We're conscious that health and fitness data is particularly sensitive to users. Ensuring the security and privacy of that data is of utmost importance. To ensure security and privacy during the exchange of this data, all Google Fit API scopes are Restricted. Learn more about requesting access to restricted OAuth scopes.
What do you need to do?
Read through the Google Fit Developer and User Data Policy and address any gaps.
When you're going through the OAuth verification process in the Google Cloud Platform console, follow the appropriate verification steps.
When do you need to apply for verification?
- If you're adding a new Google Fit scope to your app, follow the instructions to prepare for restricted scope verification.
- For existing apps, wait until you're contacted by the Google team who will give you more information on the verification process and next steps. Until then, your app will continue to have access to the data and scopes it currently accesses.
FAQs
Which Google Fit APIs does the policy apply to?
The policy applies to both the REST and Android APIs.
What are the approved use cases for the Google Fit REST and Android APIs?
Approved use cases for the Google Fit REST and Android APIs include fitness and wellness, rewards, fitness coaching, corporate wellness, medical care, health research, and games. Applications granted access to the Google Fit REST and Android APIs may not extend its use to undisclosed or non-permitted purposes.
Approved use cases |
Fitness and Wellness
Applications that allow users to track their fitness / wellness and progress to their goals using phone sensors, manual journalling or participating in digital classes and guided sessions. |
Rewards
Applications that encourage users to adopt and maintain healthy habits in exchange for financial rewards. |
Fitness Coaching
Applications that feature virtual human fitness coaching helping users to achieve a health or fitness goal. Human coaches have access to user data to check on progress and provide guidance and support. |
Corporate Wellness
Enterprise focused platforms that enable wellness managers to distribute and manage wellness programs for employees. |
Medical Care
Applications that help users receive and manage clinical care. These applications may provide services that exchange health and fitness data with clinical teams, such as condition management apps focused on medical conditions like diabetes or hypertension. |
Health Research
Applications give users the opportunity to donate their data for health research studies. These studies are typically approved by an Institutional Review Board (IRB) or Ethics Committee (EC) and collect user consent for conducting health research. |
Games
Applications where a user’s progress in a game is influenced or impacted by their fitness and/or wellness. These are games that collect a user’s activity data as a way to advance game play. |
What are the requirements for the in-app disclosure of data access, collection, use, and sharing?
The in-app disclosure:
- Must be within the app itself, not only in the app description or on a website;
- Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
- Must describe the data being accessed or collected;
- Must explain how the data will be used and/or shared;
- Cannot only be placed in a privacy policy or terms of service; and
- Cannot be included with other disclosures unrelated to Google Fit data collection.
- Does not need explicit consent such as an “accept” or “I understand” granted by the user as this is done in the runtime prompt that immediately follows; enabling the user to close or swipe away are acceptable ways to migrate out of the disclosure.
Recommended disclosure statement formats: To meet the policy requirements, it’s recommended that you reference the following example format: “(This app) collects health and fitness data to enable ("feature"), ("feature"), & ("feature").”
Example: “Fitness Coach collects activity data to enable analytics and personalized coaching.”
The prominent disclosure may include other information to ensure compliance to policy requirements and clarity for users but must at least include the above, where relevant.
What do the review enhancements mean in practice?
If you access Fit APIs and have more than 100 users, you will be contacted in due course to begin a verification process. If you request read/write access to any of the linked read/write health scopes, you will also be required to carry out a security assessment. This includes cases where you are reading sensor data, such as steps, using the Recording API and Sessions APIs on Android.
How can I check whether I have 100 or more users?
You can look that up for your project in Cloud Console.
How will I be informed that I need to go through verification?
You will be contacted via the contact email addresses that you have stored in Cloud Console, so please make sure these are kept up to date.
How do I determine if my app needs a security assessment?
If your app uses any of the linked read/write health scopes, and has exceeded the 100-user cap then it will need a security assessment. You will be separately informed that you need to go through verification and security assessment, and will be given ample notice to complete it. For more information about the security standards used, see App Defense Alliance security assessment FAQ.
How do I get a security assessment if my app needs one?
When you are invited to go through verification, you will be provided with details of how to get a security assessment with ample notice to complete it.