Is My Health App Safe?

Is MyFitnessPal safe?

Scorecard updated 2026-05-27

Grade: D
Two massive data breaches, advertising-partner data sharing that the company itself admits may count as "selling" under privacy law, and an ownership history that has moved 220 million users' data through three corporate hands in a decade.
Category: Nutrition & calorie tracker — food logging, exercise, weight, body measurements
Company: MyFitnessPal, Inc. (owned by Francisco Partners, a private-equity firm, since Dec 2020)
Approx. users: 220M+ registered; ~30M monthly active
HIPAA covered? No — consumer app. HIPAA is not mentioned in the privacy policy.
GDPR applies? Yes — US-based but has appointed an EEA representative (DataRep) and provides GDPR rights.
Ownership changes: Founded 2005 → acquired by Under Armour 2015 ($475M) → sold to Francisco Partners 2020 ($345M) → acquired Cal AI Dec 2025

1. What data does MyFitnessPal collect?

The list is long. Directly from users: name, email, date of birth, sex, location (country/zip), profile photos, dietary habits, every food and drink consumed, medications, calorie counts, fitness activity, body measurements, physiological conditions, and progress photos. Users can also log food via voice, and the app stores that audio input.

Automatically collected: device identifiers, IP address, mobile advertising ID, cookies, usage patterns, and click behaviour. From third parties: data from connected wearables, Apple HealthKit, Google Health Connect, Samsung Health, social media logins, and — notably — data from "analytics and marketing partners" about your interests and demographics.

The privacy policy explicitly acknowledges that "Food and Activity Diary Data may include sensitive personal information when the information indicates or allows someone to infer a health condition." This is correct — and it means MyFitnessPal knows it holds health data but is not bound by HIPAA protections for it.

2. Who does MyFitnessPal share data with?

MyFitnessPal shares personal information with service providers (hosting, payment processing, analytics, customer support), marketing and advertising partners (social media platforms, third-party ad networks), research partners, and business partners for "integrated services."

The advertising pipeline is the critical concern. The policy names "social media platforms, third-party advertising networks, and other parties that assist us in serving, measuring the performance of, and optimizing our advertising campaigns" as recipients of user data for targeted advertising. This is a fundamentally different model from subscription-only apps like Oura, which does not run ad-network SDKs.

3. What does the privacy policy actually say?

The most revealing sentence in the policy: "While MyFitnessPal does not expressly 'sell' information to others, certain uses of Functional Cookies and/or Targeted Advertising Cookies on our website to collect, use, and disclose information may constitute 'sales' or 'sharing' of personal information or the use of personal information for 'targeted advertising' purposes under applicable privacy laws."

In plain language: MyFitnessPal concedes that its own advertising practices may legally qualify as selling your data. The distinction they draw — "we don't expressly sell" — is a legal hedge, not a privacy commitment. Under the CCPA's broad definition of "sale," sharing data with ad networks for value received counts.

The policy was last updated March 18, 2025. It is moderately readable but long, and the most consequential disclosures (like the one above) are buried deep.

4. HIPAA status

MyFitnessPal is not HIPAA-covered. The word "HIPAA" does not appear anywhere in the privacy policy. This is legally correct — HIPAA applies to healthcare providers, insurers, and their business associates, not to consumer apps — but it means that the detailed dietary, weight, medication, and body-measurement data you enter has no federal health-privacy protection in the US.

Washington State's My Health My Data Act and similar state laws may offer some coverage, and MyFitnessPal does publish a separate Washington State health-data notice, which suggests they recognise the gap.

5. GDPR status

MyFitnessPal is US-headquartered (Austin, TX) but has appointed DataRep as its EEA representative across all 27 EU member states, plus the UK, Norway, Iceland, and Switzerland. Standard GDPR rights are offered: access, correction, erasure, portability, objection to marketing, and withdrawal of consent.

Transfers to the US occur, and the policy notes that data "may be transferred to countries outside of the EEA, Switzerland, and the UK, including the United States to companies that are not certified under the EU-US Data Privacy Framework." This language is weaker than that of companies that commit exclusively to DPF-certified transfers.

6. Security and enforcement history

This is where MyFitnessPal's record is worst.

2018 breach — 150 million accounts: In February 2018, an unauthorised party accessed usernames, email addresses, and hashed passwords for approximately 150 million MyFitnessPal users. Under Armour disclosed the breach in March 2018. While some passwords were hashed with bcrypt, others used the weaker SHA-1 algorithm — a significant security shortcoming for an app holding health data at that scale.
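The bcrypt-versus-SHA-1 split above is the kind of mixed credential store a defender has to triage after a breach: unsalted SHA-1 is a fast general-purpose hash, so leaked digests can be checked at enormous speed, whereas bcrypt is salted and deliberately slow. The following is an added example (not MyFitnessPal's or Under Armour's code) of the two checks that matter: inventorying which scheme each stored record uses, and upgrading a legacy record the next time its owner logs in successfully. It assumes a constructed store with hypothetical users, and uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt so it runs without third-party packages.

```python
import hashlib
import hmac
import os
import re

# Constructed sample credential store (hypothetical users, not breach data): two
# unsalted SHA-1 hex digests and one placeholder in bcrypt's "$2b$" crypt format.
SAMPLE_STORE = {
    "alice": hashlib.sha1(b"correct horse").hexdigest(),
    "bob": "$2b$12$" + "x" * 53,  # placeholder, not a real bcrypt digest
    "carol": hashlib.sha1(b"password1").hexdigest(),
}
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def classify(stored: str) -> str:
    """Name the hashing scheme a stored credential uses, by its format."""
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2"
    if SHA1_HEX.match(stored):
        return "sha1-unsalted"
    return "unknown"


def scheme_inventory(store: dict) -> dict:
    # Count records per scheme: how many accounts are still on the weak format?
    counts = {}
    for digest in store.values():
        counts[classify(digest)] = counts.get(classify(digest), 0) + 1
    return counts


def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"pbkdf2_sha256$600000${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_upgrade(store: dict, user: str, password: str) -> tuple:
    """Verify a login; a record still on unsalted SHA-1 is rehashed on success."""
    stored, scheme = store[user], classify(store[user])
    if scheme == "sha1-unsalted":
        ok = hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored)
        if ok:
            store[user] = pbkdf2_hash(password)  # salted, slow hash replaces SHA-1
        return ok, classify(store[user])
    if scheme == "pbkdf2":
        return verify_pbkdf2(password, stored), scheme
    raise NotImplementedError(f"{scheme}: verification is delegated to that scheme's library")
```

Records whose owners never log in again are not upgraded by this path; those accounts still need a forced reset, which is why the inventory count is the number to track after a breach.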

2026 Cal AI breach — 3 million users: In March 2026, shortly after MyFitnessPal's acquisition of calorie-tracking app Cal AI became public, a threat actor posted a 12 GB dataset on BreachForums claiming to have breached Cal AI via an unauthenticated Firebase database. The alleged dataset includes meal logs, weight data for 3.5 million users, user profiles with gender and date of birth for 3.2 million users, and subscription details including email addresses for approximately 3 million users. Cal AI has not officially confirmed the breach.

The security disclosure in the privacy policy is generic: "reasonable technical, organizational, and administrative safeguards." No bug bounty programme, no security certifications, and no audit reports are publicly referenced.

7. Deletion and retention

Retention terms are vague: "We will retain your personal information as long as necessary to fulfill the purposes outlined in this Policy (including to satisfy our legal or reporting requirements), unless a longer retention period is required or allowed under law." No specific time limits are given for any data category.

Users can request deletion, but the policy hedges with "subject to certain exceptions prescribed by applicable law." De-identified data is kept indefinitely: "If we de-identify information, we will maintain and use the information in de-identified form." Given that food-logging data is high-dimensional and personally distinctive, the practical anonymity of "de-identified" dietary records is questionable.
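The "questionable anonymity" point above can be checked rather than asserted: for a de-identified diary export, count how many users share each combination of logged items and find the smallest number of items that singles each user out. This is an added example (not the company's code) over a constructed five-user diary with hypothetical food entries; the same k-anonymity count works on any export where each row is one user's set of logged items.

```python
from collections import Counter
from itertools import combinations

# Constructed "de-identified" diary export: pseudonym -> items logged that day.
# Hypothetical data, not from any app. u2 and u5 logged identical meals.
DIARY = {
    "u1": {"oatmeal", "black coffee", "salmon", "apple"},
    "u2": {"oatmeal", "black coffee", "chicken salad", "apple"},
    "u3": {"oatmeal", "latte", "salmon", "apple"},
    "u4": {"oatmeal", "latte", "chicken salad", "banana"},
    "u5": {"oatmeal", "black coffee", "chicken salad", "apple"},
}


def k_anonymity(diary: dict, n_items: int) -> Counter:
    """Map every n-item combination that occurs to the number of users sharing it.

    A count of 1 means that combination alone singles out one user (k = 1)."""
    counts = Counter()
    for items in diary.values():
        for combo in combinations(sorted(items), n_items):
            counts[combo] += 1
    return counts


def uniquely_identified(diary: dict, n_items: int) -> set:
    """Users for whom at least one n-item combination has k = 1."""
    counts = k_anonymity(diary, n_items)
    return {
        user
        for user, items in diary.items()
        if any(counts[c] == 1 for c in combinations(sorted(items), n_items))
    }


def items_to_single_out(diary: dict) -> dict:
    """Smallest number of logged items that singles out each user (None if never)."""
    result = {}
    for n in range(1, max(len(s) for s in diary.values()) + 1):
        for user in uniquely_identified(diary, n):
            result.setdefault(user, n)  # keep the first (smallest) n found
    return {user: result.get(user) for user in diary}
```

Only the users with identical diaries (u2 and u5) are never singled out; a real export with hundreds of distinct foods per user makes such collisions rare, which is the dimensionality problem the paragraph describes.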

Grade rationale

Weighted score ≈ 45 → D.

What would move this to a C?

Sources: MyFitnessPal privacy policy (updated March 18, 2025); TechCrunch — 2018 breach disclosure; Cybernews — Cal AI breach (March 2026); Business of Apps — MyFitnessPal statistics; Francisco Partners acquisition announcement. This page is editorial analysis, not legal advice.