Workplace Apps Found Collecting Extensive User Data and Sharing with Third Parties
New research indicates that ten major workplace applications collect an average of 19 data points each, with many sharing user information with third-party advertisers and marketing firms.

New research from Incogni has revealed that ten of the most widely used workplace applications—including Gmail, Microsoft Teams, Slack, and Zoom—collect an average of 19 data points per app, with many sharing this information with third-party advertising and marketing partners Help Net Security. The study, which analyzed Google Play Store data as of March 20, 2026, highlights a significant privacy concern for employees who use the same mobile devices for both professional tasks and personal activities.
The scale of data collection varies by application, with Gmail leading the group by gathering 26 distinct data types, including approximate location, user IDs, and app interaction data Help Net Security. Microsoft Teams and Zoom Workplace follow closely, collecting 25 and 23 data types respectively, and are notably the only two apps in the study that pull precise location data. Other apps, such as Microsoft Outlook (22 data types), Google Meet (21), and Slack, Trello, and Todoist (17 each), also maintain extensive data collection practices Help Net Security.
Beyond collection, the research highlights aggressive data sharing. Notion was identified as the most prolific in this regard, sharing eight distinct data types—including names, email addresses, and device IDs—with third-party advertising partners Help Net Security. Notion’s privacy policy allows these partners to deploy tracking tools to collect behavioral data, a practice that carries increased risk given that Notion workspaces often contain sensitive information like HR notes, client records, and product roadmaps Help Net Security.
The report also underscores significant concerns regarding data control and security. Workday is the only app in the study that does not provide users with an option to request the deletion of their data, despite holding sensitive payroll and employment records Help Net Security. This lack of control is compounded by a history of security incidents; in August 2025, Workday confirmed that attackers exploited its integration with Salesforce to access business contact information, an incident linked to the ShinyHunters hacking group Help Net Security.
Most of the applications analyzed have documented histories of data exposure. In January 2026, a 96-gigabyte database containing 149 million credentials—including 48 million Gmail accounts—was discovered, which Google attributed to infostealer malware Help Net Security. Similarly, in November 2025, attackers used stolen Slack credentials to access the accounts of over 17,000 employees and partners at Nikkei, exposing internal chat histories Help Net Security. Additionally, Trello suffered a major incident in January 2024 when data for over 15 million records was scraped and offered for sale on a hacking forum Help Net Security.
The prevalence of these data collection practices and the recurring nature of security breaches across the workplace software stack highlight a growing tension between enterprise productivity tools and individual privacy. As regulatory bodies like the EU’s Data Protection Board continue to scrutinize how platforms utilize personal data for AI training and marketing, the reliance on these apps for sensitive business operations remains a critical area of concern for security and privacy professionals Help Net Security.