Does GDPR apply to American users of EU-based apps

GDPR applies based on the data subject's location, not citizenship. If you are physically in the EU, GDPR protects your data regardless of your nationality. If you are in the US using a Berlin-based app like Clue, GDPR does not apply to your data — the app's US-facing privacy policy governs instead.

Can EU users request all their period data from any app

Yes. GDPR Article 15 gives EU residents the right to a copy of all personal data an organization holds about them, provided free of charge within one month. This includes cycle dates, symptoms, notes, and any derived analytics. Companies that refuse or delay face potential DPA enforcement.

Which US states have the strongest period data protections

Washington's My Health My Data Act is the strongest, explicitly covering reproductive health data with a private right of action. California's CCPA/CPRA provides broad consumer data rights including health data. Connecticut and a handful of other states have enacted consumer privacy laws with health data provisions. Most states have no specific consumer health data law.

guides

EU vs US: How Period Tracker Privacy Laws Compare

GDPR gives EU users enforceable rights over period tracker data. US users face a patchwork of state laws and no federal equivalent. Here is how the two systems compare for reproductive health privacy.

Two Fundamentally Different Approaches The EU and the US took opposite approaches to data protection, and the gap is nowhere more consequential than in reproductive health. The EU built a comprehensive framework — GDPR — that treats health data as a special category deserving heightened protection. It applies to every organization that processes personal data of EU residents, regardless of industry, size, or business model. The US built nothing equivalent at the federal level. Health data protection exists only through HIPAA, which covers healthcare providers and insurers but not consumer apps. What fills the gap is a patchwork: state consumer privacy laws (where they exist), FTC enforcement authority (reactive, not proactive), and whatever companies voluntarily promise in their privacy policies. For period tracker users, this difference is not abstract. It determines whether you have enforceable rights over your most intimate health data or whether you are relying on a company's good faith. GDPR: What EU Users Get GDPR provides EU residents with specific, enforceable rights over their period tracker data: Explicit consent requirement (Article 9) : Health data — including menstrual