10 popular apps that collect extensive personal data on Americans are foreign-owned

Both foreign and domestic tech companies collect staggering amounts of Americans’ personal data via their mobile applications. Privacy advocates have been aware of and concerned about apps collecting personal data for at least several decades. Those worries have only intensified with the rise of social media and the data broker landscape, which sees billions in profits from the sale and trade of personal data.

However, the rise of popular applications developed by entities headquartered outside the United States presents new challenges. These applications are just as data-hungry as the rest—but they exhibit distinct data governance models that diverge from Western privacy expectations. Even specialists who scrutinize privacy policies and terms of service may be unfamiliar with how much data is collected by foreign tech companies, what kind of data is harvested, and how it’s shared with other entities outside of their expected use.

It’s a growing concern at the national security level. The US Department of Justice’s final rule recently restricted some transactions involving sensitive data of United States citizens to key countries, such as China, Russia, and Iran.

These measures are likely a response to major cybercrime events involving the transfer of Americans’ data abroad. In 2024, a China-based espionage group was discovered stealing over 1 million American users’ data from the networks of the nation’s top telecommunications companies. Telegram, a popular secure messaging app used globally by journalists, activists, and privacy-conscious users, was also recently accused of ties to Russia’s Federal Security Service (FSB), according to an investigation.

In order to make understanding foreign-owned data harvesting practices more accessible, Incogni’s researchers examined the most popular apps by download in the US (from dates ranging between August 2024 and 2025) that were developed and owned by companies outside the US. It summarizes the prevalence and data collection and sharing practices of the most popular foreign-owned applications in the American market, their number of downloads, their data collection methodologies, and the types of data collected and shared with third parties. 

As American users increasingly rely on an interconnected global technology ecosystem, this study aims to provide insights into the scope and nature of foreign data access to American user information through analysis of application data handling practices.

Key insights

• 6 out of 10 foreign-owned apps in the US originate from China, including TikTok, Temu, Alibaba, Shein, CapCut, and AliExpress.
• Apps developed by Chinese-owned tech companies were some of the most data-hungry apps observed, collecting an average of 18 data types from each American user and sharing 6. 
• TikTok, the most data-hungry app, collects sensitive personal information such as users’ names, addresses, and phone numbers.
• Alibaba, a B2B ecommerce platform, can access users’ files, documents, videos and photos, phone numbers, home addresses, and full names. 
• Temu, a B2C retail platform, collects users’ approximate locations, installed apps, and other user-generated content, while Shein shares most of the data it collects with third parties, including users’ phone numbers, names, and photos. 
• AliExpress, and ‘America’s best pics and vids’ (ABPV) share their users’ approximate locations with third parties.
• The applications identified in this study were downloaded an estimated 1 billion times in the US, and three-quarters of those downloads were of Chinese apps.

The top 10 most popular applications in the US, created by foreign-owned companies

To understand the prominence of foreign-owned apps in the US, Incogni researchers sought out their origins and collected download numbers as estimated by the AppTweak platform. 

Our observations revealed a significant concentration of Chinese-developed applications within the American mobile ecosystem. Chinese applications constitute 6 of the 10 most popular foreign applications in the United States, representing a substantial market presence with an estimated 755 million downloads by American users since 2019.

This cohort is among major platforms across the entertainment and ecommerce sectors, including TikTok (and its companion application CapCut) and retail platforms Shein, AliExpress, Temu, and the B2B commerce platform Alibaba. The download metrics represent multiple installations per user, including instances of application reinstallation following device changes or prior uninstallation.

Of particular significance is the data collection exhibited by Chinese-born applications, which demonstrate expansive data-gobbling practices. These applications collect an average of 18 distinct data types per user, and share an average of 6 data categories with third-party entities (such as location, personally identifiable information (PII), etc.).

Two Singapore-based applications, DramaBox and Talkie AI, collectively accumulated approximately 70 million downloads among American users. However, Singapore-based incorporation does not directly establish Singaporean ownership, as Incogni’s researchers could not identify the controlling interests of these applications.

The study also identified ABPV (America’s Best Pics and Vids), incorporated in Cyprus, at nearly 26 million American downloads, while Telegram (originally founded in the United Arab Emirates, with alleged ties to Russian-based controlling interests) has seen over 145 million downloads in the United States.

Data collection and sharing

With the exception of Talkie AI, which has a dubious data safety section on the Google Play Store, the investigated apps collected an average of 15 data types and shared 5 of those types with third parties. The types of data collected and shared by these applications were categorized by:

• Location
• Personally identifiable information 
• Financial information
• Health and fitness information
• Messages
• Photos and videos
• Audio files
• Files and documents
• Calendars
• Contracts
• App activity
• Web-browsing activity
• App information and performance
• Device information or other digital IDs.

TikTok demonstrated the most data-hungry position, using 24 distinct data types from users and sharing 6 categories with third-party entities, including user names, residential addresses, and telephone numbers. Transmitting any data to external entities introduces multiplied privacy risks, as each transfer represents a potential vulnerability point through security breaches.

Alibaba, the Chinese-owned B2B commerce app, ranks second in data interaction scope, collecting 20 data categories and sharing 6 with external parties. The platform maintains access to user-generated content, including files, documents, videos, and photographs, alongside traditional personally identifiable information such as telephone numbers, addresses, and names.

The popular factory-to-consumer app, Temu, exhibits a more limited sharing profile, but still gobbles Americans’ data. It collects 18 data types but shares only 1 of those with third parties. The platform’s data collection encompasses location approximations, installed application inventories, and user-generated content, suggesting comprehensive device and behavioral profiling capabilities.

Shein presents a distinctive pattern characterized by extensive third-party data dissemination, sharing 12 of 17 collected data types to external entities. This represents the highest ratio of shared-to-collected data among the examined applications. The platform’s sharing practices include transmission of telephone numbers, names, and photographs to undisclosed third parties. The opacity surrounding ultimate data recipients compounds privacy concerns, as the research methodology cannot definitively establish the identity or jurisdictional compliance of downstream data processors. This uncertainty amplifies the potential for data to traverse jurisdictional boundaries and reach entities with varying privacy and security standards, including those that may operate counter to user interests.

Data collected for advertising and marketing purposes

Incogni researchers investigated what types of data are collected or shared for the explicit purpose of advertising and marketing. Email addresses collected by Shein, AliExpress, and Alibaba are explicitly designated for advertising purposes, with these platforms sharing such contact information with third-party entities for marketing activities. In this case, an email is shared with third parties for marketing purposes, which could mean that these platforms contribute to the unwanted spam that users receive, originating from marketing ecosystems that they never originally opted into.

Geographic data sharing presents additional privacy considerations, with AliExpress, and ABPV sharing approximate locations with third parties for advertising purposes. Similarly, ABPV also shares precise location information for marketing purposes. The Chinese platforms Shein, Alibaba, and AliExpress similarly share user names with external entities for advertising objectives.

However, most data that’s interacted with for the purpose of advertising is used by the app developers themselves, or at least, the developers don’t indicate that this data ever reaches third parties. Incogni researchers observed that:

• TikTok can utilize user contacts for advertising.
• TikTok and ABPV (America’s best pics, vids) use user-generated content for marketing purposes. 
• DramaBox uses information about what applications users have installed for advertising purposes. 
• AliExpress uses web browsing history for advertising.

Such data-based personalized advertising can lead to unwanted spending or even personalized pricing, where algorithms calculate an optimal price based on consumer behavior. This practice represents a fundamental shift from familiar uniform pricing models in the West, toward personalized economic extraction based on individual data profiles.

Conclusion

These findings are intended to highlight the immediate privacy concerns US users face due to the harvesting of mobile apps’ data by foreign-owned entities and address the broader question of digital sovereignty. 

The scale and intensity of foreign data collection from American users suggest that existing privacy frameworks may be inadequate to keep up with the popularity of these apps. 

Any Western privacy frameworks would benefit from addressing not only the collection of sensitive data from foreign-owned mobile apps but also the complex networks of third-party sharing that amplify privacy risks and complicate accountability. 

As the digital economy continues to ‘go global,’ understanding and addressing these cross-border data flows will be essential for maintaining both individual privacy rights and national security interests in an increasingly interconnected world.

Methodology

Incogni researchers defined the most downloaded apps in the last 12 months as per AppTweak datasets. On August 4th, 2025, Incogni’s researchers took the most downloaded apps and used a search engine to identify the headquarters or country that is home to each app’s ultimate beneficiary owner—defined as the controlling interest in this study.

Data collection and sharing practices were systematically documented using information disclosed in Google Play Store privacy sections, where developers provide mandatory disclosures regarding data collection categories, sharing practices, and stated purposes for data utilization.

For the purposes of this research, apps developed by North American beneficiary companies with controlling interests were disregarded. We included news or other media that led us to the conclusion that the selected apps were not owned or controlled by North American beneficiaries in the public dataset linked below.

For detailed information used in this study, see our public dataset. 

Visuals

Notwithstanding the terms of the CC BY-NC-SA 3.0 licenses of the visuals above, we grant news organizations and other media entities permission to use the specified asset(s) in their news coverage or commentary, including on pages that display advertising.

The visuals can be downloaded or embedded using the menu at the top right of the visual. Embedded visuals preserve their interactivity.