Period tracking apps (Flo, Clue, Natural Cycles) collect intimate health data—menstrual cycle timing, flow, symptoms, sexual activity, contraceptive use—and share it with advertisers, data brokers, and third-party analytics. Post-Dobbs decision, this data is legally exploitable by law enforcement in states criminalizing abortion. Flo has admitted sharing data without consent; Clue recently encrypted data by default but collects anyway; Natural Cycles’ failure to protect users resulted in lawsuits. For privacy, use open-source tools (Gnome Calendar with local tracking, Drip, or Periodica), offline-first apps, or simple calendar notation. Understand each app’s data practices before use. Delete accounts and request data erasure from companies. Consider periodic in-app anonymization: use aliases, track minimal data, avoid sharing with apps and platforms.

Why Period Tracking Data Is Sensitive

Period tracking apps record:

• Exact menstrual cycle dates (when you menstruate)
• Flow severity (light, medium, heavy)
• Symptoms (cramps, mood, energy, pain)
• Sexual activity dates
• Contraceptive use and type
• Pregnancy intentions
• Medication and supplement use
• Weight and mood variations

This is deeply personal medical information. Individually, dates and symptoms seem innocuous. Aggregated, the data reveals:

• Fertility windows (when you’re most likely to conceive)
• Whether you’re pregnant and at what stage
• Contraceptive compliance
• Sexual frequency and partners
• Health conditions (PCOS, endometriosis, hormonal disorders)

In the context of post-Dobbs America, where abortion is criminalized in multiple states, this data is legally dangerous. Law enforcement can subpoena app providers for users’ location, device information, and cycle data to prosecute women seeking abortions. Data brokers can sell this information. Insurance companies can use it to deny coverage.

The legal landscape is evolving: 14 states have explicit protections for reproductive health data, but most states lack protection. Federal protections are limited. App providers’ privacy policies can change at any time.

Major App Platforms and Their Data Practices

Flo: Data Sharing Admitted

Flo (owned by Knowwomen) is the largest period tracking app with 20+ million users. In 2021, Flo admitted sharing user data with third parties—including Facebook, Google, Amazon—without explicit consent.

Data practices:

• Shares identifiers (device IDs, IP addresses) with analytics platforms
• Sends encrypted data to third-party analytics (AppsFlyer, Amplitude, Mixpanel)
• Allows third-party advertisers to target based on app usage patterns
• Previously shared data with social media platforms (Facebook admitted receiving Flo user data)

Privacy policy changes:

• Policy has changed multiple times, each version loosening data protections
• “Health insights” feature shares data with “research partners” without explicit consent
• Unclear what “research partners” means; data could be sold to insurance companies

Legal actions:

• Multiple class-action lawsuits filed in 2021 for sharing data without consent
• In 2023, Flo agreed to $100M+ settlement (not yet finalized) and promised data minimization
• Despite settlement, data sharing continues; unclear if minimization was enforced

Assessment: Flo is among the worst offenders. Avoid unless you have strong technical controls (VPN, burner phone, minimal data entry).

Clue: Encryption as PR Stunt?

Clue is marketed as privacy-first. In 2022, Clue announced end-to-end encryption for user data. However, Clue still collects extensive usage data.

Data practices:

• Uses local encryption for stored cycle data (positive step)
• Collects analytics about app usage: which features you use, how often, timing
• Shares usage analytics with third parties (Firebase, Amplitude)
• Does not encrypt analytics data
• Syncs data across devices (requires account, unencrypted during transit)

Privacy improvements:

• Encryption at rest (when data stored on servers) is now standard
• No longer requires location permission on Android (previously did)
• Clear data deletion option (truly removes data within 30 days)

Remaining risks:

• Analytics data reveals behavior patterns (if you frequently check fertility window, that signals fertility focus)
• Company is backed by VC funds with exit incentives (pressure to monetize data)
• Can still subpoena user records (encryption protects only against passive eavesdropping)

Assessment: Clue has improved privacy posture but analytics collection remains concerning. Better than Flo but not ideal.

Natural Cycles: Contraceptive Failure and Data Misuse

Natural Cycles is marketed as an FDA-cleared contraceptive. In 2018, Swedish regulators found Natural Cycles’ security was inadequate and contraceptive efficacy claims were overstated. Users became pregnant despite using the app correctly.

Data practices:

• Collects detailed cycle data, temperature readings, sexual activity
• Shares de-identified data with researchers and third parties
• Data breaches: in 2019, users’ data was exposed (though de-identified, could be re-identified)
• Servers located in Europe but subject to US legal requests

Legal issues:

• Multiple lawsuits filed by women who became pregnant while using app
• Swedish court fined company for failing to verify contraceptive claims
• Data breach resulted in regulatory fines

Assessment: Natural Cycles combines inadequate security with health claims they cannot meet. Avoid entirely if seeking reliable birth control; consider only if using as tracking tool with backup contraception.

Periodica: Privacy-Respecting Alternative

Periodica (open-source, built by Privacy Guides) is designed as a privacy-respecting period tracker.

Data practices:

• All data stored locally on your device (no servers)
• Offline-first: works without internet
• Open-source code (anyone can audit security)
• No analytics or tracking
• No ads or data sales

Limitations:

• Features minimal (tracking, prediction, export to CSV)
• No cloud sync (data on one device only)
• Small community (fewer users = less bug testing)

Assessment: Excellent privacy choice if you want digital tracking without surveillance. Suitable for technical users; non-technical users may find setup challenging.

Drip: Privacy-First Open-Source

Drip is another privacy-focused period tracker (open-source, Android app).

Data practices:

• Data stored locally in encrypted database
• Optional: sync to your own secure server
• No cloud service (you control infrastructure)
• No ads, tracking, or data collection

Limitations:

• Minimal UI compared to commercial apps
• Requires understanding of privacy concepts to use securely
• Limited prediction and health insight features

Assessment: Best privacy choice for technical users willing to maintain infrastructure.

Legal Risks Post-Dobbs

Post-Dobbs decision (June 2022), reproductive health data became legally vulnerable in ways it wasn’t before.

State Criminalization of Abortion

As of March 2026:

• 14 states have total abortion bans (with narrow exceptions)
• 21 states enforce bans from 6-15 weeks of pregnancy
• Penalties range from felony charges to imprisonment

In criminalization states, period tracking data becomes evidence:

• Law enforcement can request app data to identify women seeking abortion
• Pattern of missing periods + travel to abortion-legal state = motive
• Pregnancy tracking app data + no birth = evidence of abortion

Data Requests and Subpoenas

App companies can and do receive subpoenas:

• In 2022, Dobbs decision followed by police requests for app data
• Police in Idaho attempted to access Google location data to investigate abortion seekers
• App companies have turned over user data in response to subpoenas (some refused, but outcome unclear)

Legal protections vary by state:

• 14 states explicitly protect reproductive health data from law enforcement
• Most states have no explicit protection
• Federal HIPAA protections do not apply to consumer apps (only healthcare providers)

Data Broker Risk

Data brokers aggregate data and sell to law enforcement:

• Flo data (through third-party analytics) could be resold
• Brokers explicitly market “fertility data” to law enforcement for investigations
• Your location history + period tracking = identifiable reproductive behavior

Safe Tracking Practices

If you choose to track your period, minimize data exposure:

Use Offline-First Tools

• Gnome Calendar: Desktop calendar app, local storage only
• Periodica (open-source): Android app, stores data locally
• Drip (open-source): Android app, encrypted local storage
• Paper calendar: Analog, no digital footprint

Minimize Data Entry

• Track only essential: period start date, end date
• Avoid: symptoms, sexual activity, contraceptive type, pregnancy intentions
• These details are often the most incriminating in legal contexts

Anonymization Tactics

• Use burner phone or secondary device for tracking app only
• Don’t sync tracking app with cloud accounts (Google, Apple, Microsoft)
• Don’t allow app to access location, contacts, or calendar
• Use VPN if you must use cloud-based tracker
• Rotate device identity (clear app cache, use different login methods)

Data Deletion from Commercial Apps

Flo data deletion:

1. Open Flo app
2. Settings → Account → Delete account
3. Confirm deletion in email
4. Flo states data deleted within 30 days
5. Request independent confirmation (write to privacy@flo.health)
6. Check data broker sites (spokeo, whitepages) for remaining data

Clue data deletion:

1. Open Clue app
2. Settings → Account → Delete account
3. Choose "Delete all my data"
4. Confirm in email
5. Clue deletes data within 30 days (verified)
6. Request confirmation of deletion

Natural Cycles data deletion:

1. Log in to account at app.naturalcycles.com
2. Settings → Account deletion
3. Confirm with email verification
4. Company confirms deletion within 60 days
5. Note: if data was de-identified and shared with researchers,
   you cannot retrieve it (already sold/shared)

Data Broker Removal

After deleting from app, remove from data brokers:

Major brokers (handle data sales):
1. Spokeo.com - remove profile
2. Whitepages.com - remove profile
3. PeopleFinder.com - remove profile
4. TruthFinder.com - remove profile
5. Radaris.com - remove profile

For each site:
- Search for your name/phone
- Click "remove my information"
- Verify removal (some require email confirmation)
- Repeat quarterly (brokers re-list data)

Legal Advocacy

Individual privacy practices matter but are insufficient. Systemic change requires advocacy:

Support reproductive health data protection bills:

• Multiple states considering “Reproductive Privacy Act” protecting app data
• Federal “My Body, My Data Act” would create nationwide protections
• Contact representatives to support these bills

Support app regulation:

• Call for FDA oversight of medical claims (Natural Cycles, Flo)
• Support state laws requiring data deletion (some states now have “right to be forgotten” laws)
• Demand transparency: app providers must disclose data sharing

Support data broker regulation:

• Data brokers sell reproductive health data to law enforcement
• Push for state laws requiring brokers to stop selling this category of data
• Support “Remove My Data Act” limiting broker sales

Recommendations Summary

Best privacy: Use open-source, offline-first tracker (Periodica, Drip) on device without internet connectivity.

Good privacy: Use Clue (improved encryption) on device with strong authentication, disable app permissions (location, contacts), no cloud sync.

Acceptable privacy: Use Gnome Calendar (desktop) for local tracking, nothing shared.

Avoid completely: Flo (known data sharing and lack of consent), Natural Cycles (security failures and false claims).

If using any commercial app:

1. Assume your data may be subpoenaed
2. Track minimal information (dates only, no symptoms or sexual activity)
3. Use burner phone or isolated device
4. Delete account and request data erasure after use
5. Check data brokers and request removal
6. Advocate for legal protections in your state

Related Articles

• Health Data Privacy and Digital Rights 2026
• Removing Yourself from Data Brokers Permanently
• Understanding Your Privacy Rights Post-Dobbs
• Claude vs ChatGPT for Drafting Gdpr Compliant Privacy
• AI Third Party Risk Management Tools Comparison 2026

Built by theluckystrike — More at zovo.one