Platform Developer and User Data Policy FAQ
Last revised on May 18, 2022
Health and wellness data is particularly sensitive, and ensuring the security and privacy of that data is of utmost importance. Review the following FAQ in order to meet the Fitbit Developer and User Data Policy requirements.
Frequently Asked Questions
Which Fitbit API does the policy apply to?
The policy applies to the Web API.
What are the approved use cases for the Fitbit Web API?
Approved use cases for the Fitbit Web API include fitness and wellness, rewards, fitness coaching, corporate wellness, medical care, health research, and games. Applications granted access to the Fitbit Web API may not extend its use to undisclosed or non-permitted purposes.
Approved Use Cases Fitness and Wellness
Applications that allow users to track their fitness / wellness and progress to their goals using phone sensors, manual journalling or participating in digital classes and guided sessions.
Applications that encourage users to adopt and maintain healthy habits in exchange for financial rewards.
Applications that feature virtual human fitness coaching helping users to achieve a health or fitness goal. Human coaches have access to user data to check on progress and provide guidance and support.
Enterprise focused platforms that enable wellness managers to distribute and manage wellness programs for employees.
Applications that help users receive and manage clinical care. These apps may provide services that exchange health and fitness data with clinical teams, such as condition management apps focused on medical conditions like diabetes or hypertension.
Applications give users the opportunity to donate their data for health research studies. These studies are typically approved by an Institutional Review Board (IRB) or Ethics Committee (EC) and collect user consent for conducting health research.
Applications where a user’s progress in a game is influenced or impacted by their fitness and/or wellness. These are games that collect a user’s activity data as a way to advance game play.
What do you need to do now?
Read through the new Fitbit Platform Developer and User Data Policy and address any gaps.
When do you need to apply for verification?
Wait until you’re contacted by the Fitbit team who will reach out to give you more information on the verification process and next steps. Your app will continue to have access to the data and scopes it currently does until then.
What are the requirements for the in-app disclosure of data access, collection, use, and sharing?
The in-app disclosure:
- Must be within the app itself, not only in the app description or on a website;
- Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
- Must describe the data being accessed or collected;
- Must explain how the data will be used and/or shared;
- Cannot be included with other Disclosures unrelated to Fitbit data collection;
- Does not need explicit consent such as an “accept” or “I understand” granted by the user as this is done in the runtime prompt that immediately follows; enabling the user to close or swipe away are acceptable ways to navigate out of the disclosure.
What is the recommended disclosure statement format?
To meet the policy requirements, it’s recommended that you reference the following example format:
“[This app] collects health and fitness data to enable ["feature"], ["feature"], & ["feature"].”
Example: “Fitness Coach collects activity data to enable analytics and personalized coaching.”
The prominent disclosure may include other information to ensure compliance to policy requirements and clarity for users but must at least include the above, where relevant.
What does the review process mean in practice?
If you access Fitbit APIs and have more than 100 users, you will be contacted in due course to begin a verification process. If you request access to the heart rate, location, sleep, and/or weight scope, then you may be required to carry out a security assessment.
How will I be informed that I need to go through verification?
You will be contacted via the email address for the account associated with the app registered on dev.fitbit.com, so please make sure that is kept up to date.
How do I determine if my app needs a security assessment?
If your app uses the heart rate, location, sleep, and/or weight scopes and has more than 100 users then it will need a security assessment. You will be separately informed that you need to go through verification and security assessment with ample notice to complete it. For more information, please refer to this App Defense Alliance security assessment FAQ.
How do I get a security assessment if my app needs one?
When you are invited to go through verification, you will be provided with details of how to get a security assessment with ample notice to complete it.