Amazon’s smart doorbell company Ring may be using its app to surveil users, a report from the Electronic Frontier Foundation revealed on Wednesday.

The “Ring for Android” app shares user data including names, private IP addresses, mobile network carriers and sensor data with a number of third-party trackers, the investigation found. At least four analytics and marketing companies receive such information from customer devices.

“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system,” Bill Budington, senior staff technologist at the EFF and author of the report, said.

Every time a customer opens the Ring app, it sends information to Facebook about the user, including the time zone, device model, language preferences, screen resolution, and a unique identifier, the report found.

It also sends information to the data company AppsFlyer, including user actions, mobile carrier, and when Ring was first installed and launched, the report found. In addition, it shares data from sensors installed on the phone, including a magnetometer, gyroscope, and accelerometer, and current calibration settings.

MixPanel, a business analytics firm, receives the most information, the report found, including users’ full names, email addresses, device information such as operating system (OS) version and model, whether Bluetooth is enabled, and the number of Ring devices installed.

A spokeswoman from Ring confirmed the company uses third-party services to “optimize the customer experience” and “evaluate the effectiveness” of its marketing.

“Ring ensures that service providers’ use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes”, she said.

On its website, Ring discloses it utilizes third-party data analytics, but Budington said the extent of the data collection was not made clear in the post. The information on Ring’s website also only mentions four companies: Google Analytics, Mixpanel, HotJar, and Optimizely. The page has not been updated since May 2018 and does not include companies the EFF found to be receiving data, including AppsFlyer or Facebook.

The report is the latest controversy for Ring, which faced increased scrutiny in 2019 for its partnerships with police forces across the US, quietly expanding a privately owned surveillance system. It is also the target of a number of class action lawsuits after many of its cameras were hacked and used to harass users.

Ring’s app can be downloaded even if a user does not own a device, but doorbells retail at around $100. Budington noted that it was not atypical for apps to share data but Ring was unique in the number of trackers it has embedded.

“There is an adage that if you aren’t paying for the product, then you are the product –but in this case you are both paying for the product and you are the product,” he said. “Companies can do better.”