Is Your Data Secure in a Period-Tracking App?

The U.S. Supreme Court overturning Roe v. Wade last week has reignited the conversation about privacy within period-tracking apps.

With abortion now outlawed or restricted in many states, privacy experts are cautioning that data entered into period-tracking apps could be used against a user who had or considered having an abortion.

That data could be vulnerable to a subpoena in a criminal case or even sold to a third party — like an activist group on either side — that’s interested in that type of information. Any information stored digitally could also be exposed in a data breach.

There are ways to better protect your data in a health app — like using a paid app that only stores information on your device — but there isn’t a 100% risk-free option to track periods in an app.

You’ll have to weigh the potential security risks against convenience for yourself.

Should You Quit Using a Period-Tracking App?

So what should you do right now? Here are some options to protect your info:

  1. Switch to paper and pen. Until there’s more information and precedent, the safest option is to not use a period-tracking app and return to a pen-and-calendar method of tracking. Yes, an app is convenient, but there’s no guarantee that your data is 100% safe.
  2. Delete your account. If you quit using an app, deactivate or delete your account if possible before deleting the app.
  3. Change your privacy and permission settings. If you do use a period-tracking app, select the highest privacy setting available and use a paid app, as your data is less likely to be tracked or monetized. Check your permissions, too, to see what the app has access to on your phone, and restrict those as needed.
  4. Move your data out of the cloud and onto your device. Make sure that any data you put into an app is only stored on your device and that the app has strict privacy standards and takes additional security measures, such as anonymizing information.

Your Data Has Already Been Shared

There have already been examples of period-tracking apps choosing to share personal health data with third parties.

Flo — a women’s health app with more than 100 million users — shared sensitive information with Facebook, Google and other platforms until the practice was outed in 2019. Flo reached a settlement with the Federal Trade Commission last year for misleading users into believing that data would be kept private.

Flo no longer shares your personal data and has announced plans to launch an “anonymous mode” for increased identity protection.

There’s a history of data sharing in less specific health apps, too. A 2019 study published in The BMJ medical journal found that 79% of health apps shared data from their users outside of the app.

“Sharing of user data is routine, yet far from transparent,” researchers concluded.

Many health and fitness apps — from Apple Health to Fitbit to Garmin Connect — offer the ability to track periods, so keep those apps in mind when evaluating your security.

HIPAA Won’t Protect You

Unlike what you share with a medical provider, what you enter into a period-tracking app is not covered by HIPAA (Health Insurance Portability and Accountability Act), which protects your health information.

Health care providers and your health insurance company do have to keep your medical records and anything you tell them private.

All this means that any information in a health or period-tracking app isn’t protected under HIPAA and could be disclosed without your consent or knowledge, depending on privacy policies.

Beyond apps sharing your information for their own use, the major concern is that your data could be subpoenaed in an investigation or court case or purchased by a third party.

Where Your Data Is Kept Matters

How your data is stored in a health or period-tracking app and the app’s privacy policy are important.

You don’t own health data stored in the cloud by a period-tracking app. The company owns that information and can be subpoenaed to release it to a court. The bar is lower for a subpoena than a warrant, which means your data is less secure. Your information could also be at risk if the company has a data breach.

However, you do own data that is only stored locally on your device. A search warrant would be required to obtain that information, offering more protection for your period-tracking data.

Be sure to read through the app’s disclosures about data and privacy before just clicking that you agree, and review any policies that you’ve already consented to. What you find may influence your decision to use or quit the app.

Michael Archambault is a senior writer with The Penny Hoarder specializing in technology. Johna Strickland is a senior editor with The Penny Hoarder.