Caveat tracker: user beware. Even a free wellness app can cost you a lot.

“Free” doesn’t mean no strings attached. You may be paying for the app with your data because, for some services, every meal or weigh-in you track could be shared with the people who administer your health care plan or with your employer.

I work for a responsible private employer, have quality health care, and pay attention when I sign up for things.

Regardless, I had to do my own research to learn Noom could hand over everything I do with the service to my health plan or my employer.

Thankfully, we have options to claw back control of our health information.

Read on to learn why you should care, how to figure out if your data is at risk, and what to do to protect it.

Why You Should Care

I started using Noom a couple weeks ago. I hoped it could help me manage my weight and be mindful about what I eat.

The app is easy and fun to use. It provides positive reinforcement and simple lessons about eating more of the right foods.

After logging an Old Fashioned cocktail, I wondered how private that data point might be. Turns out, not very.

Noom’s Employer and Partnership Program (B2B) Privacy Policy states, “We may provide your health plan or employer any and all information pertaining to you and your use of Noom’s products and services in relation to this program.”

I sincerely believe I received access to Noom because, if I mindfully manage my weight and health, I may cost my employer less in health care expense. That’s simply common sense.

I also believe everything I eat or drink or how much I weigh each day should not be available to an employer or my health care plan. It’s creepy, and Noom should have disclosed it before I created an account.

It was not. I had to figure this out on my own.

Is Your Data Protected?

There’s two main ways for you to figure out if the health app you’re using is disclosing information you share with it: search online or use artificial intelligence (AI).

I strongly recommend you use AI for this. While Google may be useful, unless you’ve opted out – and I strongly urge you to do so today – everything you do on the platform will be used to track and profile you across the internet.

While AI requires security safeguards of its own – a post for another day – the ability to drill into a subject and ask extensive follow-up questions is a powerful way to gain understanding. Depending on which tool you use, it can search available resources far better than you or I can, will link concepts and threads effortlessly, and can suggest next steps or ways to continue researching.

I used AI to do most of the research for this post, all of which I checked out and challenged. It is my always-on digital assistant, and worth every penny of the $20 monthly subscription.

It even created this table which shows Noom is not the only service which let user data flow:

App / service	Wording that opens the door	Level of detail the sponsor can get	Your levers
Omada Health (diabetes, weight, MSK)	“We may share, transfer, or otherwise disclose Personal Information and PHI to the companies paying for your participation, including their agents and third-party administrators.” (~omadahealth.com~)	Identifiable PHI if the plan is paying; otherwise aggregate.	HIPAA rights apply (request restrictions ⁄ account deletion); Omada offers an in-app data-export & deletion request.
Virgin Pulse / Personify Health (formerly Virgin Pulse)	“In specific circumstances… we may share reports containing identifiable information with your Program Sponsor.” (~international.virginpulse.com~)	Mostly anonymised roll-ups; identifiable only for “proper program administration or tax compliance.”	In-app Data Requests tool lets you opt-out of any “sale,” download your data, or delete your account.
Fitbit Health Solutions (Google)	“You can direct us to share data with your employer as part of a wellness program.” (~canarywww.fitbit.com~)	Whatever you toggle on—steps, heart-rate, weight, etc.—can sync to the employer dashboard.	Don’t connect through the corporate portal, or revoke the “Employer” link under My Applications in settings.
Livongo / Teladoc (diabetes & hypertension)	HIPAA notice says PHI may be shared “with the companies paying for your participation, including … your employer’s health plan.” (~content.teladochealth.com~)	Identifiable clinical readings (glucose, BP) for treatment / payment / operations; employers usually see only aggregates.	HIPAA revocation letter or close the account; losing the subsidy ends the program.
WeightWatchers for Business (WW Health Solutions)	CHD statement: “If our Service is offered through your employer, we may collect info from your employer … and we share each category of health data with affiliates & service providers.” (~weightwatchers.com~)	WW says employer dashboards show aggregate trends; policy still lets them share health data with “other third parties.”	Email ~privacy@ww.com~ to opt-out of any “collection, sharing or sale” of consumer health data (WA & NV have 1-click forms).

What Do We Do Now?

I’ve emailed Noom to ask to opt out of sharing my data with my health plan or employer.

Because I live in Pennsylvania, I can’t use this form to opt out. Unfortunately, the Keystone State has no comprehensive privacy law.

If I can’t opt out through Noom, the next step will be to determine if the service is offered as part of my employer’s formal group healthcare plan or outside it. If it’s in the plan, HIPAA protections should protect my information.

Until I figure out if I can opt out through Noom or if HIPAA applies, I’m benching the app. I disconnected Apple Health permissions and will not use Noom until my questions are answered.

I’ll update this post as soon as possible.

How I Can Help You

Please let me know if you have questions about protecting your data, or if you want help getting started with AI or tailoring it to your specific use cases.

Help is an email or an instant message away.