you must give explicit consent before Strava can process your health information (i.e. heart rate, power, cadence, and other indicators).
Strava does go a bit deeper than others when it comes to data collection of devices, as it does access log files from your devices, including IP addresses, browser type, platform type, and number of clicks. This is used to analyze trends, track user movement, and gather broad demographic information.
How does Strava use this data? Obviously within its own ecosystem, for activity maps, challenges, leaderboards, route planning, etc. It will also use the info to target you with promotions, which is par for the course. However, in regards to targeted advertising, they have a pretty easy way to opt out within the app, which is appreciated.
Does Strava sell your data? Strava explicitly states that it does not sell personal information for monetary value. It does share with third party service providers, but only to the extent that your information is necessary (i.e. payment systems, analytics, etc.).
Now, while Strava doesn’t sell personal information, it may use, sell, license, and share aggregate information about its users. Aggregate information is data about equipment, usage, demographics, routes, etc., and is used to improve maps and routes. Good news again– you can also opt out of this within the privacy controls of the app.
More good news– Strava operates from the United States and its data stays within the United States. If you are located outside the U.S., your data is transferred to Strava within the U.S., while using international legal mechanisms to ensure it complies with applicable law.
Another good thing about Strava is that if you opt out of Strava processing your health information, you can still use the app and retain your activity history, which– as far as we can tell– is the only company on this list that allows you to withdraw consent and effectively still use its service.
Our verdict? By far, Strava retains the least amount of data and has the best privacy practices as far as giving the user control over their preferences. It’s expected that some amount of data is gathered, but it’s refreshing to see a company put the ball in the user’s court when it comes to privacy. We also appreciate that they don’t track location when the app is closed and that they keep their data within the United States.
However, Strava suffers from some of the same privacy hurdles that other brands have had trouble clearing in the past. As with Polar, Strava also came under intense scrutiny in 2018 after it was discovered that the brand’s Heatmap feature was lighting up the location of covert and non-declared military bases, as outlined in this Forbes article. Since then, Strava has made plenty of changes to convince its users that their privacy is of utmost importance.
Polar’s Privacy Policy
How Polar Defines Sensitive Personal Information
Polar has sponsored past Believe in the Run events and we’ve also written reviews of their products.
Since Polar is at the heart of the Rogan controversy, let’s dive into their privacy policy. To start out, we should note that Polar is a private Finland-based fitness brand that specializes in heart rate monitoring and GPS watches. Relatively speaking, they’re a smaller brand here in the U.S., in comparison to Garmin (and now Coros), but their heart rate monitors are some of the best-selling and best-performing monitors on the market.
Polar is based in the EU, which has the strictest privacy laws in the world under the General Data Protection Regulation (GDPR). However, this only applies to data subjects within the EU, so if you’re using a device in the United States, you’re not covered by the GDPR (even if you’re a European citizen). The likely reason Joe Rogan received an updated notice agreement was because he was within the EU borders at the time. Companies based within the United States also must comply with GDPR data protection when gathering data from European data subjects.
Does Polar sell your data? No. According to Polar, “the data is used only to offer you the service in question, nothing else. Polar does not disclose, give or sell your data to anyone unless [they] are required to do so pursuant to a mandatory provision of law. [They] may use some of the data in research and development work to improve [their] services, but for such purposes data is cleared from identifiers to the maximum amount possible.”
According to their policy, data is transferred outside your country of origin because they need the data to give you accurate training metrics and recommendations. All their servers are based in Finland, Ireland, and Sweden, so your information only goes to those servers, all under the EU/EEA umbrella. When transferred, “Your data will not be disclosed or given to any third parties; it is still under Polar’s control and under your ownership.”
Now, data may be transferred to Polar’s subcontractors that carry out tasks related to Polar, though it doesn’t say who those contractors are or where they are located.
The good news is that you have a lot of rights under their policy, including access to the personal information they have on you, the right to object to the handling of personal data, and the right to refuse profiling and automated decision-making. There are far more rights granted by Polar than other companies.
Overall, Polar has pretty exemplary privacy standards, especially among the brands featured in this article. Your information stays within their ecosystem (which is under the EU/EEA), it’s not shared or sold to anyone other than Polar, and it generally adheres to the guidelines of the GDPR.
That said, as a small company in particular, privacy and security can sometimes prove to be hard to lock down– in 2018, Polar had to suspend its Explore feature and global activity map as flaws in the privacy settings made it easy to determine the location data of users. During that investigation, it was found that the privacy flaws went even deeper, as reporters were able to locate the names and addresses of Polar users, including over 6,000 users who worked near sensitive locations like military bases. They weren’t the only company to have this problem, as we’ll see later on.
Believe in the Run events is currently reviewing Garmin watches for inclusion on this website.
One of the longest-standing and most popular choices for GPS watches and devices, Garmin is a public, U.S.-founded company that is currently incorporated in Switzerland. A top choice among runners for their wide selection of GPS watches, Garmin has become a ubiquitous name for GPS devices within the run space.
Compared to Polar, Garmin has a lighter privacy policy. It doesn’t go into great detail what it actually does with your data, or exactly whom it’s shared with, aside from the usual analytics companies and Facebook, which is pretty par for the course. However, it does offer a pretty robust explanation describing the purpose and legal grounds for each of its data collection points. That kind of transparency is appreciated.
Does Garmin sell your data? Garmin’s policy doesn’t explicitly state that it won’t share, sell, or give your data to third parties. In fact, it explicitly states that it may share your information with others: “We may process and disclose personal data about you to others: (a) if we have your valid consent to do so.” To use its devices, you must grant consent, so you’re essentially granting them permission to share with “others,” a vague term that isn’t defined within the privacy policy.
If you’re opted in, Garmin collects a fair amount of location data on a pretty continual basis (though it doesn’t say whether or not it collects data while the app is closed). It may also share aggregated data with third parties to enhance the quality of its products.
By using Garmin products, you also give them permission to use your personal information interchangeably between Garmin-owned companies and subsidiaries, of which there are over 70, including five in China.
The good news is that if you’re in the U.S., your info is stored on servers within the U.S., UK, and/or Australia. If you’re in mainland China, your information is stored on servers within mainland China. In this way, your information is siloed in your home country’s server.
Also, through your Account Management Center, Garmin makes it easy to view your personal data, request a copy, and also request to delete (though this deletes your entire account).
Our verdict? We appreciate that Garmin is one of the few U.S.-based companies, and their privacy policy is fairly robust in comparison to others, with supporting explanations for the data collection. That said, there is some vague wording regarding shared information with third parties. As a prominent contractor with the U.S. military, we’d also like to see more transparency about whether or not our data is being shared with the U.S. government, and to what extent.
However, Garmin was also the victim of a huge ransomware attack in 2020 that shut down its entire system (I’m sure you remember this if you were a Garmin user at the time). Garmin contends that no customer data was accessed, lost, or stolen in the attack, but the hackers demanded $10 million to restore access to the data. It can’t be confirmed whether or not Garmin paid the ransom, but it’s widely believed they did. Four days after the demands, Garmin’s services were restored, but it was a huge headache for users and obviously, the company itself.
Believe in the Run has reviewed a version of the Apple Watch in the past.
The most valuable corporation in the world, Apple is known for its simplistic styling and easy-to-use interfaces. For running purposes, its Apple Watch and Apple Watch Pro are used by athletes for GPS tracking, metrics, and cellular accessibility on the go.
Honestly, I’m not even sure where to start with Apple. According to the company’s privacy page, they strongly believe in fundamental privacy rights, treating any data that identifies you as “personal data.” I’m pretty sure everyone can agree on that.
They continue by letting you know they “respect your ability to know, access, correct, transfer, restrict the processing of, and delete your personal data.” Then they make it hard as hell to actually learn what they collect. To get that information, you must log into your account, click to download a summary of the categories of personal information that Apple collects, realize it won’t actually download, but instead will make you wait three days before emailing you a summary. Supposedly there may be other hoops to jump through as well. Still waiting to see.
Of course, the Privacy Policy then goes into great detail about all the information they collect, which is about everything you can imagine.
That said, within certain apps in the Apple ecosystem (including the health app), you are able to turn on and off sharing with third parties, which is a good thing.
Does Apple sell your data? According to Apple– no, but it does allow companies access to aggregated data for targeted advertising within its own devices.
Additionally, Apple shares your data with Apple-affiliated companies, service providers who act on their behalf, their partners, developers, and publishers, or others at your direction. They also explicitly state that “your personal data may be transferred to or accessed by entities around the world.” That seems pretty extensive and a bit vague.
Our verdict? Obviously, we’re not surprised by the amount of data that Apple gathers. It’s extensive and broad, and while they’re fairly transparent about what they collect and allegedly go to great lengths to protect that information, it’s still just… a lot. In terms of sharing your information, “Apple-affiliated” companies is such a broad term that it’s really hard to say where or with whom your data is being shipped off to.
Believe in the Run has reviewed most models of Coros GPS watches in the past. Coros has also been a supporting sponsor of Winter GRIT.
Over the last few years, Coros has risen from a never-heard-of brand to one of the top GPS watch choices in the running world. Everyone here at Believe in the Run wears a Coros watch, and we were lifetime Garmin wearers before that. The speed at which Coros developed and manufactured their watches– with long battery life and pinpoint accuracy– was a bit breathtaking.
Maybe it shouldn’t have been. After all, Coros is owned by Guangdong COROS Sports Technology Company, a Chinese company that specializes in, well… sports technology. This would be hard to determine from their website, as there is no mention of China or its ownership, just info about its U.S. headquarters in California and its European headquarters in the Netherlands.
As with all of the brands in this article, you are not obliged to give Coros your data. However, you won’t be able to use some of their services (i.e. every service you actually want to use to see your training.)
Things don’t exactly get better from there as far as data sharing is concerned.
If you contact customer support, Coros processes Contact Data, Login Data, End Device Data, Account Data, Health Data, Health Status Data, Training Data, and Communication Data (all these are defined at the bottom of this page).
According to the company, “the legal basis of the processing is the performance of a contract to which you are a party or taking steps at your request before entering into a contract (Art. 6(1)(1)(b) GDPR) and, regarding access to health data and the transfer of personal data to China, your explicit consent (Art. 6(1)(1)(a), 9(2)(a) GDPR).”
You may revoke this consent at any time, but again, you won’t be able to access its services.
By agreeing to those terms, Coros also explicitly states that it will transfer your data to a few categories of recipients, including the hosting provider and group companies of Coros (defined as companies affiliated with COROS Wearables Inc., including companies with registered offices in China).
Also, by simply giving your explicit consent (cf. Art. 49(1)(1)(a) GDPR) to the Coros Privacy Policy agreement, Coros will transfer personal data to countries outside the EU that “may not provide for an adequate level of data protection (in particular to the USA and China). This entails the risk that personal data may also be accessed and processed for the purposes of authorities and/or third parties without your knowledge and that there may be no efficient legal protection against such access and processing.”
The good news? According to Coros, users must manually submit feedback via app/watch for COROS staff (i.e. support) to see it (i.e. for troubleshooting). So there is that level of protection for the user. That means Coros can’t just look into someone’s data, even for troubleshooting, without giving manual permission for them to do so.
Does Coros sell your data? Under the California Consumer Privacy Act (CCPA) section of their privacy policy, Coros says that it does not sell data to any third parties, but that it does share with service providers. However, they restrict service providers from using personal information for any purpose not related to their engagement. After this article was published Coros reached out to me and said this restriction applies to all users; they have “never, and will never sell data to third parties.”
While there’s some transparency and opt-outs available under the California Consumer Privacy Act, it’s unclear if any of those are granted to users outside of California.
Our verdict? Coros is fairly transparent, and pretty similar to others on the list. That said, they are a Chinese-owned company with offices in China, and your data is transferred to its affiliated companies with registered offices in China. Additionally, data is shared to servers that may not have the same sufficient levels of privacy protection within the EU. Where it goes from there, we can’t say. We love the watches, but not the privacy policy. However, if you have TikTok on your phone, disregard this whole section and carry on, because you don’t care about your privacy anyway.
Believe in the Run has not reviewed Suunto products in the past.
Founded over 80 years ago by Tuomas Vohlonen, a Finnish adventurer, Suunto is rooted in the legacy of navigation. Today, the brand is owned by Chinese-based Liesheng − a leading Chinese technology company focusing on the smart & sport wearables electronics segment. It was sold to Liesheng in 2022 by Chinese-based Amer Sports, China’s largest sportswear manufacturer, home to brands like Salomon and Arc’teryx.
Suunto rounds out the “big four” of running GPS watches, and is actually the one watch brand we have never tested here at Believe in the Run (though we may be reviewing some of their gear in the future).
Looking at Suunto’s privacy policy, it’s one of the more straightforward policies and is generally up front about the data they’re collecting and where it’s going. However, it’s kind of a birds-eye view and doesn’t really get into specifics about exactly where and with whom your data is shared.
Like most companies, Suunto does collect a fair amount of data, including your IP address, access times, pages you visit, links you use, etc. when accessing from your desktop. This isn’t surprising, everyone collects the same info and shares it with analytic companies.
Any information provided to Suunto is retained, including your name, training data, age, gender, usernames, and passwords. They also collect biometric data, including blood pressure, heart rate, and fingerprints (some of their watches have unlocking with fingerprint data). Essentially, all the stuff related to your device and training.
Suunto also records location data “even when [your] certain services such as the mobile apps are closed or not in use.” That’s kind of a big one, because a lot of people assume it’s not tracking if the app is closed out, which apparently is not the case with Suunto.
Does Suunto sell your data? We don’t know, but almost assuredly yes (as you will see). Nowhere in its privacy policy does it explicitly state whether it does or does not sell your data to third parties. If you’re a California resident, you do have the right to know if they’re selling your data, and a right to request that Suunto does not sell your info. However, get this– “a request of ‘Do Not Sell My Info’ will result in the deletion of all information that Suunto or its affiliate has on file about you.” Truly amazing, and another example of forced consent.
In terms of processing your data, Suunto uses your personal data to develop their products and market them, though they do not disclose your personal data to companies which use Suunto to promote their own products and services.
In regards to sharing your data across borders, Suunto’s privacy policy states that your personal data may be transferred outside the country where you use its services, including to countries outside the European Economic Area (EEA) where the level of data protection may not be deemed adequate. As noted above, Suunto is a Chinese company, so it’s safe to assume your personal data is being sent overseas to China.
If you want to learn more about where and how your data is being processed internationally, you may contact them at a listed email address within the privacy policy.
Our verdict? While we appreciate Suunto’s somewhat straightforward approach to its privacy policy, they do gather and share a large variety of personal data. We definitely don’t love that they use location tracking when the app is closed out. Or that they delete all your data if you’re a California resident who asks them not to sell your data. As a Chinese company, you can assume your data is being shared outside of the United States. Where it goes from there, it’s hard to say.
The fact of the matter is, data is the golden egg from the golden goose, and every company is going to want it. The device you own is the tip of the iceberg, the data is everything beneath it. Whether that’s to perfect their own algorithms and training modules, or to sell to third parties, or to build AI, it’s a product with a price tag that gains more value as we move toward the future of AI, which will inevitably be enmeshed in our daily lives.
Companies can’t compete on device sales alone; data collection is the business model and that’s not going to change, ever. And while some of these brands are better than others when it comes to privacy, know that almost all of them are better than a majority of the apps running on your phone. From key-logging to persistent location data tracking, most apps are far more intrusive and less transparent about their data collection and sharing.
Hopefully this list can help you sift through the white noise of privacy within the running device world, specifically related to GPS tracking.
One last note– every single one of these companies will hand over your data to law enforcement or the authorities if asked for it, so no matter what, your privacy is never really very private.
Editor’s note (8/25): A previous version of this article stated that Coros was owned by YF Tech. This was incorrect; at one point YF Tech was a minority investor, but Coros is fully owned by Guangdong COROS Sports Technology Company in China.
Privacy Policy Rankings
Robbe is the senior editor of Believe in the Run. He loves going on weird routes through Baltimore, finding trash on the ground, and running with the Faster Bastards. At home in the city, but country at heart. Loves his two boys more than anything. Has the weakest ankles in the game.
Thoughts on Amazfit? It’s a Chinese company but they offer some security. I’m curious because their recent offerings (trex 3) seem to be of amazing value.
What I found on new privacy for the Amazfit Trex 3- https://us.amazfit.com/blogs/blog/amazfit-t-rex-3-leading-the-charge-in-fitness-tech-and-data-privacy?srsltid=AfmBOoraeKUld-YtbPRvAaLjvPHy3HW7PY7-tT9BwJtDS9nErBP8690p
Let me know your thoughts!
Very interesting, but it also looks like they reverse engineered/patent infringed on a ton of competitor products. Local storage is always a plus, but if you ever connect to the app (which is owned by Zepp Health), you can almost guarantee it’s being given over to third parties and/or the government. Zepp Health has a terrible track record of privacy, so I’m going to guess that the privacy points they’re selling are just window dressing.