Warning: *Privacy Not Included with this product
My Calendar Period Tracker
Here's a period tracking app with over 10 million downloads on the Google Play store that feels rather sketchy to us. Made by app developer AppManage Group #1, LLC under the alias of Simple Innovation, we're left with more questions than answers when we try to learn more about the company. Simple Innovation's website is, well, really quite simple. They seem to make four apps in total that they call "simple delights": this period tracking app, a weight tracking app, an egg timer app, and a steak timer app. That's quite the diversity of apps there. They say the period tracking app "is an extremely elegant and easy-to-use application that helps women keep track of periods, cycle, ovulation, and fertile days."
Good luck finding a privacy policy on Simple Innovation's website though, there's not one linked there we could find, which is kinda bad. We did find a security page that told us how to report security vulnerabilities, which is good, we do like to see that information provided. But when it's about the only information provided on the website, we do get a little worried. We did manage to find two separate links to privacy policies on the app pages in the Google Play store and the Apple App store. The privacy policy for the My Calendar Period Tracker app linked from the Google Play store was last updated in March 2021 and the privacy policy linked from the Apple App store was last updated in December 2019. None of this bodes well for the privacy of this period tracking app. In fact, we'd say, their privacy protections look rather questionable and, unfortunately, their security protections look just as bad.
What could happen if something goes wrong?
There is something kinda funny and also kinda not really funny at all when you see that a period tracking app and an egg timer app made by the same company have basically the same boilerplate privacy policy. We suppose they both kinda deal with eggs, right? It's just that one app could potentially leak or share data that could get you harassed or arrested in states where abortion is no longer legal and the other could leak that you like to hard boil your eggs in your home 5 times a week. See, funny and really not funny at all.
One thing your friendly privacy researchers here at *Privacy Not Included really, really dislike is vagueness in privacy policies. The privacy policy of My Calendar Period Tracker is pretty vague. It says things like, "Information is automatically collected when you use our App. Information collected may include usage details, metadata, and real-time information about the location of your device. We do not generally collect or store information by which we ourselves may personally identify you…" That "may" and "generally" there leave wiggle room we don't feel comfortable with when it comes to what data may be collected on you, especially personally identifiable data and real-time location data.
Another thing your friendly privacy researchers hate is things that make no sense. To us, it makes no sense that the privacy policy says they generally don't collect data that may personally identify you, while stating on the data security section of their Apple App store app page that they use "identifiers" to track you (this could include things like advertising or device IDs, which, eh, aren't exactly your name or email address, but still can be linked to you) and that sensitive information and contact info may be data linked to you. And their Google Play store page clearly states in their data security section that data collected may include name, email, and user IDs. In that same section on the app page, the company says that no data is shared with third parties. And the privacy policy lists a whole host of third-party advertisers like Google, Facebook, and Amazon they share data with. All this leaves us scratching our heads. It's also fair to note that Google's own rules for how information is self-reported from companies on these data safety pages are rather confusing and befuddling at times to us.
My Calendar Period Tracker does say they may share some user data with third parties for advertising and personalization services. And they say they "may use and disclose aggregated, or otherwise anonymized information that does not relate to an identifiable natural person without restriction." Now is a good time to remind you that it has been found to be pretty easy to de-anonymize such data, especially if location data is included.
So, the My Calendar Period Tracker app collects data that may or may not be personally identifiable (precise location data is generally pretty identifiable). And they say "When you use the App on an Apple or Android mobile device, certain third parties may use automatic information collection technologies to collect information about you or your device. These third parties may include advertisers, ad networks, ad servers, and analytics companies." So, third parties are collecting information on you as you use this app, including Facebook, Amazon, and other advertising networks. My Calendar also says they can use anonymized information without restriction, even though that data can sometimes be re-identified.
Then there is how My Calendar says they can share information with law enforcement. Here they are very vague. All we found in their privacy policy was this statement, which doesn't inspire a whole lot of confidence that they won't voluntarily disclose their users' data: "We use the information collected through the App to … comply with any court order, law, or legal process."
None of these things makes us feel all that good about the privacy practices of the My Calendar Period Tracker app. Good to note too, that Consumer Reports also had concerns about this app when they reviewed it back in 2020.
And while privacy is a concern with this app, we found security to be an even bigger concern. We were able to log into the app using the incredibly insecure password of "1". Yup, one 1 was allowed as a password for an app that tracks your period. That's pretty bad. All in all, we just don't trust the security of this app. Although, they did make a point of having a way to report security vulnerabilities on a website that contains little other information. Which, on the one hand, is good, we like to see that information made available. It also raises some questions as they didn't feel the need to provide much other information on their website about the company or their privacy policies, which makes us wonder if they expect or experience a lot of security vulnerabilities? We just don't know.
What's the worst that could happen with this period tracking app? Dear lord, please don't download it and find out. Its privacy practices are questionable, at best. Its security practices are weak, at best. The My Calendar Period Tracker app leaves us with way too many questions to feel comfortable. Shoot, we don't even think we'd trust downloading the egg timer app this company makes. There's just too big a chance this app comes with *Privacy Not Included.
Tips to protect yourself
- Add a PIN for your calendar if someone else might be using your phone/other device
- When you no longer use the app, go to "Delete all data and reset" in the app menu
- Choose a strong password! You may use a password control tool like 1Password, KeePass, etc.
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images and videos)
- Keep your app regularly updated
- Limit ad tracking via your device (e.g. on iPhone go to Privacy -> Advertising -> Limit ad tracking) and the biggest ad networks (for Google, go to your Google account and turn off ad personalization)
Can it snoop on me?
Camera
Device: N/A
App: No
Microphone
Device: N/A
App: No
Tracks location
Device: N/A
App: Yes
What can be used to sign up?
Yes
Phone
No
Third-party account
No
What data does the company collect?
Personal
Real-time location
Body related
Moods, symptoms, temperature, weight, sexual activity, contraception used, medicine taken, etc.
Social
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
No known privacy or security incidents discovered in the last 3 years.
Can this product be used offline?
User-friendly privacy information?
They had different privacy policies linked from the different Google and Apple app stores. There was no privacy policy we could find linked off of their website.
Links to privacy information
Does this product meet our Minimum Security Standards?
Encryption
Strong password
Managed to sign up with "1" as a password
Security updates
Manages vulnerabilities
If you believe you’ve found a security vulnerability in the software please email it to [email protected].
Privacy policy
Dive Deeper
- The data flows: How private are popular period tracker apps? (Surfshark)
- Forget Tracking Your Period—Your Period (App) Is Tracking You (Marie Claire)
- Supreme Court overturns Roe v. Wade: Should you delete your period-tracking app? (TechCrunch)