Glow Nurture & Glow Baby

Warning: *Privacy Not Included with this product

Glow Inc
Wi-Fi

Review date: Aug. 9, 2022


Mozilla says

People voted: Super creepy

Glow Inc makes four different sex, period, fertility, ovulation, pregnancy, and baby tracking apps they say cover everything from "period to parenting." There is Glow (fertility), Nurture (pregnancy), Baby (babies), and Eve by Glow (period & sex life). All four apps use the same privacy policy.

Glow's pregnancy tracking and baby apps say they give you things like baby growth and development, kick counter, medical log, contraction timer, postpartum support, baby feeding and sleep schedule, parenting tips, community forums and more. That's a whole lot of personal, sensitive health data they collect to help users during pregnancy and after. So, how does Glow do at protecting the privacy of all this personal information you share about you and your baby? Honestly, they aren't great. Actually, they're pretty bad.

What could happen if something goes wrong?

Ugh, Glow. This will not be a glowing review because Glow raises a whole lot of privacy concerns for us. Where to start?

There's the big old bunch of trouble they got into back in 2020 after Consumer Reports found lots of problems with Glow's privacy and security. And then California settled with them in a case where they were allegedly failing to "adequately safeguard health information," "allowed access to user's information without the user's consent," and had security problems that "could have allowed third parties to reset user account passwords and access information in those accounts without user consent." Very very bad.

And then there's the dishonesty this privacy researcher was really irked by when she reviewed the data privacy information the company shared on its Google Play store data safety page. There they make the claim: "No data shared with third parties. The developer says this app doesn't share user data with other companies or organizations." This claim is easily shown to be false with a read of their privacy policy, where they outline sharing data with lots of third-party advertisers, business partners, and professional advisors (which seems way beyond the scope of what Google says constitutes what needs to be declared for data sharing). Misleading and dishonest data safety claims are a HUGE pet peeve of ours here at *Privacy Not Included. Unfortunately, with what we've seen so far on Google's new Play store data safety information pages, this self-reported data from companies is too often inaccurate. Glow isn't the only one making misleading claims there.

Glow does state clearly in their privacy policy that they can collect a whole bunch of personal, usage, and health information on their users. Things like name, email, precise location, spouse's name, sexual orientation, health care providers' names, child information, mood, medications, and, of course, sexual activity, fertility, and menstrual cycle information. That's a whole lot of information they can collect, which is not surprising. They are an app designed to do that. What is surprising is when an app that knows they are collecting this much super sensitive, personal, and health related data then goes on to say they can use some of the data for targeted, interest-based advertising purposes or share with "professional advisors" which they say can include "lawyers, auditors, bankers and insurers," or their vague list of affiliates which can include "corporate parent, subsidiaries, and affiliates." That's a lot of potential data sharing with a lot of potential third parties.

Glow also states in their privacy policy that they can collect even more information about you from third-party sources such as social media and combine that with what they collect on you. They say, "We may combine personal information we receive from you with personal information we obtain from other sources, such as social media accounts ..." This is where we remind you to never, ever log into an account with a social media login like Facebook. It's bad privacy news where even more of your data can be shared with both the social media site and the company. Glow is also a little too vague for our liking in that statement about collecting data from third-party sources. They say they "may" combine data from third-party sources "such as" social media accounts, which seems to indicate to us they could also be collecting data from other third-party sources, for example, data brokers or public sources. Gross.

All of these are some serious privacy red flags we aren't happy about at all. And then there is the question of how Glow says they might share your information with law enforcement. Their privacy policy mentions that in a couple of places where they say, "We may use your personal information to ... comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities." And they say they may share your personal information with "Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes..." This leaves us feeling wary as it seems to indicate Glow might give up a user's data through voluntary disclosure, which is a policy we really don't like here at Mozilla. We much prefer when companies state they won't give up user data to law enforcement unless required to under subpoena, and even then, we like to see them commit to only giving up the bare minimum necessary.

What's the worst that could happen with Glow? Way too much, we're afraid. We'd say this product comes with *Privacy Not Included and recommend you look elsewhere for a privacy protecting pregnancy tracking app. We just don't believe users can or should trust Glow to respect and protect their privacy, no matter what the company states on Twitter or in a press response.

Tips to protect yourself

  • Enable multi-factor authentication to protect your account.
  • In the app settings under "Personal privacy security and data" make sure to uncheck the box for "Internet-based ads."
  • Do not connect Samsung Health, GoogleFit or Apple Health or other wearables to the app.
  • Choose a strong password! You may use a password control tool like 1Password, KeePass, etc.
  • Use your device privacy controls to limit access to your personal information via app (do not give access to your precise location, camera, microphone, images and videos, other files).
  • Keep your app regularly updated.
  • Limit ad tracking via your device (e.g., on iPhone go to Privacy -> Advertising -> Limit ad tracking) and the biggest ad networks (for Google, go to Google account and turn off ad personalization).
  • Request your data be deleted once you stop using the app. Simply deleting an app from your device does not erase your personal data.

Can it snoop on me?

Camera

Device: N/A

App: Yes

Microphone

Device: N/A

App: Yes

Tracks location

Device: N/A

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product for sharing personal data for advertisement. Their use of some services may be classified under California law as a “sale” of your Personal Information. We also ding this product for saying they may combine personal data they receive about you with personal data from third-party sources, such as social media.

"We, our service providers and our third party advertising partners may collect and use your personal information for the following marketing and advertising purposes: Direct marketing. [...] Interest-based advertising. [...]

"We may engage third-party advertisers or advertising companies to display ads on our Service and other online services. We may also share names, email addresses and device identifiers our users with these companies to facilitate interest-based advertising to those or similar users on other online platforms."

"We may share your personal information with the parties below, with other third parties with your consent, and as otherwise described in this Privacy Policy or at the time of collection: Affiliates. Our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Policy. Advertising partners. Third party advertisers and advertising companies for the interest-based advertising purposes described above. Advertisers whose ads are posted on our Service may be able to infer information about you when you click on those ads (e.g., that you have a newborn if you click on an ad about a newborn product). Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us."

"Our use of some of these services may be classified under California law as a “sale” of your Personal Information."

"We may combine personal information we receive from you with personal information we obtain from other sources, such as social media accounts that you use to log into or connect to the Service, which will allow us to collect the information you chose to make available in your settings on that social media account. "

How the company says they may share data with law enforcement:
"We may use your personal information to: comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities; protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above."

How can you control your data?

What is the company’s known track record of protecting users’ data?

Bad

In 2020, California settled with Glow app over alleged violations of California’s Confidentiality of Medical Information Act (“CMIA”), the Unfair Competition Law (“UCL”), and the False Advertising Law (“FAL”). In addition to a $250,000 civil penalty, the settlement included injunctive terms that require Glow to comply with state consumer protection and privacy laws, and a first-ever injunctive term that requires Glow to consider how privacy or security lapses may uniquely impact women.

The Attorney General's complaint alleged the Glow app:
- Failed to adequately safeguard health information;
- Allowed access to user’s information without the user’s consent; and
- Had additional security problems with the app's password change function that could have allowed third parties to reset user account passwords and access information in those accounts without user consent.

Already in 2016, a Consumer Reports investigation singled out Glow Inc. for privacy and security flaws.

Child Privacy Information

The Service is not intended for use by children under 16 years of age. If the app provider learns that they have collected personal information through the Service from a child under 16 without the consent of the child’s parent or guardian as required by law, they will delete it.

Can this product be used offline?

Yes

User-friendly privacy information?

No

Links to privacy information

Does this product meet our Minimum Security Standards?

Yes

Encryption

Yes

Glow claims their data is encrypted in transit in their Google Play store data security information. We could not confirm that Glow encrypts data at rest where it is stored on their end.

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Yes

You can submit vulnerabilities here: https://glowing.com/security. Glow shares more information for security researchers on a security page on their website.

Privacy policy

Yes

Does the product use AI?

Yes

Glow predicts women's chance/risk of pregnancy with machine-learning technology.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Perceived chance to get pregnant

Is the company transparent about how the AI works?

No

We found no sources/white papers about how their AI algorithms work

Does the user have control over the AI features?

No

We found no AI controls in the app

Dive Deeper

  • Serious Privacy Flaws Discovered In Glow Fertility Tracker App
    TechCrunch
  • Glow Pregnancy App Exposed Women to Privacy Threats, Consumer Reports Finds
    Consumer Reports
  • Attorney General Becerra Announces Landmark Settlement Against Glow, Inc. – Fertility App Risked Exposing Millions of Women’s Personal and Medical Information
    State of California Department of Justice Office of the Attorney General
  • California Settles with Glow App Over Alleged Privacy and Security Violations
    WilmerHale
  • Supreme Court overturns Roe v. Wade: Should you delete your period-tracking app?
    TechCrunch
  • ‘Delete every digital trace of any menstrual tracking’: Are period-tracking apps safe to use in a post-Roe world?
    MarketWatch
  • Forget Tracking Your Period—Your Period (App) Is Tracking You
    Marie Claire
  • Fertility and Period Apps Can Be Weaponized in a Post-Roe World
    Wired
  • The data flows: How private are popular period tracker apps?
    Surfshark
