Meet Your New Privacy Assistant. It’s A Prompt Away From Protecting Your Data.

Published by Dan on


Because I found out a wellness app came with unacceptable data privacy gaps, I set out to make it easier for everyone to understand the risks and protect their data.

In an earlier post, I described how I learned that all the information I shared with Noom – the meals I ate, what I drank, my daily weigh-in results, etc. – could be shared with my employer or my health care plan.

And then I made a Custom GPT you can use to help safeguard your personal privacy. Anyone with a ChatGPT account, free or paid, can use my Personal Privacy Assistant to protect themselves and their data.

What I Did With Noom

Having just started using Noom, I wanted to understand how it could use my data. In the platform’s Employer and Partnership Program (B2B) Privacy Policy, I found the unpleasant truth: everything I entered into the app could be shared far and wide.

Because I do not live in a state like California with its comprehensive data privacy legislation, I could not opt out. So, what to do?

I started with the email to Noom customer service:

I am a Noom-for-Work participant. I hereby opt-out of the ‘sale’ or ‘sharing’ of my personal information and limit the use/disclosure of my sensitive personal information, including any disclosure to my employer or health plan.

My work email address is….

Please confirm if that request can be acted upon.

This response landed a day later:

…Given the regional constraints, we may not be able to honor the request to opt out of data sharing due to local privacy regulations. If the limitations around data sharing are a significant concern, the alternative would be to cancel the Noom subscription….

Yes, since I sent the original email, the data sharing limitations are indeed a significant concern.

Before cancelling, though, I did check with Human Resources. As expected, Noom does not fall under my core healthcare plan.

I shared my perspective about data privacy, recommended they consider it in the future, thanked them for the response, and told them I’d no longer use Noom.

Finally, I had Noom customer service confirm my data had been deleted, then deleted the app.

What I Didn’t Do

I did not storm into HR. I asked a question in a professional manner, listened to the response, and then made the best decision for me given the facts.

And while I did write two blog posts about this, I did not rant about it on social media. There’s nothing less effective than anger and bile spewed in public.

Considering what’s at stake, there’s no time for grandstanding or saber rattling.

Why You Should Care

There are three reasons why I care so much about safeguarding my digital privacy. Here’s how they intersect with my objection to Noom’s policy:

  1. Sharing personal information can have, and has had, massive unintended consequences. People who used 23andMe unexpectedly learned about unknown relatives. When a user spat into a plastic vial, they had no clue they might be blowing the lid off generations of family secrets.
  2. Once I share my data, I lose control over how it may be used and by whom. While I trust my employer, if I choose to enter data into Noom or a similar app, I effectively surrender my ability to control how it may be used. The only time you ever truly control your data is before you share it.
  3. We can get a sense of a company’s intent by watching what it does in addition to reading its terms of service. Noom “shares” user data with some of the largest online advertisers.

That’s not a platform I wish to enrich with any of my private information.

Knowledge Is Power

Privacy policies are written by lawyers to protect the rights of companies and their stakeholders. They’re filled with difficult-to-understand terminology and jargon.

To help you crack that code, and to arm you with a personal privacy guide you can use any time you want, I built a Privacy Policy Assistant Custom GPT with the help of ChatGPT. I designed it to make it easy to find out what, if any, privacy risks exist with an online service, how you might think about them, and what steps you could take to deal with the risks if you choose.

As I described in an earlier post, a Custom GPT “allows you to define how the assistant behaves, what it knows, and what tone or personality it uses when interacting.” It contains instructions for what to ask, how to think about the information it receives, and then what to return to a user.

To test it, I chatted with it about Facebook. It couldn’t directly access Meta’s privacy policy, but a quick online search got me to a print-friendly page. I generated a 94-page PDF, uploaded it, and received a full report which included this overall recommendation:

If targeted ads and extensive data sharing don’t bother you, Facebook’s controls (Privacy Checkup, Off-Facebook Activity, Ad Preferences, Account Deletion) give reasonable self-service options. But if you prefer minimal tracking, you’ll need to actively prune data, review settings regularly, and accept that some records can still be stored or shared.
My take: For privacy-conscious users, consider tightening every setting, turning off “Off-Facebook Activity,” and periodically downloading & deleting past posts. If that still feels too invasive, you might rethink using the platform altogether.

Had I not been aware of those settings, the GPT would have been able to hold my hand through changing the Meta settings I cared to update. Using this GPT, a user can uncover data security gaps and then proactively protect themselves in a few minutes.

This is uncharted territory for me. I haven’t spent hours debugging the GPT, so I’m a bit nervous about posting this.

Regardless, I am excited to share the Privacy Policy Assistant with you and eager to hear your feedback.
