Pokémon GO might be free to play, but that doesn’t mean it won’t cost you. In the week since its launch, millions of enthusiasts made the game one of the most popular (and profitable) augmented-reality games to date, boosting Nintendo's value by $9 billion according to BuzzFeed. But, according to that same report, buckets of money aren’t the only things coming to the gamemakers. It turns out the app is also pulling in tons of valuable information about its players. Before logging on to become the next Pokémon champion, it’s probably worth asking: does Pokémon GO access private data?

For those unfamiliar with the latest craze, here’s why Pokémon are suddenly everywhere (again): the franchise has been turned into a mobile game, through a joint venture of The Pokémon Company and Alphabet-backed game developer Niantic (remember, Alphabet is the conglomerate formerly known as Google). Using location and clock data from a player’s smartphone, the game makes Pokémon “appear” in real-life locations and the object is — you guessed it — to “catch ‘em all.”

So, it makes total sense that in order to play the game properly, users would have to offer up information about where they went, and for how long, which means handing over their GPS data. And to actually "see" the Pokemon, players have to allow the game to use their phone's camera.

But what has some players alarmed is the other, seemingly unrelated information that Pokémon GO can access, including user emails and other documents. According to the Pokémon GO privacy policy, Niantic can collect — and keep! — user email address, IP address, web browser history, username, and location. But Apple users have the option of logging on using their Google account information. So, some users were concerned that Niantic would also have access to their Google email accounts, Google Drive documents, and, well, anything that the player might have connected to using Google.

Of course, users hand over sensitive GPS data and other personal information to mobile apps all the time. I mean, how else would I get those cool alerts when I’m near a Starbucks or a sale at Target? But the difference here is that the super-detailed location info captured by Pokémon GO could lead players into dangerous scenarios. According to CNN, one Wyoming teenager found a dead body instead of the Pokémon she was hunting for, and some would-be robbers in Missouri have used the app to lure potential victims to isolated spots.

In a statement issued to Gizmodo, Niantic denied ever accessing user emails or calendars:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.

Furthermore, according to the company, a fix is already in the works:

Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. [...] Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

That’s good news for the more than one million users who have already downloaded the game, according to BuzzFeed. But still, forking over unfettered access to GPS data could still be concerning. At best, constantly broadcasting location information is a huge battery drain, TechCrunch reported. And at worst, it can put precious information about user whereabouts into the wrong hands. This week, law enforcement agencies warned Pokemon players to stay alert while playing the game and to avoid potentially shady scenarios (like deserted areas, closed buildings, and stranger residences). In other words, catching ‘em all may not always be the best plan. Play it safe out there, Pokémon hunters.