Health Connect apps collect health and fitness data, which may contain personal and sensitive data. Apps must meet specific policy requirements in order to read and/or write data to Health Connect.
What apps are eligible for Health Connect?
To be eligible to read and/or write data to Health Connect, an app must fall under an approved use case. These use cases include:
Applications, services, or features designed with the primary purpose to benefit users' health and fitness via a user interface allowing users to directly journal, report, monitor, and/or analyze their physical activity, sleep, mental well-being, nutrition, health measurements, physical descriptions, and/or other health or wellness-related descriptions and measurements.
Applications, services, or features designed with the primary purpose to benefit users' health and fitness via a user interface allowing users to sync their physical activity, sleep, mental well-being, nutrition, health measurements, physical descriptions, and/or other health or wellness-related descriptions and measurements.
1. Privacy requirements
Apps that read and/or write to Health Connect must meet privacy requirements outlined in the Health Connect Permissions section of Permissions and APIs that Access Sensitive Information as part of Google Play policy.
To be eligible to read and/or write to Health Connect, all apps must strictly follow all Health Connect Permissions policies, including but not limited to the following requirements:
Health Connect may only be used for approved use cases. Additionally, apps may only request access to permissions that are critical to implementing the application or service's functionality.
Apps reading and/or writing to Health Connect can only transfer data to third parties for reasons that include providing or improving an app’s appropriate use case or features that are clear from the requesting application's user interface and only with the user’s consent. All other transfers, uses, or sales of user data are completely prohibited, including transferring or selling user data to third parties like advertising platforms, data brokers, or any information resellers.
Apps reading and/or writing to Health Connect can only request access to the permissions necessary to implement the app’s features or services.
Apps reading and/or writing to Health Connect must provide user help documentation that explains how users can manage and delete their data from the app.
2. Security requirements
Apps that read and/or write to Health Connect must meet the secure data handling requirements outlined in the Health Connect Permissions section of Permissions and APIs that Access Sensitive Information of Google Play Policy.
Depending on the data types requested and the number of user grants or users, apps are required to go through a security assessment from Google-empanelled security assessors. Google uses the Application Security Verification Standard (ASVS 4.0) framework from the Open Web Application Security Project (OWASP) to evaluate the security posture of web and API security controls.
Frequently Asked Questions (FAQ)
What are the approved use cases for Health Connect permissions?
For applications requesting access to any Health Connect permissions, approved use cases include fitness and wellness, rewards, fitness coaching, corporate wellness, medical care, health research, and games. Applications granted access to this permission may not extend its use to undisclosed or non-permitted purposes.
|Approved use case||Description|
|Fitness and Wellness||Applications that allow users to track their fitness / wellness and progress to their goals using phone sensors, manual journalling or participating in digital classes and guided sessions.|
|Rewards||Applications that encourage users to adopt and maintain healthy habits in exchange for financial rewards.|
|Fitness Coaching||Applications that feature virtual human fitness coaching helping users to achieve a health or fitness goal. Human coaches have access to user data to check on progress and provide guidance and support.|
|Corporate Wellness||Enterprise focused platforms that enable wellness managers to distribute and manage wellness programs for employees.|
|Medical Care||Applications that help users receive and manage clinical care. These applications may provide services that exchange health and fitness data with clinical teams, such as condition management apps focused on medical conditions like diabetes or hypertension. Health Connect is a general purpose data sharing platform that allows users to aggregate health and fitness data from various sources on-device and share it with third parties at their election. The data doesn't necessarily originate with Google or any Google affiliates and hasn't been reviewed by Google. It is your responsibility to assess whether Health Connect is appropriate for your intended use and to investigate and vet the source and quality of any data from Health Connect in connection with any purpose, and, in particular, for research, health, or medical uses.|
|Health Research||Applications that give users the opportunity to donate their data for health research studies. These studies are typically approved by an Internal Review Board (IRB) or Ethics Committee (EC) and collect user consent for conducting health research. Apps conducting health-related human subject research using data obtained through Health Connect must obtain consent from participants or, in the case of minors, their parent or guardian. Such consent must include the (a) nature, purpose, and duration of the research; (b) procedures, risks, and benefits to the participant; (c) information about confidentiality and handling of data (including any sharing with third parties); (d) a point of contact for participant questions; and (e) the withdrawal process. Apps conducting health-related human subject research using data obtained through Health Connect must receive approval from an independent board whose aim is 1) to protect the rights, safety, and well-being of participants and 2) with the authority to scrutinize, modify, and approve human subjects research. Proof of such approval must be provided upon request.|
|Games||Applications where a user’s progress in a game is influenced or impacted by their fitness and/or wellness. These are games that collect a user’s activity data as a way to advance game play.|
What happens if my app does not pass privacy and security verification?
If your app doesn't pass privacy and security verification, your app will not have the ability to read and/or write to Health Connect. As long as your app meets all other Play policy requirements, your app may remain available through the Google Play Store.
How do I determine if my app needs a security assessment?
If your app uses any restricted data types and has exceeded 100 users, it will need a security assessment. You will be separately informed that you need to go through verification and security assessment. For more information about the security standards used, please refer to this App Defense Alliance security assessment FAQ.
How do I get a security assessment if my app needs one?
When you are informed that you need to go through verification, you will be provided with details of how to get a security assessment.
What are the restricted Health Connect data types?
The following categories of data types are restricted: body measurements, cycle tracking, sleep, and vitals. Here are the specific data types.
|Data Category||Data Type|
|Body measurements||Body Fat|
|Body measurements||Bone Mass|
|Body measurements||Hip Circumference|
|Body measurements||Lean Body Mass|
|Body measurements||Basal Metabolic Rate|
|Body measurements||Waist Circumference|
|Cycle Tracking||Cervical Mucus|
|Cycle Tracking||Cervical Position|
|Cycle Tracking||Ovulation Test|
|Cycle Tracking||Sexual Activity|
|Cycle Tracking||Intermenstrual Bleeding|
|Vitals||Basal Body Temperature|
|Vitals||Heart Rate Variability|
|Vitals||Resting Heart Rate|