You downloaded the app, tapped “Allow,” and moved on with your day. That was probably the most expensive thing you did all week – and you paid nothing. According to Proton’s analysis of platform revenue figures, Google generates roughly $460 per year from each American user through ad targeting. Meta earns $57 per user globally – and significantly more from users in the US and Canada. The app was free. The business model was not.
The trade is almost never disclosed in plain language. You see a price tag of zero and a permissions dialog you dismiss in two seconds. What you don’t see is where that data goes, who buys it, and how much your behavioral profile is worth to the companies that process it. According to the 2025 App Privacy Index, 75% of the top 100 free apps collect data to track users across other apps and websites – primarily for advertising. And according to 42matters via Statista, roughly 53% of free iOS apps openly declare they collect private user data – compared to just 13.7% of paid apps.
This article is about what that actually means: what gets collected, who profits, and what you can realistically do about it.
The Mechanics of “Free”: How Ad-Funded Apps Actually Work
The revenue model behind free apps is not complicated once you see it clearly. The app collects data about you, packages it, and sells access to your attention – or your profile – to advertisers willing to pay for it.
Every time you open an app, a process called real-time bidding runs in the background. Your device sends a packet of information – your location, device type, browsing history, demographic inferences, past purchase signals – to an ad exchange. Dozens of advertisers bid on the right to show you a specific ad in under 100 milliseconds. The winner pays. The app takes a cut. You see an ad for running shoes because you searched for a 5K two weeks ago.
This system works because apps accumulate behavioral data continuously, not just when you’re actively using them. Location permissions that run in the background, microphone access granted for a one-time voice feature, contact list access requested during signup – each of these feeds a broader profile that becomes more commercially valuable the more it’s cross-referenced with data from other sources.
What “data linked to you” actually means
Apple’s App Store privacy labels categorize collected data into two buckets: data linked to your identity and data used to track you across other apps and websites. An Apteco analysis of 90+ popular apps in May 2025 found that Amazon, PayPal, and Uber scored highest for data collection – 83, 72, and 71, respectively, on a 100-point scale. These aren’t obscure apps harvesting data on the side. They’re the apps installed on practically every smartphone, used daily for routine transactions.
The categories of data collected by the average free app go well beyond what any given feature requires. Purchase history, browsing behavior, precise location, financial information, and search history are common. Health and fitness data, contacts, and user-generated content appear frequently. The pattern is consistent: apps request more than they need functionally, and the excess feeds advertising infrastructure.
The permission gap
There’s a significant difference between what a user reads in a permissions dialog and what they’re actually authorizing. A request for “access to your location while using the app” can shift to background location tracking if the user upgrades the permission once during a feature prompt. The 2025 App Privacy Index found that many apps use what researchers call “permission creep” design patterns – prompts that make extended access seem like a reasonable, one-time request, then bury the controls to revoke it.
Key figures – free apps and data collection
75% of the top 100 free apps collect data to track users across other apps and websites, primarily for advertising. (2025 App Privacy Index)
53% of free iOS apps declare they collect user data – vs. 13.7% of paid apps. (42matters / Statista, Jan 2025)
Google earns approximately $460/year from each American user through ad targeting. Meta earns $57/year globally per user. (Proton, 2024 revenue analysis)
Global digital advertising spend reached $798.7 billion in 2025 – 81% generated through programmatic systems that rely on behavioral data. (Statista)
In the US, digital ad spending per internet user is projected to surpass $1,000 per person in 2025 – triple the figure from 2017. (Oberlo / eMarketer)
Your Data Has a Price. You Just Don’t Set It.
Ad networks don’t publish a price list for personal data, but the economics are visible in the revenue figures that platforms report every quarter. The gap between what companies earn from your data and what you receive for it is the business model.
The clearest way to understand data valuation is through ARPU – average revenue per user – which platforms disclose in earnings reports. Meta’s global ARPU reached $57 in 2025. For US and Canadian users, the figure is considerably higher because the North American advertising market is more developed and advertisers pay more per impression. Google generated $264.59 billion in advertising revenue in 2024 – almost entirely from behavioral targeting. Divided across its US user base, that’s roughly $460 per person per year going to Google, derived from your searches, browsing history, location, and cross-site behavior.
None of this value goes back to the user. You receive the service (the search engine, the social feed, the map) but the financial arrangement is one-directional. The data you generate is the input. The advertising revenue is the output. The app is the mechanism that connects them.
Why is some data worth more than other data
Ad targeting value isn’t uniform. A 35- 44-year-old with high purchase intent, a precise home zip code, and a browsing history that skews toward financial services is worth significantly more to advertisers than a passive browser with no purchase signals. Proton’s analysis of Google’s advertising mechanics found that advertiser value peaks between ages 35 and 44, drops significantly after 65, and varies substantially by device type – iPhone users command higher ad rates than Android users because the platform correlates with consumer spending patterns.
The same logic applies to app categories. A free budgeting app has access to income levels, spending patterns, and financial stress indicators – data that predatory lenders, insurance companies, and financial service providers pay top rates to target. A free fitness app has health proxy data. A free weather app has continuous location data, often without any obvious reason for the user to question it.
The useful question to ask
A weather app does not need access to your contacts. A flashlight app does not need your location. A recipe app does not need to track you across other websites. If the permissions an app requests exceed what its core function requires, the excess is being used for something else – and that something else is almost always advertising.
Where the Data Goes After You Tap “Allow”
Most data collected by free apps doesn’t stay with the app developer. It moves through a chain of intermediaries – SDKs, ad networks, data brokers – before it’s used for targeting. At each stage, more context gets added to your profile.
The average free app contains multiple third-party SDKs (software development kits) embedded by the developer to handle analytics, advertising, and monetization. These SDKs are built by companies like Meta, Google, Appsflyer, and Adjust – and they collect data independently of what the app itself does. When you use a cooking app with a Facebook SDK embedded in it, Facebook receives data about your use of that cooking app, even if you’ve never connected the two accounts.
From there, data flows into programmatic advertising infrastructure, where it gets combined with data from other sources. Your app usage behavior gets merged with your browsing history, your purchase history from loyalty programs, your location patterns from other apps, and your public records. The result is a profile that no single company assembled, but that multiple companies can access and bid against.
The data broker layer
Data brokers sit downstream from ad networks, purchasing behavioral datasets and combining them with offline sources – property records, credit data, government filings. The $300 billion global data broker industry operates largely outside direct user awareness. You don’t create an account with Acxiom or Oracle Data Cloud. Your profile gets built from the data your apps, your loyalty cards, and your ISP generate, then sold to whoever is willing to pay for access to it.
This is where the downstream consequences of app data collection become concrete. A lender buys a dataset segmented by financial stress indicators. An insurance company buys health proxy data assembled from fitness app usage. A political campaign buys profiles segmented by behavioral signals that correlate with voter persuadability. None of this required any explicit consent from you beyond that original permissions dialog.
What the permissions screen doesn’t tell you
When you grant location permissions to an app, you’re not just authorizing that app to use your location. You’re authorizing every SDK embedded in that app – and any downstream data purchaser – to receive location data from your device. The permissions dialog shows one relationship. The actual data chain involves dozens.
Practical Steps to Reduce What Apps Collect
You can’t opt out of the ad economy entirely while using smartphones – but you can reduce the volume and precision of data that flows from your device into it. Most of the controls already exist; they’re just not set by default.
Audit your app permissions
Both iOS and Android let you review which apps have access to location, microphone, camera, contacts, and health data. Go through this list with a single question in mind: does this app need this permission to do the thing I use it for? If a food delivery app has microphone access, it doesn’t need it. If a podcast app has access to your contacts, it doesn’t need that either. Revoke anything that isn’t functionally necessary. On iOS, Settings > Privacy & Security > each category. On Android, Settings > Privacy > Permission Manager.
Limit ad tracking at the OS level
Your device has an advertising identifier – a persistent ID that ad networks use to tie your behavior across apps and websites into a unified profile. On iOS, you can turn this off under Settings > Privacy & Security > Tracking – disable “Allow Apps to Request to Track.” On Android, the equivalent is under Settings > Google > Ads > Delete Advertising ID. This doesn’t make you invisible, but it breaks the cross-app linkage that makes behavioral profiles precise.
Check for third-party data sharing in apps you use regularly
Banking, retail, and e-commerce apps frequently include opt-outs for marketing data sharing buried inside account settings. Look for sections labeled “Marketing Preferences,” “Advertising Data,” “Partner Offers,” or “Data Sharing.” The default is almost always to share. The option to stop is usually a single toggle, but finding it requires navigating past several layers of menus that weren’t designed to be easy to find.
Pay for apps that matter to you
The simplest and most effective change is also the most direct: apps with a paid model have less incentive to monetize behavioral data. The 53% vs. 13.7% gap between free and paid iOS apps in declared data collection reflects this directly. If you rely on a calendar app, a note-taking tool, or a task manager daily, the paid version of that app eliminates the advertising incentive that drives data collection in the free version. It’s a more honest transaction.
The Network Layer: Where a VPN Makes a Difference
App-level permissions are one part of the picture. The network your device connects through is another – and on public Wi-Fi, it’s a significant one.
When your device connects to an unsecured network, your DNS queries and connection metadata are visible to whoever controls that network – and in many cases, that includes advertising intermediaries who purchase traffic data from public hotspot operators. DNS queries reveal every domain you visit. Connection metadata reveals timing, frequency, and device identifiers. This information feeds the same behavioral profiling infrastructure that app SDKs contribute to.
ZoogVPN encrypts your traffic from the device and routes DNS queries through a secure tunnel, so your ISP and network operator see none of it. On public Wi-Fi – airports, cafes, hotel networks – where passive data collection is most aggressive, that protection is at its most practical. ZoogVPN operates under a strict no-logs policy, meaning there’s no record of your activity to breach or sell. It doesn’t reverse the data your apps are collecting. But it closes the network-level channel that keeps feeding behavioral data into the system every time you go online.
A Realistic Assessment
Free apps aren’t going away. The ad-funded model works too well for the companies running it. But the information asymmetry at the center of that model – where users don’t know what they’re giving up because the mechanisms are invisible – is something you can partially correct with a few targeted settings changes.
Auditing your permissions takes about 20 minutes. Disabling your advertising ID takes two taps. Checking data-sharing settings in your banking and retail apps takes another few minutes. None of these actions makes you invisible to the ad economy, but they substantially reduce the precision and volume of the behavioral profile that gets built from your device. The data collection infrastructure is enormous. Your individual contribution to it is more within your control than the default setup suggests.
The price of a free app is real. It’s just invoiced in a currency most people don’t monitor.
How ZoogVPN Fits Into Your Privacy Setup
A VPN addresses the network layer of data collection – the channel that operates below app-level permissions and runs continuously regardless of which apps you’re using.
Your device sends DNS queries for every website and service it contacts. Without a VPN, those queries go through your ISP or the network you’re connected to – both of which can log, analyze, and sell that data. On public Wi-Fi, you can add the network operator and any advertising partners they work with to that list. The traffic itself also passes through these points, exposing connection metadata even when content is encrypted.
ZoogVPN routes all of this through an encrypted tunnel. DNS queries resolve inside the tunnel – not exposed to the network. Your ISP sees a connection to a VPN server, not your browsing behavior. ZoogVPN’s no-logs policy means none of your activity is stored on the server side either, so there’s nothing to breach or subpoena. It runs across all your devices, so your phone, laptop, and tablet are all covered on the same account.
It’s a complement to the app-level steps above, not a replacement for them. Used together – tightened permissions, disabled advertising ID, checked data-sharing settings, and a reliable VPN on networks you don’t control – they address the main channels through which behavioral data flows out of your device into the ad economy.
Your next step
Stop feeding the ad network on public Wi-Fi
ZoogVPN encrypts your traffic at the network level, resolves DNS inside a secure tunnel, and keeps no logs of your activity – across every device you own. It’s the layer of protection that app settings alone can’t cover.
- Diana BestaievaContent Writer at ZoogVPN. Diana deeply explores the newest technologies and shares valuable insights engagingly and comprehensively. Keeping up with the tech news, she makes in-depth content, explaining complex concepts with ease.
