// Trust & Security Report
Google (Fitbit)
Fitbit wearable fitness trackers and health monitoring devices, including consumer Fitbit app (now Google Health) and enterprise Fitbit Wellness platform with HIPAA support.
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on blog.google“Fitbit Wellness will be able to expand integration opportunities with health plans and self-insured employers by its ability to enter into Business Associate Agreements with HIPAA-covered entities. Note: this applies only to the enterprise Fitbit Wellness offering; the consumer Fitbit app is not HIPAA covered.”
Verify on support.google.com“Fitbit LLC complies with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF as set forth by the US Department of Commerce.”
Verify on support.google.com“the Products are in conformance with the applicable security requirements in Schedule 1 of The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.”
Verify on support.google.com“Google declares that Fitbit Air has been manufactured in compliance with the Cyber Security (Security Standards for Smart Devices) Rules 2025.”
> Show 4 unconfirmed / not-held certifications
source: support.google.comNo public evidence of SOC 2 certification for Fitbit consumer app or Google Health. Google Cloud and Google Workspace hold SOC 2, but these do not apply to consumer Fitbit.
source: support.google.comNo ISO 27001 mentioned in Fitbit privacy policy or security documentation for consumer app. Google Cloud and Google Workspace hold ISO 27001, but these do not apply to consumer Fitbit.
source: support.google.comNot applicable to consumer Fitbit; applies only to Google Cloud services.
source: noyb.euWhile Fitbit claims GDPR compliance, three GDPR complaints were filed by noyb (Max Schrems' organization) in August 2023 in Austria, Netherlands, and Italy alleging illegal data transfers to the US without adequate legal mechanism and forced consent without meaningful withdrawal option.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States and other countries (no specific data center locations disclosed)
Fitbit does NOT automatically use customer health data for AI model training. Users must explicitly opt in to participate in research and development programs where their data can be used to train Google's generative models. Conversation data from Google Health Coach may undergo human review if user provides feedback.
// Security controls
Encryption in Transit
Transport Layer Security (TLS) encryption used for data transmission between devices and servers
support.google.comPayment Data Security
Card details encrypted and tokenized; tokens sent back to device instead of storing raw payment information
support.google.comSecurity Controls
Combination of technical, administrative, and physical controls to maintain data security
support.google.comMulti-Factor Authentication
Two-factor authentication available for account security
support.google.comSecurity Updates
Fitbit devices receive security updates for at least 2 years after the applicable device is last sold
support.google.comAccount Monitoring
Users can view which devices are logged into accounts and revoke access to unrecognized devices
support.google.com// Products & data scope
data: Steps, heart rate, sleep data, location, food/weight logs, female health tracking. NOT HIPAA compliant.
Personal health data not used for Google Ads. Data transfers to US and other countries. Opt-in for research use only.
data: Same as consumer Fitbit, but with HIPAA-compliant controls and BAA support
Only variant with HIPAA BAA. Designed for corporate wellness programs, health plans, and self-insured employers. Covers basic fitness metrics only in HIPAA mode.
data: Consolidated health tracking app integrating Fitbit data with Google Health features
Replaces standalone Fitbit app. Not HIPAA compliant. Supports opt-in research participation.
// What to watch
- CRITICAL: Three GDPR complaints filed August 2023 by noyb alleging illegal data transfers to US and forced consent. Potential fines up to €11.28 billion if found guilty.
- CRITICAL: Consumer Fitbit is NOT HIPAA compliant. Only enterprise Fitbit Wellness platform offers HIPAA/BAA. Over-claim risk if marketing suggests consumer app is HIPAA-compliant.
- HIGH: No SOC 2 or ISO 27001 certifications for consumer Fitbit app, despite being owned by Google which holds these for Cloud/Workspace.
- MODERATE: Limited GDPR consent withdrawal - users must delete entire accounts to opt out of data transfers, losing all health data. GDPR requires withdrawal without account deletion.
- MODERATE: Data transfers to US lack clear legal mechanism post-Schrems II ruling. Reliance on Data Privacy Framework is disputed by privacy advocates.
- MODERATE: 2021 data leak by third-party GetHealth exposed 61M fitness records including Fitbit data (unsecured database with names, birthdates, weight, health data).
- LOW: Account takeover risk if 2FA not enabled; security updates only guaranteed for 2 years.
// At a glance
Pricing model
Freemium (free consumer app; premium features; enterprise wellness contracts)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Google (Fitbit)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
support.google.com