Health Connect Policy Requirement FAQs


Health Connect apps collect health and fitness data, which may contain personal and sensitive data. Apps must meet specific policy requirements in order to read and/or write data to Health Connect.

What apps are eligible for Health Connect?

To be eligible to read and/or write data to Health Connect, an app must fall under an approved use case. These use cases include:

  1. Applications, services, or features designed with the primary purpose to benefit users' health and fitness via a user interface allowing users to directly journal, report, monitor, and/or analyze their physical activity, sleep, mental well-being, nutrition, health measurements, physical descriptions, and/or other health or wellness-related descriptions and measurements.

  2. Applications, services, or features designed with the primary purpose to benefit users' health and fitness via a user interface allowing users to sync their physical activity, sleep, mental well-being, nutrition, health measurements, physical descriptions, and/or other health or wellness-related descriptions and measurements.

App requirements

1. Privacy requirements

Apps that read and/or write to Health Connect must meet privacy requirements outlined in the Health Connect Permissions section of Permissions and APIs that Access Sensitive Information as part of Google Play policy.

To be eligible to read and/or write to Health Connect, all apps must strictly follow all Health Connect Permissions policies, including but not limited to the following requirements:

  • Health Connect may only be used for approved use cases. Additionally, apps may only request access to permissions that are critical to implementing the application or service's functionality.

  • Apps reading and/or writing to Health Connect can only transfer data to third parties for reasons that include providing or improving an app’s appropriate use case or features that are clear from the requesting application's user interface and only with the user’s consent. All other transfers, uses, or sales of user data are completely prohibited, including transferring or selling user data to third parties like advertising platforms, data brokers, or any information resellers.

  • An affirmative statement that an app’s use of Health Connect data complies with the Limited Use restrictions must be disclosed in your application or on a website belonging to your web-service or application; for example, a link on the homepage to a dedicated page or privacy policy noting: “The use of information received from Health Connect will adhere to the Health Connect Permissions Policy, including the Limited Use requirements.”

  • Apps reading and/or writing to Health Connect can only request access to the permissions necessary to implement the app’s features or services.

  • Apps reading and/or writing to Health Connect must have a publicly accessible privacy policy that comprehensively discloses the access, collection, use and sharing of personal and sensitive user data.

  • Apps reading and/or writing to Health Connect must provide user help documentation that explains how users can manage and delete their data from the app.

2. Security requirements

Apps that read and/or write to Health Connect must meet the secure data handling requirements outlined in the Health Connect Permissions section of Permissions and APIs that Access Sensitive Information of Google Play Policy.

Depending on the data types requested and the number of user grants or users, apps are required to go through a security assessment from Google-empanelled security assessors. Google uses the Application Security Verification Standard (ASVS 4.0) framework from the Open Web Application Security Project (OWASP) to evaluate the security posture of web and API security controls.

See Cloud Application Security Assessment (CASA) for more information on security assessment tiers.

Frequently Asked Questions (FAQ)

What are the approved use cases for Health Connect permissions?

For applications requesting access to any Health Connect permissions, approved use cases include fitness and wellness, rewards, fitness coaching, corporate wellness, medical care, health research, and games. Applications granted access to this permission may not extend its use to undisclosed or non-permitted purposes.

Approved use cases

Fitness and Wellness

Applications that allow users to track their fitness / wellness and progress to their goals using phone sensors, manual journalling or participating in digital classes and guided sessions.

Rewards

Applications that encourage users to adopt and maintain healthy habits in exchange for financial rewards.

Fitness Coaching

Applications that feature virtual human fitness coaching helping users to achieve a health or fitness goal. Human coaches have access to user data to check on progress and provide guidance and support.

Corporate Wellness

Enterprise focused platforms that enable wellness managers to distribute and manage wellness programs for employees.

Medical Care

Applications that help users receive and manage clinical care. These applications may provide services that exchange health and fitness data with clinical teams, such as condition management apps focused on medical conditions like diabetes or hypertension.

Health Connect is a general purpose data sharing platform that allows users to aggregate health and fitness data from various sources on-device and share it with third parties at their election. The data doesn't necessarily originate with Google or any Google affiliates and hasn't been reviewed by Google. It is your responsibility to assess whether Health Connect is appropriate for your intended use and to investigate and vet the source and quality of any data from Health Connect in connection with any purpose, and, in particular, for research, health, or medical uses.

Health Research

Applications that give users the opportunity to donate their data for health research studies. These studies are typically approved by an Institutional Review Board (IRB) or Ethics Committee (EC) and collect user consent for conducting health research.

Apps conducting health-related human subject research using data obtained through Health Connect must obtain consent from participants or, in the case of minors, their parent or guardian. Such consent must include the (a) nature, purpose, and duration of the research; (b) procedures, risks, and benefits to the participant; (c) information about confidentiality and handling of data (including any sharing with third parties); (d) a point of contact for participant questions; and (e) the withdrawal process. Apps conducting health-related human subject research using data obtained through Health Connect must receive approval from an independent board 1) whose aim is to protect the rights, safety, and well-being of participants and 2) that has the authority to scrutinize, modify, and approve human subjects research. Proof of such approval must be provided upon request.

Game

Applications where a user’s progress in a game is influenced or impacted by their fitness and/or wellness. These are games that collect a user’s activity data as a way to advance game play.

What happens if my app does not pass privacy and security verification?

If your app doesn't pass privacy and security verification, your app will not have the ability to read and/or write to Health Connect. As long as your app meets all other Play policy requirements, your app may remain available through the Google Play Store.

How do I determine if my app needs a security assessment?

If your app uses any restricted data types and has exceeded 100 users, then it needs a security assessment. You will be separately informed that you need to go through verification and security assessment. For more information about the security standards used, please refer to this App Defense Alliance security assessment FAQ.

How do I get a security assessment if my app needs one?

When you are informed that you need to go through verification, you will be provided with details of how to get a security assessment.

What are the restricted Health Connect data types?

The following categories of data types are restricted: body measurements, cycle tracking, sleep, and vitals. Here are the specific data types.

| Data Category | Data Type |
|---|---|
| Body measurements | Body Fat |
| Body measurements | Bone Mass |
| Body measurements | Height |
| Body measurements | Hip Circumference |
| Body measurements | Lean Body Mass |
| Body measurements | Basal Metabolic Rate |
| Body measurements | Waist Circumference |
| Body measurements | Weight |
| Cycle Tracking | Cervical Mucus |
| Cycle Tracking | Cervical Position |
| Cycle Tracking | Menstruation |
| Cycle Tracking | Ovulation Test |
| Cycle Tracking | Sexual Activity |
| Cycle Tracking | Intermenstrual Bleeding |
| Cycle Tracking | Lactation |
| Sleep | Sleep Session |
| Sleep | Sleep Stage |
| Vitals | Basal Body Temperature |
| Vitals | Blood Glucose |
| Vitals | Blood Pressure |
| Vitals | Body Temperature |
| Vitals | Heart Rate |
| Vitals | Heart Rate Variability |
| Vitals | Oxygen Saturation |
| Vitals | Respiratory Rate |
| Vitals | Resting Heart Rate |