How to Tell If a Health App Is Selling Your Data (Without Reading a 40-Page Privacy Policy)
You don't need a law degree to figure this out, but you do need to look in the right three places: the Play Store's Data Safety section, the permissions the app asks for on install, and one specific sentence in the privacy policy about "third parties."
Start with the Data Safety section
Every app on Google Play is required to disclose what it collects in a "Data safety" section on its store listing. Two phrases matter most:
"No data shared with third parties" means the developer has declared they don't pass your information to outside companies. This is a self-declared statement, not an independent audit, but a missing or vague answer here is itself a warning sign.
"No data collected" is a stronger claim than "not shared." An app can collect plenty of data and simply not share it with anyone else, which still means that data exists on a server somewhere, subject to whatever happens to that server.
If an app's marketing says "privacy-first" but its own Data Safety section lists location, contacts, or health data under "Collected" and "Shared," believe the disclosure, not the marketing copy.
Check what it asks permission for on install
A fasting timer does not need your contacts. A step counter does not need your microphone. If the permission requests don't map to anything the app visibly does, that's usually because the data is being used for something other than the feature you downloaded it for, most often advertising.
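As an added example (not from the original article or from any app's own code), this Python check lists the sensitive permissions an APK requests and flags the ones its visible feature does not explain. The sample input is constructed in the style of `aapt dump permissions` output; the package name and the EXPECTED table of what each kind of app needs are assumptions.

```python
import re

# Constructed sample in the style of `aapt dump permissions <apk>` output
# for a hypothetical fasting-timer app (not a real package).
SAMPLE = """\
package: com.example.fastingtimer
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.POST_NOTIFICATIONS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='com.google.android.gms.permission.AD_ID'
"""

# Permissions that expose personal data, mapped to what they reveal.
SENSITIVE = {
    "READ_CONTACTS": "contacts",
    "ACCESS_FINE_LOCATION": "precise location",
    "ACCESS_COARSE_LOCATION": "approximate location",
    "RECORD_AUDIO": "microphone",
    "CAMERA": "camera",
    "ACTIVITY_RECOGNITION": "physical activity",
    "BODY_SENSORS": "body sensors",
    "AD_ID": "advertising ID",
}

# Assumption: sensitive permissions each kind of app plausibly needs
# for the feature the user can actually see.
EXPECTED = {
    "fasting_timer": set(),
    "step_counter": {"ACTIVITY_RECOGNITION", "BODY_SENSORS"},
}

def requested_permissions(dump):
    """Return short permission names (the text after the last dot)."""
    names = re.findall(r"uses-permission(?:-sdk-\d+)?: name='([^']+)'", dump)
    return {n.rsplit(".", 1)[-1] for n in names}

def unexplained(dump, app_kind):
    """Sensitive permissions requested that the app's feature does not explain."""
    extra = (requested_permissions(dump) & set(SENSITIVE)) - EXPECTED[app_kind]
    return {p: SENSITIVE[p] for p in sorted(extra)}

if __name__ == "__main__":
    for perm, reveals in unexplained(SAMPLE, "fasting_timer").items():
        print(f"{perm}: exposes {reveals}, no matching feature")
```

A flagged permission is a prompt to look at the app's Data Safety section and privacy policy for that data type, not proof of misuse on its own.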
Look for the phrase "third parties" or "partners" in the privacy policy
Search the privacy policy (use your browser's find function) for "third party," "partners," or "advertising." Health and fitness apps sharing data with ad networks and analytics companies is not a rare edge case. The Norwegian Consumer Council's "Out of Control" investigation documented exactly this pattern across multiple apps, including a period-tracking app sharing GPS location with ad-tech firms, which led to a roughly €6.3 million GDPR fine against one of the apps named in the investigation (Forbes, noyb.eu).
That case wasn't a fasting app, but the underlying mechanism, a health-adjacent app feeding a data-driven ad business, is exactly what this checklist is built to catch, regardless of which country you're in or which app you're checking.
Does it work in airplane mode?
This is the fastest test of all. Turn on airplane mode and try to use the app's core feature. If it stops working, your data is going somewhere when it's connected. If it keeps working, there was nowhere for that data to go in the first place.
Where this leaves FasTrack
FasTrack's own Data Safety disclosure reads "No data collected" and "No data shared with third parties," and it passes the airplane mode test, because the entire app runs offline. There's no server-side version of your fasting history to leak, sell, or subpoena, because there's no server involved at all.