#privacy: Menstruation-tracking apps found sharing user data with Facebook

Privacy International (PI) has found that period-tracking apps have been sharing the intimate data of users to third-party services. 

In a new report by the UK-based privacy watchdog, out of the 36 apps that were tests, it was identified that 61% of them automatically transfer data to Facebook the instance a user opens the app. 

The data will be transferred whether the user has a Facebook account or not, and whether they are logged in or not. It was also identified that the apps would regularly send Facebook extremely sensitive and detailed intimate data. 

Menstruation apps doesn’t just collect information about users menstruation cycles, but as presented in research by Coding Rights, the apps also collect information about a user’s health, their sexual life, their mood and more – “all in exchange for telling you what day of the month you’re most fertile or the date of your next period. In fact, the data you share with your menstruation app is probably information you would not share with others.” 

The data is shared through the Facebook Software Development Kit (SDK), which are tools that can be utilised to develop apps for a specific operating system. The kit can also be used by apps to make money by reaching advertisers. 

Some of the apps PI tested included Period Tracker by Leap Fitness Group; Period Tracker Flo by Flo Health, Inc.; Clue Period Tracker by Biowink; and Period Tracker by Simple Design Ltd. It was found that none of these apps shared their data with Facebook. 

However other apps tested  such as Maya by Plackal Tech and MIA by Mobapp Development Limited, was found to extensively share sensitive personal data with third parties. 

The report was shared with Maya by Plackal Tech, and they responded: “We understand your concern that in addition to providing the analytics SDK, Facebook is also a social network and an ad network. We have hence removed both the Facebook core SDK and Analytics SDK from Maya.”

The company did state it would continue to use SDK, “post opt-in to our terms and conditions and privacy policy.”

PI wrote: “There is a reason why advertisers are so interested in your mood; understanding when a person is in a vulnerable state of mind means you can strategically target them. Knowing when a teenager is feeling low means an advertiser might try and sell them a food supplement that is supposed to make them feel strong and focused. 

“Understanding people’s mood is an entry point for manipulating them. And that is all the more worrying in an age when Facebook is having so much impact on our democracies, as the Cambridge Analytica scandal revealed.”

PI concluded its findings stating that its research raises serious concerns as to how apps are compliant with their GDPR obligations, especially around transparency and consent. 

“The responsibility should not be on users to worry about what they are sharing with the apps they have chosen. The responsibility should be on the companies to comply with their legal obligations and live up to the trust that users will have placed in them when deciding to use their service.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.