Garmin says they do not share your data with third parties unless you ask them to. But the Garmin Connect app has Facebook tracking code built in that automatically sends information about your app usage to Facebook. You never asked for your fitness app activity to be reported to Facebook. Garmin collects some of the most intimate data possible — your heart rate every second, your sleep patterns, your stress levels, even your menstrual cycle. But security researchers found 13 serious vulnerabilities in Garmin software that would let attackers steal all of this data. Some of these flaws use programming techniques that Microsoft banned over 10 years ago because they are so dangerous. A malicious app from the Garmin app store could access everything your watch knows about your body.
What they claim: Garmin privacy policy states the company does not share device data with third parties unless the user directs it, and does not sell data or share for advertising without consent.
What we found: The Garmin Connect app (v5.9.1) embeds 4 Facebook trackers (Facebook Analytics, Facebook Flipper, Facebook Login, Facebook Share) and 2 Google trackers (CrashLytics, Firebase Analytics). Facebook Analytics and Facebook Share send user engagement data to Facebook servers by default, and Facebook is notified whenever a user opens the app. This constitutes sharing user activity data with a third-party advertising company (Meta) without explicit user direction for each data transmission.
What they claim: Garmin positions itself as a trusted health data custodian, collecting intimate biometric data 24/7 including heart rate, SpO2, sleep, stress, menstrual cycles, and HRV.
What we found: Five critical/high CVEs (CVE-2023-23298, CVE-2023-23299, CVE-2023-23300, CVE-2023-23302, CVE-2025-2818) show security that is inadequate for the sensitivity of the data collected. CVE-2023-23298 and CVE-2023-23300 are critical buffer overflows that allow malicious ConnectIQ apps to escape sandboxing and hijack device firmware, gaining access to all biometric sensor data. CVE-2025-2818 is a SQL injection in Garmin Connect 5.14 allowing theft of health data from 300+ device models. Garmin uses banned C functions (strcpy, memcpy) in GarminOS. Anvil Secure found 13 vulnerabilities affecting 100+ models.
What they claim: Garmin Connect is a fitness and health tracking platform. The Garmin Venu 3 is a smartwatch for monitoring health metrics like heart rate, sleep, and stress.
What we found: The Garmin Connect app requests permissions far beyond health tracking: SEND_SMS (send text messages), CALL_PHONE (make phone calls), ANSWER_PHONE_CALLS (answer calls), READ_CALL_LOG (read call history), READ_CONTACTS (access contact list), READ_CALENDAR (read calendar events), CAMERA (take photos/video), RECORD_AUDIO (record microphone). These 8 permissions grant access to deeply personal communications data that has no direct relationship to fitness tracking or health monitoring.
What they claim: Garmin states it does not sell personal data and that de-identified aggregate data shared with third parties cannot identify individuals.
What we found: Garmin admits sharing de-identified aggregate data with third parties for research or other purposes. Garmin has partnered with insurance providers (John Hancock Vitality program) to leverage wearable health data for dynamic coverage plans. Research consistently shows that de-identified health data combined with activity patterns, GPS location, and biometric profiles can be re-identified. A 2020 study in Nature Communications demonstrated that fitness tracker data can uniquely identify 95% of users from just 4 data points. Insurance partnerships inherently require individual-level data to adjust coverage.
What they claim: Garmin stated after the 2020 WastedLocker ransomware attack that there was no indication customer data was accessed, lost, or stolen.
What we found: Garmin reportedly paid a $10 million ransom to Evil Corp (a sanctioned Russian hacker group). Garmin Connect was offline for 5 days, cutting off millions of users' access to their health data. Garmin never disclosed full forensic findings or whether biometric health data (heart rate, GPS tracks, sleep data, menstrual cycles) was exfiltrated during the attack. The WastedLocker variant used against Garmin encrypted its systems, but the 5-day window of attacker access to Garmin infrastructure means the attackers had access to the centralized health data platform. Paying a ransom to a sanctioned entity also raised OFAC compliance questions.
What they claim: Garmin Connect requests ACCESS_BACKGROUND_LOCATION for continuous GPS tracking and activity monitoring.
What we found: The Venu 3 has multi-GNSS (GPS, GLONASS, Galileo) and the Connect app requests ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, and ACCESS_COARSE_LOCATION — enabling continuous location tracking even when the app is not in use. Combined with 8 hardcoded Garmin cloud endpoints (connect.garmin.com, di-edge.garmin.com, api.garmin.com, omt.garmin.com, services.garmin.com, ciq-prod.garmin.com, etc.), all GPS activity data syncs to Garmin cloud automatically. In 2018, Strava's heatmap of aggregated GPS data exposed secret military base locations. Garmin's GPS data pool is larger and includes daily routines, not just workouts.
What they claim: Garmin privacy policy does not specify data retention periods for health and biometric data.
What we found: Garmin collects continuous 24/7 biometric data (heart rate, SpO2, sleep, stress, HRV, respiration, menstrual cycles, GPS tracks) but the CCPA disclosure and privacy policy do not specify how long this data is retained. Garmin Connect stores years of historical health data by default with no automatic expiration. California residents can request deletion but the absence of defined retention limits means biometric data accumulates indefinitely. Post-Dobbs, menstrual cycle tracking data stored without time limits in cloud services faces potential law enforcement access via subpoena or warrant.
What they claim: Garmin privacy policy states data is shared across 70+ Garmin subsidiaries globally including five in China.
What we found: The Garmin Connect app collects 43 permissions' worth of personal data, including background location, contacts, call logs, calendar, camera, microphone, and SMS access. All of this data is shared interchangeably among Garmin subsidiaries. Five Garmin subsidiaries operate in China, where the 2017 National Intelligence Law requires organisations to support, assist, and cooperate with national intelligence work. This means the Chinese subsidiaries could be legally compelled to provide user health data, GPS tracks, contacts, and communications metadata to Chinese intelligence services.
What they claim: The Garmin Connect app requests RECORD_AUDIO and CAMERA permissions for a smartwatch companion app.
What we found: Garmin Connect (v5.9.1) requests RECORD_AUDIO (microphone access) and CAMERA (camera access) permissions. The Venu 3 smartwatch has no camera or microphone, so these permissions access the phone's hardware, not the watch. Combined with ACCESS_BACKGROUND_LOCATION and RECEIVE_BOOT_COMPLETED (auto-start on phone boot), the app has the technical capability to access the phone's microphone and camera while running in the background. There is no documented Venu 3 feature that requires phone camera or continuous microphone access.
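The permission and tracker findings above come from inspecting the app's Android manifest. As an added example (not code from this report or from Garmin's app), the following Python script reproduces that kind of check on a constructed sample manifest: it lists the requested permissions the report flags as unrelated to fitness tracking and identifies components belonging to common analytics SDKs. The sample manifest, the permission set and the tracker package prefixes are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the report flags as unrelated to fitness tracking, plus background location.
SENSITIVE_PERMISSIONS = {"android.permission." + p for p in (
    "SEND_SMS", "CALL_PHONE", "ANSWER_PHONE_CALLS", "READ_CALL_LOG", "READ_CONTACTS",
    "READ_CALENDAR", "CAMERA", "RECORD_AUDIO", "ACCESS_BACKGROUND_LOCATION")}
# Package prefixes of analytics SDK components (assumed illustrative set, not exhaustive).
TRACKER_PREFIXES = {"com.facebook.": "Facebook SDK", "com.google.firebase.": "Firebase",
                    "com.crashlytics.": "Crashlytics"}

# Constructed sample manifest; not taken from any real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitness">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <application>
    <activity android:name="com.example.fitness.MainActivity"/>
    <activity android:name="com.facebook.FacebookActivity"/>
    <provider android:name="com.google.firebase.provider.FirebaseInitProvider"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return the sensitive permissions and tracker SDK components declared in a manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Activities, services, receivers and providers reveal which SDKs are compiled in.
    trackers = {}
    for tag in ("activity", "service", "receiver", "provider"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            for prefix, vendor in TRACKER_PREFIXES.items():
                if name.startswith(prefix):
                    trackers.setdefault(vendor, []).append(name)
    return {"sensitive_permissions": sorted(requested & SENSITIVE_PERMISSIONS),
            "trackers": trackers}


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or aapt) and pass the resulting text to audit_manifest.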
What they claim: Garmin is a trusted health technology provider with FCC-certified devices used by millions for health monitoring.
What we found: Despite FCC certification (IPH-A4542) and trusted health device positioning, Garmin has no reported FTC enforcement actions for privacy practices despite: (1) the 2020 ransomware attack affecting millions of health data records, (2) 13 ConnectIQ vulnerabilities allowing firmware hijacking on 100+ models (Anvil Secure, 2023), (3) SQL injection in Garmin Connect allowing health data theft from 300+ device models (CVE-2025-2818), and (4) use of banned C functions in safety-critical firmware. This regulatory gap means there is no independent oversight of how Garmin handles biometric data despite repeated security failures.