This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction.
This document establishes Fitbit's data collection, use, and sharing practices for health and activity data generated by Fitbit devices and applications. Fitbit collects heart rate, sleep pattern, menstrual cycle, GPS location, and exercise data, and the policy authorizes sharing such data with third-party application developers designated by the user, corporate affiliates, and entities acquiring Fitbit in a merger or acquisition. Accounts linked to Google services operate under the Google Privacy Policy rather than this policy.
This document is Fitbit's standalone privacy policy governing the collection, use, and sharing of personal data through Fitbit devices, apps, and services for users who have not linked their Fitbit account to a Google Account; users who have linked to a Google Account are directed to the Google Privacy Policy instead. The policy states that Fitbit collects a broad range of data categories including health and fitness metrics (sleep, heart rate, activity, exercise, menstrual health, weight), precise GPS location, device and usage data, payment information, and user-generated content, and the terms authorize sharing this data with service providers, corporate affiliates, third-party app developers with user consent, and potential acquirers in a corporate transaction. The policy's carve-out routing Google Account-linked users to a separate Google Privacy Policy creates a bifurcated data governance structure that may make it materially difficult for users to identify which policy governs their data, and the breadth of health and fitness data collected, including menstrual cycle and sleep data, raises sensitivity considerations that may engage protections beyond standard consumer privacy frameworks. The policy engages GDPR for EEA and UK users, CCPA and related California privacy law for California residents, and due to the nature of health and fitness data collected, may require evaluation under the FTC Act's health breach notification guidance and applicable state health privacy laws; jurisdiction-specific rights including data access, deletion, correction, and portability are acknowledged for EU, UK, Swiss, and California residents. The policy was last updated February 27, 2026, and compliance teams should note that the Google Account integration pathway effectively transfers data governance to Google's framework, which has its own regulatory posture and may alter user rights in practice.
Monitoring
Fitbit has updated this document before.