Your Exercise Bike Knows a Lot About You—and It Doesn't Keep Every Secret
Fitness companies such as NordicTrack, Peloton, and Tonal collect and might share information you'd rather keep private, a new CR study finds
When you use a connected treadmill or exercise bike, you probably expect the service to record data like how long you ran or biked and your pace. If you’re a BowFlex user, however, you might be surprised to learn that the company, in its privacy policy, also grants itself the right to collect and share data on how you smell.
Whether this really happens—or ever will in the future—isn’t clear. The company didn’t respond to our requests for comment. But while your exercise service claiming the right to collect data on your smell may seem more strange than worrying, it hints at how companies approach data collection.
A recent CR investigation shows that companies providing on-demand workout and fitness services tend to give themselves permission to collect lots of information about you, including potentially sensitive health data. This might include your heart rate or your weight and how it changes over time. It might even include information about your reproductive health.
The smart-home gym company Tonal, for example, says it may collect data about your pregnancy status. Peloton offers workouts specifically for pregnancy and collects information about any workouts you participate in. (Surveillance of pregnant people has become a concern for many Americans in the wake of state and proposed national measures to restrict abortion access.)
In short, when you use a connected exercise machine or app, the company behind it could be collecting and sharing a lot more than just the length and intensity of your workouts. And because of broad privacy policies, it’s hard to know where your data will end up and how it will be used.
Data Your Exercise App Collects
Consumer Reports’ digital privacy experts took a dive into the privacy policies and practices of companies that offer connected exercise devices and services, including popular bikes and treadmills from companies including NordicTrack and Peloton and wall-mounted home gym systems such as Lululemon Studio (formerly a separate company called Mirror) and Tonal.
The researchers didn’t find too many surprises: The legalese looks a lot like the policies that govern other online activities. But that’s especially concerning for these services, our experts say, because the information they collect may reveal sensitive information about the user’s health.
“It seems like they used the same boilerplate language that you see across the internet, which is essentially a lengthy and hard-to-decipher catalog of types of info they collect,” says Matt Schwartz, a policy analyst at CR who focuses on privacy. They then give themselves “carte blanche to do whatever they want with that data, even if they don’t currently have a use case for it.”
Many people assume that more sensitive health-related data has stricter privacy protections than other kinds of data. But outside of the narrow bounds of where HIPAA applies—that is, your direct interactions with a healthcare provider like a doctor or clinic—no such national protections exist. In many cases, health data you provide to exercise companies may be treated with no more sensitivity than your shoe-shopping habits.
For our study, we evaluated 10 fitness brands:
- BowFlex (including its associated JRNY app)
- Concept2 (including its associated ErgData app)
- Hydrow
- Kinomap
- Lululemon (including Lululemon Studio, formerly Mirror, fitness devices)
- NordicTrack (including its associated iFit app)
- Peloton
- Tempo
- Tonal
- Zwift
What Can Companies Do With Your Data?
So what are these companies doing with all of this workout data they’re collecting? Who else can see or use it?
Well, apart from Kinomap, which specifically says it shares information with the International Olympic Committee, it’s hard to say for sure. (Kinomap didn’t respond to a question from CR about this.)
In most cases, your data could be shared with a very extensive group of companies. It includes fraud protection companies, IT and technical support providers, payment processors, analytics providers, advertisers, marketing and database management firms, law enforcement, and government regulators.
A few privacy policies outline specific reasons why certain outside companies might receive your data. Tempo, for example, partners with a company called Prism Labs, which calculates body composition based on head-to-toe 3D body scans.
In all cases, the privacy policies allow the companies to share your information with at least some other organizations. As the privacy policies of BowFlex and several other companies point out, in certain situations this may be legally considered “selling” your data under the California Consumer Privacy Act or other state privacy laws.
Some of these fitness companies also offer separate privacy policies specifically to cover consumer health information, a category of data defined by a handful of state privacy laws. Washington, Nevada, and Connecticut are a few of the states that have enacted such laws, which make it unlawful, for example, to sell consumer health data without first getting a user’s consent. Definitions of consumer health data vary by state but may include any data that would allow a company to infer a person’s physical or mental health diagnoses.
These state-specific policies occasionally shed a bit more light on data protections the companies have in place. Tonal, which collects health information that can include pregnancy data, explicitly states that it neither sells nor shares consumer health data beyond what you might grant permission for by integrating your Tonal information with Apple Health, for example.
Several companies say that the purpose of sharing your data with analytics and advertising providers may be to target you with ads. Language like this is a red flag, according to Justin Sherman, CEO of the research and advisory firm Global Cyber Strategies. That’s because it potentially gives companies the right to share your data with data brokers.
Data brokers collect information on individuals from a wide range of sources and provide it to other companies. In many cases, the information is used for targeted advertising. But health data generated by exercise services could also end up being shared with other clients, including insurance companies, similar to how information on driving behavior has been collected by car manufacturers, then ultimately shared with car insurers.
It’s not a stretch to imagine life, disability, or long-term care insurers making use of such data to help determine your coverage or premiums, Sherman says. “That is absolutely the kind of thing that’s in market demand,” he says.
We reached out to all of the companies whose services we evaluated to ask them about our findings, including why such widespread data collection is necessary to provide their services, how they comply with state-level privacy laws, and what protections they have to keep customer data from being shared with data brokers.
Most didn’t respond.
Peloton provided some additional context on how it treats data on customers who participate in pregnancy-oriented workouts. “While we do not collect medical or health information, certain privacy-related laws may classify some of our offerings—such as pregnancy-related workouts or accessibility features—as health-related information,” a spokesperson told us. “Importantly, Peloton does not make any assumptions about a Member’s health or medical conditions based on their workout selections.” Peloton also told us it doesn’t sell its members’ information to data brokers, though the company’s privacy policy says it may use the data it collects for marketing.
A representative from Hydrow told us that the company “fully adheres to all applicable data privacy regulations.”
We also asked Tonal about its practice of storing video of users. “We save only those recordings that a customer has decided to save,” it said. “Saving the recordings allows Tonal to provide guidance to the member about their form and power self-serve tools that enhance users’ workout experience.”
“Members can review their videos to assess their form and refine their movements,” it said. “If desired, they can delete their recordings at any time.”
What You Can Do
If you use an exercise service app, check your privacy settings to make sure you aren’t publicly sharing anything you don’t want to. For some services, like Hydrow’s, your exercise data is public to other app users by default, and you have to actively change your settings to make your workout data private.
Blair finds this to be counterintuitive. “When you go to the gym, do you wear a name tag?” he says. “I don’t.”
We also checked on how consumers can delete their data for each of these services. Only ErgData, Hydrow, and Tempo allow you to delete your account directly from the app, while iFit allows you to clear all your stored data from within the app.
In several cases, however, there was no way to delete all, or sometimes any, of the stored data from within the app. You need to reach out to the company to request that your data be deleted or to get information about whom your data has been shared with. Two companies—BowFlex and Zwift—stated that in some circumstances they may even charge you a fee for this service.
Some state-level privacy laws, such as those in Oregon and Delaware, may allow you to request a list of which third parties (including data brokers) your data has been shared with. In some cases, you can also request that your data be deleted. If you’re interested in getting some assistance with that process—and you’re a user of BowFlex, Concept2, Hydrow, iFit, Kinomap, Lululemon Studio, Peloton, Tonal, or Zwift—CR’s Permission Slip app can help.
Sherman says that in California you can also contact data brokerage firms directly. The state maintains a list of data brokerage firms so that you can contact them directly and request to see and/or delete information. There are a lot of these firms; Permission Slip Plus users can file bulk requests to more than 100 data brokerages at once. And starting in 2026, California will be setting up a tool that provides a way to request deletion of your data held by all data brokers at once (rather than going one by one).
One thing to consider if you’re not already hooked on a connected fitness regimen: You can choose a treadmill, a bike, or an elliptical that doesn’t require data collection by the manufacturer.
Here are some of CR’s top-rated treadmills that don’t require you to connect with an app on your phone or to an on-demand exercise subscription service.
Editor’s note: An earlier version of this article referred to sharing fitness data with Google Health. The name of the relevant service is Google Fit.