Fitbit User Data and Developer Policy
Last revised on May 25, 2023
Effective as of June 6, 2023
Fitbit Platform Developer Principles
As a developer of health and fitness applications and services, you often collect and manage sensitive user information like health and fitness data. Keep these key principles in mind:
- Protect users' privacy: Don't use any Fitbit user data for prohibited uses, like selling or using user data for advertising purposes.
- Be transparent: Accurately represent and explain to users what data you will collect, why you will collect it, and how you will use it.
- Respect users' wishes: Honor user requests to delete their data.
- Secure user data: Handle all user data securely and demonstrate you adhere to certain security practices.
- Request appropriate permissions: Don't request access to data that you don't need to provide the primary features of your application or service.
Fitbit API Policies
The policy below, as well as the
Fitbit Platform Terms of Service,
Fitbit Terms of Service,
govern the use of and access to the Fitbit Platform, including the Fitbit
APIs, Fitbit Developer Tools, and Fitbit Data. If you use Fitbit APIs to
request access to Google user data, your use of and access to the fitbit
Platform is also governed by the Fitbit Additional Terms of Service,
Google APIs Terms of Service,
OAuth 2.0 policies,
Google API Services User Data Policy.
You must also comply with all applicable laws and regulations. In the event of a conflict between this policy or any other terms with regard to the Fitbit Platform or accessing Fitbit Data, this Fitbit User Data and Developer Policy controls.
Please check back from time to time as these policies are occasionally updated. It is your responsibility to monitor and ensure your compliance with these conditions on a regular basis. If, at any time, you cannot meet these conditions (or if there is a significant risk that you will not be able to meet them), you must immediately stop using our services. We reserve the right to suspend and/or terminate access to our services if you do not comply with this policy.
Appropriate Access to and Use of the Fitbit Platform
Requests to access Fitbit user data must be clear and understandable. Fitbit APIs and Developer Tools may only be used in accordance with the applicable policies, terms and conditions, and for approved use cases as set forth in this Policy. This means you may only request access to Fitbit APIs when your application or service meets one of the approved use cases.
Approved use cases for access to Fitbit APIs are:
- Applications or services with one or more features to benefit users' health and fitness via a user interface allowing users to directly journal, report, monitor, and/or analyze their physical activity, sleep, mental well-being, nutrition, health measurements, physical descriptions, and/or other health or fitness-related descriptions and measurements.
- Applications or services with one or more features to benefit users' health and fitness via a user interface allowing users to sync their physical activity, sleep, mental well-being, nutrition, health measurements, physical descriptions, and/or other health or fitness-related descriptions and measurements.
Limited Uses of User Data
Upon accessing Fitbit user data for an appropriate use, your use of the data obtained must comply with the below requirements. These requirements apply to data derived from restricted permissions, the raw data obtained from Fitbit APIs or Developer Tools, and data aggregated, anonymized, de-identified, or derived from the raw data.
- Limit your use of user data to providing or improving your appropriate use case or features that are visible and prominent in the requesting application's user interface.
- Transfers of data are not allowed, except:
- To provide or improve your appropriate use case or user-facing features that are clear from the requesting application's user interface and only with the user’s consent;
- For security purposes (for example, investigating abuse);
- To comply with applicable laws and/or regulations; or,
- As part of a merger, acquisition or sale of assets of the developer after obtaining explicit prior consent from the user.
- Do not allow humans to read user data, unless:
- You have obtained the user's explicit consent to read specific data (for example, helping a user re-access the product or a service aftetr having lost their password);
- The data (including derivations) is aggregated and anonymized and used for internal operations in accordance with applicable privacy and other jurisdictional legal requirements;
- It’s necessary for security purposes (for example, investigating abuse);
- To comply with applicable laws and/or regulations.
All other transfers, uses, or sale of user data is completely prohibited, including:
- Transferring or selling user data to third parties like advertising platforms, data brokers, or any information resellers even if aggregated or anonymized
- Transferring, selling, or using user data for serving ads, including personalized or interest-based advertising.
- Transferring, selling, or using user data to determine credit-worthiness or for lending purposes.
- Transferring, selling, or using the user data with any product or service that may qualify as a medical device pursuant to Section 201(h) of the Federal Food Drug & Cosmetic Act if the user data will be used by the medical device to perform its regulated function.
- Transferring, selling, or using user data for any purpose or in any manner involving Protected Health Information (as defined by HIPAA) unless you receive prior written approval to such use from Fitbit.
Access to Fitbit user data may not be used in violation of this Policy or other applicable Fitbit terms and conditions or policies, including for the following purposes:
- Do not use Fitbit APIs or Developer Tools to sell information to third parties, such as advertising platforms, data brokers, or any information resellers, even if aggregated or anonymized.
- Do not disclose information obtained through Fitbit APIs or Developer Tools to third parties in violation of this Policy, including the Limited Uses of User Data section.
- Do not use Fitbit APIs or Developer Tools for applications, services, or features designed to collect or combine user data for human subjects research, medical research, or any other similar research overseen by an Institutional Research Board or Ethics Commission unless you agree to abide by the Fitbit Web API Health Research Policy in conducting such research.
- Do not use Fitbit APIs or Developer Tools for any purpose or in any manner involving Protected Health Information, as defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) unless you receive prior written approval to such use from Google.
- Do not use Fitbit APIs or Developer Tools with any product or service that may qualify as a medical device pursuant to Section 201(h) of the Federal Food Drug & Cosmetic Act if the user data will be used by the medical device to perform its regulated function.
- Do not use Fitbit APIs or Developer Tools in developing, or for incorporation into, applications, environments or activities where the use or failure of the Fitbit APIs or Developer Tools could reasonably be expected to lead to death, personal injury, or environmental or property damage (such as the creation or operation of nuclear facilities, air traffic control, life support systems, or weaponry).
Apps and clockfaces within the App Gallery must also adhere to the Fitbit App Gallery Guidelines. The above is a non-exhaustive list of use cases for which Fitbit does not permit access to Fitbit APIs or Developer Tools.
Minimum Scope Required for Access to Fitbit APIs and Fitbit Developer Tools
You may only request access to permissions that are critical to implementing your application or service's functionality. This means:
Don't request access to information that you don't need. Only request access to the permissions necessary to implement your product's features or services. If your product does not require access to specific permissions, then you must not request access to those permissions. Don't attempt to "future proof" your access to user data by requesting access to information that might benefit services or features that have not yet been implemented.
Request permissions in context where possible. Only request access to user data in context (via incremental auth) whenever you can, so that users understand why you need the data.
Transparent and Accurate Notice and Control
Applications and services must also request access to user data in context (via incremental auth when possible), so that users better understand what data will be provided, why you need the data, and how the data will be used. In addition to the requirements under applicable law, you must also adhere to the following requirements:
- You must provide a disclosure of your data access, collection, use, and
sharing. The disclosure:
- Must accurately represent the identity of the application or service that seeks access to user data;
- Must be within the application itself if application-based or in a separate dialog window if web-based;
- Must be displayed in the normal usage of the application if application-based or website if web-based and not require the user to navigate into a menu or settings;
- Must provide clear and accurate information explaining the types of data being accessed, requested, and/or collected;
- Must explain how the data will be used and/or shared: if you request data for one reason, but the data will also be utilized for a secondary purpose, you must notify users of both use cases;
- Cannot be included with other disclosures unrelated to personal and sensitive data collection.
- Your disclosure must accompany and immediately precede a request for user
consent. You must not begin collection prior to obtaining affirmative
consent. The request for consent:
- Must present the consent dialog in a clear and unambiguous way;
- Must require affirmative user action (for example, tap to accept, tick a check-box, a verbal command, etc.) in order to accept;
- Must not interpret navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and,
- Must not utilize auto-dismissing or expiring messages.
- You must provide user help documentation that explains how users can manage and delete their data from your app.
Secure Data Handling
We expect all user data is secure in transit and at rest. Take reasonable and appropriate steps to protect all applications or systems that make use of Fitbit user data against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure.
Recommended security practices include implementing and maintaining an Information Security Management System such as outlined in ISO/IEC 27001 and ensuring your application or web service is robust and free from common security issues as set out by the OWASP Top 10.
Required security measures include:
- Using an industry accepted encryption standard to encrypt user data that is:
- Stored on portable devices or portable electronic media;
- Maintained outside of Google's, Fitbit’s or your systems;
- Transferred across any external network not solely managed by you; and,
- At rest on your systems.
- Transmitting data using secure modern protocols (for example, over HTTPS).
- Keeping user data and credentials, specifically tokens such as OAuth access and refresh tokens, encrypted at rest.
- Ensuring keys and key material are managed appropriately, such as stored in a hardware security module or equivalent-strength key management system.
Depending on the API being accessed and number of user grants or users, we will require that your application or service follow the Cloud Application Security Assessment (CASA), undergo a periodic security assessment, and obtain a Letter of Assessment from a Google-designated third party if your product transfers data off the user's own device.
You agree to promptly notify us at email@example.com of any known or suspected unauthorized access to your systems, networks, accounts, or other locations where Fitbit User Data is stored (“Security Breach”). You agree to cooperate fully with Google to correct any known or suspected Security Breach, and in any such event, to notify us at firstname.lastname@example.org before you make any public statements regarding any known or suspected Security Breach.
Google / Fitbit Commitments to the European Commission
There are escalation tools available to API users as part of the Google / Fitbit Commitments to the European Commission where API users’ access to the Fitbit Web API is either denied or revoked in violation of the Google / Fitbit Commitments.
If you wish to escalate an issue to the Monitoring Trustee, you can contact them at email@example.com.
Please refer to the Google / Fitbit Commitments to the European Commission for more information, including:
- Web API Access Commitment described in Section (A.2)(7)&(8)
- Fast Track Dispute Resolution Procedure described in Annex 5