Does Health (Flutter) require disclosure in my privacy policy?

Yes. Health (Flutter) collects special category health data under GDPR Article 9, requiring explicit consent disclosure. Your privacy policy must identify Health (Flutter) by name, explain what health metrics are accessed, and clearly state that users are consenting to collection of sensitive health information. This is a legal requirement, not optional.

What specific data does Health (Flutter) collect?

Health (Flutter) accesses heart rate, blood pressure, steps, distance, calories burned, sleep data and sleep stages, body measurements (weight, height, BMI), workout and activity sessions, blood glucose, oxygen saturation (SpO2), and nutrition data. Your app only collects data it explicitly requests permission for on each platform.

Does Health (Flutter) require a cookie consent banner?

No. Health (Flutter) does not use cookies or similar tracking technologies. However, you must still obtain explicit user consent for health data access through platform-native permission prompts (iOS HealthKit and Android Health Connect permissions), which are separate from cookie consent.

Who processes Health (Flutter) data and where is it stored?

Health (Flutter) is self-hosted with no third-party data processors. Health data remains on the user's device and is only transferred to your servers if your application explicitly sends it. Apple HealthKit and Google Health Connect act as data sources, not processors of your application's data handling.

Health & Fitness

Privacy policy clauses for Health (Flutter)

Health (Flutter) is a cross-platform software library that enables Flutter applications to access health and fitness data from Apple HealthKit (iOS) and Google Health Connect (Android). It allows apps to read and write data such as heart rate, steps, sleep, and workout information directly from device health platforms.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Health (Flutter) collects

Your privacy policy must disclose each of the following data types when you use Health (Flutter).

Heart rate and blood pressure

Steps, distance, and calories

Sleep data and stages

Body measurements

Workout and activity sessions

Blood glucose and oxygen saturation

Nutrition data

When does Health (Flutter) trigger privacy obligations?

Immediate Obligation: Health (Flutter) Triggers Special Category Processing Under GDPR

Common compliance pitfalls

Pitfall 1: Conflating Device Permissions with Legal Consent

The mistake: Relying solely on iOS system permission prompts ("Allow HealthKit access?") or Android Health Connect permission dialogs to satisfy GDPR Article 7 consent.

Why it happens with Health (Flutter): Health (Flutter) integrates with native OS permission systems, so developers assume the system dialog is enough. It isn't. OS prompts inform users of *technical* access; they don't disclose *why* you need the data, what you'll do with it, or how long you'll keep it.

Consequence: Regulators (ICO, CNIL, BfDI) treat system permissions as notification, not consent. GDPR Article 4(11) requires consent to be informed and freely given. In enforcement actions (e.g., *British Airways/ICO* 2020), regulators have penalized companies that relied on device permissions alone. You face fines up to €10 million or 2% of global turnover, whichever is higher, under Article 83(4).

Pitfall 2: Missing or Vague Data Retention Disclosure

The mistake: Failing to specify how long heart rate, blood glucose, sleep, or workout data is stored, or stating "as long as the app is installed" without detail.

Why it happens with Health (Flutter): Because Health (Flutter) reads directly from HealthKit/Health Connect, developers assume data stays on-device and don't document retention. But if your app caches, logs, or syncs any of this data (even locally), you must disclose it.

Consequence: GDPR Article 5(1)(e) requires storage limitation—data must not be kept longer than necessary. Vague or absent retention policies violate this and trigger DPA investigations. Under Article 13, you must provide specific retention periods or criteria for erasure. Fines can reach €20 million or 4% of global turnover (Article 83(5)).

Pitfall 3: No Data Processing Agreement (DPA) with Apple/Google

The mistake: Not acknowledging that Apple HealthKit and Google Health Connect are *data processors* in the chain, and failing to secure written agreements.

Why it happens with Health (Flutter): Health (Flutter) documentation focuses on SDK integration, not legal processor obligations. Developers see "self-hosted" and assume no processor agreement is needed.

Consequence: GDPR Article 28 mandates a Data Processing Agreement with every processor. While Apple and Google's standard terms (their privacy policies and developer agreements) may suffice as processor terms, many DPAs interpret these as inadequate without explicit data processing addenda. UK ICO and EDPB guidance emphasize written agreements. Missing a DPA can void your data protection impact assessment and open you to enforcement action.

Privacy policy clauses for Health (Flutter)

What data Health (Flutter) collects

When does Health (Flutter) trigger privacy obligations?

Immediate Obligation: Health (Flutter) Triggers Special Category Processing Under GDPR

Common compliance pitfalls

Pitfall 1: Conflating Device Permissions with Legal Consent

Pitfall 2: Missing or Vague Data Retention Disclosure

Pitfall 3: No Data Processing Agreement (DPA) with Apple/Google

Legal note

Sample privacy policy clause

What regulators look for

Regulatory Audit Priorities for Health (Flutter)

Frequently asked questions

Does Health (Flutter) require disclosure in my privacy policy?

What specific data does Health (Flutter) collect?

Does Health (Flutter) require a cookie consent banner?

Who processes Health (Flutter) data and where is it stored?

Don't ship without Bandit.