Half of the world’s population has a menstrual cycle, yet it still triggers shock when our periods turn up unannounced each month. So it’s no surprise that many women have turned to period tracking apps on their smartphones to diarise their monthly cycles.
The femtech revolution has boomed in the last few years, with some of these period tracking apps receiving over a million downloads, suggesting they have become a necessary tool for women worldwide. While they seem to have made women's lives easier and less complicated, questions have been raised over how our intimate data is being handled.
When we use a period tracking app, we input some of the most intimate details about ourselves, such as the dates of our periods, how lumpy our flow is and the last time we had unprotected sex. The apps ask us to track our moods, how much sleep we've had and our energy levels, and require personal data such as our full name, email address, date of birth and weight. These apps also predict your fertility window and are used by women trying to get – or avoid getting – pregnant.
Maya’s developer, Plackal Tech, said it had removed both the Facebook core software development kit and analytics SDK across all its platforms, yet the report highlighted a cause for concern over how data is collected and used, and whether the privacy policies are clear and concise, and easy for users to understand.
When we contacted Clue, a spokesperson told Refinery29 that the company "does not share any of our users' personal health or menstrual cycle data, nor do we sell any user data to any third-party service, and we never will."
A Clue spokesperson said that it doesn't share personal information that directly identifies you as a person (such as your first name, surname and email) and removes such data that could be used by third-party services to infer cycle or health data.
AppsFlyer is "a service that enables app owners to analyse and interpret the performance of their marketing efforts," and also helps marketers to pinpoint their targeting.
When Privacy International initially approached AppsFlyer earlier this year during its investigation into MIA Fem and Maya, AppsFlyer said that its terms and conditions actually restrict apps from using its service to collect personal information such as health information.
Eva Blum-Dumontet, the senior research officer at Privacy International, told Refinery29 that there are real issues with data sharing among menstruation apps. She said: "The role of companies like AppsFlyer is reflective of the issues of data sharing with third parties through menstruation apps. At the moment, when you share your most intimate information with a menstruation app, it doesn't just stay between you and the menstruation app. It also goes to the server of other companies, like AppsFlyer.
"When we confronted AppsFlyer about this issue they said: 'Our terms and conditions actually restrict app owners from using our service to collect personal information such as health information.' The reality though, for the app we had looked at, is that it is very much the sensitive health data that users share with their menstruation apps that ended up with AppsFlyer."
That's not the only issue here. The problem is the inaccessibility of privacy policies as a whole. While Flo, Eve and Clue all have privacy policies that pop up immediately after the user opens the app for the first time, they are long-winded and full of legal jargon. Eva agreed that this is what makes these apps problematic.
She said: "When companies ask for our consent to collect and exploit our data, the least we should expect from them is that our consent should be meaningful. Their data protection policy – which explains why and how the data is collected – should be easily accessible. The fact that menstrual app privacy policies remain long and unintelligible is hugely problematic."
It could be argued that people should take more care, but companies – especially those that are handling sensitive data such as medical records and intimate details about our bodies – shouldn't put the onus on their users to comb through a long and complicated legal document.
"Users that have opted in may withdraw their consent at any time, by either disabling cookies on their device or following the instructions on how to withdraw their consent individually for each third-party provider Clue uses for its third-party tracking and analysis services. All of our third-party providers are either EU-based or compliant with the EU-US Privacy Shield Framework that ensures that European data privacy requirements are met."
Glow Inc, the developer of Eve, said that "it does not sell or rent your personal data to third parties. We don’t share your information (other than forum posts) to social networks or other public or semi-public places unless instructed by you to do so."
A spokesperson for the Information Commissioner's Office told Refinery29: "Under data protection law, organisations have to ensure that their processing is fair, lawful and transparent and that appropriate security is in place.
"In addition, special category data – such as health organisation – requires greater protection because of its sensitivity and the increased risk of harm to or discrimination against individuals. Organisations have to recognise this and take additional steps to address these risks."
Flo has been contacted by Refinery29 for comment.