lead-magnets

Period App Privacy Audit Kit

A full audit kit for period app privacy: a plain checklist, a privacy-policy worksheet, a data map, a calendar checklist, an employer wellness audit, a pharmacy checklist, and an app comparison matrix.

Period tracking apps hold some of the most sensitive health information you have: cycle dates, sexual activity, pregnancy attempts, symptoms, and mood patterns. This kit helps you audit any app, plus the calendar, employer wellness, and pharmacy tools nearby that can leak the same details.

It is not legal advice.

It does not tell you which app to use.

Why this matters

The problem is not that every app sells data on purpose. The bigger issue is that many apps store data in ways that make it reachable by third parties, whether or not the company wants to hand it over. A subpoena does not care about a company's values. It cares about what data exists on its servers.

81% of Americans wrongly believe HIPAA covers health apps (ClearDATA/Harris Poll, May 2023, n=2,053, as reported in prior published guidance). HIPAA applies to covered entities such as healthcare providers, insurers, and clearinghouses, and to their business associates. Most consumer period trackers and most employer wellness apps are not covered entities.

Part 1: Data storage and account checklist

Where your data lives decides who can reach it. This is the most important section.

Storage location

Data is stored only on your device (no cloud sync). If cloud sync exists, it is optional and off by default. If cloud storage is used, data is encrypted before leaving your device (end to end encryption). The company cannot read your data even if it wanted to (zero knowledge model). Data is not stored on servers in countries with weak privacy laws.

Account requirements

App works without creating an account. App works without an email address. App does not require your real name. App does not require phone number verification. App does not link to your Apple ID or Google account for data purposes (only for app store purchase).

How to check: Look at the app's settings for sync or backup options. If there is no way to turn off cloud sync, your data is on the company's servers. If an account is required to function, your data is tied to an identity the company controls.

Red flags: "Your data is backed up to our secure servers" with no way to turn it off. Account creation required before you can log a single day. The app loses data if you sign out of a linked cloud account.

Part 2: Third party SDKs and tracking

Most free apps include code from advertising and analytics companies. These SDKs can collect data on their own, separate from what the app's privacy policy describes.

App does not include advertising SDKs (Google AdMob, Facebook Audience Network, and similar). App does not include analytics SDKs that send data to third parties, unless anonymized and aggregated. App does not include social media SDKs. App does not fingerprint your device for cross app tracking. App respects tracking opt out settings such as iOS "Ask App Not to Track."

How to check without technical tools: Look for targeted ads inside the app. Check the App Store privacy label (iOS) or Data Safety section (Android). Search " app name privacy SDK" for independent audits. Notice whether the app asks for tracking permission on first launch.

Red flags: Personalized ads related to health or fertility. A policy that mentions sharing "anonymized" or "aggregated" data with partners (menstrual data is unusually hard to truly anonymize). Requests for permissions, such as contacts or location, that have nothing to do with cycle tracking.

Part 3: Data sharing and monetization

This section covers what a company does with data on purpose, as part of its business model.

Privacy policy explicitly states data is not sold. Privacy policy explicitly states data is not shared with data brokers. Privacy policy explicitly states health data is not used for ad targeting. No "research" program that sends data to unnamed third parties. No data sharing with employers or insurance companies. If there is a free tier, it is not funded by data monetization.

How to read the policy quickly: Search for "share," "disclose," "third party," "partner," "aggregate," "anonymize," "research," "advertising," and "marketing." Read the full paragraph around each match. Watch the gap between "we do not sell your data" and "we do not share your data" many companies define "sell" narrowly while sharing freely with "partners."

Red flags: Vague language such as "we may share data with trusted partners to improve our services." A policy longer than 5,000 words. A policy that reserves the right to change terms without telling users.

Part 4: Law enforcement and legal requests

This is the post Dobbs concern: if law enforcement requests cycle data, what happens next.

Company publishes a transparency report on government data requests. Company states it requires a warrant, not just a subpoena, for health data. Company retains data for the minimum time necessary. Company does not proactively report user data to any government entity. Core data is stored on device only, so the company has less to hand over.

The critical question: can the company hand over cycle data if served with a legal order? If data is on company servers and not end to end encrypted, the answer is yes, no matter what the marketing page says. No privacy policy overrides a court order. The strongest technical protection is keeping core records on device so there is less company held data to produce.

Part 5: Deletion and portability

App offers a data export (CSV, PDF, or similar). Export includes everything you entered. Account deletion is available in app settings, not only by emailing support. Deletion request states a timeline. Company confirms when deletion is complete. Backup copies on company servers are included in the deletion. Deletion is permanent, not a "soft delete."

How to verify deletion: After requesting deletion, wait the stated period, then try to log in. If the account is recoverable, the data was not fully deleted.

For a full walk through of deletion requests and receipts, use the delete and move your period data guide.

Part 6: Enforcement history

Search FTC enforcement actions against the app (ftc.gov/cases proceedings). Check state attorney general settlements or investigations. Search for class action lawsuits about data sharing. Check whether Mozilla's Privacy Not Included review flagged the app.

Mozilla found 18 of 25 popular period and pregnancy tracking products received its Privacy Not Included warning label in 2022. The FTC finalized an order in 2021 requiring Flo Health to get affirmative consent before sharing users' health data, after alleging Flo misled users about how it shared data with outside firms. The FTC's case page for Premom's developer, Easy Healthcare, says its 2023 final order bars the company from sharing health data for advertising.

Red flags: A prior FTC consent order or settlement. A state AG investigation, even if settled without an admission of wrongdoing. A Mozilla warning label.

Part 7: Reading the privacy policy line by line

A privacy policy can look calm and still leave a company wide room to share data. Use this before you add health data to any app, new or existing.

Open the policy in a browser and use Find to search these words:

share • sell • disclose • partner • service provider • advertising • marketing • analytics • location • health • reproductive • law enforcement • subpoena • delete • retain • de identified • aggregate

Copy the full sentence around each match.

Word found What the policy says Plain meaning Pass, concern, or fail share advertising analytics location delete retain

Then check the data list. Mark every type the policy says the app may collect: period dates, symptoms, sex or intimacy logs, pregnancy status, fertility goals, notes or journal text, email, phone number, device ID, advertising ID, location, app use data, purchase data. Ask: does the app need this data for cycle tracking?

Score the sharing terms:

Policy line Pass Concern Fail Names each service provider Says health data is not used for ads Says data is not sold Explains analytics data Explains location data Explains law enforcement requests Explains deletion and retention

Use "concern" whenever the policy uses broad words like partners, business purposes, or improve our services without naming the data.

If the policy is unclear, send this to support or the privacy contact:

text Subject: Privacy policy questions about health data

Hello,

I am reviewing your privacy policy before I enter period or health data.

Can you answer these questions?

1. Do you share period, symptom, fertility, pregnancy, or sex log data with advertisers? 2. Do you share that data with analytics vendors? 3. Do you sell or share device IDs, advertising IDs, or location data? 4. Can your staff or servers read my period data? 5. What data is kept after account deletion? 6. How long do backups keep deleted account data? 7. Do you require a warrant, subpoena, or other legal order before sharing user data with law enforcement?

Please answer in plain terms and link to the policy section that applies.

Thank you, your name

Save the reply with the policy date. Policies change.

Part 8: Map where your data actually lives

Deleting an app is not the same as deleting the data. Use this map before you delete anything or send a deletion request.

Field Your notes App name Account email or phone Paid plan or subscription Last login date Export option found Yes / no / not sure Deletion option found Yes / no / not sure Support or privacy email Policy URL

Then check health hubs and loose copies:

Place to check What to look for Apple Health Apps with read or write access to cycle data Health Connect Connected apps and data permissions Wearable app Cycle, sleep, heart rate, or symptom links Partner app Shared cycle view or invite access Export file Downloads folder, cloud drive, email Screenshot Photos, messages, notes Backup iCloud, Google backup, device backup Old phone Retired device or trade in phone

Apple says the Health app lists which apps and devices requested access to Health data, and lets you turn read or write access on or off. Google says Health Connect lets you manage connected apps and choose data permissions.

Part 9: Calendars, widgets, and shared accounts

A period calendar can leave private labels, widgets, screenshots, exports, backups, and shared account copies even after you delete an event.

Home screen and lock screen widgets. Tablet, watch, laptop, and car display widgets. Family, partner, work, and school shared calendars. Screenshots, PDFs, calendar files, and email attachments. Phone and photo backups, and calendar sync settings.

Use a low detail label if a calendar is shared: "Cycle day," "Check app," or "Health note" instead of specific words. The Office on Women's Health and MedlinePlus both note that tracking helps you know your usual cycle and next period timing that value does not require sharing every detail on a shared calendar.

Part 10: Employer wellness apps

Many employees use a workplace wellness app because of a financial incentive, not by choice. Wellness incentive rules permit financial pressure of up to 30% of health coverage cost, which is not a fully free choice.

Does the privacy policy state exactly what data is shared with your employer? Is shared data aggregate only, with a stated minimum group size (best practice: 50+ people per group)? Is there a signed Business Associate Agreement between the vendor and your employer's health plan? Without one, HIPAA does not apply. Can you use the platform without logging reproductive health data? Can you opt into general wellness features without opting into cycle tracking?

If you face this trade off: complete the required activity, such as a biometric screening, and skip optional tracking. Keep reproductive health notes in a separate, personal, on device place instead of a workplace platform.

Part 11: Pharmacy and prescription trails

Pharmacy records can reveal reproductive health context even when the app itself is fine: medicine names in text previews, refill reminders on a shared lock screen, receipts, delivery labels, family account access, and insurance claims.

Place to check What could show Pharmacy app Medicine names and refill status Text and email alerts Pickup or refill previews Receipts Medicine name, store, date, card Delivery Package labels and address Family account Who can view or manage records Insurance claim Medicine, prescriber, cost, date

HHS says people have HIPAA rights to see and get a copy of health records, ask for corrections, and get a notice of privacy practices. HHS also explains that the HIPAA Privacy Rule applies to covered health plans, healthcare clearinghouses, and certain providers, and that health plans include prescription drug insurers. This does not make every pharmacy interaction private by default check refill alerts, family access, and receipt settings directly with the pharmacy.

This is not medication advice. Ask a clinician or pharmacist about medicine questions.

Part 12: How apps compare

No single feature makes an app "safe." Structural choices where data lives, whether an account is required are harder for a company to quietly reverse than a policy promise is. Apps built around on device storage or end to end encryption keep less data reachable by a subpoena or a breach, because there is less readable data on a server to begin with.

When comparing apps, prioritize in this order:

1. Local only or end to end encrypted storage. 2. No account required. 3. No network connections during normal use (the app should work in airplane mode). 4. No third party advertising, analytics, or social SDKs. 5. Open source, if available, since it can be independently audited. 6. A privacy policy with specific commitments, not vague "may share" language.

Your audit summary

Category Pass Concern Fail Data storage and accounts Third party SDKs and tracking Data sharing and monetization Law enforcement policies Data deletion and portability Calendar and shared account exposure Employer or pharmacy exposure

If you have 2 or more Fail marks, consider switching to an app that scores better, or move to a fully offline method for sensitive notes. If you have mostly Concern marks, weigh whether the risk fits your situation. Re audit yearly: privacy policies change, companies get acquired, and business models shift.

Floriva note

Floriva should pass the same audit as any other app in this kit. Ask the same questions about storage, accounts, SDKs, and deletion.

No app can control screenshots, exports, backups, shared devices, employer systems, or pharmacy records outside its own walls.

For deletion steps and receipts when you leave an old app, use the delete and move your period data guide. For state level legal risk context, see the post Dobbs digital safety and state risk kit.