
Ostrzeżenie: *Prywatność dla tego produktu do nabycia osobno
My Calendar Period Tracker
Here's a period tracking app with over 10 million downloads on the Google Play store that feels rather sketchy to us. Made by app developer AppManage Group #1, LLC under the alias of Simple Innovation, we're left with more questions than answers when we try to learn more about the company. Simple Innovations website is, well, really quite simple. They seem to make four apps in total that they call "simple delights": this period tracking app, a weight tracking app, an egg timer app, and a steak timer app. That's quite the diversity of apps there. They say the period tracking app "is an extremely elegant and easy-to-use application that helps women keep track of periods, cycle, ovulation, and fertile days."
Good luck finding a privacy policy on Simple Innovation's website though, there's not one linked there we could find, which is kinda bad. We did find a security page that told us how to report security vulnerabilities, which is good, we do like to see that information provided. But when it's about the only information provided on the website, we do get a little worried. We did manage to find two separate links to privacy policies on the app pages in the Google Play store and the Apple App store. The privacy policy for the My Calendar Period Tracker app linked from the Google Play was last updated in March, 2021 and the privacy policy linked from the Apple App stores was last updated December, 2019. None of this bodes well for the privacy of this period tracking app. In fact, we'd say, their privacy protections look rather questionable and, unfortunately, their security protections look just as bad.
Co się może stać, jeśli coś pójdzie nie tak?
There is something kinda funny and also kinda not really funny at all when you see that a period tracking app and an egg timer app made by the same company have basically the same boilerplate privacy policy. We suppose they both kinda deal with eggs, right? It's just that one app could potentially leak or share data that could get you harassed or arrested in states where abortion is no longer legal and the other could leak that you like to hard boil your eggs in your home 5 times a week. See, funny and really not funny at all.
One thing your friendly privacy researchers here at *Privacy Not Included really, really dislike is vagueness in privacy policies. The privacy policy of My Calendar Period Tracker is pretty vague. It says things like, "Information is automatically collected when you use our App. Information collected may include usage details, metadata, and real-time information about the location of your device. We do not generally collect or store information by which we ourselves may personally identify you…" That "may" and "generally" there leave wiggle room we don't feel comfortable with when it comes to what data may be collected on you, especially personally identifiable data and real-time location data.
Another thing your friendly privacy researchers hate is things that make no sense. To us, it makes no sense that the privacy policy says they generally don't collect data that may personally identify you, while stating on the data security section of their Apple App store app page that they use "identifiers" to track you (this could include things like advertising or device IDs, which, eh, aren't exactly your name or email address, but still can be linked to you) and that sensitive information and contact info may be data linked to you. And their Google Play store page clearly states in their data security section that data collected may include name, email, and user IDs. In that same section on the app page, the company says that no data is shared with third parties. And the privacy policy lists a whole host of third-party advertisers like Google, Facebook, and Amazon they share they share data with. All this leaves us scratching our heads. It's also fair to note that Google's own rules for how information is self-reported from companies on these data safety pages is rather confusing and befuddling at times to us.
My Calendar Period Tracker does say they may share some user data with third parties for advertising and personalization services. And they say they "may use and disclose aggregated, or otherwise anonymized information that does not relate to an identifiable natural person without restriction." Now is a good time to remind you that it has been found to be pretty easy to de-anonymize such data, especially if location data is included.
So, the My Calendar Period Tracker app collects data that may or may not be personally identifiable (precise location data is generally pretty identifiable). And they say "When you use the App on an Apple or Android mobile device, certain third parties may use automatic information collection technologies to collect information about you or your device. These third parties may include advertisers, ad networks, ad servers, and analytics companies." So, third parties are collecting information on you as you use this app, including Facebook, Amazon, and other advertising networks. My Calendar also says they can use anonymized information without restriction, even though that data can sometimes be re-identified.
Then there is how My Calendar says they can share information with law enforcement. Here they are very vague. All we found in their privacy policy was this statement, which doesn't inspire a whole lot of confidence that they won't voluntarily disclose their user's data: "We use the information collected through the App to … comply with any court order, law, or legal process."
None of these things makes us feel all that good about the privacy practices of the My Calendar Period Tracker app. Good to note too, that Consumer Reports also had concerns about this app when they reviewed it back in 2020.
And while privacy is a concern with this app, we found security to be an even bigger concern. We were able to log into the app using the incredibly insecure password of "1". Yup, one 1 was allowed as a password for an app that tracks your period. That's pretty bad. All in all, we just don't trust the security of this app. Although, they did make a point of having a way to report security vulnerabilities on a website that contain little other information. Which, on the one hand, is good, we like to see that information made available. It also raises some questions as they didn't feel the need to provide much other information on their website about the company or their privacy policies, which makes us wonder if they expect or experience a lot of security vulnerabilities? We just don't know.
What's the worst that could happen with this period tracking app. Dear lord, please don't download it and find out. It's privacy practices are questionable, at best. It's security practices are weak, at best. The My Calendar Period Tracker app leaves us with way too many questions to feel comfortable. Shoot, we don't even think we'd trust downloading the egg timer app this company makes. There's just too big a chance this app comes with *Privacy Not Included.
Wskazówki, jak się chronić
- Add a PIN for your calendar if someone else might be using your phone/other device
- When you no longer use the app, go to "Delete all data and reset" in the app menu
- Chose a strong password! You may use a password control tool like 1Password, KeePass etc
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images and videos)
- Keep your app regularly updated
- Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
Czy może mnie podsłuchiwać?
Aparat
Urządzenie: Nie dotyczy
Aplikacja: Nie
Mikrofon
Urządzenie: Nie dotyczy
Aplikacja: Nie
Śledzi położenie
Urządzenie: Nie dotyczy
Aplikacja: Tak
Czego można użyć do rejestracji?
Tak
Telefon
Nie
Konto firmy trzeciej
Nie
Jakie dane zbiera ta firma?
Osobiste
Real-time location
Związane z ciałem
Moods, symptoms, temperature, weight, sexual activity, contraception used, medicine taken, etc.
Społecznościowe
Jak ta firma wykorzystuje te dane?
Jak możesz kontrolować swoje dane?
Jaka jest znana historia tej firmy w zakresie ochrony danych użytkowników?
No known privacy or security incidents discovered in the last 3 years.
Czy ten produkt może być używany bez połączenia z siecią?
Przyjazne dla użytkownika informacje o prywatności?
They had different privacy policies linked from the different Google and Apple apps stores. There was no privacy policy we could find linked off of their website.
Odnośniki do informacji o prywatności
Czy ten produkt spełnia nasze minimalne standardy bezpieczeństwa?
Szyfrowanie
Silne hasło
Managed to sign up with "1" as a password
Aktualizacje zabezpieczeń
Zajmuje się problemami z bezpieczeństwem
If you believe you’ve found a security vulnerability in the software please email it to [email protected].
Zasady ochrony prywatności
Dowiedz się więcej
-
The data flows: How private are popular period tracker apps?Surfshark
-
Forget Tracking Your Period—Your Period (App) Is Tracking YouMarie Claire
-
Supreme Court overturns Roe v. Wade: Should you delete your period-tracking app?TechCrunch
Komentarze
Masz uwagi? Podziel się nimi z nami.