In a joint investigation by Canadian federal and provincial privacy authorities it was found that the Tim Hortons mobile ordering tracked and recorded users every few minutes, every day, even when the app was not open. The app was found to be in violation of Canadian privacy laws (news release).
It should be noted that Tim Hortons halted the continual tracking of users' locations in 2020 after the government began investigating. But that "did not eliminate the risk of surveillance" because "Tim Hortons' contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell 'de-identified' location data for its own purposes," the Office of the Privacy Commissioner said. As the office noted, there "is a real risk that de-identified geolocation data could be re-identified."
I must be missing the part where a customer has any assurances that an app issuer does not have nefarious plans for their personal data. The Tim Horton's story just makes me trust Krispy Kreme even less.
An example: I was under the mistaken impression that I had to download the Ticketmaster app just to purchase tickets for the Eiffel Tower replica in Vegas. As soon as that need was complete, I deleted the app... and I'm still dealing with residual ads for entertainment ever since.