Thursday, July 16, 2026

The privacy problems hidden in your period tracker – BBC

by admin
0 comments

BBC/ Serenity Strull/ Getty Images A stylised graphic of a red blood drop containing an eye, displayed on a smartphone screen. Parts of a woman's face are seen on a file folder behind the smartphone (Credit: BBC/ Serenity Strull/ Getty Images)BBC/ Serenity Strull/ Getty Images

(Credit: BBC/ Serenity Strull/ Getty Images)

Some apps are sharing users’ health data. New research uncovers which apps lock down your privacy, and which don’t.

Stardust is a period tracking app that combines users’ menstrual cycles with astrology and horoscopes. It also makes bold privacy promises.

“Your data is private,” Stardust says on its website. “Period.”

The problem, according to a new report shared exclusively with the BBC, is you and Stardust may have different definitions of “private”.

The Mozilla Foundation, creator of the Firefox web browser, investigated the privacy practices of six popular period trackers: Flo, Clue, Stardust, Spot On, Period Calendar and Euki.

Some apps have strong protections. Others handle data in ways you might find disturbing, like sharing information with Google, Meta and TikTok, alongside other companies you’ve likely never heard of.

But there’s good news too. This isn’t the first time period trackers have been criticised for privacy problems, but Mozilla found some apps have cleaned up their acts, and others make privacy their whole mission. Mozilla described Euki, for example, as “squeaky clean”.

With Mozilla’s help, I want to guide you through the different ways that period trackers handle your data.

Here are four questions that can help you protect your privacy when choosing a menstrual cycle tracker.

Who sees your health data?

Mozilla uncovered numerous privacy problems across various apps, but Stardust was the only one found sharing detailed reproductive health data with another company.

The report found that Stardust sends users’ health information to a data management company called RudderStack, which isn’t named in its privacy policy. That data includes pregnancy status, birth control, moods, alcohol consumption and specific symptoms like tender breasts and stomach cramps.

Companies often share data with outside services to process information and analyse user behaviour. There’s nothing unlawful going on, and there’s no reason to think RudderStack (or any company mentioned in this story) is doing something nefarious.

However, experts say it’s inherently risky when your data spreads to more places. It creates another opportunity for security breaches or legal requests for information. Besides, you may just be uncomfortable with another company seeing your health data.

A Stardust spokesperson says the company only uses RudderStack as a “technical pipeline” to route data into its own analytics systems, and the app doesn’t share anything that could allow RudderStack to identify your name or contact information. “Additionally, RudderStack is contractually prohibited from selling or using it for its own purposes,” and RudderStack doesn’t store the data long-term, the spokesperson says.

“People deserve better,” says Shoshana Wodinsky, a privacy research analyst who conducted Mozilla’s tests. At the very least, she says, you should know what’s happening.

Spot On, an app made by the sexual health organisation Planned Parenthood, had its own privacy issues related to health information, but the situation was more complicated.

The Spot On app itself doesn’t share data with other companies or try to track users, Mozilla says. But tapping certain features – an AI chatbot called Roo and a healthcare provider search tool – opens Planned Parenthood’s website in a browser. Mozilla says the website is less secure.

The most striking example: Planned Parenthood’s website shares information about what kind of healthcare you’re looking for with an analytics company called AB Tasty. This includes whether you’re looking for HIV testing or gender-affirming care.

Wodinsky says it would be easy to configure the website to make it harder for outside services to know what you’re looking at. “Someone could probably fix this in an afternoon,” she says.

This is also not Planned Parenthood’s first run in with privacy criticisms. I wrote about similar problems four years ago, for example. The organisation didn’t respond to a request for comment.

Who sees that you’ve used the app?

Mozilla says most apps in the report do not share details about your health. However, some track you in other ways.

Many of the apps sent basic user information to advertising and analytics services, including platforms run by Google, Meta, Microsoft and TikTok.

Typically, such data includes an ID number or other information that’s used to identify you. This can be used for targeted ads, and in some cases, to help tech companies track you across other parts of the internet. You give your consent to this when you “read” the apps’ privacy policies.

This may or may not bother you. But simply revealing the fact that you use a reproductive health app can have consequences, says Sara Geoghegan, director of the Consumer Privacy Program at the Electronic Privacy Information Center, an advocacy group.

Among other things, it could let law enforcement know there’s a trove of health data to get their hands on.

“Data collected from a period tracking app can be part of a whole tapestry woven from many different threads of surveillance,” says Geoghegan. “That can be very revealing.”

For example, Period Calendar – also known as “Period Tracker Period Calendar” – sent ID numbers and information about your device to Google and the advertising company InMobi, Mozilla says. According to the report, there’s no way to prevent this.

The report found Stardust shares the same kind of data with Facebook and AppsFlyer, an advertising analytics company, though you can opt out using your phone’s privacy settings. When you access Planned Parenthood’s website through the Spot On app, it shares similar information with companies including Google, Microsoft, TikTok and Pinterest, and Mozilla says there’s no way to prevent this.

“We do not share any health data with advertising platforms,” a Stardust spokesperson says. “We use AppsFlyer and Meta to measure and optimise our advertising campaigns.”

Period Calendar didn’t respond to a request for comment.

Where does the app store your data?

Euki is the only app Mozilla recommends without reservations. “Euki is special,” Wodinsky says.

Unlike the other apps on this list, Mozilla says Euki keeps all your health information stored on your device, without even sending it to the company’s servers.

You don’t even need to make an account, so you can stay completely anonymous. Euki also offers a “decoy” feature that shows fake, harmless information if someone gets your phone and tries to snoop.

It proves there’s a better way to do things, says Geoghegan. “We can and we should have technology that isn’t built upon harmful practices,’ she says.

Flo and Clue weren’t as locked down as Euki, but they scored relatively well thanks to real transparency and granular privacy controls.

As far as Mozilla can tell, neither app shares health information with third parties under any circumstances. Flo and Clue do tell their advertising and analytics partners when you use their apps, as they explain in privacy policies and consent pop-ups, but you can easily disable this using privacy settings.

However, Mozilla criticised Flo and Clue for collecting far more health information than other apps and then storing it on their own servers. Compare that to Euki, which just keeps that data on your device instead.

Even if Flo and Clue never share this information, the fact that they keep a copy of it could expose you to data breaches or legal requests from governments, says Wodinsky. That’s a trade-off you need to weigh.

Spokespeople for Flo and Clue reject the idea of a trade-off. The companies say storing this information in the cloud is necessary for their services and they have safeguards in place to make it secure.

Flo spokeswoman Samantha Wannemacher says users worried about government requests for data can use the app’s “Anonymous Mode”, which ensures that no one – including Flo itself – holds “both a user’s identity and their health data at the same time”. She says Flo has never received a subpoena for user data, which the company would fight.

Both Clue and Flo are based in Europe, which would make such legal requests form the US more challenging. “We have never disclosed private health data to any authority, and we never will,” says Rhiannon White, Clue’s chief executive.

What is the app’s track record on privacy?

To ensure your information is truly secure, you should probably consider more than an app’s current practices. Mozilla says you also need to examine their track record.

Flo, for example, settled a case with the US Federal Trade Commission in 2021 over allegations that the company shared sensitive user information with Meta, Google and others after promising to keep the data private.

According to Mozilla, Flo’s practices improved dramatically in the face of this criticism. But after initially locking down, Flo’s privacy policy expanded to include new advertising partnerships with services run Google, Meta and others. Though again, you can disable that with privacy settings.

A Flo spokesperson says the FTC settlement involved practices that ended five years ago and the company did not admit wrongdoing. Flo says its privacy and transparency practices exceed industry standards.

Other apps have had their own run ins with privacy scandals.

Reports of privacy problems on the Planned Parenthood website date back years, for example.

A 2022 investigation found lists of individual devices that use Clue, Period Calendar and other period trackers for sale online. (White says the data came from the mobile advertising ecosystem, not Clue’s app, and that Clue has “never and will never sell user data to third parties”.)

And after Stardust initially seemed to promise end-to-end encryption, which makes data particularly secure and private, the company scrubbed these references from its website after questions from reporters. Stardust’s spokesperson didn’t address this.

“People are rightfully concerned, because we live in a world that has combined ubiquitous surveillance with the criminalisation of abortion,” says Geoghegan.

The risks highlight the need for regulation in the US, she says, where unlike Europe, there is no national privacy law.

Plus privacy issues have other consequences too, she says, like causing fear and anxiety that prevent people from using tools that are meant to improve their health.

For more details on each individual app in the study, complete with tips on how to choose a period tracker, check out Mozilla’s full report.

For more insights, sign up to our Tech Decoded newsletter, where Thomas and Lily Jamali break down the biggest stories of the tech world, and help you live a better digital life. Sign up for free here.

For more science, technology, environment and health stories from the BBC, follow us on Facebook and Instagram.

You may also like