Is there a simple way to check if a period app is safe

Three questions cover most of what matters: Does the app require creating an account (If yes, your data is linked to your identity on their servers.) Does the app work completely offline after setup (If it requires internet for basic functions, it is transmitting data somewhere.) Does the privacy policy mention third-party analytics partners (If yes, data is being shared with those partners per their terms.) Apps that fail all three questions have structural data exposure regardless of their privacy marketing.

Can I trust a period app that says it does not sell data

The phrase 'we do not sell your data' is narrowly meaningful. It typically means the company does not sell your raw data to data brokers in a direct transaction. It does not cover sharing data with analytics partners, sharing data for 'service improvement,' or the behavior of embedded third-party SDKs. Flo did not technically sell data in the way the phrase implies, but the FTC found it shared data with advertising platforms. Evaluate the full data handling picture, not just the 'sell' language.

Does an app need my real name or email to track my period

No. A period tracker only needs cycle dates and whatever symptoms you choose to log to perform its core function. Requiring an email or name is a choice to tie your identity to your health data for account management, marketing, and data linking purposes. Apps that do not require an account, like Floriva, Euki, and Drip, demonstrate that account creation is not technically necessary for period tracking.

guides

How to Audit Any Period App's Privacy Before Trusting It

A practical framework for evaluating period tracker privacy beyond marketing claims. What to look for in privacy policies, permissions, and SDK behavior.

Why Privacy Policy Language Is Not Enough In January 2021, the FTC took enforcement action against Flo Health based on a finding that the company shared user health data with Facebook and Google via embedded analytics SDKs. Flo's own privacy policy stated it would not share health information with third parties. The discrepancy was not that Flo deliberately lied. The SDKs did what analytics SDKs do: they transmitted user behavior and device data, which in this case included health information, to the SDK providers. Flo's privacy policy was written about Flo's own data handling practices, not about the third party code embedded in the app. This case illustrates why reading a privacy policy is necessary but not sufficient. You also need to know what third party code is in the app and what that code does. The Four Part Audit Framework 1. Where is the data stored Read the privacy policy's storage and retention section. Look for "our servers," "cloud based storage," or "transmitted to our systems." If you see any of these, the data lives on the company's infrastructure and can be accessed by the company, subpoenaed by courts, or exposed in a breach. Apps with genuine on device storage w