How France’s most popular banking and health apps harvest your personal data

Banking and health apps have become part of daily life. We use them to manage our finances, monitor our bodies, schedule care, and track our habits — often multiple times a day. But the same apps we trust with our money and wellbeing may also be harvesting a remarkable breadth of personal data in the background.

An analysis of leading apps in France reveals that many collect information ranging from precise location and user content to sensitive data, purchase activity, and search history. The question is no longer whether these apps are collecting data — it’s how much, why, and at what cost to user privacy.

Key insights

• An analysis of four top banking apps and four most popular health and fitness apps in France reveals that collected data spans user content, purchases, search history, location, sensitive information, and other data. On average, banking apps collect 13 different data types, while health and fitness apps collect 15 out of the 35 data types listed in the Apple App Store. For example, user photos or videos are collected by all analyzed health and fitness apps and two banking apps (Fortuneo Banque & Bourse and Mes Comptes BNP Paribas). These same two banking apps also collect emails or text messages. Precise location is collected by all banking apps except BoursoBank, as well as two health and fitness apps, Doctolib and Strava. Additionally, Strava collects purchase and search histories, while Mon espace santé handles sensitive information. This represents only a part of the overall data collected.
• In the banking category, an analysis of four apps reveals that Mes Comptes BNP Paribas captures the most user data, collecting 19. By comparison, Ma Banque collects the fewest with 5 data types — meaning Mes Comptes BNP Paribas may collect nearly four times as much data. When looking at data collected that may be linked to user identity, Fortuneo Banque & Bourse tops the list with 16 data types collected, while BoursoBank sits at the bottom, collecting no data that may be linked to user identity. However, just because an app doesn’t collect such data, it doesn't mean it isn't tracking users or sharing data with data brokers. Two apps, BoursoBank and Fortuneo Banque & Bourse, explicitly state that they use some data types for such purposes.
• In the health and fitness category, where the four most popular apps were analyzed, Strava tops the list by collecting 21 data types, while Mon espace santé ranks at the bottom, collecting half that amount — 11. The same pattern holds when looking only at data types that may be linked to user identity: Strava tops the list with 20 data types, and Mon espace santé sits at the bottom with 5. However, only Strava states that it collects some data for user tracking and may share it with data brokers.
• The purposes of data collection often extend beyond app functionality. Among the analyzed banking apps, BoursoBank is the only one that exploits some collected data for third-party advertising. It also leverages user data across the widest range of objectives, including product personalization, analytics, and other purposes. For example, BoursoBank requires 3 of its 8 collected data types for actual app functionality. By comparison, Mes Comptes BNP Paribas uses all 19 of its collected types for functionality, whereas Fortuneo Banque & Bourse requires 15 out of 18, and Ma Banque utilizes 4 out of 5. While every analyzed app leverages some portion of collected data for analytics, only Mes Comptes BNP Paribas and BoursoBank also use it for product personalization.
• A similar trend emerges in the health and fitness category. Strava stands alone as the only app that leverages collected data for third-party advertising. The platform also utilizes user data across the broadest spectrum of purposes, including its own marketing and advertising, product personalization, analytics, and other uses. For example, Strava requires 15 of its 21 collected data types for actual app functionality. By comparison, Doctolib - Compagnon de santé uses 10 out of 15 collected types for functionality, whereas Basic-Fit requires 9 out of 12, and Mon espace santé utilizes 7 out of 11. Although every analyzed app leverages some portion of collected data for analytics, only Basic-Fit and Strava use it for their own marketing and advertising purposes as well.

Methodology and sources

This study investigates the data collection practices of iOS apps handling highly sensitive personal information, specifically focusing on banking and health categories. For the banking category, the sample includes two apps of the largest traditional banks¹ in France, Mes Comptes BNP Paribas and Ma Banque, alongside two apps of the most prominent digital banks², BoursoBank and Fortuneo Banque & Bourse. For the health category, the apps were selected based on download numbers from AppMagic.³ The selection criteria filtered for the Health & Fitness tag, the iOS App Store, the geography of France, and the 2025 calendar year. The top four apps meeting these criteria were Doctolib, Mon espace santé, Strava, and Basic-Fit.

To evaluate selected apps, their data collection practices were analyzed using information sourced from the Apple App Store on May 20, 2026. The scope of this assessment targeted the total volume of data types collected, the defined purposes for processing that data, and whether user tracking practices were utilized.

Data was collected from:

References: