A Canadian government investigation into Tim Hortons found the coffee chain’s app continually tracked users, collecting location data “even when their app was not open.” In a statement published Wednesday, the Office of the Privacy Commissioner of Canada claimed the app would use that location information to “infer where users lived” and worked, and flag if they went to a competing coffee shop. Officials say this practice violated Canadian privacy laws.

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance,” Canadian Privacy Commissioner Daniel Therrien said.

Tim Hortons employed Radar, a third-party service provider based in the United States, to track and collect location information. Initially, the government report claims the company planned to use this data for targeted advertising, but then ultimately decided not to pursue that strategy. Tim Hortons says it used the data to track trends, such as how user activity changed during the pandemic. It stopped such data collection after federal and provincial privacy authorities launched their inquiry in 2020. The investigation itself was spurred by a 2020 report in the Financial Post, which first revealed the tracking practices.  

[Related: How data brokers threaten your privacy]

Still, officials warned that privacy concerns related to the app remain due to the language of the Radar agreement, which was “so vague and permissive” that Radar could still choose to access and sell “de-identified” location data. (Radar told regulators that it had no intention to do so, saying its “business model is to sell software, not data.”) Experts have cautioned that it can be easy to re-identify data based on user movements and regular routines, creating a significant privacy risk

The report recommended Tim Hortons delete any of this remaining data and call on third-party providers like Radar to delete their records as well. It also asked the coffee chain to retool its privacy management program to include “privacy impact assessments” for its app, among other features. According to the statement, Tim Hortons has agreed to move forward with those suggestions. The Verge notes that its app now claims to only use location data to help users find nearby stores for mobile orders.