Apps with the Worst Privacy Grades
10 companies analysed · Sorted by privacy score
This list pulls the bottom ten overall scores across our entire corpus—companies whose policies, taken together, show the heaviest collection, the fuzziest sharing, the weakest user leverage, or the least specific commitments on retention and AI training. Being here does not always mean “malicious”; often it reflects an advertising or data-resale core business that makes broad processing structurally necessary. Use the table as a shortcut to the worst offenders, then open each report for category-level nuance—sometimes a service is mediocre overall but egregious on biometrics or minors. Scores are comparable because every entry is graded with the same four-pillar framework; see the About page for formulas and worked examples. We update entries when policies materially change.
| # | Company | Grade | Score | In plain English | |
|---|---|---|---|---|---|
| 1 | | F | 18/100 | TikTok collects your biometrics, keystroke patterns, and even content you record but never post — then shares data with ByteDance affiliates, advertisers, and researchers. You have limited control and no meaningful way to stop collection while using the app. | → |
| 2 | | F | 22/100 | Meta collects almost everything about you across Instagram, Facebook, WhatsApp, and Threads, shares it with advertisers, and keeps it indefinitely — including your AI chat conversations which now fuel ad targeting. | → |
| 3 | | F | 24/100 | X collects everything you do on and off the platform, infers your identity even when you're signed out, and explicitly allows third-party 'collaborators' to use your data to train their own AI models. There is no meaningful way to stop the core collection, your public posts are available via API for mass scraping, and security is disclosed only in the vaguest terms. | → |
| 4 | | D | 26/100 | Google tracks almost everything you do online — every search, email, location, video, and website visit — across all their products and millions of third-party sites, then uses it to sell ads. They do give you unusually good tools to review and delete your data, but the defaults collect everything. | → |
| 5 | | D | 32/100 | Meta collects almost everything: what you post, what you look at and for how long, device and location data, and data from other people and advertisers. They infer sensitive traits and use Meta AI conversations for ad targeting. Data is shared across all Meta products and with advertisers. You can adjust ad preferences and download your data, but you can't stop collection itself. | → |
| 6 | | D | 35/100 | WhatsApp's end-to-end encryption genuinely protects your message content, but everything around it — who you talk to, when, how often, your contacts, your device — flows to Meta and is used to build ad profiles across Facebook and Instagram. You can't opt out of the Meta data sharing and still use the app. | → |
| 7 | | D | 36/100 | Uber tracks everywhere you go, records your calls, photographs your face, and buys demographic profiles from data brokers — then feeds all of it into a vast advertising machine that includes Meta and TikTok. You can limit some collection but you can't use the service without surrendering your location and trip history for up to seven years. | → |
| 8 | | D | 38/100 | LinkedIn builds a remarkably detailed professional and personal profile from everything you do on and off the platform — including inferred age, gender, salary, and seniority — then shares it with Microsoft, advertisers, and third-party partners. Your data persists even after account closure, your public activity is fed into Microsoft's broader ad ecosystem, and there is no way to opt out of non-personalised ads. | → |
| 9 | | D | 38/100 | Samsung Australia collects an unusually wide sweep of data for a hardware company — IMEI numbers, MAC addresses, GPS location, voice commands sent to third-party servers, health metrics from Galaxy devices, contacts lists, browsing behaviour, and financial details. Data is shared with affiliates, business partners (including wireless carriers who can independently use it for promotions), and service providers, and is transferred to up to 16 countries including South Korea, China, and India. The policy acknowledges those countries may have weaker privacy protections than Australia, and users effectively waive the right to demand overseas recipients comply with Australian law just by using the services. Some controls are decent — a resettable Advertising ID, a 30-day access response window, and Samsung Pay that doesn't log transaction details — but retention periods are entirely vague, no security certifications are named, and there is no breach notification commitment. | → |
| 10 | | D | 40/100 | Amazon builds a detailed picture of everything you buy, watch, say to Alexa, and do in their physical stores — then uses it to sell you ads. They don't sell your data to others and have real security certifications, but the sheer breadth of collection across shopping, voice, surveillance cameras, and credit history is hard to escape if you use their services. | → |