The data flows: How private are popular period tracker apps?

Nobody really wants to keep track of their periods in their minds or a wall calendar, which makes period trackers really popular. But are they tracking more than menstrual cycles? To find that out, we took a look at 20 period tracking apps popular in the US and compared their data collection practices. 

    Which period tracker apps track you the most?

    All the apps came from the Apple App Store, which categorizes 32 different types of possible data that may be collected. That’s what we used to create our data sensitivity index. 

    Note that apps from the Google Play Store may have different privacy settings.

    The index measures each app’s score based not only on the quantity but also on the sensitivity of the collected data. Each data point is measured on our simple point system, with the points added up to create the index. Here are our criteria: 

    • 1 point: data that’s not linked to a user’s identity (such as app crash data).
    • 2 points: data that could be linked to a user’s identity (such as name).
    • 3 points: data that could track users across apps and websites (such as user ID).

    And here are the results (remember: high score = bad):

    Eve, Glow, and Ovia are the three most data-hungry period tracking apps

    Among the top 20 thirsty for blood-data apps and the amount of data points they collect in each category, Eve, Glow, and Ovia take the top 3. 

    Eve (67.2 points)

    The app really bites off a chunk of the Apple of Knowledge as it collects 18 out of the 32 possible data points. 7 of them allow the app to track users across platforms: name, email address, product interaction, coarse location, device ID, purchase history, and advertising data. The last 4 data points are also used for third-party advertising. 

    Glow (64.8 points)

    Both Eve and Glow come from the same developer, so it’s no surprise their data collection practices are very similar. Glow collects just one less data point than Eve – 17 out of the 32 possible. 

    The only difference is that Glow doesn’t collect the user’s phone number (Eve does but this data point isn’t used for tracking even if it’s linked to the user). Like with Eve, 4 out of 7 data points that allow the app to track users across platforms, are used for third-party advertising. Not much of a glow-up!

    Ovia (62.4 points)

    Ovia collects 19 out of the 32 possible data points. This is more than the first two apps, but its data-hungriness index is lower since less of the data is used for tracking (5 data points as opposed to 7). The 5 data points used to track you are coarse location, device ID, product interaction, advertising data, and performance data. 

    On the downside, Ovia collects a lot more data for third-party advertising – name, coarse location, health, email address, user ID, device ID, other financial info, product interaction, advertising data, sensitive info and performance data (11 in total). This is ovia-sly annoying. 

    How private are Clue and Flo apps?

    Clue and Flo are probably the two most-known period tracking apps. However, they both collect more data points than the average (11), suggesting that they are not the most private femtech choices out there.

    Both collect a similar amount of data points: Flo takes 15 and Clue gets 13. But our aunt app is much nosier as Flo’s index is significantly (1.7 times) larger than Clue’s. That’s because it collects more data points used to track you – 5 as opposed to 1. 

    Flo also collects more data points linked to your flow (15 as opposed to 10). In fact, it doesn’t collect any data points that wouldn’t be linked to you (while Clue collects 3 such points). Both apps collect contact info – specifically, name and email address – and use this data to track you. 

    On the plus side, neither app is trying to sell you carbon nanotube period panties that don’t work as they don’t use third-party advertising. However, a 2019 report from The Wall Street Journal revealed that Flo was secretly sharing sensitive user data with Facebook. The company settled the charges in 2021.

    Dangers of tech companies collecting data

    Do you really want your phone to know more about your cycle than you? Recent journalist investigations suggest that your phone could reveal if you’ve had an abortion, as “internet searches, visits to clinics and period-tracking apps leave digital trails.” If you want to keep that information to yourself, keep it away from track-happy apps.

    Not to mention, third-party advertising is another consequence arising from tech companies collecting your data. It’s safe to say, you don’t need to have an instinctive hatred of ads to realize that period tracking apps based in the US and ranking high on the data-hungriness index might not be the best choice for your privacy.

    First off, the US government is known to request user data from tech companies. For the period of 2013-2020, it was 5th by requests per 100k people, and 1st in overall requests. During this period, the US government made at least 23,972 user data requests from Apple, which is 56% of the total requests that the tech giant had received. Percentage of fully or partially disclosed user data requests (accumulated yearly US average)? 51%.

    A large part of the apps examined are based in the US. As such, it’s worth having the 2018 United States CLOUD act in mind when choosing your period tracker. The act states that companies subject to U.S. jurisdiction are required to disclose data (e.g., user data) for legal purposes, regardless of where the company stores the data. This means that officials can possibly get access to information such as ethnicity, menstrual cycle info, weight and even information about sexual activities.

    Period-tracking apps that use your data for third-party advertising

    Third-party advertising means all those annoying ads you see on your app – and possibly the sharing of your personal data with companies that provide those ads. Nearly half (9) of all examined apps use users’ data for third-party advertising: Ovia, Eve, Glow, Period Tracker by GP Apps, Clover, Period Calendar Period Tracker, My Calendar – Period Tracker, Spot On and Teen Period Tracker (MagicGirl). All but one of them are based in the US, and the list features three of the most data-hungry apps as well.

    Unfortunately, Spot On, an app provided by Planned Parenthood, makes the list. Using it means that data such as user ID and email address is linked to you. The small sliver of silver lining here is that  neither data is used to track you.

    MagicGirl, a period-tracking app marketed for teen girls, also uses your data for third-party advertising. And although that data is not linked directly to users, teens probably don’t need more targeted advertising aimed at them. The fact that MagicGirl tracks (teen) users’ coarse location and device ID is also something that feels a lot more wrong when the subject is underage.

    Should you care about your data being shared with third party advertising entities? Past cases have proven that purveyors of targeted ads may know extensive amounts of information about your life, including knowing when you’re pregnant. Famously, Target once sent coupons for baby clothes and cribs to a teenage girl way before her father found out she was pregnant. There was also debate about whether Amazon has a pregnancy-prediction mechanism in place after an email with a baby gift was accidentally sent to a large portion of customers.

    A deep-dive into period-tracking app data collection practices

    So, aside from tracking teens, what data are period trackers most interested in? The most collected information is product interaction data, health data and sensitive info (17 apps do this). That last category can include anything from race and religion to sexual orientation and pregnancy information. 

    While 75% of the examined apps collect contact info such as name, email address and/or phone number, the rest (that’s 5 apps) don’t. 3 of them are based in the US (Life, Cycle Tracking (Apple) and Teen Period Tracker (MagicGirl)), and 2 in Europe (Clover and Cycles). On the other hand, all of these apps collect Device ID which is unique to every single device and could be traced back to the cell phone owner.

    Out of the 32 possible data points, there are 7 that none of the apps collect. Most notably – precise location, browsing history, and payment and credit info. 

    While none of the apps collect your exact location, half of them collect your coarse location. This information can be used for different reasons. For example, as per Clue’s Privacy Policy, approximate location is used for “statistical and analytics purposes, and for regulatory compliance in different countries”. But while coarse data might be used to pinpoint your address, they would be able to narrow your location down to state.

    8 apps additionally collect users’ photo and video library data. As per Glow’s Privacy Policy, this includes “user generated content that you upload, generate, transmit, or otherwise make available on the service, such as profile pictures, photos, videos, images.” We should note that, when it comes to data hygiene, it’s not a good idea to grant data collection permissions that are not necessary for the app to work.

    While the average of the collected data points is 11, half of the apps collect more – so it’s not just some freaky outlier skewing the curve. Additionally, all the apps that collect an above-average amount of data points also track some of them, with the exception of Cycles and BellaBeat only. And you thought the apps only knew your (or your partner’s) menstrual cycle.

    Acknowledging apps that respect your period privacy

    The two most (Eve and Glow) and the two least (Life and Apple’s Cycle Tracking) data-hungry period tracking apps are all based in the US. But while Eve and Glow collect plenty of data that can be used to track you, Life and Cycle Tracking don’t. So there are privacy-oriented US-based options, too.

    The apps we’d recommend are Apple’s Cycle Tracking and Life. Both have low indices of 4 – none of the 4 data points they collect are linked to or used to track the user. No data is used for third-party advertising either. 

    It’s worth noting that Apple’s Cycle Tracking Privacy Policy was taken from its standalone app for Apple Watch. Cycle Tracking on other Apple devices is accessed through the Apple Health app which collects 6 more data points, but neither is linked to you or used to track you, and they’re not used for third-party advertising either.

    You deserve your privacy. Period. 

    Periods are a near-unavoidable fact of a female-bodied person’s life, and it’s good that there are technical solutions that can help alleviate the pains of tracking them. However, the utility of such apps doesn’t mean that they should know more about you than your gynecologist. So we hope that our research will help you make an informed decision about your time-of-the-month app. 

    Methodology

    We compared data collected by 20 period tracking apps based on the 32 types of data listed by the Apple App Store. Apps from the Google Play Store might have different privacy settings.

    The index was calculated by assigning the value from 1-3 to each data point by how much it could potentially expose the user:

    • 1 point: “Data Not Linked to a user” – data that is not linked to a user’s identity (such as app crash data)
    • 2 points: “Data Linked to a user” – data that may be linked to a user’s identity (such as name)
    • 3 points: “Data Used to Track users” – data that may be used to track users across apps and websites owned by other companies (such as User ID).

    An additional 20% of the sum points were added if the company uses the collected data for “Third-Party advertising”. Apps were ranked by the index value in descending order.

    According to Apple guidelines for developers, using data for third-party advertising means: “Such as displaying third-party ads in your app, or sharing data with entities who display third-party ads.”

    Apps were selected based upon US Apple App Store rankings using the AppMagic tool as a reference and medically reviewed lists from Healthline and MedicalNewsToday

    For the full research material behind this study, feel free to visit here.

    Sources:

    What data can government get from tech companies

    User Data Surveillance Report

    US CLOUD act

    CLOUD act FAQs

    How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did

    Has Amazon gotten so big it knows you’re pregnant before you do?

    All data used in the study was accessed or collected on May 13th, 2022.