Runkeeper has admitted that its fitness-tracking app has been tracking users too much, and claimed this was accidental.
Last week Norway’s consumer watchdog made a complaint to the country’s privacy authority about Runkeeper, saying the app siphoned up location information even when people weren’t using it to monitor their runs.
According to a Runkeeper blog post Tuesday, this was due to “a bug” in the way the app integrated with a third-party advertising service.
Get Data Sheet, Fortune’s technology newsletter.
The Boston-based team, bought this year by footwear firm Asics (ASCCF), wrote:
Like other Android apps, when the Runkeeper app is in the background, it can be awakened by the device when certain events occur (like when the device receives a Runkeeper push notification). When such events awakened the app, the bug inadvertently caused the app to send location data to the third-party service.
Today we are releasing a new version of our app that eliminates this bug and removes the third-party service involved.
Runkeeper said the bug only affected its Android (GOOG) app, but it was making the same changes to its iOS (AAPL) app nonetheless “out of an abundance of caution.”
“We apologize for letting this bug slip through, and we regret the concern this has caused our users,” the team wrote.
However, the Norwegian consumer authority said Runkeeper’s action was “a start, but far from good enough.”
For more on privacy, watch:
“The circumstance that this leading fitness app with more than 45 million users inadvertently collects personal user data tracking users when the app is not in use and sending the data to third parties, indicates that the app industry needs to do more to earn their users’ trust,” the authority wrote in its own blog post.
The consumer authority said it expected Runkeeper to make sure that the third-party ad network, which it identified as Kiip, deletes the “illegally collected” location data.
The watchdog also noted that other elements of its complaint—such as Runkeeper’s terms and privacy policy not saying whether the outfit deletes data after a certain period—remain unresolved.
“All of these issues are breaching either the EU Unfair Contract Terms Directive or key articles of data protection law, according to our analysis,” it said.
