Noom and the third-party sharing fineprint
Noom's privacy policy permits broad behavioural-marketing data flows. We map who actually receives what.
The pitch and the reality
Noom markets itself as a behavioural-change app rather than a “calorie tracker.” That distinction does real work in the policy: the framing leans on “wellness coaching” rather than “nutrition logging,” which reads as if it earns slightly different treatment under HIPAA-adjacent regulation in the US. (HIPAA itself does not apply to consumer wellness apps in any case, so the framing is rhetorical rather than legal.)
The privacy posture, in practice, is the most aggressive of any major nutrition app we have audited. We’ll show what we observed.
Methodology
Standard methodology (see /methodology/). 24-hour session on a clean Pixel 7a, GrapheneOS, sandboxed Play Services, NextDNS + mitmproxy. Audit run April 11–13, 2025. Paid subscription so we could observe the full feature surface.
What the policy says
Close paraphrase of the relevant clauses (full policy at noom.com/privacy):
- Personal data is collected for service delivery, communications, analytics, and “marketing partnerships.”
- “We do not sell personal information for monetary consideration” — note the qualifier.
- Data is shared with “advertising partners” for “interest-based advertising.”
- Aggregated and de-identified data may be shared “without restriction.”
- Cross-context behavioural advertising opt-out is offered “where required by law.”
The qualifiers do all the work. “Don’t sell for monetary consideration” doesn’t preclude sharing for ad-targeting in non-cash exchanges. “Where required by law” means the opt-out is offered to residents of California, Virginia and other states with such a law; everyone else is opted in by default.
What we observed in traffic
| Destination | Category | Notes |
|---|---|---|
| api.noom.com | First-party API | Always |
| graph.facebook.com | Behavioural ads | Always; events with user pseudo-IDs |
| facebook.com (events API) | Behavioural ads | Always |
| amplitude.com | Product analytics | Always; weight, mood, food categories |
| google-analytics.com | Page analytics | Always |
| googleadservices.com | Ads + conversion | Always |
| firebase, crashlytics | Crash + push | Always |
| branch.io | Attribution | Always |
| api.appsflyer.com | Attribution | Always |
| api.adjust.com | Attribution | Always |
| segment.io | Analytics aggregator | Always |
| iterable.com | Marketing email/push | Always |
| Various DSPs | Programmatic ads | Always |
The pseudo-ID sent to Facebook’s events API is concerning. It’s a hashed identifier that, when combined with the user’s IP and device characteristics, is reasonably unique. The Facebook events API permits Noom to push behavioural events (“logged a meal,” “missed a streak day”) to Facebook’s ad infrastructure with that ID, and Facebook’s matching layer can join it to a Facebook user profile if that user is signed in to Facebook on the same device.
This is the standard “we don’t sell data, we just share events” pattern that has been the subject of years of EU regulatory action. Noom is not particularly worse than other players who do it; they just do it more aggressively.
What’s in the events
We observed the following event types crossing to third-party destinations:
- Account creation and login events
- Subscription events (purchase, renewal, cancellation, downgrade)
- Logged-meal events with macro categories (not full meal text, but “logged 600cal carb-heavy meal”)
- Weight-trend events (delta, not absolute)
- Streak/engagement events (“3-day streak achieved”)
- Lesson-completion events (Noom’s behaviour-coaching curriculum)
- Mood-questionnaire events (mood category, not free text)
That’s a granular behavioural profile. The framing in the policy (“interest-based advertising”) doesn’t really capture it.
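The destination table and the event list above are the two halves of the same audit question: which hosts receive which behavioural fields. The script below is an added illustration, not the audit tooling used for this write-up. It runs the classification over a constructed set of request flows (host, path, body) shaped like a mitmproxy export, maps each host to the category used in the table, and flags any non-first-party flow whose JSON body carries mood, weight or meal fields. Hostnames, paths and bodies in the sample are constructed for the example.

```python
import json

# Constructed sample flows modelled on the destination table above; not captured Noom traffic.
SAMPLE_FLOWS = [
    {"host": "api.noom.com", "path": "/v1/log",
     "body": '{"meal": {"kcal": 600, "profile": "carb-heavy"}, "weight_delta": -0.4}'},
    {"host": "graph.facebook.com", "path": "/v17.0/events",
     "body": '{"user_id_hash": "a1b2c3", "events": [{"name": "logged_meal", "mood": "low"}]}'},
    {"host": "api2.amplitude.com", "path": "/2/httpapi",
     "body": '{"events": [{"event_type": "streak_achieved", "event_properties": {"weight_delta": -0.4}}]}'},
    {"host": "firebase-settings.crashlytics.com", "path": "/spi/v2/platforms",
     "body": '{"app_version": "1.0"}'},
    {"host": "www.google-analytics.com", "path": "/collect", "body": "v=1&t=pageview&dp=%2Fhome"},
]

# Registrable-domain suffix -> category, mirroring the table's column.
CATEGORIES = {
    "noom.com": "First-party API", "facebook.com": "Behavioural ads",
    "amplitude.com": "Product analytics", "google-analytics.com": "Page analytics",
    "crashlytics.com": "Crash + push", "appsflyer.com": "Attribution",
}
# JSON keys that carry a health or behaviour signal (hypothetical key names).
SENSITIVE_KEYS = {"weight_delta", "mood", "meal", "kcal", "streak"}

def classify_host(host):
    """Map a hostname to its table category by matching the domain suffix."""
    for suffix, category in CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "Unclassified"

def sensitive_fields(payload, found=None):
    """Recursively collect sensitive keys anywhere in a decoded JSON body."""
    found = set() if found is None else found
    if isinstance(payload, dict):
        for key, value in payload.items():
            if key in SENSITIVE_KEYS:
                found.add(key)
            sensitive_fields(value, found)
    elif isinstance(payload, list):
        for item in payload:
            sensitive_fields(item, found)
    return found

def audit(flows):
    """One finding per third-party flow whose JSON body carries sensitive fields."""
    findings = []
    for flow in flows:
        category = classify_host(flow["host"])
        if category == "First-party API":
            continue  # first-party receipt is expected; the question is who else gets it
        try:
            payload = json.loads(flow["body"])
        except ValueError:
            continue  # form-encoded or binary bodies need a separate decoder
        fields = sensitive_fields(payload)
        if fields:
            findings.append({"host": flow["host"], "category": category, "fields": sorted(fields)})
    return findings
```

Running `audit(SAMPLE_FLOWS)` flags the Facebook and Amplitude flows and leaves the first-party and crash-reporting flows alone; pointing the same logic at a real export is how you turn a capture into the table above.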
Practical implications
If you use Noom and have a Facebook account on the same device:
- Facebook can plausibly link your Noom usage pattern to your Facebook profile.
- That linkage feeds Facebook’s own ad-targeting, including off-Facebook on the broader DSP graph.
- “Healthy eating” interest signals can be used by advertisers in fitness, supplements, weight-loss, and adjacent niches.
If your Facebook profile is also linked to your real name and employer:
- The fact of your Noom subscription is, to varying degrees, available to ad partners.
- Insurers don’t (publicly) buy this data, but the data brokers above the DSP layer do, and re-aggregation is a recurring concern.
Compared to MFP and Cronometer
Noom’s posture is materially worse than Cronometer’s. It is roughly comparable to MFP’s, with two differences:
- Noom’s events are slightly more granular (mood, lessons).
- Noom’s policy framing is less honest about what’s happening.
What to do
If you’re a Noom subscriber:
- File a CCPA “do not sell or share” request. It is worth it.
- Disable Facebook on the same device, or use Facebook only in a separate work profile.
- Cancel the subscription on a payment method you can verify is no longer being charged.
- File a GDPR/CCPA deletion request after cancellation. We have done this twice; both succeeded but slowly.
If you’re considering Noom:
- Don’t.
If you specifically want behavioural-coaching content separate from a tracker:
- Books work for this. Atomic Habits etc. are not novel insights but they’re not telemetry either.
References
- Noom privacy policy: noom.com/privacy (read the live version)
- Reporting on consumer-app data flows: see the work of the Norwegian Consumer Council (Forbrukerrådet) and the NOYB / European Center for Digital Rights.
- Methodology
- Cronometer policy walkthrough
- MyFitnessPal audit