Google promised not to use your health data for ads when it bought Fitbit, but the promise has loopholes. Your location data, device info, and app usage data are NOT protected — Google can still use those for advertising. And Fitbit's own privacy policy says it shares data with advertising partners anyway. Fitbit promised 'nothing changes' after Google bought them. But now Google is forcing everyone to migrate their health data to Google accounts or lose it forever. Your intimate health data — heart rate, sleep patterns, stress levels, menstrual cycles — will be governed by Google's privacy rules, not Fitbit's original promises.
What they claim: The Fitbit Sense 2 is marketed as a health and fitness smartwatch. Its hardware sensors are designed for health monitoring: heart rate, ECG, SpO2, stress (cEDA), skin temperature, and GPS.
What we found: The Fitbit companion app declares 82 permissions, including CALL_PHONE, READ_CALL_LOG, SEND_SMS, READ_CONTACTS, RECORD_AUDIO, CAMERA, READ_CALENDAR, WRITE_CALENDAR and GET_ACCOUNTS. None of these is needed to read a heart-rate or sleep sensor. The likely reason is the smartwatch half of the product: the Sense 2 mirrors phone notifications, shows who is calling, places and answers calls over Bluetooth, and sends quick replies to texts from Android phones, and those features need the PHONE, CALL_LOG, SMS and CONTACTS permission groups. That is a justification the app never states: neither its permission prompts nor its privacy policy tie any permission to a feature. Two practical points follow. Since Android 6 these are runtime permissions, granted one at a time on first use, so a user who never turns on call handling or quick replies can refuse them and the app keeps working. And a permission once granted stays granted, so the question worth checking is not what the manifest lists but what is currently granted to the app in the phone's per-app permission settings.
What they claim: Fitbit markets the Sense 2 as an 'Advanced Health and Fitness Smartwatch' focused on stress management, heart health, and sleep tracking.
What we found: Beyond its sensors the device carries an NFC radio (13.56 MHz) for Fitbit Pay contactless payments and a Bluetooth radio that advertises at all times; neither is needed for health monitoring (the GPS receiver only listens and does not transmit). Contactless payment uses tokenized card credentials, so the merchant sees a token rather than the card number; tokenization protects the card number in transit but says nothing about whether the wallet operator logs the transaction, which is the thing to check in the wallet's own privacy notice. Put heart rate, stress, sleep, GPS location and payment history on one wrist-worn device and the result is a single, very detailed personal profile, all of it held by a company whose primary business is advertising.
What they claim: Fitbit states health and wellness data will not be used for Google Ads and will be kept in a separate data silo (EU acquisition commitment, December 2020).
What we found: The EU commitment explicitly carves geolocation data, device identifiers and non-health usage data out of the protected silo, so Google can still use those for advertising. The ACCC (Australia) declined to accept Google's proposed undertakings as insufficient and the CMA (UK) expressed reservations. Meanwhile, Fitbit's own privacy policy states the app can share personal information with 'advertising partners for targeted, interest-based advertising across the internet.' The silo is a restriction on use, not a technical separation a user can verify from outside.
What they claim: Google's Fitbit data commitment states Fitbit health data will be kept in a separate silo and not used to inform ad personalization.
What we found: Google explicitly states that the 'text of' Assistant voice interactions (transcripts) from Nest/Google Home devices MAY be used to inform interests for ad personalization. Once Fitbit data lives in a Google account, a question about last night's sleep or a high resting heart rate asked of Assistant on the phone is an Assistant interaction, not 'health and wellness data' from Fitbit, and Google's own wording puts that transcript on the usable-for-ads side of the line. Mozilla's Privacy Not Included review found Google allows 'specific partners to collect information from your browser or device for advertising purposes using their own cookies.'
What they claim: The Fitbit Sense 2 continuously collects heart rate, stress levels (cEDA), skin temperature, SpO2, sleep stages, and precise GPS location — creating an extraordinarily detailed health profile.
What we found: The app embeds 8 hardcoded cloud hostnames, among them client-analytics-events.fitbit.com and mobile-analytics.fitbit.com, and every sensor record is uploaded to Fitbit/Google infrastructure. The watch buffers readings and shows them on its own screen between syncs, but the app displays nothing until it has synced through the cloud, and there is no account-free or local-only mode. Upload happens each time the phone is in Bluetooth range and syncs, periodically with all-day sync enabled rather than as a live stream, so Google ends up with an almost continuous record of heart rate, stress response, sleep quality, blood oxygen, skin temperature and exact physical location.
What they claim: The Fitbit app requests zero trackers according to Exodus Privacy analysis (version 4.63).
What we found: Exodus works by matching the class-name signatures of known third-party tracker SDKs inside the APK, so a clean result means only that no such SDK is bundled. Mozilla's Privacy Not Included review found that Google allows advertising partners to collect information via cookies, and Google itself paid a $93 million settlement to California in 2023 over deceptive location tracking. First-party analytics code talking to the app's own hostnames (client-analytics-events.fitbit.com, mobile-analytics.fitbit.com) is not in any tracker signature list, so it collects data without ever triggering third-party tracker detection. The absence of known tracker SDKs is not the absence of tracking.
What they claim: The EU Commission approved the Google-Fitbit acquisition in December 2020 with a 10-year commitment to keep health data separate from ads.
What we found: The forced Google account migration (deadline May 2026) moves all user data under Google's umbrella privacy policy. While the EU commitment restricts using 'health and wellness data' for ads, once users are on Google accounts, Google controls the boundary between 'health' data and 'usage' data. Voice transcripts from Google Assistant interactions about health are already admitted to be usable for ad personalization. The 10-year commitment runs to December 2030, four years after the migration deadline; unless the Commission exercises its option to extend it, Google then faces no restriction on using Fitbit health data for advertising.
What they claim: Fitbit devices use Bluetooth Low Energy for continuous communication with the companion app and for syncing health data.
What we found: Boston University researchers (Becker, Li and Starobinski, 'Tracking Anonymized Bluetooth Devices', 2019) found that Fitbit devices advertise with an address that never changes. iOS and Windows hosts use resolvable private addresses that rotate roughly every 15 minutes, so a passive sniffer cannot follow one device for long without extra work; a fixed address lets anyone with a Bluetooth receiver log when a given Fitbit wearer passes by, indefinitely. Separately, the SweynTooth disclosure (CVE-2019-16336, a link-layer length overflow in the Cypress PSoC BLE stack) listed Fitbit devices among products built on the affected chips; an attacker within radio range can crash or corrupt the stack. Whether the Sense 2 itself ships an affected SoC is not established here. The address behaviour is fixed in firmware: users cannot enable rotation or otherwise mitigate the tracking issue.
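The address-rotation check described above, as an added example that is not part of this analysis or of any Fitbit tool. It parses raw BLE advertising PDUs, classifies each advertiser address by the Core Spec rules (public, random static, resolvable private, non-resolvable private), and flags addresses that are fixed by type or that outlive the 15-minute rotation interval. The capture is constructed: two made-up advertisers, one with a fixed public address and one rotating resolvable private addresses; the MAC addresses and payloads are placeholders, not values from a real Fitbit.

```python
"""Classify BLE advertiser addresses from captured advertising PDUs and flag
devices whose address never rotates. Added example: the capture below is
constructed (made-up addresses and payloads), not a trace of a real Fitbit."""

ADV_PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
                 0x6: "ADV_SCAN_IND"}

def build_adv_pdu(addr: str, random_addr: bool, adv_data: bytes, pdu_type: int = 0x0) -> bytes:
    """Build a link-layer advertising PDU: 2-byte header, 6-byte AdvA, AdvData.
    Header byte 0 carries the PDU type in bits 0-3 and TxAdd in bit 6
    (TxAdd = 1 means AdvA is a random address). AdvA goes on air LSB first."""
    adv_a = bytes(int(octet, 16) for octet in addr.split(":"))[::-1]
    payload = adv_a + adv_data
    header = bytes([(pdu_type & 0x0F) | ((1 if random_addr else 0) << 6), len(payload)])
    return header + payload

def parse_adv_pdu(pdu: bytes):
    """Return (pdu_type_name, tx_add, 'AA:BB:CC:DD:EE:FF', adv_data)."""
    if len(pdu) < 8:
        raise ValueError("PDU too short for header plus AdvA")
    hdr0, length = pdu[0], pdu[1]
    payload = pdu[2:2 + length]
    if len(payload) != length or length < 6:
        raise ValueError("length field does not match payload")
    addr = ":".join(f"{b:02X}" for b in payload[:6][::-1])
    pdu_type = hdr0 & 0x0F
    return ADV_PDU_TYPES.get(pdu_type, f"type_{pdu_type}"), (hdr0 >> 6) & 1, addr, payload[6:]

def classify_address(addr: str, tx_add: int) -> str:
    """Bluetooth Core Spec Vol 6, Part B, 1.3: TxAdd = 0 means a public (IEEE) address.
    For random addresses the two most significant bits select the sub-type."""
    if tx_add == 0:
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b11: "random-static",
            0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")

def assess_tracking(capture, rotation_window_s: int = 900) -> dict:
    """Group observations by AdvA. An address is 'trackable' if it is a fixed type
    (public or random static) or if a private address outlives the rotation window.
    900 s is the T_GAP(private_addr_int) default the Core Spec recommends."""
    seen = {}
    for t, pdu in capture:
        _, tx_add, addr, _ = parse_adv_pdu(pdu)
        entry = seen.setdefault(addr, {"type": classify_address(addr, tx_add),
                                       "first": t, "last": t, "count": 0})
        entry["first"], entry["last"] = min(entry["first"], t), max(entry["last"], t)
        entry["count"] += 1
    report = {}
    for addr, e in seen.items():
        lifetime = e["last"] - e["first"]
        fixed = e["type"] in ("public", "random-static")
        report[addr] = {"type": e["type"], "lifetime_s": lifetime, "count": e["count"],
                        "trackable": fixed or lifetime > rotation_window_s}
    return report

# Constructed capture: (seconds since start, raw PDU). AD structures are
# [len][type][data]: 0x01 flags, 0x09 complete local name, 0xFF manufacturer data.
WEARABLE_AD = bytes([0x02, 0x01, 0x06, 0x0A, 0x09]) + b"Wearable1"
PHONE_AD = bytes([0x02, 0x01, 0x1A, 0x05, 0xFF, 0xFF, 0xFF, 0x10, 0x05])  # company ID 0xFFFF is reserved for testing
CAPTURE = [
    # Placeholder fixed public address (made up), seen across a full hour.
    (0,    build_adv_pdu("C8:7F:54:11:22:33", False, WEARABLE_AD)),
    (900,  build_adv_pdu("C8:7F:54:11:22:33", False, WEARABLE_AD)),
    (1800, build_adv_pdu("C8:7F:54:11:22:33", False, WEARABLE_AD)),
    (3600, build_adv_pdu("C8:7F:54:11:22:33", False, WEARABLE_AD)),
    # Phone-style advertiser rotating resolvable private addresses (top bits 01).
    (0,    build_adv_pdu("5E:10:20:30:40:50", True, PHONE_AD)),
    (600,  build_adv_pdu("5E:10:20:30:40:50", True, PHONE_AD)),
    (1200, build_adv_pdu("6B:A1:B2:C3:D4:E5", True, PHONE_AD)),
    (2400, build_adv_pdu("47:0A:0B:0C:0D:0E", True, PHONE_AD)),
    (2700, build_adv_pdu("47:0A:0B:0C:0D:0E", True, PHONE_AD)),
]

if __name__ == "__main__":
    for addr, r in assess_tracking(CAPTURE).items():
        flag = "TRACKABLE" if r["trackable"] else "rotating"
        print(f"{addr}  {r['type']:24} seen {r['count']}x over {r['lifetime_s']:5d}s  {flag}")
```

On a real capture the PDU bytes come from a sniffer such as an nRF Sniffer or Ubertooth export; the only change is the source of CAPTURE. The script deliberately does not try to link a phone's successive private addresses to one another (the address-carryover technique in the Boston University paper works from identifying tokens in the payload, not from the address), because the point here is the opposite failure: a device that never gives the sniffer that problem to solve.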
What they claim: Fitbit's privacy commitment page states 'For the immediate future, nothing changes' regarding how user data is handled after the Google acquisition.
What we found: Google is requiring all Fitbit users to migrate to Google accounts by May 19, 2026, with deletion of unmigrated data starting July 15, 2026. Once migrated, all Fitbit data, including heart rate, sleep, stress, menstrual tracking and ECG readings, is governed by Google's broader privacy policy rather than Fitbit's. That is a fundamental change in how the data is handled, and many users bought a Fitbit precisely to stay out of Google's ecosystem.
What they claim: Fitbit's privacy policy states: 'We believe that transparency is the key to any healthy relationship' and positions itself as a trusted health data steward.
What we found: The Fitbit app requests BODY_SENSORS plus READ_HEART_RATE, READ_SLEEP, READ_OXYGEN_SATURATION, READ_SKIN_TEMPERATURE, READ_MENSTRUATION and 20+ other health data permissions. The READ_* names are Health Connect permissions (android.permission.health.*): they let the app read those data types from the phone's shared health store, which means data written by other health apps as well as the watch's own readings. Few apps hold a more intimate set of grants. Alongside them the app also requests SEND_SMS, CALL_PHONE, READ_CALL_LOG and READ_CONTACTS, which have nothing to do with health monitoring. For a company that claims transparency, the app offers no explanation of why a fitness tracker needs phone call and SMS permissions.