The number of users of wearable activity trackers (WATs) has rapidly increased over the last decade. While these devices enable their users to monitor their activities and health, they also raise new security and privacy concerns given the sensitive data (e.g., steps, heart rate) they collect and the information that can be inferred from this data (e.g., diseases). Besides the service providers (e.g., Fitbit), WAT users can share their fitness data with third-party applications (TPAs) and individuals. Understanding how and with whom users share their fitness data and what kind of approaches they take to preserve their privacy is key to assess the underlying privacy risks and to further design appropriate privacy-enhancing techniques. In this work, we perform, through a large-scale survey of 𝑁 = 628 WAT users, the first quantitative and qualitative analysis of users’ awareness, understanding, attitudes, and behaviors toward fitness-data sharing with TPAs and individuals. In particular, we explore users’ practices and actual behaviors toward fitness-data sharing, as well as their mental models by asking them to draw their thoughts. Our empirical results show that about half of WAT users underestimate the number of TPAs to which they have granted access to their data, while 63% share data with at least one TPA that they do not actively use (anymore). Moreover, 29% of the users did not revoke TPA access to their data because they forgot they had given access to it in the first place, and 8% were not even aware they could revoke access to their data. Finally, their mental models as well as some of their answers demonstrate substantial gaps in their understanding of the data-sharing process. In particular, 67% of the respondents think that TPAs cannot access the fitness data that was collected before they granted access to it, while TPAs actually can.