lead-magnets
Period Tracker Privacy Guide
A practical guide to evaluating period tracker privacy claims, spotting cloud-data risks, and choosing apps that keep reproductive data off company servers.
What "Privacy" Actually Means in Health Apps
When a period tracker says it is "private," that word can mean almost anything. Some apps mean your data is encrypted in transit (which is a bare minimum, not a feature). Others mean they will not sell your data to advertisers (but may still share it with "partners" or "service providers"). A few actually mean your data never leaves your device.
The difference matters more for period tracking than for most app categories. Menstrual cycle data is health data. It can reveal pregnancy, pregnancy loss, fertility treatment, and contraception use. In the post Dobbs legal environment, this data has been sought by law enforcement in multiple states.
To evaluate any period tracker's privacy claims, you need to understand three things:
1. Where your data is stored on your device only, or on the company's servers 2. What data the app collects beyond what it needs to function 3. Who can access your data and under what circumstances
These three questions cut through marketing language and tell you whether an app is private in any meaningful sense.
Where Your Data Lives: The Three Storage Models
Period tracker apps use one of three data storage approaches. Each has different privacy implications.
Cloud first (server side storage). Your data is stored on the company's servers. You might have a local cache for offline use, but the authoritative copy lives in their infrastructure. This is how Flo, Clue, and most popular trackers work.
Privacy implication: The company has your data. Their privacy policy governs what they do with it. If law enforcement serves a subpoena or court order to the company, the company has the data to hand over. Your app password does not protect you because the company has access to the unencrypted data on their servers.
End to end encrypted cloud. Your data is encrypted on your device before it is sent to the company's servers. The company stores encrypted blobs they cannot read. Only your device has the key.
Privacy implication: The company genuinely cannot read your data. If they receive a subpoena, they can hand over encrypted data, but it is useless without your key. This is the model Signal uses for messages. Very few period trackers use this approach.
Local only (on device storage). Core records stay on your phone. There are no servers, no accounts, no cloud sync. The app works entirely offline.
Privacy implication: The strongest privacy model. There is nothing to subpoena because the company does not have your data. The trade off is that you lose your data if you lose your phone (no backup), and you cannot sync between devices. Some local only apps offer optional local backups (to your own iCloud or Google Drive), which puts the data back in a cloud but under your cloud account, not the app company's.
What to ask: When an app says "your data is private," ask: private from whom? If the answer is "from other users" but not from the company itself, that is not meaningful privacy for health data.
What the Flo FTC Case Revealed
In 2021, the FTC finalized a consent order against Flo Health after finding that the company shared users' health data with third party analytics and advertising companies, including Facebook and Google, despite promises that such data would be kept private. A combined class action settlement against Flo, Google, and Flurry reached $59.5 million in September 2025 (as of original publication; check current rates).
The FTC order is worth understanding in detail because it illustrates exactly how privacy promises break down in practice.
What Flo told users: Flo's privacy policy and marketing materials said user health data would not be shared with third parties for advertising purposes.
What Flo actually did: Flo integrated Facebook's SDK and Google's analytics tools into the app. These integrations transmitted event data including app usage patterns that could reveal menstrual cycle details to those companies. When a user logged a period, the app fired analytics events that Facebook and Google received.
Flo's defense: The company argued that the transmitted data was "analytics data," not "health data." The FTC rejected this distinction, noting that the timing and pattern of analytics events from a period tracker app is inherently health data.
What the consent order requires: Flo must obtain affirmative consent before sharing health data, undergo independent privacy assessments for 20 years, and notify users whose data was shared.
The lesson for users: A privacy policy is a legal document that describes what a company can do, not what it will do. The enforcement gap the time between a violation starting and a regulator catching it can be years. During that time, your data has already been shared. No amount of money compensates for health data that is already in the hands of data brokers.
Red Flags in Privacy Policies
You do not need a law degree to spot the warning signs in a period tracker's privacy policy. Look for these specific patterns:
"We may share data with our service providers and partners." This is the loophole that Flo used. "Service providers" can include analytics companies, advertising platforms, and data processors. The word "partners" is intentionally vague.
"We collect data to improve our services." This means the company is analyzing your health data. The question is whether "improving services" includes training algorithms they will monetize, building advertising profiles, or selling aggregate data.
"De identified or aggregated data may be shared." De identification of menstrual health data is harder than companies claim. Research has shown that "anonymized" health datasets can often be re identified when combined with other data. A dataset of menstrual cycles linked to age, zip code, and device type is not truly anonymous.
"We may share data as required by law." Every company will comply with valid legal process. The question is whether the company has your data to share. A cloud first app has everything. A local only app has nothing.
"We use third party analytics." This means your app usage data flows to companies like Google, Facebook, Mixpanel, or Amplitude. Even if the period tracker company does not sell your data directly, the analytics companies are receiving behavioral data from a health app.
The absence of specific commitments is itself a red flag. A privacy policy that does not explicitly state "we do not sell your data" probably does not make that commitment because the company wants the option.
How to Evaluate Any Health App's Privacy
Here is a structured process for evaluating period trackers (or any health app):
Step 1: Check the data storage model. Is your data stored on their servers, encrypted in their cloud, or local to your device? If the app requires an account to function, your data is almost certainly on their servers.
Step 2: Read the privacy policy's "sharing" section. Skip everything else and go straight to the section about sharing with third parties. Look for the red flags listed above.
Step 3: Check what permissions the app requests. A period tracker needs access to nothing, really. It does not need your location, your contacts, your photos, or your microphone. If it is asking for permissions beyond basic storage, question why.
Step 4: Look for a third party security audit. Has the app been independently audited for security and privacy? Companies that invest in audits usually say so publicly. The absence of an audit does not mean the app is insecure, but its presence is a positive signal.
Step 5: Test the "no account" claim. If the app says you do not need an account, verify this. Download it and see if you can use the core features without entering an email address or creating a login. Some apps let you skip account creation initially but nag you constantly or lock features behind registration.
Step 6: Check the app's network activity. This is more technical, but apps like Little Snitch (Mac), Lockdown Privacy (iOS), or TrackerControl (Android) can show you what network connections an app makes. A truly local only app should make zero network connections during normal use.
Data Storage Models Compared
Here is a side by side comparison of what the three storage models mean for you in practice:
Feature: Subpoena resistance Cloud first: None. Company has your data and will comply. E2E encrypted: Strong. Company has encrypted data they cannot read. Local only: Complete. Nothing to subpoena from the company.
Feature: Data breach impact Cloud first: Your health data is exposed. E2E encrypted: Encrypted blobs exposed; useless without your key. Local only: Not applicable; your data is not on their servers.
Feature: Multi device sync Cloud first: Yes, automatic. E2E encrypted: Yes, but more complex setup. Local only: No (unless you manually export/import).
Feature: Data loss risk Cloud first: Low; company backs up their servers. E2E encrypted: Medium; if you lose your key, data is gone. Local only: High; if you lose your phone without a local backup, data is gone.
Feature: Analytics and advertising data Cloud first: Often collected and shared (per privacy policy terms). E2E encrypted: May collect app usage metadata. Local only: None if the app makes no network connections.
The trade off is clear: stronger privacy comes with less convenience. The question is how much convenience you are willing to trade for control over your health data.
What Happened With Other Period Trackers
Flo's FTC case is the most prominent, but it is not the only example of period tracker privacy failures.
Clue (based in Berlin, subject to EU GDPR) has stronger legal privacy protections than US based apps due to European data protection law. However, Clue's business model relies on data analysis for research partnerships. They have published research papers using aggregate user data. GDPR compliance means they need a legal basis for processing, but "legitimate interest" is a broad category.
Ovia (owned by Labcorp since 2021) operates both a consumer app and an employer sponsored version. The employer version raises particular concerns: your employer pays for the app, and Ovia provides aggregate reports to employers about their workforce's reproductive health. Ovia says employers only see aggregate, de identified data. But the fact that your employer has any visibility into reproductive health data collected through an app they subsidize is worth knowing.
Glow settled a privacy complaint with the California Attorney General's office over allegations of inadequate data security practices. User data, including sensitive fertility information, was accessible through API vulnerabilities.
Practical Steps to Protect Your Data Right Now
If you are currently using a cloud based period tracker and want to improve your privacy:
Step 1: Export your data. Most apps offer a data export (GDPR requires it for EU users, and many apps extend this to all users). Download your history before making any changes.
Step 2: Evaluate your current app's privacy policy using the criteria in this guide.
Step 3: If switching, choose a local only or E2E encrypted app. Import your historical data if the new app supports it, or start fresh.
Step 4: Delete your account on the old app. Do not just uninstall it; request account deletion. Under GDPR and several US state privacy laws, the company must delete your data upon request (with some exceptions for legal retention requirements).
Step 5: Review app permissions. On iOS, go to Settings Privacy & Security. On Android, go to Settings Apps Permissions. Remove any permissions your period tracker does not need.
Step 6: Turn off analytics. If your app has an option to opt out of analytics or data collection, enable it. This may be buried in settings.
The Legal Dimension: Reproductive Data and Law Enforcement
Since the Dobbs decision in 2022, reproductive health data has taken on a new legal dimension. In states where abortion is restricted or banned, law enforcement has sought digital evidence including search history, text messages, location data, and health app data.
What law enforcement can access: Data stored on company servers: obtainable via subpoena or court order served on the company Data on your phone: obtainable via search warrant served on you (or a device seizure) Data with third party analytics companies: obtainable via subpoena served on those companies
What makes local only apps different: If the company does not have your data, law enforcement cannot get it from the company. They would need physical access to your device. This does not make you immune to investigation, but it eliminates one avenue.
The practical takeaway: In states with restrictive reproductive health laws, the storage model of your period tracker is a legal question, not just a preference question. An app where the company holds your data on their servers creates a record that can be accessed without your knowledge or consent.
The HIPAA Myth
81% of Americans wrongly believe HIPAA protects their health app data (ClearDATA/Harris Poll, May 2023, n=2,053). Period trackers are not healthcare providers. They are not covered entities under HIPAA. The HIPAA Reproductive Privacy Rule the only federal regulation that would have added protections was vacated by a federal court on June 18, 2025. HHS declined to appeal. There is no federal health data protection for period tracker apps.
HIPAA covers hospitals, insurers, and the providers who treat you. It does not cover the app you downloaded from the App Store, regardless of what kind of health data that app collects. The gap between public perception and legal reality is the single largest source of false confidence in period tracker privacy.
What Your App Actually Sends
When you log a period or symptom, many apps transmit that information to third parties through embedded SDKs. The FTC found Flo Health sending events with descriptive names like R PREGNANCY WEEK CHOSEN and P ACCEPT PUSHES PERIOD to Facebook and Google SDKs. These events were paired with unique advertising identifiers that could be linked to individual devices. Facebook, Google, Flurry, and AppsFlyer all received data that included pregnancy status, period dates, intention to become pregnant, and symptoms. None of these recipients were contractually restricted from using the data for their own purposes.
The mechanism is straightforward: when a user performs an action in the app (logs a period, records a symptom, enters a pregnancy week), the app fires an analytics event. That event has a name that describes the action and is bundled with a device advertising ID. The advertising ID is a persistent identifier that ad networks already associate with a profile of that device's owner. The result is that Facebook and Google received what amounted to pregnancy and menstrual status updates tied to identifiable users.
The Data Broker Ecosystem
Period app data is only one exposure vector. Location data brokers sell information that can identify visits to reproductive health clinics. SafeGraph sold location data covering 600+ Planned Parenthood locations for $160 (as of original publication; check current rates). Vice/Motherboard purchased data from broker Narrative for approximately $100 that identified Android devices with Clue installed. Babel Street's Locate X tool was used to track a device from a residence in Alabama to an abortion clinic in Tallahassee, Florida. The FTC has taken enforcement action against several data brokers since 2022, but the broader ecosystem remains operational.
The implication for period tracker users: even if your app itself is private, your location data and app installation data may be available through other channels. The combination of period tracker data from one source and location data from another creates a more complete picture than either dataset alone. This is why on device storage matters it eliminates one of the data sources that can be combined against you.
Bottom Line: What to Look For
When choosing a period tracker, prioritize these features in this order:
1. Local only or E2E encrypted storage. This is the foundation. Everything else is secondary. 2. No account required. If you do not need to create an account, the company cannot associate data with your identity. 3. No network connections during normal use. The app should work in airplane mode. 4. No third party SDKs (analytics, advertising, social). Check the app's privacy label on the App Store or Play Store. 5. Open source, if possible. Open source code can be audited by independent researchers. 6. Transparent privacy policy with specific commitments. Not vague language about "may share" specific statements about what the app does not do.
The best period tracker for privacy is one where you do not have to trust the company's promises, because the technical architecture makes data sharing impossible.