Warning: *Privacy Not Included with this product
The good news with the Preglife Pregnancy tracking app — which has things like a contraction counter, pregnancy journal, week to week baby development, tips for pregnant women and their partners, photos of the growing baby, and much more — is that it is created by a Sweden-based company. That means stricter privacy laws are the default thanks to Europe's stricter privacy law known as GDPR. According to Preglife, this app is "used by 90% of mothers-to-be in Sweden" and Sweden has "an almost zero maternal death rate." All that sounds great! And this app does seem to do well from what we can tell from a privacy perspective. However, we had to give it our *Privacy Not Included warning label because it doesn't meet our Minimum Security Standards because it has a fairly weak password requirement. That's a bummer because it has one of the better privacy policies we've read for pregnancy apps.
What could happen if something goes wrong?
As a privacy researcher, it sure is nice (and rare) to read a privacy policy where you can tell the company is trying to actually protect their users' privacy. Preglife's privacy policy is solid. This Sweden-based company does seem to care about, and think through how to protect, their users' privacy. They say they will never share or sell any of your data to third parties unless required to by law or as stipulated in a short list of instances in their privacy policy. We'd love to see that "as required by law" statement clarified a bit more to make it clear they won't do any voluntary disclosure of information to law enforcement. We also understand that at company based in Sweden is potentially going to be less likely to share data with US law enforcement under most circumstances (we hope!).
All in all, Preglife's privacy policy doesn't worry us too much. The best part is they say that users can chose to not register for an account and still use the app. This means that all the personal information you enter into the app will be stored locally on your device and not be processed by Preglife. That's great! It does mean that you won't be able to access that data from another device or retrieve it if it gets accidentally deleted. These feel like small trade-offs to make to protect your personal information though. If you do chose to register for a Preglife account, Preglife says to their Google Play store data safety page they can collect things like email address, user ID, address, and phone number and share that data with third-parties for account management, but hopefully not for advertising purposes.
Preglife's privacy policy also has an entire section on consent, which is amazing and another rare thing to find in privacy policies these days, from our experience. They make it clear when and for what consent is required, which is super nice. Because users can enter a good amount of personal information into Preglife if they chose. Things like email address, estimated due date, data about your child like birth date and age, pictures, pregnancy diary notes, and more. Fortunately, users can choose to not register with the app and keep all this personal information stored locally on their phone where Preglife won't process it.
They do say they "may share aggregate demographic information about Preglife members with third-party organizations and companies as well as with the authorities, Such information cannot be used to identify individual Users" and "We may also share information at aggregate levels with third parties that carry out analyses on our behalf." This is fairly common and aggregate demographic data is, hopefully, better than de-identified user data. Still, it's a good time to slip in this reminder that it has been found to be pretty easy to de-anonymize data, especially if location data is included.
Unfortunately, Preglife does slip up when it comes to their security practices. When we downloaded the device, we found we were able to create and login with the weak password "111111". That's not great. We would love to see them require a stronger password and if you do use this app, please use a stronger password. This weak password requirement, as well as the fact that we were unable to confirm they use encryption at transit and at rest and they have a way to manage security vulnerabilities, means they don't meet our Minimum Security Standards. We did email them four times asking for answers to our privacy-related questions at the address listed in their privacy policy. Unfortunately we never heard back from them, which is a bummer, we love to see companies be more responsive to privacy-related questions from both us and from their users.
What's the worst that could happen with Preglife? Well, we'd hate to see a user download this app because the company does seem to do pretty good with respecting their users' privacy, set the app up and use "111111" as a crappy, weak password, the phone falls into the wrong hands after a miscarried pregnancy, and someone is able to guess the password, access all that personal information, and use against it against someone to raise questions about why their pregnancy ended. No one needs that after the tragedy of a miscarriage. We really hope that never happens! Please always use strong password people!
Tips to protect yourself
- Choose not to register yourself as a User. You can still access and use the app, however, all data will be stored locally and personal information will not be processed by Preglife. The only downside is you will not be able to access the data saved to an account on another device.
- When you no longer use the app, go to "Delete account" in the app menu
- Never enter data for another user in the app without their consent
- Chose a strong password! You may use a password control tool like 1Password or KeePass
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images and videos)
- Keep your app regularly updated
- Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
Can it snoop on me?
Camera
Device: N/A
App: No
Microphone
Device: N/A
App: No
Tracks location
Device: N/A
App: No
What can be used to sign up?
Yes
Phone
No
Third-party account
No
What data does the company collect?
Personal
Body related
Estimated due date, data about the child, medical conditions, vaccines and other health-related data. All usage of the application is done voluntarily and it is always you as User who decides which information you want to enter.
Social
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
No known privacy or security incidents discovered in the last 3 years.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Links to privacy information
Does this product meet our Minimum Security Standards?
Encryption
According to self-reported information from the company in the Google Play store, this app encrypts data in transit. We were unable to confirm they encrypt any data they store on you at rest on their servers.
Strong password
Managed to log in with '111111'. There is at least a requirement for 6 digits minimum.
Comments
Got a comment? Let us hear it.