Privacy Checker

Every app on your phone and every website you visit is doing more than you see on screen. Behind that weather forecast, social feed, or news article, code is running that collects data about you — sometimes for legitimate purposes, sometimes not. Trackers embedded in apps and websites monitor your behaviour, permissions grant access to your personal information, and terms of service you never read often give companies broad rights over your data. Understanding what’s happening is the first step toward making informed choices about which apps deserve a place on your device and which websites deserve your trust.

Understanding Trackers

Trackers are pieces of code that app developers include to collect information about how you use their app. They’re not inherently malicious — many serve legitimate purposes — but the sheer number in some apps raises questions about necessity.

Analytics trackers monitor how you interact with an app: which screens you visit, how long you spend on features, where you tap. Google Firebase Analytics is the most common, appearing in millions of apps. Developers use this data to improve their products, fix usability issues, and understand which features people actually use. On its own, analytics tracking is relatively benign.

Advertising trackers are where privacy concerns escalate. These build profiles of your interests based on app usage, browsing history, and sometimes location. Companies like Facebook, Google Ads, and dozens of smaller ad networks use this data to serve targeted advertisements across the internet. When you see an ad for running shoes after discussing fitness with a friend, it’s often because ad trackers correlated your activity across multiple apps.

Crash reporting tools like Crashlytics or Sentry automatically send diagnostic information when an app crashes. This helps developers identify and fix bugs quickly. The data typically includes device information and app state at the time of the crash — useful for debugging but rarely sensitive.

Attribution and identification trackers are the most concerning category. These attempt to identify you across apps and devices, building persistent profiles that follow you around the digital world. Some use device fingerprinting techniques that work even when you’ve opted out of other tracking methods.

Not all trackers are equal in their privacy implications. An app with three analytics tools is very different from one with fifteen ad networks. Context matters: a free game funded by advertising will naturally have more ad trackers than a paid productivity app. The key is whether the tracking is proportionate to the app’s purpose.

Android Permissions Explained

When you install an Android app, it requests permission to access certain device capabilities. Google classifies these into two categories with very different implications.

Normal permissions are granted automatically because they pose minimal risk. Accessing the internet, running on startup, controlling vibration, and preventing the device from sleeping fall into this category. You won’t see popup dialogs for these because they don’t expose sensitive personal information.

Dangerous permissions require explicit approval because they access data you’d reasonably expect to keep private. These are the permissions that matter most for privacy:

• Location — Fine location reveals your precise GPS coordinates; coarse location gives approximate position. Background location allows tracking even when the app isn’t open, which is particularly invasive.

• Camera and Microphone — Direct access to record photos, videos, and audio. Legitimate for camera apps and voice recorders, but concerning when requested by apps with no obvious need.

• Contacts — Reading your contact list exposes your social network. Some apps upload entire contact lists to their servers, potentially exposing friends who never agreed to share their information.

• Phone — Access to your phone number, call history, and the ability to make calls. Few apps genuinely need this level of access.

• SMS — Reading, sending, and receiving text messages. Previously common for two-factor authentication, but Android now provides safer alternatives.

• Storage — Access to photos, videos, documents, and other files on your device. Modern Android versions offer more granular photo and video permissions.

• Calendar — Read and write access to your schedule reveals patterns about your life, work, and personal commitments.

• Body sensors — Heart rate and other health data from wearables. Increasingly requested by fitness and health apps.

The problem isn’t that apps request permissions — it’s when they request more than they need. A torch app asking for location and contacts is a red flag. A navigation app requesting location makes sense; requesting SMS access doesn’t.

You can review and revoke permissions in Android Settings > Apps > [App Name] > Permissions. Many apps continue working with reduced permissions, only prompting when you try to use a feature that requires access you’ve denied.

Website Privacy and Tracking

While mobile apps require explicit permission requests, websites track you silently through invisible scripts. Modern websites commonly embed dozens of third-party trackers that monitor your behavior across the internet.

Third-party cookies are the foundation of web tracking. When you visit a website, these small files are set by advertising networks and analytics companies — not by the site you’re visiting. They follow you across the web, building profiles of your interests and browsing habits. A single article on a news site might set cookies from twenty different companies you’ve never heard of.

Third-party scripts run code on your browser from domains other than the website you’re visiting. Facebook’s pixel, Google Analytics, and advertising networks inject JavaScript that collects data about your device, location, and behavior. These scripts can see what you type, where you click, and how long you spend on different parts of the page.

Session recording goes further, capturing your exact mouse movements, scrolls, and clicks. Services like Hotjar and FullStory record your entire browsing session as if someone was watching over your shoulder. While marketed as a usability tool, it reveals everything you do on a site — including data you typed but deleted before submitting.

Canvas fingerprinting is a sophisticated tracking technique that works even when you block cookies. It instructs your browser to draw an invisible image using HTML5 canvas, then reads back the resulting pixels. Tiny variations in how different computers render graphics create a unique signature — effectively a fingerprint that tracks you across websites without storing any files on your device.

Key logging on websites monitors every keystroke you make. This is sometimes used to improve forms and detect frustrated users, but it can capture sensitive information like passwords, credit card numbers, and private messages — even data you typed but never submitted.

Websites justify this tracking as necessary for improving user experience, personalizing content, and measuring effectiveness. Some of it serves those purposes. Much of it exists primarily to monetize your attention through advertising networks that pay per impression or click.

Browser protection is your first line of defense. Firefox and Brave block many trackers by default. Safari has Intelligent Tracking Prevention. Chrome lags behind but offers some protection. Browser extensions like uBlock Origin, Privacy Badger, and Ghostery add additional blocking, though aggressive blocking can sometimes break website functionality.

Reading privacy policies takes time most people don’t have, but you can spot red flags quickly. Look for how they define “personal information” (broader definitions mean more data collection), who they share data with (third parties, advertisers, partners), and how long they keep data. Privacy policies filled with vague language like “may share” or “trusted partners” deserve skepticism.

What ToS;DR Grades Mean

ToS;DR (Terms of Service; Didn’t Read) is a community project that rates privacy policies and terms of service using a letter grade system. Their volunteers read the legal documents so you don’t have to, highlighting both concerning and positive clauses.

Grade A indicates excellent practices. These services respect user privacy, don’t share data unnecessarily, allow data deletion, and have clear, fair terms. They’re rare — most major tech companies don’t qualify.

Grade B means generally fair terms with perhaps a few minor concerns. These services make reasonable efforts to protect privacy while maintaining viable business models.

Grade C represents mixed practices — some good, some concerning. Most mainstream services fall here. They might have end-to-end encryption but also broad data sharing clauses, or clear privacy options buried in complex menus.

Grade D indicates poor practices with significant privacy issues. These services often claim broad rights over your data, share information extensively with partners, or have vague terms that could be interpreted against users.

Grade E is reserved for the worst offenders — services with major red flags that actively work against user interests. Misleading practices, selling personal data, or refusing data deletion requests might earn this rating.

Many apps and services haven’t been reviewed yet, shown as unrated. ToS;DR relies on volunteers, so coverage prioritises popular services. An unrated service isn’t necessarily bad — it just hasn’t been analysed yet.

Protecting Your Privacy

Privacy isn’t all-or-nothing. Small steps add up to meaningful protection without requiring you to abandon modern technology entirely.

Review permissions regularly. Go through your installed apps and revoke permissions that don’t make sense. Most apps adapt gracefully, only asking again when you try to use a feature that requires the denied permission.

Consider alternatives. For core functions like messaging, maps, and browsers, privacy-focused alternatives exist. Signal instead of WhatsApp. Firefox instead of Chrome. OSMAnd instead of Google Maps. You don’t have to switch everything, but swapping one or two high-use apps makes a difference.

Check apps before installing. Use this privacy checker (or Exodus Privacy directly) to understand what an app does before giving it access to your device. A minute of research prevents problems.

Audit your accounts. Many services let you download your data or see what they’ve collected. Google Takeout, Facebook’s Download Your Information, and similar tools reveal what these companies know about you. It’s often more than expected.

Understand the trade-offs. Free apps need revenue somehow. Advertising-funded apps will have trackers — that’s how they pay developers. Paid apps generally have fewer trackers but aren’t automatically privacy-respecting. Choose based on your comfort level.

A VPN encrypts your internet traffic and masks your IP address, which prevents your internet provider from seeing your activity and adds privacy on public WiFi. However, VPNs don’t stop app-level tracking — the trackers inside apps work regardless of your network connection. VPNs are one tool in a privacy toolkit, not a complete solution.

Common Privacy Myths

“I have nothing to hide.” Privacy isn’t about hiding wrongdoing. It’s about controlling who knows what about you. You close the bathroom door not because you’re doing something illegal but because some things are simply private. The same principle applies to your digital life — your health searches, financial situation, relationship status, and daily routines are nobody’s business unless you choose to share them.

“Free apps are fine.” There’s truth in the saying “if you’re not paying, you’re the product.” Free apps need revenue, and advertising is the most common model. This requires tracking to target ads effectively. Some free apps, particularly open-source projects like Signal or Firefox, are funded through donations or foundations with privacy-respecting mandates. But most free apps from commercial developers fund themselves through your data.

“Deleting the app removes my data.” Uninstalling an app removes it from your device but usually doesn’t delete data already collected. That information lives on company servers and is governed by their retention policies. Some services offer data deletion requests (often legally required under GDPR in Europe or CCPA in California), but this requires active steps beyond simply removing the app.

“I’ve already given up my privacy, so it doesn’t matter.” This fatalistic view ignores that privacy isn’t binary. Every piece of data not collected is data that can’t be breached, sold, or misused. Starting fresh with better practices now prevents future exposure, even if past data is already out there. It’s never too late to improve.

“Private browsing protects me.” Incognito mode prevents your browser from saving history locally — it doesn’t hide your activity from websites, your employer, or your internet provider. And it does nothing about app tracking, which happens at a completely different level.

FAQ

How do I check if an app or website is safe?

Enter the app name or package ID in our Privacy Checker:

• Android apps are analysed using Exodus Privacy’s database to show embedded trackers and requested permissions with privacy scores
• iOS apps show basic app information from Apple’s App Store (ratings, size, developer) - privacy scoring is not available due to API limitations
• Website scanning is coming soon (requires specialized infrastructure)

We also check ToS;DR for terms of service ratings when available. For the most comprehensive privacy analysis, check Android apps which provide tracker detection and permission analysis.

What is a good privacy score?

Scores of 8-10 indicate good privacy practices with minimal tracking — apps like Signal typically score in this range. Scores of 5-7 are moderate, typical for mainstream apps that balance functionality with some tracking. Below 5 suggests heavy tracking or excessive permissions relative to the app’s purpose.

Why is iOS app data less reliable?

Apple’s security architecture prevents independent analysis of iOS applications. Unlike Android APK files which can be decompiled and examined, iOS apps are encrypted and signed in ways that make automated inspection impossible.

Apple’s privacy labels (self-reported by developers) are not available through the public iTunes API, so we can only show basic app information like ratings, size, and version. We cannot calculate privacy scores for iOS apps due to this API limitation. For rigorous privacy analysis with trackers and permissions, check the Android version of an app when available.

Are all trackers bad?

No. Crash reporting helps developers fix bugs, benefiting users. Basic analytics can improve app design. The concern is proportionality — does a simple utility app really need fifteen advertising trackers? Context and quantity matter more than mere presence.

How often should I check my apps and websites?

Apps: Before installing new ones, especially from unfamiliar developers. After major updates, as trackers can be added in new versions. Periodically for apps you use daily, particularly those handling sensitive information like banking, health, or private communications.

Websites: Before creating an account or sharing personal information. For websites where you regularly interact (shopping, news, social media), occasional checks help you understand what tracking is happening. Browser extensions like uBlock Origin or Privacy Badger can provide real-time tracking protection.

What’s the most private messaging app?

Signal consistently ranks highest. It’s open-source, collects minimal data, uses strong end-to-end encryption, and has no advertising trackers. It’s funded by a non-profit foundation rather than by monetising user data. Other privacy-focused options include Threema and Session.

Do I need a VPN?

It depends on your threat model. VPNs add value on public WiFi, prevent your ISP from seeing your activity, and can bypass geographic restrictions. However, VPNs don’t stop in-app tracking, can’t protect you from phishing, and require trusting the VPN provider instead of your ISP. For most people, a VPN is helpful but not essential — app-level privacy practices matter more for day-to-day protection.

How can I block website trackers?

Use a privacy-focused browser (Firefox, Brave) or add extensions to your current browser. uBlock Origin blocks most trackers and ads. Privacy Badger learns which trackers to block based on behavior. Ghostery shows detailed information about each tracker. Most browsers also offer built-in tracking protection in their privacy settings — enable it. Note that aggressive blocking occasionally breaks website functionality, so you may need to whitelist specific sites.