Cronometer's privacy policy, line by line
Better than MyFitnessPal, not without flags. We highlight the clauses worth reading.
Why bother reading the policy
Most privacy policies are boilerplate templated against an attorney’s “be defensible” prompt. Cronometer’s is shorter than most, more readable than most, and contains three clauses that materially affect what you should expect them to do with your nutrition data. We’ll walk through the whole thing but flag the three.
The policy is roughly 4,500 words. We’re going to summarise faithfully, not in full quotation. The canonical source is cronometer.com/privacy and you should read it yourself if you’re considering paying for Gold.
Last revised by Cronometer: late 2024. This walkthrough was originally drafted January 2025; minor revisions through that year.
What they collect
Account data, nutrition logs, body composition data, biometric markers (if you input them), connected-device data (Garmin / Fitbit / Oura, optionally), and standard telemetry (IP, device type, app version).
This is unsurprising. The interesting question is what they do with it.
Sharing
Cronometer’s stated practice (per the policy):
- Service providers for hosting, email, payment, analytics. Standard.
- Aggregated and anonymised research with academic partners.
- Legal compliance when required.
- Business transfers (the universal “if we get acquired” clause).
What they do not claim:
- They do not state they sell personal data.
- They do not claim a right to share identifiable data with advertisers.
- They do not claim a right to share with insurance providers (which MFP’s policy structurally permits via “partners”).
This puts them measurably ahead of MFP, Noom, and Lose It on stated commitments. Whether the implementation matches the policy is a separate question — we’ll get to that.
Three flags
Flag 1: “Aggregated and anonymised research”
The policy says aggregated, de-identified data may be shared with academic partners and used in research publications. This is a real thing — Cronometer does have published collaborations with university nutrition programs.
The flag is that “anonymised” is doing a lot of work. Nutrition logs are extremely high-dimensional and re-identification of an individual diary is plausible if you have enough auxiliary information. The k-anonymity guarantees behind their aggregation aren’t disclosed in the policy.
If you’re a public figure or someone with an unusual diet pattern, “aggregated and anonymised” is not a strong privacy guarantee.
Flag 2: Connected-device data flow
If you connect Garmin, Fitbit, or Oura, your activity data flows from those services into Cronometer. The policy correctly notes that the third-party service’s terms also apply.
The flag is that those terms are typically less restrictive than Cronometer’s. Fitbit (now Google) has a much broader data-use policy than Cronometer does. Connecting them imports their permissive posture into your Cronometer-stored profile.
Solution: don’t connect the wearables. Or use only one, with the most restrictive terms. We don’t connect any to Cronometer in our test accounts.
Flag 3: International transfers
Cronometer is a Canadian company. Hosting is primarily US-based (AWS). The policy notes international transfers under standard contractual clauses for EU users.
The flag is that the SCCs are doing the legal work but the practical risk of a US lawful-access request hitting the AWS instance is nonzero. EU users with strict-DPA needs should consider this. US and Canadian users have less legal exposure but the practical posture is the same.
What we observed in traffic
Live traffic capture, January 2025, 24-hour session, paid Gold account:
- api.cronometer.com (first-party, always)
- segment.io (analytics)
- google-analytics.com (page-level analytics)
- mixpanel.com (product analytics)
- intercom.io (support chat)
- braintree-api.com (payment)
- sentry.io (error reporting)
No observed traffic to ad networks. No Facebook pixels. No AppsFlyer / Adjust attribution.
This is significantly cleaner than MFP. Still not zero — Mixpanel’s session-level event capture is broad — but qualitatively different from MFP’s posture.
GDPR and access requests
We filed a data-subject access request in January 2025. Response in 7 days, complete machine-readable export of the diary, biometrics, and account metadata. Deletion request honoured at the end of the audit; we re-tested with a fresh account that was deleted on demand and the deletion was, as far as we can verify, real.
This is the operational test. They pass it.
Comparison to MFP and Noom
| Practice | Cronometer | MFP | Noom |
|---|---|---|---|
| States they don’t sell personal data | Yes | No | No |
| Behavioural ad sharing | No* | Yes | Yes |
| Sells aggregated data | No | Yes | Yes |
| Publishes academic research collabs | Yes | No | No |
| GDPR access portal works | Yes | Yes | Yes |
| GDPR delete actually deletes | Yes | Yes | Partial |
* Cronometer has no observed ad-network traffic and the policy disclaims behavioural ad sharing.
Does this make Cronometer “private”?
No. They still phone home, still hold your data, still do analytics. They do not, by stated policy or observed traffic, behave like MFP.
If you must pay for a closed-source nutrition tracker and you cannot self-host, Cronometer is the most defensible choice from a privacy posture standpoint. That’s a different sentence from “Cronometer is private,” and you should read it as such.
References
- Cronometer Privacy Policy: cronometer.com/privacy (read the live version; this piece is a snapshot)
- mitmproxy: mitmproxy.org
- GDPR rights walkthrough
- MyFitnessPal privacy audit