Does Flo Sell Your Data? What the FTC Found

FTC Section 5: The section of the Federal Trade Commission Act that prohibits unfair or deceptive acts or practices in commerce. The FTC used Section 5 to take enforcement action against Flo in 2021 after finding the company shared user health data with third parties contrary to its privacy promises.

Third-party SDK: A software development kit embedded by app developers to add analytics, advertising, or crash reporting features. SDKs operate as code within an app and can transmit user data to the SDK provider's servers. The FTC found that Flo's integration of Facebook and Google SDKs allowed those companies to receive sensitive health data.

Data broker: A company that aggregates personal data from multiple sources and resells it, typically to advertisers or insurers. Period tracker data reaching advertising networks often passes through data brokers who link health signals to user profiles.

What the FTC Found

In January 2021, the Federal Trade Commission announced an enforcement action against Flo Health, Inc. The FTC found that between 2016 and 2019, Flo shared users’ reproductive health information (period dates, pregnancy status, and health symptoms) with Facebook and Google via embedded third-party SDKs.

The SDKs, integrated to provide analytics and performance data, automatically transmitted health events to Facebook’s analytics platform and Google’s Firebase Analytics. Users had no way to prevent this transmission, and Flo’s privacy policy at the time stated that user data would not be shared with third parties except as required to operate the service.

The FTC concluded this constituted an unfair and deceptive practice under Section 5 of the FTC Act. The consent order required Flo to notify affected users and direct Facebook, Google, and Flurry to delete the improperly shared data. Read the FTC case at ftc.gov/cases-proceedings/192-3133-flo-health-inc.

The Class Action

The same conduct prompted a class action lawsuit. In September 2025, Reuters reported that a combined $59.5M settlement resolved claims against Google, Flo Health, and Flurry. A jury on August 1, 2025 separately found Meta liable in the Frasco v. Flo Health case related to Facebook SDK data access.

The settlement covers affected US users. Eligibility and payment amounts were defined in the settlement terms. Per-person payouts in class actions of this scale are typically modest, but the enforcement action set a precedent for how regulators treat health data sharing by consumer apps.

What Flo Changed After the FTC Action

After the FTC action, Flo introduced Anonymous Mode, which claims to remove identifying information from cycle data. It requires a paid premium subscription. Basic privacy costs extra.

The underlying architecture did not change. Flo still stores cycle data on its servers. The consent order addresses what Flo does with that data, not whether the data reaches a server at all. Any data stored on a company’s server can be accessed via a court order or government subpoena.

The Architectural Alternative

Apps that store data only on your device, never transmitting it to company servers, cannot hand over what they do not have. The difference is architectural, not just a matter of policy. Law enforcement can only receive data a company possesses.

Floriva stores all cycle data on your device using encrypted local storage. No Floriva servers hold your reproductive health data. On-device is the only architecture Floriva ships. There is no server-dependent mode to opt into.

Did Flo sell my period data?

The FTC found that Flo shared users' reproductive health data — including period dates, pregnancy status, and health symptoms — with Facebook and Google via embedded SDKs, without users' knowledge or meaningful consent. Whether this constitutes a 'sale' in the strict legal sense depends on the definition, but the practical effect was that advertising companies received intimate health data. A $59.5M class action resolved in September 2025 (Reuters) covered affected users.

What data did Flo share with Facebook and Google?

According to the FTC's complaint, Flo transmitted health events — such as when a user indicated they were pregnant, trying to conceive, or experiencing specific symptoms — to Facebook's analytics platform and Google's Firebase Analytics. The data was shared through standard SDK integrations, meaning the transfer was automatic and users had no way to prevent it without deleting the app.

Does Flo still share user data?

Following the FTC enforcement action, Flo launched Anonymous Mode, which claims to decouple cycle data from user identity. However, Anonymous Mode requires a paid subscription, meaning basic privacy is paywalled. The underlying architecture remains cloud-based: Flo still stores your data on its servers, which are accessible to law enforcement via subpoena regardless of whether Anonymous Mode is enabled.

Is Flo safe to use after the settlement?

The settlement resolved the class action claims from the original FTC-investigated conduct. It did not change Flo's data architecture. Your data is still stored on Flo's servers. The FTC consent order requires Flo to notify users about prior data sharing and implement a privacy program, but these are policy controls — not architectural ones. A server that exists can be subpoenaed.

Take back your privacy.

Floriva is built on the architecture you just read about.

Want a tracker built on real privacy architecture?

14-day free trial
No account required
Data never leaves your device

Learn More

Frequently Asked Questions

What is the FTC enforcement action against Flo?

In January 2021, the FTC announced an enforcement action against Flo Health, Inc. The FTC found that Flo had shared users' sensitive health information — including period and pregnancy data — with Facebook and Google contrary to Flo's stated privacy policy. The consent order required Flo to notify affected users and instruct those companies to delete the data.

How much was the Flo settlement?

A combined $59.5M class action settlement was reached in September 2025 covering claims against Google, Flo Health, and Flurry (Yahoo) related to the same data sharing conduct identified by the FTC. Individual settlement amounts in class actions are typically modest. The FTC enforcement action itself resulted in a consent order, not a financial penalty — the money came from the civil class action.

How do I delete my data from Flo?

To delete your data from Flo: open the app, go to Profile > Settings > Privacy > Delete Account. Deleting your account initiates a data deletion request for Flo's servers. Note that data already shared with third-party SDKs before the FTC action may have been retained by those parties — Flo's consent order required it to ask Facebook, Google, and Flurry to delete the data.

Ready to track with real privacy?

Start Your Free Trial

Related Guides

Flo App Alternative: 7 Period Trackers That Don't Sell Your Data

Looking for a Flo alternative? We document what Flo did with your data and which period trackers store everything on your device instead.

Flo Health Pricing: What $4.99/mo Actually Costs You

Flo offers a free tier and a $4.99/mo premium plan. We break down the real tiers, the hidden costs the FTC documented, and how Floriva compares at $2.99/mo.

Flo vs Clue: Which Period Tracker Is Actually Private?

Flo settled a $59.5M class action for selling your data. Clue is GDPR-compliant but still stores everything server-side. Here's what the difference means for your privacy.

How Period Tracker Apps Collect and Use Your Data

Period tracker apps collect far more than cycle dates. This guide explains what data is collected, how it is used, and what the FTC enforcement actions against Flo and Premom revealed.

Are Period Tracker Apps Covered by HIPAA?

Most period tracker apps are not covered by HIPAA. This guide explains which law actually governs consumer health apps, what protections you do and do not have, and what the FTC can do.