Several major companies are secretly recording your every move on their iPhone apps without your permission or even your knowledge, a new investigation has found.

According to a TechCrunch report, several popular iPhone apps, including hotels and travel sites and retailers, not only know what you’re doing with their apps but they could even expose sensitive data.

The technology news site discovered that apps including Hotels.com, Air Canada, Singapore Airlines, Expedia, Hollister and Abercrombie & Fitch use Glassbox, a customer experience analytics firm that allows developers to embed so-called “session replay” technology into their apps. Developers can then record users’ screens and play them back to see how people used the app.

“Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers,” TechCrunch reports.

The technology news site asked mobile expert The App Analyst to examine apps that Glassbox listed as customers and see what data was leaving the iPhone.

According to TechCrunch, none of the apps that were checked told users they were recording their screens or that they were sending the information back to each company. Although all apps submitted to Apple’s App Store must have a privacy policy, the news site reports that none of the apps they reviewed make it clear that they record a user’s screen. If any of Glassbox’s customers are not correctly masking data, it could be problematic, The App Analyst told TechCrunch.

“Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he told TechCrunch.

TechCrunch reports that it would have to analyze all the data for each app to know for sure if an app is recording a user’s screens.

The App Analyst told TechCrunch that while Abercrombie & Fitch sent its session replays to Glassbox, others such as Hotels.com captured the session replay data and sent it back to their own servers. Although he reportedly said the data was “obfuscated,” he did see email addresses and postal codes in a few instances. Air Canada’s iPhone app was not properly masking the session replays, however, exposing passport numbers and credit card data, according to The App Analyst.

Hotel.com’s policy does not mention recording users’ screens, nor does Expedia’s. In Air Canada’s case, the TechCrunch investigation did not find any mention in its privacy policy that suggests the app sends screen data back to the airline.

TechCrunch asked each company where in their privacy policies it allows them to capture what users do on their phones.

Abercrombie confirmed that it uses Glassbox but the company’s privacy policy makes no mention of session replays, reports TechCrunch. Air Canada gave TechCrunch the following statement:

“Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips,” said a spokesperson.” This includes user information entered in, and collected on, the Air Canada mobile app. However, Air Canada does not—and cannot—capture phone screens outside of the Air Canada app.”

The other companies did not respond to requests for comment from the tech news site.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

Fox News reached out to Apple, Glassbox, Air Canada, Hotels.com, Abercrombie & Fitch and Expedia with a request for comment on the story.