A new investigative report from The Wall Street Journal today looks into the controversial practice of popular third-party iOS and Android apps sending very personal user data to Facebook. In some cases, this happened immediately after an app recorded new data, even if the user wasn’t logged into Facebook or wasn’t a Facebook user at all. Notably, the report highlights that Apple and Google don’t require apps to divulge all the partners that user data is shared with.

WSJ noted how we share some of the most intimate details of our lives with apps.

What the investigative report discovered was that Facebook purchases this personal data from apps, and in many cases has access to it as soon as new data is recorded. Further, this happens even when users aren’t logged in to Facebook or don’t even have an account.

WSJ notes that many of Facebook’s controversial user tracking strategies have been uncovered over the last couple of years, but this investigation uncovered even more concerning details, like what in-app data 11 popular apps are sharing with Facebook.

The tricky part for users is that iOS and Android apps aren’t required by Apple and Google to disclose all of the partners that have access to your data. What’s more, with the apps tested, there was no clear way to prevent them from sending data to Facebook.

Some of the example’s include heart rate app, Instant Heart Rate: HR Monitor, Flo a period and ovulation tracker, and Realtor.com’s app.

Even when users aren’t logged into Facebook, the company can often match up personal data from third-party apps to users once it receives the data.

Flo Health Inc.’s Flo Period & Ovulation Tracker, which claims 25 million active users, told Facebook when a user was having her period or informed the app of an intention to get pregnant, the tests showed.

Real-estate app Realtor.com, owned by Move Inc., a subsidiary of Wall Street Journal parentNews Corp , sent the social network the location and price of listings that a user viewed, noting which ones were marked as favorites, the tests showed.

Here’s how this process works:

As for Facebook, it says it uses this data to “personalize ads and content on Facebook and to conduct market research, among other things.”

Apple told the WSJ it requires user consent to collect data, but as the report points out, users don’t know where the data is going.

Google gave a more vague statement:

What do you think? Should Apple do more to protect user privacy in apps? Or does the responsibility land on app developers? Share your thoughts in the comments below!

Read the full investigative report here.