Garmin says you control your data, but their dash cam app tracks your location in the background, reads your call history and contacts, can send text messages and make phone calls on your behalf, and scans every app on your phone — far beyond what a dash cam needs.
critical
Garmin's privacy policy lists only basic data like your email and location, but their app can actually access your microphone, camera, phone call history, contact list, and text messages — none of which are mentioned in the policy.
high
Garmin claims they don't sell your data, but their dash cam app includes advertising trackers from Google that follow you across apps. It actively requests your Google advertising ID, which is specifically designed for cross-app ad tracking.
Garmin says they do not share your data with third parties unless you ask them to. But the Garmin Connect app has Facebook tracking code built in that automatically sends information about your app usage to Facebook. You never asked for your fitness app activity to be reported to Facebook.
critical
Garmin collects some of the most intimate data possible — your heart rate every second, your sleep patterns, your stress levels, even your menstrual cycle. But security researchers found 13 serious vulnerabilities in Garmin software that would let attackers steal all of this data. Some of these flaws use programming techniques that Microsoft banned over 10 years ago because they are so dangerous. A malicious app from the Garmin app store could access everything your watch knows about your body.
high
The Garmin Connect app is supposed to be for tracking your fitness and health. But it asks for permission to read your text messages, make phone calls, access your call history, read your contacts, read your calendar, use your camera, and record audio. A fitness tracker app does not need to read your call log or send text messages.
In July 2020, Russian hackers shut down every Garmin service for five days. Garmin reportedly paid $10 million to a group linked to Evil Corp, sanctioned by the US Treasury. Paying sanctioned entities may violate US law. Garmin never confirmed whether attackers copied user data — years of GPS tracks, home addresses, and daily routes for millions of athletes. They paid the ransom, restored services, and hoped everyone would forget. Whether Russian criminals have your cycling routes remains unanswered.
high
In 2018, a 20-year-old Australian student discovered Strava's heatmap was revealing secret US military bases in Afghanistan — soldiers' fitness trackers drew glowing lines around classified installations. Garmin Edge data feeds the same kind of ecosystem. Your daily commute, weekend rides, coffee stops — they paint a heatmap of your life as detailed as the one that exposed military operations. The difference is soldiers had security clearances and you have a cycling hobby. The data exposure is the same.
high
Garmin doesn't "sell" your data. Instead, it "partners" with insurance companies and wellness programs offering discounts for sharing fitness metrics. Your employer buys a Garmin program. You join for the $500 insurance discount. Now your boss's insurer knows your resting heart rate, exercise frequency, and whether you actually ride that bike. Garmin didn't sell your data — your employer bought a program that happens to include it. The distinction is legal. The result is the same.