Warning: *privacy not included with this product
Clue Period & Cycle Tracker
Clue is a German-based period to pregnancy tracking app. Being based in Germany is an important selling point for Clue because it means they are governed by Europe's stricter GDPR privacy laws, meant to do a better job at protecting consumers' privacy than laws just about anywhere else in the world. Clue says it uses 30+ different tracking options to help you understand how your menstrual cycle affects things such as mood, skin, cravings, energy levels, ovulation, fetal development, pregnancy symptoms, and more. Free to download, Clue offers a yearly subscription for about $40. How does Clue look from a privacy perspective? Well, we think they're OK. We also see a couple of places where we think they could do a bit better.
What could happen if something goes wrong?
It's always nice to see a company that makes an app that collects such sensitive health data tell us they take privacy and security seriously in ways that are accessible to all their users. We appreciate that. That said, we do have some concerns about Clue's privacy and security. Clue is so close to being good at privacy, from our perspective. Unfortunately, it seems they just miss the mark in a couple of places that leave us a little concerned.
First, for the good. Clue states they never sell your data. Yay! And, because Clue is based in Germany and governed by GDPR, Europe's stricter privacy laws, and most user data is stored there, it does provide users with better and stronger privacy when it comes to how their data can be used and what rights they have to access it and delete it. And Clue, as seen in their many blog posts above, does understand that people in the US are concerned about the privacy of their reproductive health data following the end of Roe vs Wade.
But there are concerns. First, Clue does collect a whole lot of information. Things like name, age, email address (if you create an account), device and app usage data such as device ID, IP address, location (but not precise location), and sensitive health data you choose to track in the app such as weight, body temperature, period length, sexual activity, birth control methods, cravings, mood, energy levels, and more. Clue does say they store your personal profile data separately from your cycle tracking data, which is good. Still, that's a whole lot of information the app can collect on you and store. Clue says they store things securely, but we always have to remind people, nothing stored on the internet is ever 100% safe.
It is great that Clue says they don't sell your information. They do however share some data with third parties for advertising, marketing, and research purposes. Clue says, "we do share a minimal amount of data about our users with advertising networks (but we never share the menstrual or other health data you track in the app)… If you are not comfortable with any data being shared for ad optimization, then you can go to Settings and change your preferences." So, you must opt out of your data being shared for advertising. Too bad it's not opt-in, we'd much prefer that. And Clue is very clear that they "do not share any of the data you track with advertisers or other third parties for their use." This is good.
When it comes to sharing data for research purposes, Clue says, "we share data with carefully vetted researchers to advance female health studies. For that purpose we de-identify your personal data by removing or hashing personal identifiers so that neither the researchers nor any third parties can link it to you." This is generally OK. However, we do like to remind folks that it has been found to be pretty easy to re-identify such data, especially if location data is included.
And recently, Motherboard reported they were able to purchase data from the data broker, Narrative, that could be used to identify users of the Clue app. According to the article, "The data does not include information harvested from the Clue app itself, but rather is a list of devices that have the app installed that in turn could be used to identify users." This reporting raised enough concerns that the US Congress launched an investigation into data brokers and period tracking apps, including Clue, to try and better understand what data was available to buy and how better to protect consumers' privacy on this front. We're not sure Clue did anything wrong here. The data economy and data tracking are a vast and complicated world. Still, we think it's important for potential users of Clue to know this happened. We did reach out to Narrative with some questions about purchasing this data and they told us, "prior to May 2022, some data providers had data products regarding period tracking app installs available for purchase in the Narrative Data Streams Marketplace," and "in anticipation of the increased attention to women's health and privacy in light of the Supreme Court's decision to strike down Roe v. Wade, we updated our policy to remove any pregnancy/menstruation/other reproductive health app install data from the Marketplace to prevent any potential misuse of the data." So, here's hoping for the best in regards to buying this sort of data from data brokers (but still, we recommend you plan for the worst).
Probably the biggest concern we found with Clue is on the security front. Unfortunately, Clue doesn't meet our Minimum Security Standards because they don't require a strong password. We were able to log in to the app with the very weak password of "1". That's bad. When we reached out to Clue to ask about this, they told us: "Clue requires authentication that can be done … by using an email / password combination. Encouraging even stronger password complexity will be addressed in the next major release planned for this summer." So, at least they know they need to do better and seem to have plans to upgrade their password requirement. We will update this review once we have confirmed a stronger password requirement has been implemented.
Tips to protect yourself
- Use the app without creating a profile: this way, your data will be processed on your device only, and will be less likely to end up in the hands of data brokers.
- Go to settings and opt out of data sharing for advertising purposes!
- Activate a unique PIN code or activate TouchID (iPhone 5S-8) for the Clue app.
- Do not sign up with third-party accounts such as Facebook or Google! It's better to log in with email and password.
- Choose a strong password! You may use a password manager like 1Password, KeePass, etc.
- Use your device privacy controls to limit the app's access to your personal information (do not give access to your camera, microphone, images and videos).
- Keep your app regularly updated.
- Limit ad tracking via your device (e.g., on iPhone go to Privacy -> Advertising -> Limit ad tracking) and the biggest ad networks (for Google, go to your Google account and turn off ad personalization).
- Request your data be deleted once you stop using the app. Simply deleting an app from your device does not erase your personal data.
What can be used to sign up?
Facebook and Google account sign-ups available
What data does the company collect?
If you create an account: Email, name, age
If you create an account: Your cycle information (e.g., period length, pain, or spotting) and depending on the data you provide, it may also contain information about your general health (e.g., weight, body temperature, hair quality, and if/how you engage in sexual intercourse)
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In 2020, privacy researchers raised a concern that a birthday is used as an advertisement identifier. The practice still continues.
In May 2022, reporters from Vice managed to purchase a list of devices using Clue from data broker Narrative for $100. According to the report, "The data does not include information harvested from the Clue app itself, but rather is a list of devices that have the app installed that in turn could be used to identify users." The fault likely doesn't lie with Clue for data brokers obtaining this information. Still, this data was available for purchase from at least one data broker as recently as May 2022, which is a concern.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Links to privacy information
Does this product meet our Minimum Security Standards?
We managed to sign up with "1" as a password. Clue wrote to us that "Clue requires authentication that can be done … by using an email / password combination. Encouraging even stronger password complexity will be addressed in the next major release planned for this summer." We will update this review once we have confirmed a stronger password requirement has been implemented.
Clue has information security staff that manage reported vulnerabilities. Vulnerabilities can be reported via the security.txt file (which outlines further scope and details), or by contacting the Clue Support Team via their app or website.
The app tracks a woman's menstrual cycle through machine learning. Clue says it works closely with universities and scientists to improve female health and to find insights that benefit its users. The app also says it is not an AI: "The product uses data analysis and machine learning to calculate the user’s personalised cycle predictions, however this is not an AI."
Congress to Investigate Data Brokers and Period Tracking Apps (Vice)
Data Marketplace Selling Info About Who Uses Period Tracking Apps (Vice)
Supreme Court overturns Roe v. Wade: Should you delete your period-tracking app? (TechCrunch)
Here’s What Period Tracking Apps Say They Do With Your Data (Vice)
We asked 12 period-tracking apps about their post-Roe privacy policies (Input)
Consumers swap period tracking apps in search of increased privacy following Roe v. Wade ruling (TechCrunch)
Forget Tracking Your Period—Your Period (App) Is Tracking You (Marie Claire)