A new study released today by data privacy company Incogni reveals that the most widely used workplace applications collect far more personal data than employees typically expect - and that much of it flows to advertisers and third-party companies without workers having any meaningful ability to opt out.
The research, published on April 27, 2026, analyzed the data collection and sharing practices of 10 commonly used workplace apps, including Gmail, Microsoft Teams, Slack, Zoom Workplace, Notion, Microsoft Outlook, Google Meet, Todoist, Trello, and Workday. Together, according to Incogni, these 10 apps account for more than 12.5 billion downloads on Google Play alone.
The average workplace app in the study collects nearly 20 distinct types of personal data, and shares approximately two of those types with third parties. That arithmetic, applied to a typical knowledge worker who uses several of these tools simultaneously, means a single employee may be exposing dozens of personal data categories just by doing their job.
Gmail leads in data volume
According to the report, Gmail is the most data-hungry app analyzed, collecting 26 distinct data types - more than any other platform examined. The data Gmail collects includes approximate location, app interactions, and user identifiers, several of which are collected explicitly for advertising or marketing purposes. That places Gmail alongside Slack, Notion, Microsoft Outlook, Todoist, and Zoom Workplace in a group of six apps that the study found collect data specifically for advertising ends.
The scope of Gmail's collection is notable given that the app is often required for work at organizations that run on Google Workspace. In November 2025, Gmail publicly denied changing user settings to enroll people in AI data training programs - a controversy that itself highlighted how much data flows through the platform and how little visibility employees typically have into what is collected and why. Separately, France's data protection authority CNIL fined Google €325 million in September 2025, in part over advertising practices tied to Gmail.
Precise location data: only two apps collect it
Microsoft Teams and Zoom Workplace are the only two apps in the study found to collect precise location data - a category that Incogni describes as one of the most sensitive available. Precise location is distinct from approximate location in that it can reveal not just a general area but specific addresses, commute patterns, and real-time whereabouts. Microsoft Teams collects 25 data types in total, placing it near the top of the collection spectrum.
The location data question matters beyond privacy in the abstract. According to the Incogni report, if location data is exposed in a breach, it could enable stalking, physical threats, and blackmail. When shared with third parties for advertising purposes, it allows advertisers to build detailed profiles of where users go, how long they stay, and which physical stores they visit.
Microsoft Teams has been the subject of growing security scrutiny. The report notes that in 2025, researchers documented vulnerabilities in Teams that enabled impersonation, spoofed notifications, and forged caller identities. Microsoft responded by announcing that, beginning January 12, 2026, it would automatically enable a set of critical messaging safety protections for organizations using standard configurations. That security improvement does not reduce the volume of personal data Teams collects.
Notion shares the most with third parties
While Gmail collects the most data types overall, Notion stands apart for a different reason: it shares more data with third parties than any other app in the study. According to Incogni's analysis, Notion distributes 8 distinct data types to external parties - including names, email addresses, user IDs, device identifiers, and app interactions, several of which are shared specifically for advertising purposes.
Notion's privacy policy allows third-party advertising technology partners to place tracking tools on users' browsers to collect behavioral data. That practice sits uncomfortably alongside how many organizations use Notion in practice: as a workspace for product roadmaps, HR notes, internal documentation, and client materials. The EU's Data Protection Board issued preliminary guidance in early 2025 suggesting that current AI consent mechanisms used by platforms including Notion are insufficient. Scrutiny of how Notion AI processes workspace content with third-party model providers has increased since then.
For marketing teams that store campaign briefs, audience research, or client data inside Notion, the combination of broad third-party sharing and evolving AI data use creates a meaningful risk surface. The SECURE Data Act introduced by House Republicans on April 21, 2026, which would create a single national privacy framework, could eventually require clearer disclosures from platforms like Notion about exactly how shared data is used for targeted advertising.
Slack: advertising use of email addresses
Slack collects 17 data types, two of which are shared with third parties. What makes Slack unusual is that it is one of only three apps in the study - alongside Todoist and Notion - that collects email addresses explicitly for advertising purposes. Email addresses are among the most commercially valuable identifiers in digital advertising: they serve as the foundation for customer match programs, first-party audience strategies, and identity resolution infrastructure.
The advertising industry has increasingly relied on email-based targeting as a replacement for third-party cookies. That shift has made email addresses more, not less, sensitive from a data perspective. An employee whose work email address is collected by Slack for advertising purposes may find that identifier flowing into ad networks they have no visibility into - networks that could use it to build a behavioral profile that extends well beyond anything work-related.
According to the Incogni report, Slack has also had a troubled security history. In November 2025, Japanese media company Nikkei disclosed that hackers used malware-stolen Slack credentials to access accounts belonging to more than 17,000 employees and business partners, exposing names, email addresses, and internal chat histories. Security researchers have pointed to Slack's lack of end-to-end encryption as a structural concern: workspace administrators and, under certain legal conditions, Slack itself retain technical access to message content - including direct messages between employees and conversations in private channels.
Zoom Workplace: advertising data plus a critical vulnerability
Zoom Workplace collects 23 data types and, like Microsoft Teams, collects precise location data. It also collects data for advertising purposes, including names, email addresses, and user IDs.
The platform's privacy history has been unsettled. An earlier controversy over Zoom's AI terms of service prompted significant policy clarifications. In February 2026, Zoom updated its privacy statement to expand definitions of customer content and clarify recording access rights. More urgently, a critical security vulnerability tracked as CVE-2026-22844 was discovered in Zoom Node Multimedia Routers, carrying a severity score of 9.9 out of 10 - a flaw that could allow a meeting participant to execute code remotely via network access. The combination of precise location collection, advertising-linked data use, and a high-severity unpatched vulnerability makes Zoom one of the more complex platforms to evaluate from a data exposure standpoint.
Workday: no deletion rights
Workday is the only app in the study that does not allow users to request deletion of their data. For most platforms, data deletion rights - while imperfect - give users some leverage over what persists after they leave. Workday sits at the center of employment records, payroll data, performance reviews, and personal information. The absence of a deletion right means that an employee's entire employment history may remain in Workday's systems indefinitely, even after they leave a company.
That concern is compounded by Workday's own security record. In August 2025, the company confirmed two related incidents tied to its use of Salesforce as a CRM platform. Attackers - linked to the hacker group ShinyHunters - gained access to business contact information including names, email addresses, and phone numbers. The breach was part of a broader social engineering campaign targeting large enterprises. Workday stated that no core customer tenant data was accessed, but the incident raised questions about how HR platforms manage third-party integrations. Workday has faced separate legal scrutiny over its AI-powered hiring tools, with a federal discrimination lawsuit over algorithmic screening scheduled for class certification in June 2026.
The advertising connection
For the marketing and advertising community, the Incogni study surfaces a question that tends to get less attention than consumer-facing tracking practices: where does the data that workplace apps collect for advertising actually go?
According to the report, six of the ten apps analyzed collect data explicitly for advertising or marketing purposes. The data types involved include personal identifiers - names, email addresses, user IDs, device IDs, approximate locations, and app interactions. When these identifiers are shared with third-party advertising technology companies, they can be used to build persistent cross-device profiles, match users across platforms, and target them with advertising that has nothing to do with their work.
Google's real-time bidding system alone broadcasts data about US individuals approximately 31 billion times per day, according to a complaint filed with the FTC in January 2025 by the Electronic Privacy Information Center and the Irish Council for Civil Liberties. The workplace app data that flows into advertising ecosystems joins that broader data stream - often without employees having any visibility into the process.
The Spanish data protection authority's 71-page guide on agentic AI and GDPR compliance, published in February 2026, drew an explicit parallel between BYOD policies and newer risks: just as bring-your-own-device arrangements created unmanaged security gaps, bring-your-own-AI tools are creating new unmanaged data processing exposures. Workplace apps sit at the intersection of both concerns.
Methodology
Incogni researchers collected their data from the Google Play Store on March 20, 2026, examining what each app's developer claimed to collect and share, what purposes were stated, and whether advertising or marketing was among those purposes. The team also searched for documented breach incidents involving the apps or their parent companies. The research team curated the app sample through a systematic review of industry-leading software evaluations and workplace technology benchmarks, identifying software frequently mandated or used in modern US work environments.
Only one app in the study - Todoist, made by the independent company Doist - has no known history of data breaches. Trello, owned by Atlassian, does not appear to collect data explicitly for advertising purposes, though a dataset of over 15 million Trello records surfaced for sale on a hacking forum in January 2024, obtained from a publicly accessible resource using email addresses from previous leaks.
The structural problem
Darius Belejevas, Head of Incogni, is quoted in the report: "Many workers assume privacy trade-offs come from social media apps - not from tools their employer requires them to use. But our research shows workplace apps are often collecting surprisingly broad categories of personal data, and in some cases sharing it with third parties - opening the door to potential profiling, tracking, and additional security risks."
The structural issue the report identifies is that workers cannot simply delete apps they distrust when those apps are mandated by an employer. A person who dislikes Facebook's data practices can close their account. A person whose employer requires Workday for payroll has no equivalent option - and, uniquely among the apps studied, cannot even request that their data be deleted.
That dynamic becomes more consequential as AI features expand inside workplace tools. Google has rolled out Gemini AI across both Gmail and Google Meet, enabling AI analysis of email content and meeting transcripts. Microsoft has integrated Copilot AI into Teams and Outlook. Zoom has its own AI companion features. Each of these capabilities extends the surface area across which personal data is analyzed, even where the platforms maintain that enterprise data is not used to train public models.
Timeline
- August 24, 2022 - None Of Your Business files complaint with CNIL regarding Gmail advertising without consent, beginning an investigation that would culminate in a major fine.
- January 2024 - Data scraped from Trello surfaces for sale on a hacking forum, totaling over 15 million records including email addresses, names, and usernames.
- March 2024 - Google strengthens EU user consent policy enforcement, affecting EEA-based audience inclusion in advertising products.
- August 2025 - Workday confirms two breach incidents tied to its use of Salesforce as a CRM platform; attackers linked to ShinyHunters group accessed business contact data.
- September 1, 2025 - France's CNIL fines Google €325 million over Gmail advertising and cookie practices.
- November 2025 - Japanese media company Nikkei discloses that hackers used malware-stolen Slack credentials to access accounts belonging to over 17,000 employees and business partners.
- November 21, 2025 - Gmail publicly denies changing user AI data settings amid widespread claims of automatic enrollment in training programs.
- January 12, 2026 - Microsoft automatically enables critical messaging safety protections for Microsoft Teams organizations using standard configurations.
- January 16, 2026 - A security researcher discovers a publicly accessible, unencrypted 96-gigabyte database containing approximately 48 million Gmail account credentials; Google attributes exposure to infostealer malware.
- February 2026 - Spain's data protection authority (AEPD) publishes a 71-page guide on agentic AI and GDPR compliance, drawing parallels between BYOD risks and newer AI data exposures.
- February 2026 - Zoom updates its privacy statement to expand definitions of customer content and clarify recording access rights.
- March 20, 2026 - Incogni researchers collect data from the Google Play Store, analyzing the privacy disclosures of 10 workplace applications.
- April 21, 2026 - House Republicans introduce the SECURE Data Act, proposing a single national privacy framework that would override state laws and impose new data broker registration requirements.
- April 27, 2026 - Incogni publishes its research on workplace app data collection, finding that the average app collects nearly 20 data types and that six of the ten apps analyzed collect data explicitly for advertising purposes.
Summary
Who: Incogni, a data privacy company, conducted the research. The apps analyzed include Gmail (Google), Microsoft Teams, Zoom Workplace, Microsoft Outlook, Google Meet, Slack (Salesforce), Todoist (Doist), Trello (Atlassian), Notion, and Workday.
What: A research study analyzing the data collection and third-party sharing practices of 10 widely used workplace applications, finding that the average app collects nearly 20 types of personal data, that six collect data explicitly for advertising purposes, and that Workday is the only app that does not allow users to request deletion of their data.
When: The data collection for the study took place on March 20, 2026. The research was published today, April 27, 2026.
Where: The analysis was based on privacy disclosures from the Google Play Store. The apps examined are used globally, with the research focusing on software commonly mandated in US work environments.
Why: Millions of workers are required to use these applications as a condition of employment, meaning they cannot opt out of the data collection practices these apps employ. The study aims to surface a privacy blind spot in modern workplaces where the data practices of mandated professional tools receive far less scrutiny than consumer social media applications - despite collecting comparable or greater amounts of personal information.