Fitabase takes privacy and security seriously. Our platform has been used by hundreds of researchers in research studies and clinical trials overseen by IRBs. We’ve developed the following information in response to common questions and concerns we receive. Feel free to use the following in your IRB submissions.
1. How does Fitabase maintain data security?
Our data is housed in secure Azure (Microsoft) servers. Our Security and Privacy document includes information pertaining to data security, encryption, and backups.
2. Do you sell your data to a third party?
No. We never sell, release, or make your collected data available to third parties. The data we collect on your behalf is only made available to you. In circumstances that dictate it, Fitabase staff may access your data in order to provide support.
3. How does Fitabase access Fitbit data?
Once you connect Fitbit accounts to Fitabase, we subscribe to all new data that is collected by that device (Fitbit account). When the device syncs, we are notified of new data availability, request the new data, and then process that data in order to make it available to you.
4. Does Fitabase collect personally identifiable data?
When you authorize Fitabase to collect data from a Fitbit account we ask that you associate it with a de-identified participant ID. This can be any alphanumeric string you prefer. We then associate a profile ID with that string in our internal systems. Our profile ID (a long 16+ character value) is linked to an authentication token passed to us from Fitbit. We've also written our connection to the Fitbit API in such a way as to not collect potentially personally identifiable information. We do not receive the associated email address, Fitbit account name, Friends list, and we currently do not support any GPS data as that is potentially identifiable as well.
5. Do you have any IRB documentation available?
Yes, we have developed example IRB text that we freely share. We also make available an example consent form that was used in a Fitabase-supported study conducted at the University of California, San Diego.
Please keep in mind that the example text and consent form should be used informational purposes only. Due to differences among IRBs, we are unable to guarantee the use of the example language provided will be deemed acceptable by your IRB.