Fitbit has a privacy policy that says they won't sell or transfer your data IIRC, but that does not prevent them from doing so in the case of a sale or merger. I hate those clauses: the hypothetical argument is always 'what if some data miner buys them' ?
Ironically, the security of the data is probably higher when controlled and operated by Google. That protection is at the cost of linkage with the other data which Google has.
> If we are involved in a merger, acquisition, or sale of assets, we will continue to take measures to protect the confidentiality of personal information and give affected users notice before transferring any personal information to a new entity.
Interestingly, if we had something like the GDPR in the USA, we should be able to force them to delete our data before the merger. I assume people in the EU who may have Fitbit devices might be able to have their data scrubbed from the Fitbit servers. Also they do use open formats if I remember correctly so some people have utilities to extract data and chart it and such.
This is health data we're talking about