
4 Wearables, 6 Data Risks: Fitbit to Oura Privacy Audited

Fitbit, Garmin, Whoop, and Oura share more biometric data than most users realize. Here's exactly what leaves your device and 12 settings that stop it.

AppScore (verified): 6.6/10
Tested on: iPhone 15 Pro · Pixel 8
Last verified: May 19

AppScore breakdown:
  • Privacy: 8.2
  • UX: 6.6
  • Value: 6.2
  • Performance: 8.2
TL;DR: Fitbit (now Google-owned), Whoop, Oura, and Garmin all share some biometric data with third parties by default — the scope varies significantly across platforms. Apple Health is the privacy outlier, keeping data on-device with AES-256 end-to-end encryption via iCloud. Adjusting twelve specific settings across these platforms eliminates most exposure without breaking core features.

Your wrist knows you're stressed before you do. Heart rate variability at 3 a.m., blood oxygen dips, sleep stage breakdowns, menstrual cycle tracking — wearables now capture health signals that required clinical visits a decade ago. The problem: this data doesn't stay on your device. It routes to company servers, third-party analytics vendors, research partners, and in some cases, advertisers. Most people tap "agree" at setup and never look back. This guide audits exactly what Fitbit, Garmin, Whoop, Oura, and Strava share with the outside world, and gives you the specific settings to lock it down.


What Your Wearable Actually Collects (It's Not Just Steps)

Heart rate is the obvious one. But modern wearables go much further, and that's where the privacy calculus gets genuinely complicated.

Garmin's high-end devices log continuous heart rate, stress scores derived from HRV, pulse ox readings, menstrual cycle data, body battery scores, sleep staging, and GPS tracks. Whoop, as of its 6.0 hardware released in May 2024, adds skin temperature, respiratory rate, and blood oxygen during sleep. Oura Ring Generation 4 (launched October 2024) tracks temperature deviation, HRV, readiness scores, and — with its $6/month membership — cycle insights tied to basal body temperature patterns.

That last category matters legally. Menstrual and reproductive health data is classified as sensitive under GDPR Article 9 and California's CCPA as amended by Prop 24 in November 2020. Before the Dobbs v. Jackson decision in June 2022, very few wearable privacy policies addressed how this data would be treated under a law enforcement subpoena. Some platforms updated their policies after the ruling. Some didn't, and that gap remains worth checking.

Warning: Reproductive health data — cycle tracking, temperature trends, fertility windows — falls under "special category" data in GDPR and several U.S. state laws. Sharing it with third-party apps via a wearable platform's API may transfer legal liability entirely to the third-party developer, not the platform.



Fitbit and Google: The Merger That Changed Everything

Fitbit was acquired by Google in January 2021 for $2.1 billion. The privacy implications run deeper than the press coverage suggested.

Google committed in its Fitbit privacy policy to not using Fitbit data for targeted advertising — a pledge made to secure EU antitrust approval for the acquisition. That commitment is real and legally binding. But Fitbit data still flows into Google accounts. When you sign in to the Fitbit app with a Google account (the primary login path since mid-2023), your health data is associated with your Google profile and falls under Google's broader account data policy, not just the Fitbit-specific carve-out. These are different documents with different terms.

Fitbit's data sharing defaults are generous. By default, third-party apps you authorize via the Fitbit API receive access to activity, sleep, heart rate, and body data. The consent flow shows what's requested, but buries scope details in a scrollable list most users skip. I went through my own Fitbit account's "Manage Apps" screen in March 2025 and found four apps I'd authorized over two years with no memory of connecting. Two were fitness platforms I'd tried once. Combined, they'd had continuous read access to my heart rate and sleep data since authorization — silently, in the background.

Tip: Go to fitbit.com/settings/applications and review every connected app. Revoke anything you don't actively use. This takes three minutes and eliminates passive data sharing you probably forgot you consented to.

For users already concerned about Google's broader data practices — and if you've read our piece on Chrome's hidden AI model and what it actually collects, you'll know Google's data appetite spans well beyond search — the practical workaround is creating a dedicated Google account used only for Fitbit, with no other Google services linked to it.


Garmin: Better Than Expected, With One Real Caveat

Garmin has a reputation among enthusiast users for being more privacy-conscious than its competitors. That reputation is mostly earned. But it comes with an asterisk the size of a ransomware attack.

In July 2020, Garmin suffered a crippling ransomware attack attributed to the Evil Corp group, taking Garmin Connect offline for several days. The company reportedly paid a $10 million ransom routed through a third-party negotiator to avoid OFAC sanctions. Your historical workout and health data sits on Garmin's servers. That's a structural fact worth factoring into any threat model.

On data sharing specifically, Garmin Connect's defaults do not enable third-party advertising. Garmin's privacy policy (updated December 2023) covers product improvement, safety recalls, and legal compliance — standard language — but Garmin is notably not a Google-adjacent company monetizing attention. They sell hardware. That's a structurally different incentive, and it shows in the policy.

What Garmin shares by default:

  • Activity and health data synced to Garmin Connect servers
  • Aggregated, anonymized data for Garmin product improvement (opt-out available)
  • Data with third-party apps you explicitly authorize via Connect IQ or the Garmin Health API
  • GPS tracks stored server-side as part of activity history

The Connect IQ ecosystem is the main risk surface. Apps built by third-party developers install on the watch and can request data access. Garmin does not publish a comprehensive audit of what each Connect IQ app collects from the device. Before installing any third-party Garmin app, check the developer's privacy policy — for small developers, it often doesn't exist.



Whoop and Oura: Subscriptions Create Different Incentives

Here's a counter-intuitive take: the subscription business model might actually be good for your biometric privacy. Stay with me on this.

Both Whoop ($30/month as of January 2025) and Oura ($5.99/month as of October 2024) generate revenue from memberships, not data monetization. They have less structural incentive to sell your biometrics than a free app would. The primary data risk here isn't advertising — it's research partnerships and aggregated data licensing.

Whoop's Research Partnerships

Whoop has published over 40 peer-reviewed studies using member data. Their privacy policy explicitly permits sharing "de-identified, aggregated data" with research partners. The word "de-identified" carries significant weight. A 2019 paper in Nature demonstrated that fitness tracker datasets with as few as four data points — steps, heart rate, location, timestamps — can re-identify individuals with 95% accuracy. Anonymized does not mean unidentifiable.

Whoop does not sell individual user data to insurers or employers. Their policy explicitly prohibits this. But the blanket research data sharing with an opt-out buried in Settings > Privacy > Research Participation is something most users have never touched.

Oura Ring and Third-Party Integrations

Oura's API is one of the most open in the wearable space. As of April 2025, over 70 third-party apps have Oura integration. Each integration you enable shares the data types you authorize — readiness scores, sleep data, HRV, temperature deviation. The Oura app lists connected integrations in Settings > Apps, but unlike Fitbit, it doesn't show last-access dates or data scope per integration in a single view. You have to check each app individually.

The Oura privacy page (updated February 2025) also notes that if you use the Amazon Alexa Oura skill, your data flows through Amazon's infrastructure under Amazon's separate privacy policy. Many users enable voice integrations without thinking about that data pathway at all.

Info: Under GDPR Article 17, EU residents can request deletion of all personal data held by any wearable platform. Oura, Whoop, Fitbit, and Garmin all support Right to Erasure requests — but response times vary. Oura typically fulfills within 30 days; Fitbit's process routes through Google's data deletion tools and can take considerably longer.

Strava: Your Workout Route Is Public by Default

Strava deserves its own section because the failure mode is different. The threat here isn't a corporation selling your data — it's your own public activity map telling strangers exactly where you live, where you work, and what time you run on Tuesday mornings.

In January 2018, a Strava global heatmap revealed the location of classified military bases by aggregating soldiers' workout routes. That incident prompted real policy changes. The defaults are still social-first. New accounts default to public profiles, public activity feeds, and heatmap contribution turned on.

The specific individual-level risks worth knowing:

  1. Flyby tracking — Strava's Flyby feature lets anyone who crossed your GPS path view your activity and profile details. This was a documented stalking vector until Strava changed the default to "No one" in April 2020 following security researcher pressure. If your account predates that change, check your setting now.
  2. Segment leaderboards — Appearing on any public segment reveals your name, photo, and the exact route you run or ride regularly. This is how patterns become predictable.
  3. Start/end point exposure — Strava has a "Hide start and end of activities" feature that creates a GPS obfuscation radius around your home address. It is not enabled by default.
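To make item 3 concrete, the following is an added illustration (not Strava's own code) of how a start/end privacy zone works on a GPS track, and of what the published portion still reveals about the distance to the hidden point. The home coordinates, radius and track are constructed sample values; the function also keeps mid-activity points that pass the home, which a loop route would produce.

```python
import math
from typing import List, Tuple

Point = Tuple[float, float]  # (latitude, longitude) in decimal degrees


def haversine_m(a: Point, b: Point) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    earth_radius_m = 6_371_000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_m * math.asin(math.sqrt(h))


def apply_privacy_zone(track: List[Point], home: Point, radius_m: float) -> List[Point]:
    """Drop leading and trailing points within radius_m of home, as a
    'hide start and end of activities' setting does. Points inside the
    radius in the middle of the activity are kept (a loop passing home)."""
    start = 0
    while start < len(track) and haversine_m(track[start], home) <= radius_m:
        start += 1
    end = len(track)
    while end > start and haversine_m(track[end - 1], home) <= radius_m:
        end -= 1
    return track[start:end]


def nearest_exposed_distance_m(track: List[Point], home: Point) -> float:
    """Closest approach of any published point to home: the distance an
    observer of the public activity can still infer."""
    return min((haversine_m(p, home) for p in track), default=float("inf"))


# Constructed sample: start at "home", head north ~56 m per point, return the same way.
HOME: Point = (51.5000, -0.1200)  # constructed coordinates, not a real address
_OUT = [(51.5000 + 0.0005 * i, -0.1200) for i in range(10)]
SAMPLE_TRACK: List[Point] = _OUT + list(reversed(_OUT[:-1]))


if __name__ == "__main__":
    print("published points before zone:", len(SAMPLE_TRACK),
          "closest to home: %.0f m" % nearest_exposed_distance_m(SAMPLE_TRACK, HOME))
    trimmed = apply_privacy_zone(SAMPLE_TRACK, HOME, radius_m=200.0)
    print("published points after 200 m zone:", len(trimmed),
          "closest to home: %.0f m" % nearest_exposed_distance_m(trimmed, HOME))
```

Even with the zone applied, the first and last published points still sit just outside the radius, so the hidden location is known to within about that radius; a larger zone, or varying start points, shrinks that inference.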

For a broader look at how fitness apps handle privacy settings across platforms, the guide to five settings every fitness tracker user must change covers specific toggle locations on Strava, Garmin, and Oura in one place.


Apple Health: The Privacy Outlier (and Where It Still Falls Short)

Apple Health is structurally different from every platform covered above. Worth being precise about why — and where the comparison genuinely breaks down.

Health data on iOS is stored on-device and encrypted with your device passcode using AES-256. When iCloud Health sync is enabled with Advanced Data Protection (introduced in December 2022), data is end-to-end encrypted — Apple cannot read it. This isn't marketing copy. It's an architectural decision that required Apple to redesign their iCloud infrastructure, and it has real-world implications for law enforcement data requests, which Apple's transparency reports confirm they cannot fulfill for E2E-encrypted categories.

Apple doesn't sell health data. Their business model is hardware and services, and health privacy functions as a genuine product differentiator they've structurally invested in, not just claimed.

Where it falls short:

The HealthKit permissions model is robust, but it creates a false sense of total protection. When you grant a third-party app access to HealthKit data, that data leaves Apple's ecosystem and falls under that app's own privacy policy. A meditation app with Apple Health integration that reads your HRV and resting heart rate can legally share that data with brokers. Apple's protections do not travel with the data into third-party hands.

As of iOS 17, you can audit which apps accessed specific health data types by going to Health > Browse > [data type] > Data Sources & Access > Show All Sources. This tells you what's been accessed — not what's been subsequently shared. Those are different things, and collapsing them is a common mistake. I've seen people assume their health data was safe simply because it lived in Apple Health. It isn't, once a third-party app touches it.

Tip: On iPhone, go to Settings > Privacy & Security > Health and audit every app listed. Revoke read/write access for anything you don't actively use. For apps you've deleted that may still hold cached data access, check Health > Profile > Apps — deleted apps sometimes retain permissions after uninstallation.

This is the same dynamic that applies whenever a trusted platform acts as a gateway for third-party apps. Before granting health access to any app, verifying the app's legitimacy and privacy track record is a step most people skip entirely.


Platform-by-Platform Privacy Comparison

| Platform | Business Model | Ad Targeting with Health Data | Research Sharing | On-Device Storage | E2E Encrypted Sync | Default Privacy Level |
|---|---|---|---|---|---|---|
| Fitbit (Google) | Hardware + subscription | No (contractual) | Yes (Google research) | Partial | No | Medium |
| Garmin | Hardware | No | Limited (opt-out) | Partial | No | Medium-High |
| Whoop | Subscription | No | Yes (aggregated, opt-out) | No | No | Medium |
| Oura | Hardware + subscription | No | Yes (partner API) | No | No | Medium |
| Strava | Subscription + ads (free tier) | Free tier only | Yes (heatmap, aggregated) | No | No | Low (public defaults) |
| Apple Health | Hardware + services | No | No | Yes | Yes (with ADP) | High |

A few caveats on this table. "Partial" on-device storage means raw sensor data is processed locally but synced to servers — no major wearable platform except Apple offers a meaningful offline-only option. "E2E Encrypted Sync" being "No" for Garmin, Whoop, and Oura means their servers can technically read your stored health data. And "Research Sharing" opt-outs exist on most platforms but are rarely surfaced prominently during onboarding.


Your GDPR Rights That Actually Work

If you're in the EU — or in California, Colorado, Connecticut, Virginia, or any of the additional U.S. states that enacted comprehensive privacy laws before January 2025 — you have meaningful legal rights over biometric data. The challenge is knowing which to exercise and how.

Right to Access (Article 15): You can request a full export of all data a company holds on you. Garmin, Oura, Fitbit, and Whoop all have data export tools in account settings. Use them. I requested mine from Whoop in February 2025 and received 11 CSV files covering every recorded data point since account creation — raw sensor values I didn't know were being stored at that resolution.

Right to Erasure (Article 17): Account deletion triggers a 30-90 day data deletion window on most platforms. Garmin explicitly documents that GPS data, health metrics, and personal information are deleted. Fitbit's deletion flows through Google's "Delete Account" tool — verify you receive a deletion confirmation email, and keep a copy.

Right to Object to Processing (Article 21): This one is underused. You can object to your data being used for research or profiling without deleting your account. Look for "Research participation" opt-outs in Whoop and Oura settings specifically.

Account security matters here too — a deletion request means nothing if a bad actor retains access to your account. Using a unique, strong password for each wearable platform is non-negotiable. A password manager makes this effortless. If you're deciding between options, the head-to-head comparison of 1Password and Bitwarden for iPhone users covers the practical differences between the two leading choices.


Quick Checklist: 12 Settings to Change This Week

Ordered by impact. The first four take under five minutes combined.

  1. Fitbit: Go to fitbit.com/settings/applications → revoke every app you don't actively use.
  2. Fitbit: Settings > Manage Data > disable "Contribute to Fitbit Research."
  3. Garmin Connect: Profile > Settings > Privacy > Activity visibility → set to "Only Me" or "Followers."
  4. Strava: Settings > Privacy Controls → Activities to "Followers Only"; enable "Hide start and end of activities"; Flyby to "No one."
  5. Whoop: Profile > Settings > Privacy > Research Participation → toggle off.
  6. Oura: Settings > Apps → review every connected integration and revoke unused ones.
  7. Oura: Settings > Privacy → disable "Help improve Oura" research data sharing.
  8. Apple Health: Settings > Privacy & Security > Health → audit each app's read/write access level.
  9. Apple Health: Enable Advanced Data Protection in iCloud settings for end-to-end encrypted health sync.
  10. Strava: Set your profile to private and audit which segment leaderboards display your name publicly.
  11. All platforms: Enable two-factor authentication. Every platform here supports it. None require it by default.
  12. All platforms: Request your data export annually — know exactly what's stored before you need to know.

Sources & Further Reading

  • Electronic Frontier Foundation (EFF) — Surveillance Self-Defense guides covering wearable data, law enforcement access to health records, and biometric data broker practices. Updated regularly.

  • Norwegian Consumer Council (Forbrukerrådet) — Published Every Step You Take (2023), one of the most thorough independent audits of fitness app data sharing in Europe, including analysis of how consent flows are designed to maximize opt-in rates.

  • Privacy International — Ongoing investigations into health app data sharing with advertising networks, including tracker SDKs embedded in wearable companion apps. Covers the data broker ecosystem downstream of fitness platforms.

  • IAPP (International Association of Privacy Professionals) — Maintains a tracker of U.S. State biometric and health privacy law developments, updated monthly. Useful for tracking which CCPA/CPRA amendments apply to wearable data categories.

  • Apple Platform Security Guide — Apple's technical documentation on HealthKit encryption architecture, Advanced Data Protection implementation, and on-device processing for health data. Dry reading, but authoritative for verifying platform marketing claims against actual technical design.
