Your Apps Quietly Share 19 Personal Data Points

Office work in 2026 depends on a suite of mobile applications living on the same phones employees use for personal banking, family chats, and location tracking. Ten of the most widely deployed workplace apps across U.S. companies, including Gmail, Microsoft Teams, Zoom Workplace, Slack, and Notion, have collectively surpassed 12.5 billion downloads on Google Play alone. Fresh research from Incogni, drawing on Google Play Store data captured on March 20, 2026, reveals that these applications harvest an average of 19 distinct data points each and pass roughly 2 data types to external parties.

Gmail leads the pack in data collection, pulling in 26 unique data types, the highest tally in the study. The app captures approximate location, app interactions, and user IDs for advertising and marketing objectives. Microsoft Teams follows closely with 25 data types, while Zoom Workplace collects 23. Notably, Teams and Zoom Workplace are the only two apps in the group that gather precise location data. Microsoft Outlook collects 22 data types, Google Meet takes 21, and Slack, Trello, and Todoist each log 17.

Six of the ten apps use collected data for advertising or marketing: Gmail, Slack, Notion, Outlook, Todoist, and Zoom Workplace. Among them, Slack, Todoist, and Notion go a step further by harvesting employee email addresses for promotional efforts.

Notion stands out for its third-party data sharing, distributing 8 distinct data types to outside entities. These shared categories include email addresses, names, user IDs, device or other identifiers, and app interactions, with several flowing directly to advertising partners. Incogni researchers point out that Notion’s privacy policy permits specific ad-tech partners to install tracking tools on user browsers to gather behavioral data. Because workspace content stored in Notion can encompass product roadmaps, HR notes, and client records, the stakes rise considerably when that information reaches third parties. In December 2024, the EU’s Data Protection Board issued an opinion that tightened requirements for how platforms must justify using personal data in AI model training under GDPR, increasing scrutiny of how Notion AI processes workspace content through external model providers.

Workday lacks a data deletion option, making it the only app in the analysis that does not allow users to request removal of their information. The platform holds employment records, payroll details, and personal identifiers. In August 2025, Workday confirmed two related security incidents tied to its use of Salesforce as a CRM platform, where attackers obtained business contact information including names, email addresses, and phone numbers. That breach was part of a broader social engineering campaign linked to the hacker group ShinyHunters.

A pattern of breaches runs across the stack. In January 2026, a security researcher uncovered a publicly accessible 96-gigabyte database containing roughly 149 million login credentials, including 48 million tied to Gmail accounts. Google attributed the exposure to infostealer malware on user devices and denied any internal breach. In November 2025, Japanese media company Nikkei disclosed that attackers used malware-stolen Slack credentials to access accounts belonging to more than 17,000 employees and business partners, exposing names, email addresses, and internal chat histories. In January 2024, scraped Trello data covering over 15 million records appeared for sale on a hacking forum. Zoom, Notion, and Slack have all experienced data breaches. Microsoft and Google, parent companies of several apps in the study, have each had breaches in other products. Todoist is the only app in the set with no known connection to a data breach.

The dataset covers Google Play listings only, leaving open the question of whether iPhone users see the same picture. When asked whether the iOS Privacy Nutrition Labels for the same ten apps would align with Google Play disclosures, Bogdan Popescu, Research & Communications Senior Manager at Incogni, told Help Net Security: “Yes, this research focused on Google Play apps solely. In our experience, we have compared iOS and Android apps in the past, and the privacy nutrition tends to be similar, but we haven’t applied this filter here. Independent studies comparing the disclosures for apps available on both platforms revealed notable differences in data practice disclosure in the iOS and Google Play app stores for apps that one would otherwise have expected to be identical.”

These findings carry significant weight for BYOD environments, where many employees install these apps on personal devices to meet employer requirements. The collected data includes contact details, financial information, and precise location, with much of it feeding into advertising ecosystems or sitting inside corporate systems that grant broad administrator access. Slack workspace owners and administrators can reach virtually all communications on the platform, including direct messages and private channels, since the service does not offer end-to-end encryption. The combination of high-volume collection, advertising-linked use, and recurring breaches across this category gives employers and workers a concrete picture of what installing these apps puts on the line.