Period apps are a privacy nightmare – should you still use them? An expert explains the risks

Samantha Lee/Business Insider
  • Period-tracking apps collect incredibly intimate data about their users.
  • They also have a track record of shaky privacy practices.
  • Insider spoke to an expert about what happens to do your data – and whether you should use the apps
  • Visit Business Insider’s homepage for more stories.

When you tell an app about your period, it’s hard to know exactly where that data is going.

Period-tracking apps offer clear health benefits to users, allowing them to track and anticipate symptoms, as well as providing an aid for people hoping to conceive. They are also hugely popular — period tracker app Flo has more than 50 million downloads on the Google Play store. Its next big competitor Clue has more than 10 million. It’s a competitive market, and even Apple launched its own period-tracking app in 2019.

Unfortunately, menstruation apps also have a track record of throwing up big privacy red flags.

This manifested last week, when popular period-tracking app Flo reached a settlement with the Federal Trade Commission (FTC) after the FTC alleged it shared sensitive user data with third parties including Facebook and Google — a practice that was revealed by a Wall Street Journal investigation in 2019.

Stories like Flo’s leave users wondering: do the health benefits of using a period tracker outweigh the privacy risks?

Privacy International in December published an analysis of how five period and fertility monitoring apps (including Flo and Clue) moved their users’ data around.

Eva Blum-Dumontet, the researcher who led Privacy International’s report, said even though she has been studying the field for years, she was taken aback by just how much data the apps stored about their users. This included the contents of notes on users’ masturbation habits and how frequently they go to the bathroom.

Carrie Walter, general counsel at Berlin-based Clue, said the amount of data Clue processes is no cause for concern.

“The fact that every interaction with the app generates data stored on our servers is neither surprising nor inappropriate. We are a cycle tracking app, dedicated to providing our users with personalised insights about their wellbeing based on the data they track. We could not provide this service if we did not store the data that people choose to input,” she said in an email to Insider.

Could your data be used to target you with ads?

Exactly what happens after apps collect this data and pass it on can be fairly opaque, especially to consumers. This makes it hard to confirm definitively whether information you give to a menstruation app could be used to target you with ads elsewhere on the internet.

Privacy International report found some period-trackers, including Clue, were sharing data with third parties. This data isn’t being used elsewhere online, but it can be used to target users with ads inside the apps.

There is functionality behind this; some period apps process their users’ data in order to target them with articles — for example if a user frequently gets oily skin around their period, the app will give them skincare advice.

While Privacy International’s research showed some of the third parties processing period-tracking data included big household name tech companies like Amazon and Google, Blum-Dumontet said that isn’t a big concern for her, as Amazon and Google provide very rudimentary services such as web hosting.

She instead pointed to a handful of companies that showed up in her research, which specialise in profiling and targeting users including Braze and Amplitude.

“What they are offering as a service to those apps is to be able to target and to create a profile of you — and again that’s not to say the profile will be shared with others, but it is using your data to target and and to build a profile and expectations of what you want to see, what kind of ads you should be receiving,” she said.

In a statement to Insider, a spokeswoman for Clue said the app doesn’t send these companies any health data, and that they are used for internal analytics and functions including in-app messaging and notifications. She added that Clue is in the process of building an internal analytics tool to replace Amplitude.

“This is part of our broader roadmap to replace third party services with self-built tools whenever possible,” the spokeswoman said.

Walter emphasised that none of the data entered into Clue into ad networks, and that Clue does not allow outside advertisers to target people inside the app.

“We are a company that needs to pay its own way, so we do use ad networks for online marketing. But, again, the crucial point is in the detail: we are extremely careful with users’ health data. It never goes to ad networks, nor do we use it to target ads on behalf of others in our own app,” she said.

Braze’s Vice President of Customer and Partner Marketing Will Crocker Hay told Insider in a statement: “We are a privacy-focused company that complies with all applicable privacy laws. Simply put, brands use Braze to create better experiences for consumers based on their preferences. Our customers have complete control over what data they share with us, and we only collect first-party data that we never sell to anyone else.”

Could your data be passed along to medical insurers?

Blum-Dumontet said there was no evidence in her research that data from menstruation apps is being passed along to entities like medical insurers, and in the UK and EU countries data protection laws forbid companies from repackaging data for purposes other than what users consented for it to be used for.

In the rest of the world — including the US — regulation is less robust, and Blum-Dumontet thinks it’s possible menstruation app data could end up feeding into companies including insurers. “Outside of the European Union or the UK it’s essentially a data wild west, and yeah this is definitely a scenario that could happen,” she said.

Blum-Dumontet doesn’t want to see period-tracking apps eradicated, and she doesn’t even think users should necessarily delete their apps.


Read more:
Pioneering femtech startup Elvie is bringing Apple’s model to women’s health despite coronavirus disruption

“Meeting people who use menstruation apps it’s always the question that comes up […] do I have to delete it. And my answer to that question is: if it is useful to you no, don’t delete it,” she said.

She believes it’s the companies, not the consumers, that need to change their behaviour.

The first change she thinks they should implement is designing their apps to store and process data locally on users’ phones, rather than siphoning it off to a central server where they have access to it. Secondly, she says apps can minimise the amount of data they collect in the first place.

“We really have to ask ourselves what data is essential for the app to function. They also have to ask themselves what services are essential,” she said.

The period-tracking app industry has already shown some signs of shifting. In 2019, Privacy International discovered some apps were sharing alarming amounts of intimate data with Facebook, and developer behind menstruation app Maya modified its app to stop this.

Business Insider Emails & Alerts

Site highlights each day to your inbox.

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram.