Ovia Pregnancy

When people ask us here at *Privacy Not Included what we do for a living we often joke that we read privacy policies so you don't have to. Well, you all are going to be super, duper glad we read Ovia's Health App Privacy Policy (they have another one that doesn't cover their apps) because it is 34 pages long with nearly 12,000 words. YIKES! Also, you're welcome.

So, what did we find in Ovia's War and Peace of privacy policies? Well, some stuff that has us worried about your privacy, unfortunately. First, Ovia says they can collect a whole lot of personal information on you. Things like name, email address, location, advertising ID, IP address, data about your activity in the apps, date of birth, cycle type and length, date of last menstrual period, baby’s name or nickname, and expected due date, information you give to Ovia's coaches, and any health tracking data you submit which could include weight, period, moods, symptoms, and more. So, like most fertility tracking apps, Ovia collects a whole lot of personal and usage information. Ovia also has this line in their privacy policy, "For marketing purposes, we may collect personal data about you through social media or from third parties who provide marketing services to us." So yeah, Ovia has a lot of info on you.

How do they say they plan to use this information? Well, in the free consumer version of the app, to show you ads and sponsored content using an advertising profile they create on you (nothing is ever free, remember). Ovia does clarify that they will only share personal information that directly identifies with advertisers and sponsors if you opt-in. We're unsure how clear this opt-in process is, though, so be careful when using the app and don't opt-in to any data sharing that directly identifies you. Ovia also says they can use your information for personalization of content, to send advertising and marketing content, market their products and services, and to conduct clinical and scientific research.

Who does Ovia say they can share the information they collect on you with? Well, a number of third parties, advertisers, health providers and employers it seems. This line from their privacy policy really jumped out at us, "We use Facebook technology in our apps so that users can log on via Facebook. This allows Facebook to collect device information, and data relating to your engagement with our apps, whether or not you use the Facebook login feature. Facebook may use that data to personalize advertising to you, both on and off Facebook." It's no secret we here at *Privacy Not Included are not big fans of Facebook due to their lack of respect for everyone's privacy. The fact that Ovia says they allow Facebook to collect information on their users, whether or not you use the Facebook login feature, really irks us.

There are also some questions that linger about Ovia's data sharing with health providers and employers. In 2019, the Washington Post reported concerns about Ovia sharing health data with employers. According to their privacy policy, Ovia says, "If you receive Ovia as a benefit from your employer, we do not share your health data with your employer unless you expressly opt-in for a specific purpose; … However, we may share personal data with your employer health plan and their business associates, and with employee benefits management vendors, consistent with HIPAA or other privacy laws."
And in 2020, Consumer Reports reported on some concerns about privacy shortcomings period tracking apps, including Ovia, had when it came to the handling of the sensitive user data it can collect.

FInally, Ovia says they use personal information to create de-identified data that they can then use for research purposes. They also say they can use personal data to create aggregated analytic data and statistics which they may share or sell with third parties. Finally, the say they "may disclose or sell de-identified data derived from patient information (as defined by the California Consumer Privacy Act); if so, such patient information is de identified in accordance with HIPAA safe harbor or expert determination de identification requirements." We hope all this de-identified and aggregate data is handled properly so no one can ever be re-identified by their patient or personal data. However, we should mention that it has been found to be relatively easy to re-identify some anonymized data, especially if location data is included.

We do want to give credit where credit is due. Ovia does do a good job explaining how they will handle law enforcement and government requests for their users' data. The have a page on their site that outlines how they handle such data requests and it does all the things we like to see here at Mozilla. They indicate they won't voluntarily disclose users data, that they require valid and legally binding court orders such as subpoenas with clear requests for what data law enforcement is requesting, and that they won't provide data beyond the scope of the valid request and, when possible, will try to limit the scope of data provided. This is all great stuff in our post-Roe v Wade world. Good on you Ovia for providing this clarification.

What's the worst that could happen with Ovia. Well, Ovia does offer coaching services that happen online or over the telephone. And they say that "we collect the information you give to our coaches, which may occur online or through recording of telephone coaching sessions for quality control and monitoring purposes." They also say "your health coach and managers will access your personal data to help you. If you receive Ovia as a benefit from your health insurer or employer health plan, nurse care managers from your health plan (and your employer, if you opt-in to such data sharing) may also have access to your personal data." That's a lot of people who could potentially have access to some sensitive, personal information. Could that data be leaked or shared or accessed by an employee who shouldn't have access or, even worse, handed over to your employer if you weren't clear you were giving consent? It seems possible, if hopefully unlikely. Still, something to consider. And don't forget, Ovia is sharing data about you with Facebook. whether you like it or not. BOO!