The app you downloaded isn't what you think it is. Thousands of fitness apps, smart home devices, and baby monitors are skins on platforms you've never heard of. You trust the brand on the icon. Your data goes somewhere else.
A fitness influencer. A household name like Motorola. A smart plug from your local hardware store. The app store shows their logo, their name, their reviews.
Behind the logo is a white-label platform — a company that builds one app and lets thousands of brands put their name on it. The influencer didn't write the code. They signed up for a service.
Body measurements, progress photos, health data, home routines, camera feeds — all stored by a company you've never heard of. The brand has no servers. The platform has all of them.
| Platform | What users see | Scale | Data collected | Investigation |
|---|---|---|---|---|
| Trainerize (ABC Fitness Solutions) | "Bella Rahbek Fitness," "Jeff Nippard," thousands of influencer fitness apps | 400,000+ trainers | Body measurements, progress photos, weight, nutrition, injury history, workout data | View → |
| Everfit | Individual trainer-branded coaching apps | 40,000+ coaches | Body data, workout plans, progress photos, nutrition logs | View → |
| Tuya IoT Platform | "Arlec Grid Connect," "Kmart smart plug," 1,100+ hardware brands | 1,100+ brands | Device usage, schedules, energy consumption, home routines | View → |
| eWeLink (CoolKit, Shenzhen) | "Sonoff," 30+ smart home brands | 30+ brands | Device state, schedules, usage patterns, network info | View → |
| Hubble Connected | "Motorola baby monitor" | Licensed brands | Video feeds of infants, audio, temperature, movement alerts | View → |
White-label platforms are the most visible version of this problem. But there are four other business models that hide who really has your data.
| Type | What they do | Examples | What happened |
|---|---|---|---|
| SDK middlemen | Tracking code embedded inside apps you download. Sends data to companies you never heard of. | Facebook SDK, Adjust (AppLovin) | Hospital websites sent cancer diagnoses to Facebook. A priest was outed via Grindr location data. $5 billion FTC fine. |
| Location data brokers | Buy location data from app SDKs, sell it to military, hedge funds, advertisers. | SafeGraph, X-Mode/Outlogic, Near Intelligence | Muslim prayer app data sold to the Pentagon. Planned Parenthood visit data sold to anyone. Near tracked 1.6 billion devices then went bankrupt. |
| Identity verification | Process your passport photo and face scan when you verify on apps like Uber or TikTok. | Au10tix, Onfido (Entrust) | Au10tix left passport photos from Uber/TikTok/X users on an unsecured server for over a year. Onfido was acquired by a government contractor. |
| Embedded finance | Middleware connecting fintech apps to actual banks. Your "bank" is a UI on their pipes. | Synapse Financial | Synapse went bankrupt. $85 million in deposits went missing. Users couldn't access their money for months. FDIC didn't cover the middleware. |
The privacy policy you should read isn't Bella's. It's trainerize.com/privacy — which states the platform "cannot and does not guarantee any confidentiality with respect to your Content whatsoever."
Bella has no servers. No security team. No incident response plan. No DPO. If there's a breach, ABC Fitness Solutions handles it — but Bella's face is on the app. The brand you trust and the company that has your data are different entities.
If Trainerize is breached, every app on the platform is breached simultaneously. 400,000 trainers' clients. Millions of users. Body photos. Measurements. Health notes. One database, one target, catastrophic blast radius.
Trainerize says the trainer is the "data controller." The trainer has no idea what that means. The user thinks Bella has their data. Accountability is distributed until it disappears.
Body composition, injury history, eating disorder recovery, mental health notes — Trainerize explicitly refuses HIPAA compliance. Clinical-grade data, consumer-grade protection.
Trainerize uses "de-identified" data for AI development. You shared your body data with a coach. You're training a corporation's algorithm. Consent laundering through the white-label chain.
com.trainerize.bellarahbekfitness. The first part (com.trainerize) reveals the platform. If you see com.trainerize, com.everfit, com.tuya, or com.coolkit — you're on a white-label platform.

trainerize.com/privacy — Trainerize has your data, not Bella.

400,000+ trainers. "Cannot guarantee confidentiality." Not HIPAA compliant. De-identified data for AI. The fitness platform behind thousands of apps.
1,100+ brands. Your "Australian" smart plug is a Tuya device made in Shenzhen, running on Chinese cloud servers. One platform, a thousand brand names.
30+ smart home brands share one cloud platform. A vulnerability in eWeLink compromises all of them at once. Your light switch command travels to China and back.
The "Motorola" baby monitor is not made by Motorola. It's made by Hubble Connected, licensing the name. Parents trust a brand. A different company watches their baby.
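The package-name check described above can be run over a whole app inventory to see how many apps share one backend. This is an added example, not code from the original page: the prefix table is the page's list, while the inventory entries, the Google Play URL form, and the function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Prefix -> platform, taken from the page's list and table.
PLATFORM_PREFIXES = {
    "com.trainerize": "Trainerize (ABC Fitness Solutions)",
    "com.everfit": "Everfit",
    "com.tuya": "Tuya IoT Platform",
    "com.coolkit": "eWeLink (CoolKit)",
}

def package_id(entry):
    """Accept a bare package name or a Google Play listing URL (?id=...)."""
    entry = entry.strip()
    if "://" in entry:
        ids = parse_qs(urlparse(entry).query).get("id", [])
        if not ids:
            raise ValueError(f"no id= parameter in {entry!r}")
        entry = ids[0]
    return entry.lower()  # lowercased for matching only

def platform_for(pkg):
    """Match whole dot-separated labels so com.trainerizer != com.trainerize."""
    labels = pkg.split(".")
    for prefix, platform in PLATFORM_PREFIXES.items():
        want = prefix.split(".")
        if labels[:len(want)] == want:
            return platform
    return None

def group_by_platform(entries):
    """Group an app inventory by the backend platform that holds the data."""
    groups = defaultdict(list)
    for entry in entries:
        pkg = package_id(entry)
        groups[platform_for(pkg) or "unrecognised"].append(pkg)
    return dict(groups)

# Constructed inventory; only the first identifier appears on the page.
SAMPLE_INVENTORY = [
    "com.trainerize.bellarahbekfitness",
    "https://play.google.com/store/apps/details?id=com.trainerize.examplecoach&hl=en",
    "com.tuya.exampleplug",
    "com.trainerizer.app",  # lookalike: must not match com.trainerize
    "org.example.notes",
]

if __name__ == "__main__":
    for platform, pkgs in group_by_platform(SAMPLE_INVENTORY).items():
        print(f"{platform}: {len(pkgs)} app(s) -> {', '.join(pkgs)}")
```

An "unrecognised" result only means the prefix is not in the table; it does not show that the app runs on its own infrastructure.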