Device & Wearable Privacy Grades
6 companies analysed · Sorted by privacy score
Phones, watches, and rings generate continuous sensor streams—movement, heart rate, sleep stages, menstrual health, SpO₂, GPS fixes, and ambient audio triggers—that are far stickier than ordinary app analytics. Ecosystem vendors differ sharply on whether health metrics stay on-device, sync end-to-end, or feed cloud ML for “insights,” and on how they license data to insurers, employers, or researchers. OS-level vendors also set the rules third-party apps must follow, so their defaults for permissions, tracking, and backups ripple across the market. Buyers should compare not only encryption claims but also data export, adolescent accounts, law-enforcement wording, and cross-device advertising. Each grade is derived from the published privacy policy using the same methodology described on the About page.
| # | Company | Grade | Score | In plain English |
|---|---|---|---|---|
| 1 | Apple | B+ | 78/100 | Apple collects significantly less data than other big tech companies and explicitly commits — using both Nevada and California legal definitions — to never selling or sharing your data for advertising. Their own ad platform doesn't use data brokers or cross-app tracking. Private personal data isn't used to train Apple's AI models. The main caveats are health, fitness, and financial data collection, government ID in some cases, and personalised ads that exist but are easy to turn off. |
| 2 | Oura | B | 73/100 | Oura collects a lot of sensitive health data to run the service, but they don't sell it, give you real control over it, and are clearer than most about what they do with it. |
| 3 | Garmin | B | 71/100 | Garmin collects a lot of health and location data to run the service, doesn't sell it or share it with advertisers, and gives you good control over it — but the policy is dense, retention is vague, and aggregate data sharing with third parties isn't fully explained. |
| 4 | Fairphone | B- | 68/100 | Fairphone doesn't sell your data and has a genuinely ethical mission, but it runs retargeting ads, sends your full IP address to Bloomreach for segmentation, keeps contract data for a minimum of seven years, defaults to anonymisation rather than deletion when you ask for your data to be removed, and forum posts older than 60 days can never be fully deleted. |
| 5 | Microsoft | C- | 44/100 | Microsoft's privacy statement covers an enormous product surface — Windows, Office, Azure, Bing, Xbox, and Copilot — and the data practices vary dramatically across them. The umbrella policy is deliberately vague, deferring almost all specifics to product-level documentation. Cross-product data combination, AI model training on your content, and employer/school access to your files and communications are the key risks most consumers don't realise they're accepting. |
| 6 | Samsung Australia | D | 38/100 | Samsung Australia collects an unusually wide sweep of data for a hardware company — IMEI numbers, MAC addresses, GPS location, voice commands sent to third-party servers, health metrics from Galaxy devices, contacts lists, browsing behaviour, and financial details. Data is shared with affiliates, business partners (including wireless carriers who can independently use it for promotions), and service providers, and is transferred to up to 16 countries including South Korea, China, and India. The policy acknowledges those countries may have weaker privacy protections than Australia, and users effectively waive the right to demand overseas recipients comply with Australian law just by using the services. Some controls are decent — a resettable Advertising ID, a 30-day access response window, and Samsung Pay that doesn't log transaction details — but retention periods are entirely vague, no security certifications are named, and there is no breach notification commitment. |