Period Tracker

Being a privacy researcher means reading lots and lots of privacy policies, security documents, and FAQ pages. So when I stumbled across Period Tracker FAQ page, I was rather excited to see a question smack in the middle of the page with the question, "Does Period Tracker sell or share my data with any third parties?" I love it when I find privacy information on FAQ pages! Imagine my disappointment when I clicked on that link and up popped the dreaded "This page doesn't seem to exist." page. Bother! So, back to the privacy policy I head to try and find out if Period Tracker does, indeed, share data with third parties. I wasn't feeling too great about things given the broken link on their FAQ page.

So, does Period Tracker share your data with third parties? The answer seems to be yes, but maybe not too much. Here's what we found. Period Tracker's privacy policy says they share data you directly input into the app under certain circumstances like with "trusted service providers" and "as required by law, such as to comply with a subpoena, or similar legal process," and "when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or to investigate fraud." So, they may share the personal info you input into the app with third parties, but probably (hopefully) not with advertisers.

On that front they say, "We work with advertisers and third party advertising networks, who need to know how you interact with advertising provided in the Application which helps us keep the cost of the Application low. Advertisers and advertising networks use some of the information collected by the Application, including, but not limited to, the unique advertising ID of your mobile device. Data directly inputted by users (ie., periods, notes, email, account info, etc) is not shared with advertisers." So, it seems Period Tracker does share some data with advertisers, but many not things like when your period starts or what your mood is. Still, they do share data with advertisers to target you with ads, which we don't love.

And Period Tracker does say they will share data with law enforcement, but their statement of when and why they do that is a little too vague for our comfort. We would love to see them state clearly that they only share data when required by law enforcement through subpoena and not leave any open questions that they might share data with law enforcement through voluntary disclosure, which we here at Mozilla don't like as a policy.

The biggest concern with have with Period Tracker, alongside their rather short, vague, boilerplate privacy policy, is that their security measures don't meet our Minimum Security Standards. We were able to set the app up using the weak password "1111," which isn't good at all if you're trying to protect sensitive health information on your phone. We also couldn't confirm if they use encryption, which isn't great either, you want the data you share with them to be encrypted in transit and at rest where they store it. We emailed the company three times at the email address listed in their privacy policy for privacy related questions and never received a response. Again, not great. So, we'd say this line in their privacy policy is a good reminder to beware of sharing personal information with this app, "Please be aware that, although we endeavor provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches."

Is Period Tracker the worst period tracking app we reviewed? No, it doesn't seem so. Does it raise red flags for us from a privacy perspective. Yes, absolutely. Their privacy policy is short and vague and leaves us with questions. The privacy question on the FAQ page leads to a broken link, which tells us they aren't super into keeping their privacy information updated for their users. Their security measures are questionable and don't meet our Minimum Security Standards. And they aren't responsive to privacy-related questions. What's the worst that could happen? Well, here's hoping you don't share your period frequency and moods and symptoms with this app and then have that data leaked on the dark web through a security breach where it could be bought up by "anti-abortion activists" looking for data they could us to out someone who may have had an abortion. That would suck really really bad. Here's hoping that never happens.