Privacy Fundamentals

Data Harvesting in 'Free' Apps: What You're Really Paying With

Published 2026-06-02

Every free app has a business model. Here's how to figure out what they're collecting, how they monetise it, and which free apps are actually safe.

The Universal Rule

If you're not paying for a product, you are the product — the saying is now several decades old and still essentially true. A free app has to make money somehow: ads, paid upgrades, partner data sharing, or selling user data. Some combination of those funds every single free app you've ever installed.

This doesn't mean free apps are bad. It means you should understand the trade. Some trades are reasonable; some are predatory.

The Five Common Models

  1. Freemium. Free tier is genuinely limited; paid tier unlocks features. Honest trade. Examples: Spotify, Dropbox, Notion.
  2. Ad-supported. Free with ads; the ads are sometimes targeted using your behavioural data. Reasonable trade if data sharing is bounded. Examples: YouTube, Facebook, most mobile games.
  3. Data harvesting. The app's primary value to its operator is the data it collects, sold to data brokers or used for targeted ads on other platforms. Examples: many flashlight apps, free QR scanners, third-party keyboards.
  4. Open source / public good. Funded by donations or grants. Examples: Signal, Wikipedia, Firefox, Bitwarden.
  5. Loss leader. Free app drives users to a paid product elsewhere. Examples: a free CRM tool that pushes you to enterprise sales.

What Apps Collect

  • Your IP address, device model, OS version, language
  • Your installed apps list (on Android, with permission)
  • Your location (precise if you grant location permission; approximate from IP otherwise)
  • Your contacts (if you grant contacts permission)
  • Your usage patterns (when you open the app, what you click, how long you spend)
  • Your in-app purchases and any payment info
  • Sometimes: photos, files, calendar, microphone audio (with respective permissions)

How to Spot a Harvester

  • The app asks for permissions it doesn't need. A flashlight asking for contacts and location is a data harvester.
  • The privacy policy lists 'partners' or 'service providers' you've never heard of.
  • The app is from a developer with many other unrelated apps in their portfolio (typical 'spray and pray' harvester pattern).
  • The app loads ads from networks you've never heard of (a sign of bottom-tier ad fill, where the developer is paid for user data).
  • The app has a vague monetisation model. Honest apps tell you their model up front.
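
The first check in the list above (permissions the app doesn't need) can be automated. The following is an added example, not code from this article: it reads a decoded AndroidManifest.xml and reports sensitive permissions that the app's category does not explain. The category baseline, the sample manifest and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android permissions guarding the data types listed under "What Apps Collect".
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.RECORD_AUDIO": "microphone audio",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps list",
    "android.permission.CAMERA": "camera",
}
# Assumed baseline: sensitive permissions each app category can justify.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},
    "qr_scanner": {"android.permission.CAMERA"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION",
                   "android.permission.ACCESS_COARSE_LOCATION"},
}
# Constructed sample: a "flashlight" that also asks for contacts and location.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Torch"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return every permission name declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)} - {None}

def unexplained(manifest_xml, category):
    """List the sensitive data types requested beyond the category baseline.

    An unknown category has an empty baseline, so everything sensitive is flagged.
    """
    extra = requested_permissions(manifest_xml) - EXPECTED.get(category, set())
    return sorted(SENSITIVE[p] for p in extra if p in SENSITIVE)

if __name__ == "__main__":
    for data_type in unexplained(SAMPLE_MANIFEST, "flashlight"):
        print("not explained by app category:", data_type)
```

The manifest inside an APK is stored in a binary form, so it has to be decoded to text XML before it is passed to these functions.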

iOS vs Android

iOS App Privacy labels (mandatory since 2020) summarise what each app collects, in three buckets: Data Linked to You, Data Not Linked to You, Data Used to Track You. Read these before installing.

Android's equivalent (Data Safety section) is newer (2022+) and less complete. Privacy-conscious Android users supplement it with tools like Exodus Privacy, which audits apps for tracker libraries.

Where to Spend Money for Privacy

Some categories of app are systemically worth paying for instead of using free alternatives:

  • VPN — free VPNs are almost always selling your data. Pay $5-10/month.
  • Email — ProtonMail / Tutanota / FastMail charge $5-15/month and don't monetise your inbox.
  • Cloud storage — iCloud / Google One / Dropbox paid tiers don't scan content the way some free storage does.
  • Password manager — 1Password and Bitwarden Premium are inexpensive ($3-5/month).

Bottom Line

You don't have to refuse all free apps. You just have to understand the trade. For ten-second utility apps (flashlight, calculator), the data cost is rarely worth it. For apps you'll use daily that handle sensitive data (email, password manager, VPN), pay for the version that doesn't monetise you.
