Who Really Sells Your Fitness Data? A Verbatim Read of Five Privacy Policies
Runna, Strava, Garmin, Coros, Apple Health — five fitness-app privacy policies. The answer to 'who sells your data' is less about what each company says than about what they quietly admit, what they refuse to say, and which one built a system where selling it is structurally hard.
Five privacy policies. One question. The answer is less about what each company says and more about what each one can't say, won't say, or quietly admits in a CCPA table at the bottom of the page.
By Simon · Closed Network Privacy Podcast · April 17, 2026 · 18 min read
TL;DR — The Verdict
- Apple Health — wins on architecture. Apple doesn't just promise not to sell your health data; with 2FA enabled, it has built a system where it cannot read most of the data in the first place.
- Garmin (Jan 9, 2026) — the cleanest non-architectural posture. No advertising program. Data Privacy Framework certified. Opt-in marketing. The word "sell" does not appear in the policy. Verified parental consent for children 8+.
- Coros — a mixed bag. No AI-training clause at all, no automated decision-making, consent-gated health data under GDPR Article 9. But the CCPA table quietly admits selling coarse location, IP addresses, and device identifiers to analytics and advertising partners. No security section, no children's section, and a remarkably candid warning about data sent to Chinese affiliates.
- Strava (Jan 1, 2026) — mature policy, but the most commercially aggressive of the non-advertising companies. Explicit AI-training on health and location data with a soft opt-out. Runs Strava Metro as a commercial data-licensing product built from user GPS tracks. Public-by-default visibility for adults. And — importantly — once Runna data reaches Strava, it is governed by this policy, not by Runna's narrower one.
- Runna — the most transparent document, which is exactly why it comes last. Acknowledges CCPA-defined "selling" for advertising. Names Meta as an advertising publisher. Trains AI/ML on user activity data under legitimate interest. Shares blanketly with parent company Strava. Ranked last because its own practices plus Strava's downstream regime apply.
The trick question every privacy policy hides behind
If you ask a fitness app "do you sell my data?" the answer is almost always no. That's not honesty. That's California.
CCPA (and its sibling CPRA) defines "selling" much more broadly than any human reader would. If a company shares an advertising identifier with Meta so Meta can target you with a running-shoe ad — that counts as selling under the statute. No money has to change hands. So when a company writes "we do not sell your data," what they often mean is "we do not take a check for it." They can — and often do — still share it in ways the law defines as selling.
Keep that in your head. It's the difference between what a privacy policy says and what it's actually committing to.
1. Runna — the most transparent policy, which is why it comes last
Runna's 2026 policy — effective April 30, 2026 — is the clearest-written of the five. Runna was acquired by Strava in 2025, and the policy reflects that. Credit where it's due: you read it and you actually understand what they do. What they do is a lot.
Does Runna sell your data?
Verbatim:
We do not sell personal information for monetary value. … To the extent that certain US State Privacy Laws consider some sharing of personal information for advertising purposes to be 'selling' or 'sharing' of personal information, Runna may have shared the following categories of personal information with third parties in the preceding 12 months: Identifiers; Commercial information; and Internet or similar network activity.
That's the California carve-out, spelled out in Runna's own words. They do not take money for your data. They do share it for advertising, and yes — the law calls that selling. Meta is named explicitly as one of Runna's advertising publishers.
The one meaningful guardrail: health data is walled off
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent.
Your heart rate, specifically, is protected from monetization while at Runna. Your location, your pace, your advertising identifier, your click behavior — not protected the same way.
Two more things Runna discloses that most apps hide
AI training on user data, under legitimate interest. Verbatim: "Train, fine-tune, and improve internal ML or AI models." Activity data, location data, and user-generated content are all listed as inputs. The legal basis is legitimate interest, which under GDPR means the processing does not rely on your explicit consent.
Blanket sharing with parent company Strava. Runna's policy says Strava "process[es] that information under their own Privacy Policies." No opt-out described. Hold that thought — it gets worse once you read Strava's policy.
2. Strava — why Runna's "Strava handles it under their own policy" line matters
Strava's current privacy policy is dated January 1, 2026. Strava is Runna's parent company. When Runna tells you your data is shared with Strava and "processed under their own Privacy Policies," this is the document they're pointing at.
Does Strava sell your data?
Strava's policy contains no flat "we do not sell your data" statement at all. What it does say:
We may also disclose information to marketing partners or third-party advertising networks to promote our services (with your consent, where required).
You can opt out of us sharing your personal information for third-party targeted advertising through the 'Do Not Share My Personal Information' link on our website or the 'Personal Information Sharing' setting in the app.
The presence of that opt-out mechanism is itself the admission: Strava engages in CCPA-defined "sharing" for cross-context behavioral advertising. GPC is honored. DNT is not. The one narrow carve-out — mirroring Runna's — is that health data pulled from connected devices is excluded: "we will not sell or use it for advertising or other similar purposes."
Strava trains AI on your health and location data
This is spelled out in unusually plain language. Verbatim:
AI Development: We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers.
Depending on your privacy controls and sharing permissions, we also may use personal information such as health and Location Information for AI Features, for example, to provide you with training analysis and recommendations.
Health and location data can be used for AI training, gated by user controls that are "where possible" de-identified. The policy gestures at an opt-out ("Learn more about your choices to contribute to Strava's development of AI Features"), but it is opt-out, not opt-in.
Strava Metro — the commercial data-licensing product
We may also license or share deidentified or aggregated information with third parties for purposes such as to improve walking, running or riding in cities via Strava Metro or to help our partners understand more about users.
Strava Metro is a real business: cities and transportation planners license aggregated data derived from users' GPS tracks. The word "license" is meaningful — it's commercial data distribution. No per-user opt-out for Metro is described in the privacy-policy text itself.
What "subsidiaries process under their own Privacy Policies" actually means
This is the paragraph that matters for every Runna user:
We may share your personal information with our corporate family of companies, including affiliates and subsidiaries. Our subsidiaries may process that information under their own Privacy Policies.
Read carefully. The commitment is that Runna processes data under Runna's policy. Nothing in Strava's policy commits Strava to processing inbound Runna data under Runna's narrower terms. In practice: the moment Runna data flows upstream to Strava, it is governed by this document — which allows AI training on health and location data, Metro licensing, and the "Everyone" public visibility default. Runna's own guardrails don't follow the data.
The "Everyone" default and a few other surprises
- Public-by-default visibility for adults. "Your information, including parts of your profile, username, photos/videos, information and content you share (including precise location, such as where you run or ride)" defaults to "Everyone" for 18+ users.
- Public segments and routes survive account deletion. Delete your account; your contributed segments stay.
- 45-day deletion SLA. "It may take up to 45 days to delete your personal information and system logs from our systems." At least it's a concrete number — most policies don't commit to one.
- No DPF certification. SCCs only for international transfers, unlike Garmin.
3. Garmin — on the January 9, 2026 policy, a genuinely clean posture
Garmin's current privacy policy is dated January 9, 2026. Important framing first: the policy covers your Garmin account, the website, stores, customer support, and apps that link to it — but not the wearables themselves. Verbatim:
We have a separate privacy policy that applies to Garmin Connect and its compatible wearables and other devices.
The heart-rate data from your Fenix, the GPS tracks from your Edge, the Body Battery score, the sleep stages — those are governed by a separate Garmin Connect Privacy Policy, not this one.
Does Garmin sell your data?
The word "sell" does not appear anywhere in the current global privacy policy. There is no CCPA "Do Not Sell or Share My Personal Information" section on this page — California residents are redirected to a separate CCPA Privacy Notice. But the substantive point is that the global policy doesn't describe any of the machinery through which data normally gets sold. No targeted advertising program. No cross-context behavioral advertising framework. No ad-partner list. No data-broker language.
What makes this version meaningfully strong
- Marketing is opt-in with consent as the legal basis. Not legitimate interest.
- EU-U.S. / Swiss-U.S. / UK Data Privacy Framework certified. Verbatim: "Garmin's U.S.-based affiliates are certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks, including the UK extension." A transfer safeguard beyond SCCs that none of the other four have.
- No automated decision-making. "We do not make any decisions based on algorithms or other automated processing that significantly affect you."
- Verified parental consent for children 8+. The strongest children's language of the five policies.
- Transparent vendor list. 25+ named service providers with addresses across email, SMS, payments, fraud, hosting, support, and analytics. More specific than any of the other four.
- Payment card data is not stored by Garmin.
The honest gaps
- No AI-training disclosure in either direction. For a company shipping AI-coached training plans on Forerunner and Fenix watches in 2026, silence is a transparency gap.
- No affirmative "we do not sell" statement on this page. That commitment — if it exists in verbatim form — lives in the separate CCPA Privacy Notice.
- No standalone security section.
- The sensor data is governed by a separate policy. Until you read the Garmin Connect Privacy Policy, you cannot assume any of the above protections extend to the heart-rate and GPS data from the watch.
4. Coros — the surprise middle of the pack
Coros is the trail-runner's watch of choice, popular with ultramarathoners and climbers. Their privacy policy is structurally unusual: textbook GDPR on one hand, textbook transparency gaps on the other. It has no posted effective date at all, which is a red flag in itself.
Does Coros sell your data?
Yes — and the policy is inconsistent about it. In the California Shine-the-Light section, Coros says: "We do not share your personal information with third parties for those third parties' direct marketing purposes." In the Nevada section: "Currently, we do not engage in such sales."
But in the CCPA disclosure table toward the bottom, the "We Sell To:" column is populated for two data categories:
- Geolocation information — "Analytics and advertising partners (coarse location only)"
- Internet or Electronic Network Activity Information (IP addresses, device identifiers, cookie IDs) — "Analytics and advertising partners"
The reconcilable reading: Coros doesn't sell personal health/fitness data or directly identifying information for others' direct marketing, but it does engage in CCPA-defined sales of coarse location, IP, and device identifiers to its own ad and analytics partners. Importantly, sensitive data — your training, heart rate, sleep, routes — is not in the "We Sell To" column. That's genuinely meaningful.
The policy uses the older CCPA framing ("Do Not Sell My Personal Information") rather than current CPRA ("Do Not Sell or Share"), and there is no GPC (Global Privacy Control) support. Compared to Strava, Runna, and Apple Health, this is the weakest opt-out plumbing of the bunch.
What Coros does NOT do — and this is the good news
- No AI / ML training clause. The word "train" appears 31 times in the policy, but every single instance refers to product features (training plans, training zones, training load, Training Hub). There is no clause granting Coros the right to train machine-learning or AI models on user data. Strava and Runna both have explicit AI-training language. Coros does not.
- No automated decision-making. Verbatim: "We do not use automated decision-making, including profiling, on the basis of your personal data in accordance with Art. 22(1) and (4) of the GDPR."
- Health data processing is consent-gated under GDPR Article 9 — the "special category" data standard — rather than legitimate interest. That's a stronger legal basis than Runna or Strava use.
- Explicit named-vendor list with addresses — AWS, Google, Facebook, Zendesk, Hangzhou Netease Cloud Technology, Shopify, Mailchimp, Refersion, Stamped, TrainingPeaks. More specific than most US-oriented competitors.
- Offline / no-sync usage is supported and acknowledged. "COROS watches can be used without pairing with the COROS app."
What Coros does NOT disclose — and this is the bad news
- No effective date. Version control is opaque.
- No security section. No encryption claims, no breach-notification commitment, no certifications.
- No children's privacy section at all. No age gate. No COPPA statement. This is a notable gap given that teen runners use these watches.
- No data retention windows for health, GPS, training data.
- No Standard Contractual Clauses named, no DPF certification — despite the fact that EEA-user data crosses borders for customer support.
- A candid GDPR Article 49 warning about transfers to Chinese affiliates. Verbatim: "Upon receiving your explicit consent … we will transfer personal data to countries where our Group Companies locate outside the EU that may not provide for an adequate level of data protection to provide with you customer support upon your request. This entails the risk that personal data may also be accessed and processed for the purposes of authorities and/or third parties without your knowledge and that there may be no efficient legal protection against such access and processing." One of Coros's customer-support vendors is Hangzhou Netease Cloud Technology, a Chinese company.
The verdict on Coros
Coros is the hardest of the five to rank confidently. If you care most about AI training and automated profiling, Coros is the second-best choice behind Apple. If you care about commercial data sale posture, Coros is worse than Garmin but narrower in scope than Strava (coarse location and identifiers only, not health or activity data). If you care about baseline policy maturity — security, retention, children's protections, date-stamping — Coros lags every other policy in this piece.
5. Apple Health — wins on architecture rather than promises
The most interesting fact about the Apple Health app privacy disclosure is what it doesn't say. Search the page for "sell." It's not there. Search for "advertising." Not there. Search for "research" or "ResearchKit." Not there. Search for "Advanced Data Protection." Also not there.
You'd think that would be a problem. It's actually kind of the point.
The three sentences that do the work
When your device is locked with a passcode, Touch ID, or Face ID, all of your health and fitness data in the Health app — other than your Medical ID — is encrypted and inaccessible by default.
If you are using iOS 12 or later and turn on two-factor authentication, Apple will not be able to read your health and activity data synced to iCloud.
Apple does not maintain or have access to the encryption keys for data that is stored on our servers and shared with your healthcare organization and cannot decrypt, view, or otherwise access this data.
Apple's pitch on the Health page isn't "we promise not to sell your data." It's "we cannot read most of your data." Selling data you cannot decrypt is a hard business model.
On-device processing for the most sensitive categories
- Medications: "All processing for the Medications feature occurs on device."
- Mental Health: "All processing for Mental Health features occur on device."
- Siri Health queries: "All processing of recognized Health app data requests by Siri occurs on device."
The honest caveats
- No "sell" disclaimer on this specific page. Apple's brand-level commitment not to sell data lives in the umbrella policy.
- "End-to-end encryption" is not used as a phrase on this page. The operative language is "Apple will not be able to read."
- Advanced Data Protection is not referenced. ADP is Apple's mechanism for extending end-to-end encryption to iCloud Backup. Turn it on: Settings → [your name] → iCloud → Advanced Data Protection.
- Medical ID is an exception to lock-screen encryption. By design, for first responders.
- Third-party workout apps can display Health data on the Lock Screen during a workout session.
- Deleting the Health app does not delete your Health data. Use Settings → Health.
Side-by-side on the questions that matter
| Question | Runna | Strava | Garmin | Coros | Apple Health |
|---|---|---|---|---|---|
| Policy contains a clean "we do not sell" sentence? | Qualified — admits CCPA-defined sale. | No flat statement. Admits CCPA "sharing." | No "sell" anywhere. No ad program. | Contradictory. Admits CCPA-sale of coarse location & identifiers. | Not on this page. |
| Health data excluded from sale/advertising? | Yes — explicit carve-out. | Yes — same carve-out as Runna. | Not addressed (separate Connect policy). | Not in "We Sell" column — implied no. | Architecturally inaccessible. |
| Targeted / cross-context behavioral advertising? | Yes. Meta named. | Yes. Generic ad networks. | No advertising program. | Lookalike audiences via Facebook pixel (consent-gated). | Not addressed for Health. |
| Uses user data to train AI/ML models? | Yes, explicit. Legitimate interest. | Yes — including health & location. Opt-out. | Silent. | No clause — none in the policy. | Silent on this page. |
| Licenses / sells derived data commercially? | No. | Yes — Strava Metro. | No. | No. | No. |
| Shared with a corporate parent? | Yes — Strava blanket share. | N/A (is the parent). | Intra-Garmin only. | Chinese affiliates flagged. | N/A. |
| Architectural barrier preventing company access? | No. | No. | No. | No. | Yes — on-device + 2FA-protected iCloud sync. |
| International transfer safeguard | SCCs only. | SCCs only. | SCCs + Data Privacy Framework certified. | Explicit Art. 49 China warning. No SCCs named. | Not addressed. |
| Automated decision-making commitment | Yes — no significant effects. | Yes — no significant effects. | Yes — no significant effects. | Yes — no ADM / profiling at all. | Not addressed. |
| Children's data posture | Under-18 banned; under-16 sell/share floor. | Under-13 banned; 13–17 protections. | Verified parental consent 8+. | Absent entirely. | Not on this page. |
| Security section present? | Generic. | Generic. | None standalone. | None. | Strong, architectural. |
| GPC / opt-out signal honored? | Yes. DNT ignored. | Yes. DNT ignored. | Not addressed in global policy. | Not addressed. | Not addressed. |
| Policy has an effective date? | April 30, 2026. | January 1, 2026. | January 9, 2026. | Missing. | February 11, 2026. |
The verdict
1. Apple Health — wins on architecture. On-device processing for Medications, Mental Health, and Siri Health queries. Encrypted at rest when the device is locked. iCloud-synced Health data that Apple states it cannot read with 2FA enabled. Zero-knowledge provider-sharing server. The caveats are about what this specific page doesn't say (sale, ads, research, legal process) rather than about aggressive practices it discloses.
2. Garmin — the cleanest non-architectural posture. Opt-in marketing. No automated decision-making. No cross-context advertising. DPF-certified international transfers. Verified parental consent for children 8+. Transparent vendor list. Payment card data not stored. The word "sell" doesn't appear in the policy at all. The remaining blind spot is real: the actual heart-rate and GPS data lives under a separate Garmin Connect policy we haven't analyzed.
3. Coros — structurally flawed but narrowly monetized. No AI-training clause anywhere. No automated decision-making. Health data processing tied to explicit GDPR Article 9 consent. But: the CCPA table admits sale of coarse location and device identifiers; no security section; no children's section; no retention windows; and a candid warning that data sent to Chinese affiliates may be accessed by authorities with no legal recourse. A reasonable choice if AI training is your dealbreaker — a cautious one if policy maturity matters.
4. Strava — mature policy, commercially aggressive practices. Honors GPC, has a 45-day deletion SLA, spells out sixteen US states by name, and names the Irish DPC as its EEA supervisory authority. All good. But it also trains AI on user health and location data with a soft opt-out, licenses user-derived GPS data to third parties through Strava Metro, defaults to "Everyone" visibility for adults, and keeps your public segments and routes online after you delete your account. The subsidiary clause is the critical one for Runna users: once data reaches Strava, it's governed by this policy — not by Runna's narrower one.
5. Runna — the most transparent, transparently permissive. Acknowledges CCPA-defined selling and sharing for advertising. Names Meta as a publisher. Trains AI/ML on user fitness data under legitimate interest. Shares blanketly with parent Strava under Strava's separate policy. The one real guardrail is the explicit carve-out for health-specific data such as heart rate. Effectively, if you use Runna, both Runna's own permissions AND Strava's downstream regime apply — so even the protections Runna claims may evaporate once the data flows upstream.
What to actually do tonight
- If you want privacy-first fitness tracking: keep your primary log in Apple Health. Turn on two-factor authentication. Turn on Advanced Data Protection under Settings → [your name] → iCloud.
- If you're on Garmin: the main company policy is genuinely pro-privacy. Read the separate Garmin Connect Privacy Policy before assuming the same protections extend to your sensor data. Then go to Garmin Connect → Account Settings → Privacy and lock every sharing toggle to "Only Me."
- If you're on Coros: do not assume the "we don't sell" framing. Read the CCPA table. Then, under Coros app settings, revoke consent for analytics and pixel tracking; in web browsers use uBlock Origin or equivalent to block the Facebook pixel from loading. The health, training, and location data is not in the "sell" column — but the coarse location and device identifiers are.
- If you're on Strava: flip your default visibility off "Everyone." Set up Privacy Zones around your home and anywhere else you don't want geofenced. Opt out of AI development via the privacy settings. Hit the "Do Not Share My Personal Information" footer link. Know that public segments and routes you've contributed stay online after account deletion.
- If you're on Runna: understand the deal. Your activity data is training internal models. Your advertising identifier is shared with Meta and similar partners. Strava sees everything under Strava's broader terms. The one thing Runna has promised not to monetize is your health-specific data — heart rate and the like. Decide if that's enough.
- Everyone: broadcast the Global Privacy Control signal from your browser. Runna honors it. Strava honors it. Most US-state consumer rights attach to it.
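To make the opt-out plumbing compared above concrete, here is a small Python decision gate written for this post (not code from Runna, Strava, or any other company named here): it treats `Sec-GPC: 1` as a valid opt-out, ignores the legacy `DNT` header unless the operator chooses otherwise, and keeps health categories out of advertising regardless of any signal, mirroring the carve-out both Runna and Strava state. The category names, the `UserChoices` state, and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed category names standing in for the "health information from
# these integrations" that the Runna/Strava carve-outs exclude from sale
# and advertising outright.
HEALTH_CATEGORIES = frozenset({"heart_rate", "sleep_stages", "hrv"})


@dataclass
class UserChoices:
    """Hypothetical per-account state behind a 'Do Not Share My Personal
    Information' style control."""
    opted_out_of_sharing: bool = False


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def gpc_opt_out(headers: dict) -> bool:
    """The GPC spec defines exactly one opt-out value: 'Sec-GPC: 1'."""
    return _header(headers, "Sec-GPC") == "1"


def dnt_opt_out(headers: dict) -> bool:
    """Legacy Do Not Track header; the Strava and Runna text says it is ignored."""
    return _header(headers, "DNT") == "1"


def may_share_for_advertising(category: str, headers: dict,
                              user: UserChoices, honor_dnt: bool = False) -> bool:
    """Decide whether one data category may be shared with an advertising
    partner (CCPA 'sharing') for this request. Order matters: the health
    carve-out is absolute, then the browser signal, then the account toggle."""
    if category in HEALTH_CATEGORIES:
        return False          # carve-out: no signal or setting can re-enable it
    if gpc_opt_out(headers):
        return False          # GPC is treated as a valid CCPA/CPRA opt-out
    if honor_dnt and dnt_opt_out(headers):
        return False          # only if the operator chooses to honor DNT
    if user.opted_out_of_sharing:
        return False          # explicit 'Do Not Share' choice on the account
    return True               # opt-out regime: share unless told otherwise


def decide_batch(requests: list, user: UserChoices, honor_dnt: bool = False) -> dict:
    """Evaluate (label, category, headers) samples; returns label -> decision."""
    return {label: may_share_for_advertising(cat, hdrs, user, honor_dnt)
            for label, cat, hdrs in requests}


# Constructed sample requests: an advertising identifier is shareable unless
# a recognised opt-out applies; heart rate never is.
SAMPLE_REQUESTS = [
    ("ad_id_no_signal",  "advertising_id", {"User-Agent": "demo"}),
    ("ad_id_gpc",        "advertising_id", {"sec-gpc": "1"}),
    ("ad_id_dnt_only",   "advertising_id", {"DNT": "1"}),
    ("heart_rate_plain", "heart_rate",     {}),
]

if __name__ == "__main__":
    for label, allowed in decide_batch(SAMPLE_REQUESTS, UserChoices()).items():
        print(f"{label:18} share for ads: {allowed}")
```

Note that with the defaults the `DNT`-only request is still shareable, which is exactly the gap the post flags when it says GPC is honored and DNT is not.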
Methodology & sources
This analysis is based on the text of each company's public privacy disclosure as of April 17, 2026. All quotations are verbatim from the retrieved documents. The Runna, Strava, Coros, and Apple Health disclosures were pulled directly from the live pages. The Garmin policy was read from the PDF of the January 9, 2026 version. The separate Garmin Connect Privacy Policy, which governs the actual sensor data from Garmin wearables, was not analyzed for this post — that's the logical follow-up.
- Runna — Privacy Policy 2026
- Strava — Privacy Policy (Effective January 1, 2026)
- Garmin — Privacy Policy (Last Updated January 9, 2026)
- COROS — Privacy Policy
- Apple — Health App & Privacy
Got a privacy policy you want me to read on air? Send it to simon@closednetwork.io and I'll read the whole thing — weasel words and all.