Period Trackers Leak Sensitive Data | Analysis by Brian Moineau

TL;DR

  • Mozilla’s tests found one period tracker, Stardust, routing reproductive health events (pregnancy status, birth control, symptoms) to RudderStack while also pinging Meta and AppsFlyer, contradicting the app’s “Your data is private. Period.” slogan [1][2].
  • The exposure isn’t just what you type; it’s where those events travel: every third‑party SDK or data “pipe” multiplies legal risk after Dobbs v. Jackson Women’s Health Organization (2022), while HIPAA’s April 26, 2024 update shields clinical PHI but not most consumer apps [3][7].
  • Enforcement signals are clear—FTC actions involving Flo (2021), GoodRx ($1.5M in 2023), and BetterHelp ($7.8M in 2023) preview how “privacy promises vs. practice” cases will hit femtech and its vendors next [4][5][6].

What the source said

In July 2026, BBC Future reported on Mozilla Foundation’s hands‑on testing of six period trackers—Flo, Clue, Stardust, Spot On, Period Calendar, and Euki—showing stark differences in how they transmit private data from the United States and Europe [1]. Mozilla and BBC found Stardust was the only app that sent labeled reproductive health events to RudderStack, a routing service not named in Stardust’s policy, while also sharing identifiers with Meta and AppsFlyer; Stardust says RudderStack can’t identify users and is contractually barred from repurposing data [1][2]. Spot On’s in‑app links to Planned Parenthood’s site exposed visits (e.g., for HIV testing or gender‑affirming care) to AB Tasty, while Period Calendar sent device IDs to Google and InMobi without an opt‑out; Mozilla called Euki “squeaky clean” by comparison [1].

Why it matters

Two groups have the most at stake in 2024–2026. First: users whose menstrual logs can imply pregnancy, fertility struggles, or miscarriage in states that criminalize aspects of reproductive care after the 2022 Dobbs ruling; HIPAA’s April 26, 2024 reproductive‑privacy rule protects clinical PHI but does not reach most consumer trackers, creating a gap prosecutors can exploit with subpoenas or geofence warrants [3][7]. Second: the femtech stack—app publishers, attribution firms, analytics routers, and ad platforms—because one mislabeled or misrouted event can turn “we protect your privacy” into Exhibit A for the FTC or a state AG, echoing Flo (2021), GoodRx (2023), and BetterHelp (2023) outcomes [4][5][6].

Original analysis

Consensus view: “Fix period tracker privacy with end‑to‑end encryption and you’re safe.” Contrarian read: encryption helps, but the weak link is metadata exhaust and server‑side event routing that Apple’s App Tracking Transparency dialog doesn’t meaningfully police, so sensitive streams can leave at app open to partners like RudderStack, AppsFlyer, or Meta, even before a user toggles a setting [2]. In discovery, the map of who received which payloads on which dates typically matters more than whether fields were encrypted in transit [4][5][6].

Historical analogue: Flo’s 2021 settlement and GoodRx’s 2023 penalty. In Flo, the FTC alleged the app labeled events like “Pregnancy” and sent them with identifiers to Facebook, Google, Flurry, Fabric, and AppsFlyer, contrary to public promises, leading to an order requiring affirmative express consent and external assessments [6]. GoodRx paid $1.5 million and was banned from sharing health information for advertising after claiming to be “HIPAA secure” while not being a covered entity; DOJ and FTC highlighted the mismatch between claims and data flows [5]. BetterHelp paid $7.8 million and faced a ban on sharing sensitive health data for ads, reinforcing that regulators don’t need a breach to act—just a broken promise with corroborating packet logs [4].

Back‑of‑envelope calculation (example math using 13 cycles/year and 2M MAUs):

  • Assumptions: a typical user logs 8 items per cycle (bleeding, PMS, two symptoms, mood, sex, contraception, note). At 13 cycles/year, that’s ~104 health events per user/year (author’s calc).
  • If an app routes those to 3 partners (analytics, attribution, data router), that’s ~312 transmissions per user/year (author’s calc).
  • With 2 million monthly actives sustaining this cadence, that’s roughly 624 million transmissions/year—a compounding discovery, breach, and subpoena surface if IDs or device metadata allow linkage later (author’s calc).

Period tracker privacy: a 2x2 that predicts risk based on Mozilla/BBC’s 2026 findings [1]

  • Axes: “Visibility of data flows” (transparent logs, partner lists, on‑device options such as iOS 17’s App Privacy Report) vs. “Third‑party dependence” (count and criticality of external SDKs/pipes on iOS 17 and Android 14).
Quadrant What defines it Example placement (from reporting/tests)
High visibility + Low dependence Clear partner registry, minimal SDKs, local storage by default Euki (“squeaky clean” per Mozilla/BBC) [1]
High visibility + High dependence Lots of SDKs but a detailed map and user controls Few period apps today; a target state
Low visibility + Low dependence Few partners but opaque disclosures Gap apps not audited this round
Low visibility + High dependence Multiple partners, event routing, limited controls Stardust (RudderStack for health data; AppsFlyer/Meta identifiers) [1][2]; Period Calendar (Google, InMobi, no user opt‑out per report) [1]; Spot On’s linked web features leaking to AB Tasty [1]

Named‑stakeholder breakdown (4 groups, 2024–2026):

  • App publishers (Stardust, Period Calendar, Spot On): if your privacy page and packet captures diverge, you are replaying Flo/GoodRx’s storyline in a harsher legal climate spanning Washington to Texas [1][5][6].
  • Data routers/SDKs (RudderStack, AppsFlyer, Meta): you are “processors,” and Washington’s My Health My Data Act (RCW 19.373, 2023) regulates processors via contracts, logs, and retention duties that will surface in discovery [7].
  • Regulators (FTC, state AGs, HHS OCR): toolkits and precedent—Flo (2021), BetterHelp (2023), GoodRx (2023)—align with HIPAA’s 2024 rule that clarifies covered‑entity limits and spotlights the consumer‑app gap [3][4][5][6].
  • Users: the safest default is local‑only logging or apps proven to avoid third‑party transmission of health events (Mozilla highlighted Euki in 2026 testing) [1][2].

What others are missing

The overlooked angle is vendor‑chain accountability one layer downstream of the app: event‑routing platforms that shuttle payloads between mobile clients and data warehouses in Seattle‑to‑San Francisco stacks. Washington’s My Health My Data Act (RCW 19.373) binds publishers and processors alike and compels a homepage‑linked health data policy, opt‑in consent, and deletion rights with concrete effective dates (large entities by March 31, 2024; small businesses by June 30, 2024) [7]. HIPAA’s April 26, 2024 reproductive‑privacy rule tightens disclosures inside clinics yet explicitly doesn’t cover fertility/period apps that aren’t regulated entities, so compliance pivots on state law and SDK contracts instead of hospital playbooks [3][7].

What to watch next

  1. By Q4 2026, at least one state attorney general will file a My Health My Data Act action against a consumer reproductive‑health app or a processor for undisclosed sharing of cycle or pregnancy events, citing packet logs and partner contracts as evidence.
  2. By Q2 2027, a top‑5 mobile analytics or attribution vendor (by market share in North America) will ship a “reproductive‑health safe mode” that rejects cycle‑ or pregnancy‑labeled events and enforces 30‑day deletion SLAs, and at least one major tracker will announce adoption in a press release.
  3. By Q1 2027, Apple or Google will update platform policy to restrict server‑side routing of sensitive health events to non‑clinical processors without explicit, in‑context consent and an in‑app partner list, with enforcement via app rejections.

My take

If you ship a period tracker in 2026, you can’t outsource privacy to your SDKs or routers. The rule of thumb is simple: if your network logs show pregnancy or symptom events leaving the device, you’re building a plaintiff’s timeline for the FTC or a state AG. Build a data diode now: keep health events on‑device, publish a partner bill of materials, and ban reproductive‑health labels in analytics streams. HIPAA’s 2024 fix protects clinic charts, not your app; FTC precedent punishes broken promises; Washington’s MHMD creates direct exposure for processors—choose the “squeaky clean” quadrant or budget for discovery [1][3][5][6][7].

Sources

  1. The privacy problems hidden in your period tracker — BBC (https://www.bbc.com/future/article/20260715-how-period-trackers-share-womens-private-details) — Core report from July 2026 based on Mozilla’s testing; details on Stardust–RudderStack, Spot On’s AB Tasty issue, Period Calendar’s tracking, and Euki’s “squeaky clean” status.

  2. Privacy Review: Stardust Period Tracker — Mozilla Foundation (https://www.mozillafoundation.org/en/nothing-personal/stardust-privacy-review/) — Confirms health‑event transmission to RudderStack and identifiers to AppsFlyer/Meta; explains why Apple’s ATT doesn’t constrain these pipes.

  3. The HIPAA Privacy Rule (incl. Apr 26, 2024 Final Rule to Support Reproductive Health Care Privacy) — HHS.gov (https://www.hhs.gov/hipaa/for-professionals/privacy/index.html) — Establishes scope and the 2024 reproductive‑privacy update; clarifies covered entities/business associates vs. consumer apps.

  4. FTC Gives Final Approval to Order Banning BetterHelp from Sharing Sensitive Health Data for Advertising, Requiring It to Pay $7.8 Million — Federal Trade Commission (https://www.ftc.gov/news-events/news/press-releases/2023/07/ftc-gives-final-approval-order-banning-betterhelp-sharing-sensitive-health-data-advertising) — Shows FTC bans on ad uses of sensitive health data and monetary relief.

  5. Digital Healthcare Platform Ordered to Pay Civil Penalties… (GoodRx) — U.S. Department of Justice (https://www.justice.gov/archives/opa/pr/digital-healthcare-platform-ordered-pay-civil-penalties-and-take-corrective-action) — Details $1.5M penalty and advertising bans for sharing health data despite privacy claims.

  6. FTC Finalizes Order with Flo Health, a Fertility‑Tracking App that Shared Sensitive Health Data — Federal Trade Commission (https://search.ftc.gov/news-events/news/press-releases/2021/06/ftc-finalizes-order-flo-health-fertility-tracking-app-shared-sensitive-health-data-facebook-google) — Lays out how labeled pregnancy/period events went to analytics firms and the remedial order (consent, audits).

  7. Protecting Washingtonians’ Personal Health Data and Privacy (My Health My Data Act FAQ) — Washington State Attorney General (https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy) — Clarifies RCW 19.373 scope, effective dates (Mar 31 and Jun 30, 2024), policy‑link requirement, and that processors are in scope.