MyFitnessPal privacy audit, 2024–2026
What changed when Under Armour sold to Francisco Partners, and what didn't change but still matters.
Why this exists
MyFitnessPal is the largest calorie-tracking app in the world. Its data posture is the de facto industry baseline. Tracking what changes there matters even if you don’t use the app, because everyone else (Lose It, MacroFactor, Cronometer’s free tier) is implicitly benchmarked against it.
This piece tracks what we observed across the 2024–2026 ownership transition. Under Armour announced the sale to Francisco Partners in late 2020; the deal closed and the rebrand and policy changes propagated through 2024. We have audited the app five times: October 2024, January 2025, June 2025, January 2026, and a partial re-audit in March 2026 after the most recent privacy-policy revision.
Methodology: a clean Pixel 7a on GrapheneOS with sandboxed Play Services, a NextDNS profile capturing all DNS, and mitmproxy with the system CA installed and the app’s certificate pinning bypassed via Frida. One 24-hour app session per audit, following normal-use behaviour patterns. We do not publish full payload captures. We publish observed third-party destinations and observed payload categories.
Outbound destinations
Aggregated from all five audits. “Always” = present in every audit. “Sometimes” = present in 1–4 audits, but not all of them. A dated status (“Until mid-2025”) marks the point at which the destination stopped appearing.
| Destination | Category | Status |
|---|---|---|
| api.myfitnesspal.com | First-party API | Always |
| graph.facebook.com | Auth + analytics | Always |
| googleapis.com (firebase) | Push + analytics | Always |
| google-analytics.com | Page analytics | Always |
| crashlytics.com | Crash reporting | Always |
| branch.io | Attribution | Always |
| onesignal.com | Push notifications | Always |
| amplitude.com | Product analytics | Always |
| api.mixpanel.com | Product analytics | Until mid-2025 |
| facebook.com (events) | Behavioural ads | Always |
| api.appsflyer.com | Attribution | Always |
| app.adjust.com | Attribution | Always |
| iterable.com | Marketing email/push | Sometimes |
| segment.io | Analytics aggregator | Sometimes |
| Various ad-network DSPs | Behavioural ads | Always |
The list grew slightly between October 2024 and January 2026 (Iterable and Segment came and went; AppsFlyer and Adjust both stayed). The overall pattern is roughly the same as it has been since 2022.
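As an added example (not part of the audit’s own tooling), here is how the Always / Sometimes / Until statuses in the table above can be derived mechanically from per-audit DNS exports instead of by hand. It assumes NextDNS-style CSV exports with timestamp, device and domain columns (the three exports below are constructed, not captured), and a hypothetical watch-list mapping base domains to the table’s categories. Hosts that match no watch-list entry are surfaced separately so that a new destination is triaged rather than silently dropped.

```python
"""Aggregate per-audit DNS exports into the Always / Sometimes / Until status table.

Added example; not part of the original audit tooling. Assumes each audit export
has "timestamp,device,domain" columns (constructed sample data below).
"""
from __future__ import annotations

import csv
from collections import defaultdict
from io import StringIO

# Hypothetical watch-list: base domains the audit classifies -> category label.
CATEGORIES = {
    "myfitnesspal.com": "First-party API",
    "facebook.com": "Auth + analytics",
    "googleapis.com": "Push + analytics",
    "mixpanel.com": "Product analytics",
    "amplitude.com": "Product analytics",
    "appsflyer.com": "Attribution",
    "iterable.com": "Marketing email/push",
    "segment.io": "Analytics aggregator",
}

# Constructed sample exports for three audits; labels sort chronologically.
SAMPLE_AUDITS = {
    "2024-10": """timestamp,device,domain
2024-10-05T09:01:02Z,pixel7a,api.myfitnesspal.com
2024-10-05T09:01:03Z,pixel7a,graph.facebook.com
2024-10-05T09:01:04Z,pixel7a,api.mixpanel.com
2024-10-05T09:01:05Z,pixel7a,api2.amplitude.com
2024-10-05T09:02:00Z,pixel7a,time.android.com
""",
    "2025-01": """timestamp,device,domain
2025-01-12T10:00:00Z,pixel7a,api.myfitnesspal.com
2025-01-12T10:00:01Z,pixel7a,graph.facebook.com
2025-01-12T10:00:02Z,pixel7a,api.mixpanel.com
2025-01-12T10:00:03Z,pixel7a,api2.amplitude.com
2025-01-12T10:00:04Z,pixel7a,api.iterable.com
""",
    "2025-06": """timestamp,device,domain
2025-06-22T11:00:00Z,pixel7a,api.myfitnesspal.com
2025-06-22T11:00:01Z,pixel7a,graph.facebook.com
2025-06-22T11:00:02Z,pixel7a,api2.amplitude.com
2025-06-22T11:00:03Z,pixel7a,fcm.googleapis.com
""",
}


def base_domain(host: str, watch: dict[str, str]) -> str | None:
    """Return the watch-list base domain that `host` equals or is a subdomain of."""
    host = host.rstrip(".").lower()
    for base in watch:
        if host == base or host.endswith("." + base):
            return base
    return None


def observed_domains(export_text: str, watch: dict[str, str]) -> set[str]:
    """Parse one audit export and return the watch-list base domains it contains."""
    seen: set[str] = set()
    for row in csv.DictReader(StringIO(export_text)):
        base = base_domain(row["domain"], watch)
        if base is not None:
            seen.add(base)
    return seen


def status_table(audits: dict[str, str], watch: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Map each watch-list domain seen in any audit to (category, status).

    "Always": present in every audit. "Until <label>": present in every audit
    up to some point, then absent from all later ones (label = first absent
    audit). Anything else that appeared at least once is "Sometimes".
    """
    labels = sorted(audits)  # chronological, given YYYY-MM labels
    presence: dict[str, list[bool]] = defaultdict(list)
    for label in labels:
        seen = observed_domains(audits[label], watch)
        for base in watch:
            presence[base].append(base in seen)

    table: dict[str, tuple[str, str]] = {}
    for base, flags in presence.items():
        if not any(flags):
            continue  # never observed: not a row in the table
        if all(flags):
            status = "Always"
        else:
            last_seen = max(i for i, f in enumerate(flags) if f)
            contiguous_prefix = all(flags[: last_seen + 1])
            if contiguous_prefix and last_seen + 1 < len(flags):
                status = f"Until {labels[last_seen + 1]}"
            else:
                status = "Sometimes"
        table[base] = (watch[base], status)
    return table


def unclassified(audits: dict[str, str], watch: dict[str, str]) -> set[str]:
    """Hosts seen in any audit that match no watch-list entry: candidates to triage."""
    hosts: set[str] = set()
    for export_text in audits.values():
        for row in csv.DictReader(StringIO(export_text)):
            host = row["domain"].rstrip(".").lower()
            if base_domain(host, watch) is None:
                hosts.add(host)
    return hosts


if __name__ == "__main__":
    print("| Destination | Category | Status |")
    print("|---|---|---|")
    for base, (category, status) in sorted(status_table(SAMPLE_AUDITS, CATEGORIES).items()):
        print(f"| {base} | {category} | {status} |")
    print("Unclassified hosts to review:", sorted(unclassified(SAMPLE_AUDITS, CATEGORIES)))
```

Running the script prints the table in the same layout as above; on the constructed data Mixpanel comes out as “Until 2025-06”, Iterable as “Sometimes”, and `time.android.com` is flagged for review. Matching on base domain rather than exact host is deliberate: attribution and analytics SDKs rotate subdomains between releases, and an exact-host match would report a stable destination as having “come and gone”.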
What’s new since Francisco Partners
The acquisition closed in late 2020 / 2021, taking Under Armour out of the consumer-app business; the post-acquisition policy revisions landed in tranches through 2024 and 2025. The substantive changes we have actually observed:
- Barcode scanner paywalled (mid-2024). The free tier still has barcode lookup but with rate limits and a daily cap that effectively forces Premium for any real use.
- Marketing-data sharing language broadened (privacy policy revision, July 2024). The pre-existing language already permitted sharing with “service providers and partners”; the revision added clearer affirmative language about behaviour-targeting partners. Practical impact on outbound traffic: hard to attribute. The destinations were already there.
- Onboarding ad-personalisation toggle moved (January 2025). The opt-out now requires three taps and is on a screen most users won’t see.
- Offline cache changes (April 2025). Logged foods cached for offline use now expire after 14 days unless you have Premium. Subtle but meaningful: tracking continuity is now a paid feature.
- GDPR access portal got slower (anecdotal, 2025–2026). Our data-subject access requests went from ~5 days in 2024 to ~17 days in late 2025. Within the 30-day legal window, but worse.
What’s the same and was always bad
- Behavioural-ad sharing was already broad before the sale. The Cambridge Analytica era should have warned everyone, but the press has never caught up with MFP specifically.
- The 2018 breach (150M accounts) is still relevant to current users: it left a long trail of password reuse.
- The privacy policy permits cross-application sharing with Under Armour’s other subsidiaries, even after the sale, until the EOL agreements expire.
- Behavioural targeting is enabled by default in the US; you have to opt out.
What MFP gets right
Credit where due:
- HTTPS on all observed traffic; no plaintext leaks since our 2023 audit.
- The breach-notification posture in 2018 was quick.
- The GDPR access portal exists and works (slowly, but works).
- They have, when pressed, complied with deletion requests we have actually filed.
This is a low bar and they clear it.
Practical advice
If you use MyFitnessPal:
- Turn off ad-personalisation. It’s three taps deep but it’s there.
- Consider a separate email for the account.
- File a GDPR/CCPA access request once a year. See GDPR rights for nutrition apps.
- Don’t use the Facebook login.
If you’re considering switching:
- See our comparisons section for FOSS alternatives.
- See why I left MyFitnessPal for one editor’s experience.
Corrections and updates
This is the second public revision of this audit. Original posted October 5, 2024. Updated:
- January 12, 2025: Added January 2025 audit findings (paywall changes).
- June 22, 2025: Added June 2025 audit (Mixpanel removed, Iterable added intermittently).
- February 8, 2026: Added January 2026 audit and March 2026 partial re-audit.
Errors in this piece should be sent to editor@selfhostednutrition.org.
References
- MFP privacy policy as it existed at audit dates: archived in Wayback at the relevant timestamps.
- Reporting on the Francisco Partners deal: see 9to5Mac and The Verge coverage from late 2020 through 2024.
- mitmproxy: mitmproxy.org
- Frida: frida.re