What calorie tracking apps know about you — and who they share it with.
When you sign up for a calorie tracking app, you hand over an unusual amount of personal data. Not just an email address — your weight, height, age, sex, dietary restrictions, food allergies, health conditions, and a detailed log of everything you eat. Over time, that log becomes one of the most intimate datasets about your daily life.
A 2025 analysis by Surfshark examined the 15 most popular weight control apps on the App Store and found that the average app collects 13 of Apple's 35 defined data categories. A third of the apps exceeded that average in both data collection and user tracking.
Noom, according to that same analysis, collects 22 of 35 categories — nearly double the average. Their intake questionnaire asks about physical activity limitations, health conditions including diabetes and depression, race, and dietary restrictions. Privacy International found that Noom was sharing user health quiz data in real-time with third-party analytics firms including Braze, FullStory, and Mixpanel.
MyFitnessPal collects name, email, date of birth, gender, location data, fitness data, and device identifiers. Their privacy policy describes sharing data with service providers, vendors, and connected social media platforms.
In February 2018, MyFitnessPal suffered one of the largest data breaches in history: approximately 150 million accounts were compromised. Usernames, email addresses, IP addresses, and password hashes were exposed. Under Armour (then-owner) discovered the breach in March and disclosed it four days later. By 2019, the stolen data was for sale on a dark web marketplace.
MyFitnessPal didn't lose your food diary in that particular breach. But the incident illustrates a basic risk: any data stored on a company's servers can be exposed. Healthcare data breaches have been accelerating — the HIPAA Journal reported over 276 million healthcare records breached in the US in 2024 alone, a 64% increase from the prior year.
Health data is particularly valuable. IBM's 2024 Cost of a Data Breach Report found that the average healthcare breach costs $9.8 million, more than double the financial sector average. Medical records sell for significantly more than credit card numbers on the dark web, because unlike a card number, the information in a medical record doesn't expire.
Photo-based calorie trackers introduce an additional privacy dimension that text loggers don't have: image metadata.
When your phone takes a photo, it embeds EXIF metadata — GPS coordinates, device make and model, serial numbers, and exact timestamps. If a calorie app uploads your food photo with EXIF intact, the server doesn't just receive a picture of your salad. It receives your precise location, the exact time you ate, and your device identity.
Over months of daily food logging, that metadata creates a detailed map of your life: where you eat breakfast (your home address), where you eat lunch (your workplace), which restaurants you frequent, and your exact daily schedule. None of this has anything to do with nutrition.
Some platforms strip EXIF data on upload. Many don't. Unless an app explicitly states it removes metadata, you should assume it's being stored.
Even without photo metadata, your eating patterns are more revealing than they might seem. Dietary data can signal:
This isn't hypothetical. Target famously built a model that predicted customer pregnancies from purchasing patterns alone — analysing around 25 product categories to assign a "pregnancy prediction score." Dietary data is at least as revealing as shopping data.
Regulators are catching up. GDPR classifies health data as a "special category" requiring explicit consent. Washington State's My Health My Data Act extends protections to health data collected by consumer apps — and explicitly covers inferred health information, not just data you directly provide.
In 2021, the FTC settled with Flo Health, a period tracking app with over 100 million users, for sharing sensitive health data with Facebook and Google despite promising users it would remain private. The practice only stopped after a news article exposed it.
Clawrie was designed around a principle: we should know as little about you as possible.
Here's what that means in practice:
This architecture means that if someone breached Clawrie's backend tomorrow, they'd find a rate-limiting database with anonymous device tokens and subscription status. No names. No emails. No food logs. No photos. No weight history. That data doesn't leave your phone.
There is a genuine trade-off to this approach. Without accounts, there's no cloud sync — if you lose your phone, your data is gone (unless you use iOS backup). Without analytics, we can't see which features people use most or where they get confused. Without a user database, we can't send you helpful emails or re-engage you when you stop using the app.
These are real costs. Every other app in this space makes the opposite choice, and there are legitimate business reasons for that.
We made this choice because diet data is personal in a way that most app data isn't. Your food diary is an intimate record of your daily life, your health, your body, and your habits. We don't think you should have to trust a startup to protect it. The simplest way to keep your data safe is to never collect it.
Sources: Surfshark weight control apps privacy analysis (2025). Privacy International: Noom re-testing (2023). MyFitnessPal breach via Have I Been Pwned. HIPAA Journal breach statistics (2024). IBM Security Cost of a Data Breach Report (2024). FTC v. Flo Health settlement (2021).