Period tracking apps, categorized by data privacy: Flo, Clue, Stardust, Period Calendar, Period Tracker


This not only shifts the burden of risk assessment onto individual users, but also makes it difficult to assess app privacy and security. To do this, we consulted assessment frameworks developed by Beth Israel Deaconess Medical Center (MIND) and The Digital Standard to arrive at four fundamental questions to guide our study.

*A score of (0) = the app has not met the privacy requirement, (1) = the app has partially met the privacy requirement, (2) = the app has met the privacy requirement and (3) = the app has met the privacy requirement well.

**“Clear Specification” is defined here as an index of third-party companies and the data they receive.

Local or cloud storage

Knowing where companies store your data is essential for assessing the privacy risk associated with using their products. The most popular mobile apps store user data in the cloud, on multiple servers in multiple locations, allowing them to process large amounts of easily retrievable information. It also means your data is more vulnerable to bad actors. That’s why organizations like Givens prefer apps that store information directly on users’ devices. If an application stores data directly on your mobile phone, you have more complete control of it. None of the apps reviewed above gave users the ability to store their data locally, but Euki and Mozilla Foundation-backed Drip do.

Sharing with third parties

If you’ve recently used Facebook to log into a website or app, you’re already familiar with some of the ways app developers share information with third parties. Understanding which third parties a company works with and what type of data is transmitted to them is a useful way to assess your level of protection. For example, Period Tracker’s privacy policy admits sharing user device IDs with advertising networks, which is quite risky. It also expresses the company’s willingness to sell or transfer user data as a result of a merger or corporate sale. As a general rule, apps that make it clear who they’re providing information to and why, like Clue does, are more trustworthy.

It is also useful to know if the data is systematically anonymized (stripped of user identification information) before being shared with these third parties. However, anonymization is not a panacea. Stripped data may still be traced back to individual users under certain conditions. Machine learning makes this threat even more real, as the technology can speed up shady “re-identification” processes. Although it has promised to refrain from sharing user data itself, Clue does provide anonymized data to certain third-party research groups. Although Stardust is committed to limiting the information shared with third parties, its policy states that it may share information in order to “comply or respond to law enforcement authorities” or to protect “company security.” Ideally, apps are extremely selective about which third parties they are willing to share information with, or they don’t share with third parties at all.

Data deletion

Every app should have established protocols that allow users to remove their personal data from developers’ systems at will. Although many US-based apps include these protocols to comply with the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), users should look for privacy policies that clearly extend these erasure privileges to all users, regardless of location. Even so, it can be tricky, says Givens: “If you’re not a resident of the jurisdiction covered by the law, there’s no guarantee they’re going to honor it.”

Even apps that prompt for data deletion requests may not always execute them in a timely or complete manner. Flo, whose security practices brought them under FTC scrutiny in 2021, specifically states in their privacy policy that upon deletion of their app, they “retain your personal data for a period of 3 years in case you would decide to reactivate them”. Period Tracker admits to retaining users’ mobile device IDs “for up to 24 months” after receiving a request. The most secure apps should retain your data for 30 days or less and ideally submit deletion requests to third parties on your behalf, as Clue does.


If an app explicitly stores location data (like Period Calendar and Period Tracker do), it presents a bigger privacy concern. While three of the five apps analyzed here didn’t appear to explicitly log location data, each app logs users’ IP addresses, which can be used to determine someone’s general location. Flo, for example, explicitly shares IP addresses with third parties such as AppsFlyer.

Stardust’s practices decouple users’ IP addresses from their health data, which increases security. But critics say their methods don’t allow for true end-to-end encryption. Either way, when IP addresses are combined with outside data, such as a user’s search history or even other publicly available information about the user, they can easily reveal the identity of that person and their activities. The CDT and other privacy advocates have warned that users’ text messages and search histories have already been used against them in legal proceedings involving their reproductive health, and the practice is likely to grow.

The essential

Ultimately, a period tracking app like Clue presents users with slightly less risk than apps like Flo, Stardust, Period Calendar, and Period Tracker. However, these five apps, chosen for their outsized popularity, fall short of more secure options like Euki and Drip, as Consumer Reports corroborates. To the extent that it is possible for users to analyze all of their apps against the standards set out in The Digital Standard, Mhealth Index and elsewhere, users can make informed decisions about which companies to align with, but assessing the risks of using specific apps is an imperfect science. Besides being extremely time-consuming and often confusing, it is far from an adequate substitute for the lack of pervasive legal privacy protections available to all Americans.

According to privacy experts like Givens, period tracking apps represent the tip of the iceberg when it comes to digital privacy and security post-Roe. The CDT recommends people assess their own level of risk to determine if using a period-tracking app is worth it. In the meantime, it’s probably more worthwhile to take steps to secure your personal information such as text messages and search histories.

For those looking to make a difference, experts recommend advocating directly with tech companies, especially pioneering organizations like Google and Meta (formerly Facebook), to demand better individual protections. These are the companies that will eventually have to respond to law enforcement demands for user data, and many are already promising to reduce their surveillance (but also to lobby aggressively against privacy laws and regulations). To pave the way for better policy, tech companies should strive to take a serious inventory of the data they collect, regularly file transparency reports and, above all, take public positions in defense of the right to privacy early and often.

