Using A Period Tracking App? This Is Where All Your Personal Info Goes

Half of the world’s population has a menstrual cycle, yet it still triggers shock when our periods turn up unannounced each month. So it’s no surprise that many women have turned to period tracking apps on their smartphones to diarise their monthly cycles.

The femtech revolution has boomed in the last few years, with some of these period tracking apps receiving over a million downloads, suggesting they have become a necessary tool for women worldwide. While they seem to have made women's lives easier and less complicated, questions have been raised over how our intimate data is being handled.

When we use a period tracking app, we input some of the most intimate details about ourselves, such as the dates of our periods, how lumpy our flow is and the last time we had unprotected sex. The apps ask us to track our moods, how much sleep we've had and our energy levels, and require personal data such as our full name, email address, date of birth and weight. These apps also predict your fertility window and are used by women trying to get — or avoid getting – pregnant.

Earlier this year, a report by UK-based charity Privacy International discovered that some of the most popular period-tracking apps had been sharing users' intimate details with Facebook. It was reported that period-tracking app MIA Fem in particular was sending sensitive information, such as contraception use and when users last had unprotected sex, directly to the social media giant. Another app, Maya, was also found to be sharing data with Facebook as soon as users opened the app – before they had a chance to sign the privacy policy. According to the report, sensitive information was shared via Facebook’s Software Development Kit (SDK) which is the integration feature that provides features like analytics or letting users log in to an app with Facebook.

Maya’s developer, Plackal Tech, said it had removed both the Facebook core software development kit and analytics SDK across all its platforms, yet the report highlighted a cause for concern over how data is collected and used, and whether the privacy policies are clear and concise, and easy for users to understand.

There's a lot of information there that we wouldn't share with anyone, so how can we be sure that it isn't being shared with third-party companies? The majority of period tracking apps do have privacy policies. When we looked at the three most popular — Clue, Flo and Eve — we were asked to consent to each app's privacy policy upon opening it after download.

Clue's privacy policy reads: "When you use the Clue app – including use without an account – or when you go on our website, Clue collects, stores and uses some personal and non-personal data and transmits it to some third-party services. We primarily do this to provide you with our services...You can change the settings in the app or your device at any time."

When we contacted Clue, a spokesperson told Refinery29 that the company "does not share any of our users' personal health or menstrual cycle data, nor do we sell any user data to any third-party service, and we never will."

Upon reading its privacy policy in its entirety, we found that Clue does use cookies and third-party services for the purpose of tracking, analysis and improvement of Clue's website and app, as well as for advertising purposes. It states that users' data, when using the app, is shared with eight different third-party services including Google Analytics, Adjust, Apptimize, Amplitude and Facebook Audiences, which generates targeted ads based on that data. Users' data is then stored on each of their servers, but there is no information about how it is handled there.

A Clue spokesperson said that it doesn't share personal information that directly identifies you as a person (such as your first name, surname and email) and removes such data that could be used by third-party services to infer cycle or health data.

Similar to Clue, period-tracking app Eve's privacy policy reads: "We do not sell or rent your personal data to third parties. We don't share your information (other than forum posts) to social networks or other public or semi-public places unless instructed by you to do so." It adds that "it only discloses your information to you or as you authorise us to" although it "may include certain elements of that information in our database on an anonymised basis."

Flo, too, asks users to consent to its privacy policy upon opening the app when first downloaded. The policy states that Flo "may collect your Personal Data and use it for the purpose of the user experience improvement like increasing the accuracy of predictions, personalising the insights you get." However, it does share your information with AppsFlyer, a mobile marketing analytics system.

AppsFlyer is "a service that enables app owners to analyse and interpret the performance of their marketing efforts," and also helps marketers to pinpoint their targeting.

When Privacy International approached AppsFlyer during their investigation into MIA Fem and Maya initially earlier this year, AppsFlyer told them that their terms and conditions actually restrict apps from using their service to collect personal information such as health information.

Eva Blum-Dumontet, the senior research officer at Privacy International, told Refinery29 that there are real issues with data sharing among menstruation apps. She said: "The role of companies like AppsFlyer is reflective of the issues of data sharing with third parties through menstruation apps. At the moment, when you share your most intimate information with a menstruation app, it doesn't just stay between you and the menstruation app. It also goes to the server of other companies, like AppsFlyer.

"When we confronted AppsFlyer about this issue they said: 'Our terms and conditions actually restrict app owners from using our service to collect personal information such as health information.' The reality though, for the app we had looked at, is that it is very much the sensitive health data that users share with their menstruation apps that ended up with AppsFlyer."

That's not the only issue here. The problem is the inaccessibility of privacy policies as a whole. While Flo, Eve and Clue all have privacy policies that pop up immediately after the user opens the app for the first time, they are long-winded and full of legal jargon. Eva agreed that this is what makes these apps problematic.

She said: "When companies ask for our consent to collect and exploit our data, the least we should expect from them is that our consent should be meaningful. Their data protection policy – which explains why and how the data is collected – should be easily accessible. The fact that menstrual app privacy policies remain long and unintelligible is hugely problematic."

It could be argued that people should take more care, but companies – especially those that are handling sensitive data such as medical records and intimate details about our bodies – shouldn't put the onus on their users to comb through a long and complicated legal document.

A Clue spokesperson said: "When setting up an account, users are presented with our privacy policy, which highlights exactly how and why we use data. At this stage, users can either opt in or opt out of sharing their data.

"Users that have opted in may withdraw their consent at any time, by either disabling cookies on their device or following the instructions on how to withdraw their consent individually for each third-party provider Clue uses for its third-party tracking and analysis services. All of our third-party providers are either EU-based or compliant with the EU-US Privacy Shield Framework that ensures that European data privacy requirements are met.

"We think selling data without real consent, and then hiding that process, is totally wrong, which is why we have gone to such great lengths to write our privacy policy and terms of service documents in a way that is not only understandable, but also allows for an informed choice and understanding how users can navigate their data privacy."

Glow Inc, the developer of Eve, said that "it does not sell or rent your personal data to third parties. We don’t share your information (other than forum posts) to social networks or other public or semi-public places unless instructed by you to do so."

A spokesperson for the Information Commissioner's Office told Refinery29: "Under data protection law, organisations have to ensure that their processing is fair, lawful and transparent and that appropriate security is in place.

"In addition, special category data – such as health organisation – requires greater protection because of its sensitivity and the increased risk of harm to or discrimination against individuals. Organisations have to recognise this and take additional steps to address these risks."