Why Your Period Tracking App Might Be Selling More Than Just Insights
Menstrual cycle tracking apps have become indispensable tools for millions, promising a deeper understanding of our bodies, fertility planning, and even insights into our overall well-being. They’ve revolutionized how we engage with our reproductive health, moving beyond handwritten charts to seamless digital experiences. However, beneath their polished interfaces and compelling promises, a critical question looms: what truly happens to your most intimate health data?
This booming FemTech industry, projected to reach $12 billion by 2028, operates in a largely unregulated space. This lack of oversight has, unfortunately, led to a pattern of opaque data practices and a troubling phenomenon known as “empowerment washing,” where brands use feminist messaging as marketing rather than a foundational mission.
The Illusion of Privacy: When Promises Don’t Align with Practices
Some apps proudly market themselves as privacy-first, even claiming “end-to-end encryption” and “women-owned” status to build user trust. Yet, investigations have revealed that such claims can be misleading. For instance, Stardust, an app that gained viral popularity by positioning itself as a privacy-first alternative in a post-Roe world, was found to store encryption keys on its own servers, undermining the very definition of end-to-end encryption. This means the company could still access user data despite its promises. Furthermore, security researchers found that Stardust was not GDPR compliant, and its privacy policy at one point stated it would comply with law enforcement data requests whether or not legally required, a wording later quietly changed. Its revenue model also raises questions, as it charges for superficial premium features, leading to speculation that users might be “paying” with their data.
Another app, Kandara, which was one of the first digital tools for fertility awareness, shows signs of being quietly abandoned since its acquisition in 2018. Despite no official statements, users report glitches, crashes, and unanswered support requests, while the app remains downloadable and still charges for premium features. Critically, Kandara’s terms of use allow it to sell, lease, or lend aggregated personal information to third parties, even though this data is allegedly anonymized. The issue here is that aggregated data can often be reidentified through the “mosaic effect,”making it incredibly valuable to marketers, insurers, and researchers looking to profit from intimate information.
The Data Sharing Loophole: “We Don’t Sell, But We Share”
Many apps reassure users by stating, “We don’t sell your data”. However, what they often omit is, “We don’t share your data.” Sharing is a highly profitable business model, where data can be leveraged, monetized, and used by trusted partners, affiliate networks, and analytics firms to build lookalike audiences for targeted advertising. This continuous collection of intimate, uniquely female health data—including cycle patterns, symptoms, libido, pregnancy, and loss—has never been captured at this scale before by traditional medical systems or research institutions. Yet, users are often unknowingly groomed to hand it over to tech companies with little accountability.
Real-World Consequences: When Intimate Data Becomes a Commodity
The risks of sensitive health data falling into the wrong hands are not theoretical.
- Flo, one of the most downloaded menstrual cycle tracking apps, settled with the Federal Trade Commission in 2021 after it shared personally identifiable user data, including details about periods and pregnancies, with companies like Facebook and Google without proper disclosure between 2016 and 2019. Although Flo has since taken steps to become GDPR compliant, it means they are now transparent about who they share data with, not necessarily that they have stopped sharing sensitive health data altogether.
- Glow faced similar scrutiny in 2020 for failing to adequately protect user data, with investigators finding significant security flaws that allowed reproductive health information to be accessed without proper authentication. Glow misrepresented the safety of its privacy policies and was required to pay $250,000 in penalties.
The widespread fear that FemTech data could be “weaponized” to monitor women, particularly in the aftermath of changing abortion laws, underscores the urgency of this issue. Such data could be used to target users with ads, influence online content, or, in worst-case scenarios, be used by insurers, employers, or government agencies, with consequences far beyond what users intended.
The Self-Declared “Gold Standard”: GDPR Compliance
Many apps proudly display “GDPR compliant” as a badge of honor, meant to reassure users of their trustworthiness. However, the General Data Protection Regulation (GDPR) is a legal framework, not a real-time regulatory body. It doesn’t perform routine audits or vet apps before launch. When a company claims GDPR compliance, it often means “we wrote a privacy policy and we promise that we’re following it,” without proactive checks to ensure adherence. This loophole allows apps to market themselves as wellness tools, avoid medical regulation, and use vague privacy language to avoid accountability.
Choosing Wisely: Beyond the Pretty Interface
The core issue is a systemic failure in an industry optimized for scale and monetization, where trust and scientific rigor can become secondary. What appears to be “care” is often a strategic business model.
When choosing a reproductive health app, it’s crucial to be discerning. Look beyond the marketing hype and delve into the specifics of their privacy policies. In contrast to the concerns highlighted, some applications like BloomCycleemphasize a privacy-first design with on-device processing for all sensitive health information, ensuring that data never leaves your device without explicit consent. It employs end-to-end encryption (AES-256-GCM) for all sensitive data, including medical-grade PDF exports, and features a unified security system with biometric authentication. BloomCycle also explicitly adheres to HIPAA and GDPR compliance standards, and integrates ethical AI principleslike bias detection, fairness monitoring, and explainable AI, all with processing done locally on-device. This robust approach to data security and user control aims to provide comprehensive reproductive health tracking while prioritizing user privacy and trust.
Ultimately, true empowerment comes from informed choices. Your reproductive health data is incredibly personal. It’s time to demand honesty, transparency, and integrity from the tools we entrust with it.
Leave a Reply