There’s a lot, and it doesn’t really matter if you use Facebook only occasionally.

The collecting and giving away of personal data starts when you sign up for Facebook, gains steam as you use the social network more, and it continues as users add third-party apps.

When you sign up for a Facebook account, you’re required to share:

• name
• gender
• date of birth
• email or mobile number

From here, Facebook gathers and stores more personal data, which can be used to target users with ads, including what users share and add, and their likes and clicks. That means Facebook tracks and stores data about:

• Every ad users click on
• Any additional personal information added to the profile including schools, maiden name, hometown and current city, employment, other social networks like political clubs, groups, and alumni associations (current and former)
• Every IP address that the user used when logging into the Facebook account
• Every friend in the network, including friends that have been deleted
• All of the user’s activity—ever. Facebook describes its activity log as “a list of your posts and activity, from today back to the very beginning. You’ll also see stories and photos you’ve been tagged in, as well as the connections you’ve made – like when you liked a Page or added someone as a friend.” That means every “like,” every status change, and every search of another person on Facebook.

But the real fun begins with third-party apps. These are many apps from Candy Crush and Airbnb to Spotify and Uber that allow users to sign in using their Facebook password. It’s so convenient (only one password to remember!) that many people opt in.

Every third-party app is different in the kinds of data that’s collected. But the important step to remember is to stop and really read through what you’re agreeing to—even if sometimes it’s contained in a lengthy legalese agreement—before casually hitting the “continue” to log in using Facebook button. Typically, these apps want access to names, genders, and locations. But many apps dig deeper into personal preferences and friend networks.

From here, all it takes is for the third-party app to sell the data to someone else, like behavior research firm Strategic Communication Laboratories, which is affiliated with Cambridge Analytica, the data firm that worked for Trump’s campaign. Facebook has cut down on the information it shares with third party apps. However, it has not been eliminated altogether.

A new report by Fractl found that all that personal data from Facebook and other accounts is being illegally sold on the “dark web” for little more than a few dollars. For instance, the firm found Facebook logins sold for $5.20 each while credentials to PayPal accounts went for an average of $247, reported MarketWatch.

Short of deleting a Facebook account, there are a few other steps users can take to protect themselves, starting with getting rid of all those third-party apps and turning off location data. Go to Facebook settings (nope, not privacy), then “apps,” and check how many apps are linked to Facebook.

When I took a look recently, there were 40 apps linked to my Facebook account, which is low compared to others I know who had as many as 100 third-party apps linked to their own accounts.

You can remove these apps. Or you can head over to the apps, websites, and plugins square, click on “edit,” and then turn off all third-party API access. Doing so will prevent third-party apps from linking to your Facebook account in the future.

Facebook tracks users locations, but it doesn’t have to. There are actually options to deny it location access, or to only give it access when the app is being used. Users can do this with their iPhone or Android, although process is just slightly different.

In Android, go to settings, scroll down and click location. From here, users can slide location on and off. For those with iPhones, go to settings, then privacy, and then location. From here, users can find the Facebook app and pick the location access they want to give.