How long do period apps keep my data after I delete my account

Retention policies vary. Flo's policy states backups may retain deleted account data for up to 90 days. GDPR requires data to be deleted within a reasonable time after a deletion request but does not specify a number. Some companies retain data indefinitely in aggregate or anonymized form. Look for the 'data retention' section of the privacy policy. If it says data is retained 'for as long as necessary for business purposes,' that is effectively indefinite.

What does GDPR compliance mean in a period app's privacy policy

GDPR compliance means the company has committed to the requirements of the EU General Data Protection Regulation: lawful basis for processing, data minimization, purpose limitation, user rights (access, deletion, portability), and limitations on transfers to non-adequate jurisdictions. For users outside the EU, GDPR compliance at a company often means the company applies GDPR-equivalent protections globally, but this is voluntary unless required by law.

Are health apps covered by HIPAA

Generally no. HIPAA (Health Insurance Portability and Accountability Act) applies to covered entities: healthcare providers, health plans, and healthcare clearinghouses, and their business associates. Period tracker apps that are not operated by these entities are not covered by HIPAA. This is why the FTC's authority, not HIPAA, governed the Flo enforcement action. The lack of HIPAA coverage is a significant gap in US reproductive health app privacy protection.

What is the difference between anonymized data and deleted data

Anonymized data has identifying information removed so it cannot be linked back to a specific person. Some companies retain anonymized data after account deletion for research or product improvement. Deleted data is removed entirely. Privacy policies often distinguish between these, retaining anonymized data indefinitely while committing to delete personal data. If anonymization is done poorly, it can be reversed. True deletion removes the risk.

guides

How to Read a Period App Privacy Policy: What Matters

Privacy policies are long and vague by design. This guide covers the specific clauses that determine how your period data is used, shared, and protected.

Why Privacy Policies Are Hard to Read Privacy policies are legal documents written primarily to satisfy regulatory requirements and limit company liability. They are not written to help users understand what actually happens to their data. Length, technical language, and vague category descriptions are features of this format, not bugs. That said, the information you need is in there. You just need to know where to look and what the standard evasions mean. The Sections That Actually Matter Data collection : What specific data does the app collect Look for a list of data categories. A period tracker should collect cycle dates and symptom logs. If it also collects device identifiers, location data, or usage behavior, that collection is happening regardless of whether you think it is necessary. Data storage : Where is your data stored Look for statements about servers, cloud storage, or local storage. If you cannot find a clear statement, call the company's support and ask. "We use industry standard security" is not an answer to "where is my data stored." Third party sharing : Who else gets your data This section uses category language by design. "Analytics providers," "advertising pa