While Pokémon GO users are collecting all 150 of the game’s fictional species of creatures, Niantic and Nintendo are gaining access to and gather a lot of your personal information.

It’s not just the ability to track your location or the fact that the app is linked to your Google account that’s worrisome; most users accepted a level of invasive monitoring willingly, given the game is about GPS-based hunting.

Anyone who signed up for Pokémon Go with a Google account has perhaps unknowingly given Nintendo and developer Niantic full account access.

Theoretically, this permission could allow Niantic and Nintendo’s subsidiary The Pokémon Company to see/edit/collect just about anything related to your Google account.

Emails, photos, documents, all of your former location and search history: it can see all of this stuff, from even before you started using the app.

It’s a potentially disastrous security risk: just one hack or leak of user information would mean compromises in Google information for a group of people about as large as the number of daily active users for Twitter on Android.

Even if the data isn’t hacked, these two companies are already getting access to your info-pictures, emails, documents-basically everything they could ever want, except a few key abilities like using Google Wallet, changing your password, or deleting your account).

Whether they’re using those abilities or not is an entirely separate matter, but unless Niantic wants to help you build spreadsheets to keep track of your Pokémon, and email your friends to brag about it, this is entirely unwarranted access.

Developer Niantic clarified to Business Insider that Pokémon Go requesting this kind of broad access to players’ Google accounts wasn’t intentional, and added it was never used to look at players’ account information, other than their email address and user ID. The company further explained the issue was a bug in the iOS version of Pokémon Go and said it would be fixed in an upcoming update.