What does a period app privacy audit actually check?

A thorough audit checks five things: where the data is stored (device vs. server), what the privacy policy permits for sharing and analytics, whether there is enforcement or class action history, whether the data deletion process works, and what happens to your data in an acquisition. The most important check is storage architecture. On-device apps cannot transmit your data to advertisers or hand it over in response to a subpoena, regardless of what the privacy policy says.

How long does a period app privacy audit take?

A basic audit, checking account requirements, offline functionality, and skimming the privacy policy for key sections, takes about 20 to 30 minutes. A thorough audit including an FTC enforcement search, deletion test, and policy comparison takes 30 to 60 minutes. The deletion test (create an account, log a few entries, delete the account, verify it worked) can take 24 to 48 hours because you need to wait for deletion to process before confirming.

Does HIPAA protect my period tracker data?

No. HIPAA applies to covered entities: hospitals, insurance companies, healthcare providers, and their business associates. Consumer period tracking apps are not covered entities. The FTC enforcement action against Flo in 2021 was a consumer protection case, not a HIPAA violation. Your cycle data in an app is governed by that app's privacy policy and consumer protection law.

What happened with the Flo FTC enforcement action?

In 2021, the FTC took enforcement action against Flo Health for sharing reproductive health data, including period dates, pregnancy status, and health symptoms, with Facebook, Google, and Flurry, without disclosing this to users or getting meaningful consent. The sharing happened through embedded SDKs that sent data automatically, regardless of device ad-tracking settings. A $59.5M class action settlement followed in September 2025. The FTC case is documented at ftc.gov/cases-proceedings/192-3133-flo-health-inc.

alternatives

How to Audit Any Period Tracker App for Real Privacy

A practical checklist for evaluating period tracker privacy: what questions to ask, what answers reveal, and what red flags mean in plain terms.

Why privacy claims are not privacy guarantees When Flo was sharing period data with Facebook and Google, its privacy policy promised to protect user data. When the FTC took enforcement action in 2021, Flo's marketing still described the app as safe and private. The settlement came four years later. Privacy claims are easy to write. Architecture is harder to fake. This guide focuses on auditing the architecture, not the marketing. The audit below takes 30 60 minutes for a thorough review of any period tracking app. You can do it before you download, before you enter data, or before you decide to leave an app you're already using. Section 1: Where is the data stored This is the most important question. Everything else is downstream of it. The question to ask: Does the app require an account? Is internet access required for the app to work? Does the privacy policy reference "our servers" or "cloud storage"? What the answers mean: Requires account + internet connection: Data is stored server side. The app cannot function without syncing your data to the company's servers. This is the default architecture for most mainstream period trackers. No account required, works offline: Data is s