If you have a smartwatch strapped to your wrist or use other gadgets to track your gym sessions, you probably have one or two fitness apps installed on your smartphone. They can be very useful in logging runs, reps and rides, but according to new research from VPN firm Surfshark, some of these apps could be collecting far more of your personal data than you realise.

Surfshark analysed 16 popular iPhone fitness apps via data from the Apple App Store to determine that on average they collect 12 different types of data out of the 35 kinds Apple says it’s possible for apps to collect.

“Out of 16 fitness apps, 75% of them share user data with third parties,” Surfshark said.

“This is called tracked data, where “tracking” refers to linking data collected from your app about a particular end-user or device — such as a user ID, device ID, or profile — with third-party data.”

The worst offender was Fitbit, which was found to gather up to 24 types of data, 19 of which were deemed unnecessary to collect in order for the app to function. Surfshark said this extraneous collected personal data could be used for third-party advertising, developer’s advertising or marketing, analytics or product personalisation.

Though Fitbit collected the most data points, social fitness app Strava had the most data points used beyond the app’s functionality with 21, the same number of data points it collects overall.

“Some apps collect twice or nearly twice the average amount of data. For instance, Fitbit gathers up to 24 unique types of data, making it the most data-hungry app,” Surfshark said.

“Centr stands out as the app that reports collecting just three types of data: user ID, product interaction, and crash data. However, one of these is used for tracking. In comparison, the most data-hungry app — Fitbit — collects roughly eight times more.”

Nike Training Club, Runna, The Body Coach workout Planner and ALO Wellness Club were also found to scrape a lot of personal data. The Nike app was found to use sensitive personal data to target users for advertising, while PUSH Workout & Gym Tracker did well to collect only seven data points and use none of them beyond app functionality.

However, PUSH charges an annual subscription of £89.99, a clear revenue stream. Free workout apps on the other hand rely on using your personal and sensitive data to sell to advertisers in order to make money.

While you won’t necessarily have accepted all the uses of the data these apps were found to leak by default, it’s alarming to see that so many opt to pass it on for the stated reasons given the chance.

Surfshark only studied the use of these apps on iPhone and iPad, so we don’t know if Fitbit was the worst offender on Android. But it’s a reminder to read the terms and conditions before you use or install apps, especially if they are free. You can also tap ‘Ask App Not To Track’ on iPhone when installing a new app and using it for the first time, which stops apps sharing your data with third parties for ad tracking.