Runkeeper has admitted that its fitness-tracking app has been tracking users too much, and claimed this was accidental.
Last week Norway’s consumer watchdog made a complaint to the country’s privacy authority about Runkeeper, saying the app siphoned up location information even when people weren’t using it to monitor their runs.
According to a Runkeeper blog post Tuesday, this was due to “a bug” in the way the app integrated with a third-party advertising service.
Get Data Sheet, Fortune’s technology newsletter.
The Boston-based team, bought this year by footwear firm Asics (asccf), wrote:
“We apologize for letting this bug slip through, and we regret the concern this has caused our users,” the team wrote.
However, the Norwegian consumer authority said Runkeeper’s action was “a start, but far from good enough.”
For more on privacy, watch:
“The circumstance that this leading fitness app with more than 45 million users inadvertently collects personal user data tracking users when the app is not in use and sending the data to third parties, indicates that the app industry needs to do more to earn their users’ trust,” the authority wrote in its own blog post.
The consumer authority said it expected Runkeeper to make sure that the third-party ad network, which it identified as Kiip, deletes the “illegally collected” location data.
“All of these issues are breaching either the EU Unfair Contract Terms Directive or key articles of data protection law, according to our analysis,” it said.