My Calendar Period Tracker

Warning: *Privacy Not Included with this product

Review date: August 9, 2022

Mozilla says:

People voted: Super creepy

Here's a period tracking app with over 10 million downloads on the Google Play store that feels rather sketchy to us. Made by app developer AppManage Group #1, LLC under the alias of Simple Innovation, we're left with more questions than answers when we try to learn more about the company. Simple Innovation's website is, well, really quite simple. They seem to make four apps in total that they call "simple delights": this period tracking app, a weight tracking app, an egg timer app, and a steak timer app. That's quite the diversity of apps there. They say the period tracking app "is an extremely elegant and easy-to-use application that helps women keep track of periods, cycle, ovulation, and fertile days."

Good luck finding a privacy policy on Simple Innovation's website though. There's not one linked there that we could find, which is kinda bad. We did find a security page that told us how to report security vulnerabilities, which is good; we do like to see that information provided. But when it's about the only information provided on the website, we do get a little worried. We did manage to find two separate links to privacy policies on the app pages in the Google Play store and the Apple App store. The privacy policy for the My Calendar Period Tracker app linked from the Google Play store was last updated in March 2021 and the privacy policy linked from the Apple App store was last updated in December 2019. None of this bodes well for the privacy of this period tracking app. In fact, we'd say their privacy protections look rather questionable and, unfortunately, their security protections look just as bad.

What could happen if something goes wrong?

There is something kinda funny and also kinda not really funny at all when you see that a period tracking app and an egg timer app made by the same company have basically the same boilerplate privacy policy. We suppose they both kinda deal with eggs, right? It's just that one app could potentially leak or share data that could get you harassed or arrested in states where abortion is no longer legal and the other could leak that you like to hard boil your eggs in your home 5 times a week. See, funny and really not funny at all.

One thing your friendly privacy researchers here at *Privacy Not Included really, really dislike is vagueness in privacy policies. The privacy policy of My Calendar Period Tracker is pretty vague. It says things like, "Information is automatically collected when you use our App. Information collected may include usage details, metadata, and real-time information about the location of your device. We do not generally collect or store information by which we ourselves may personally identify you…" That "may" and "generally" there leave wiggle room we don't feel comfortable with when it comes to what data may be collected on you, especially personally identifiable data and real-time location data.

Another thing your friendly privacy researchers hate is things that make no sense. To us, it makes no sense that the privacy policy says they generally don't collect data that may personally identify you, while stating in the data security section of their Apple App store app page that they use "identifiers" to track you (this could include things like advertising or device IDs, which, eh, aren't exactly your name or email address, but still can be linked to you) and that sensitive information and contact info may be data linked to you. And their Google Play store page clearly states in their data security section that data collected may include name, email, and user IDs. In that same section on the app page, the company says that no data is shared with third parties. And the privacy policy lists a whole host of third-party advertisers like Google, Facebook, and Amazon they share data with. All this leaves us scratching our heads. It's also fair to note that Google's own rules for how information is self-reported from companies on these data safety pages are rather confusing and befuddling at times to us.

My Calendar Period Tracker does say they may share some user data with third parties for advertising and personalization services. And they say they "may use and disclose aggregated, or otherwise anonymized information that does not relate to an identifiable natural person without restriction." Now is a good time to remind you that it has been found to be pretty easy to de-anonymize such data, especially if location data is included.

So, the My Calendar Period Tracker app collects data that may or may not be personally identifiable (precise location data is generally pretty identifiable). And they say "When you use the App on an Apple or Android mobile device, certain third parties may use automatic information collection technologies to collect information about you or your device. These third parties may include advertisers, ad networks, ad servers, and analytics companies." So, third parties are collecting information on you as you use this app, including Facebook, Amazon, and other advertising networks. My Calendar also says they can use anonymized information without restriction, even though that data can sometimes be re-identified.

Then there is how My Calendar says they can share information with law enforcement. Here they are very vague. All we found in their privacy policy was this statement, which doesn't inspire a whole lot of confidence that they won't voluntarily disclose their users' data: "We use the information collected through the App to … comply with any court order, law, or legal process."

None of these things makes us feel all that good about the privacy practices of the My Calendar Period Tracker app. Good to note too, that Consumer Reports also had concerns about this app when they reviewed it back in 2020.

And while privacy is a concern with this app, we found security to be an even bigger concern. We were able to log into the app using the incredibly insecure password of "1". Yup, one 1 was allowed as a password for an app that tracks your period. That's pretty bad. All in all, we just don't trust the security of this app. Although, they did make a point of having a way to report security vulnerabilities on a website that contains little other information. Which, on the one hand, is good, we like to see that information made available. It also raises some questions as they didn't feel the need to provide much other information on their website about the company or their privacy policies, which makes us wonder if they expect or experience a lot of security vulnerabilities? We just don't know.

What's the worst that could happen with this period tracking app? Dear lord, please don't download it and find out. Its privacy practices are questionable, at best. Its security practices are weak, at best. The My Calendar Period Tracker app leaves us with way too many questions to feel comfortable. Shoot, we don't even think we'd trust downloading the egg timer app this company makes. There's just too big a chance this app comes with *Privacy Not Included.

Tips to protect yourself

  • Add a PIN for your calendar if someone else might be using your phone/other device
  • When you no longer use the app, go to "Delete all data and reset" in the app menu
  • Choose a strong password! You may use a password control tool like 1Password, KeePass, etc.
  • Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images and videos)
  • Keep your app regularly updated
  • Limit ad tracking via your device (e.g. on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)

Can it snoop on me?

Camera

Device: N/A

App: No

Microphone

Device: N/A

App: No

Tracks location

Device: N/A

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product for sharing real-time location data for advertisement. And for using some collected data without restriction.

"The Company may use and disclose aggregated, or otherwise anonymized information that does not relate to an identifiable natural person without restriction." It means that the data may be sold. Given that the company collects metadata and real-time location data, it raises privacy concerns.

"The Company provides the advertising ID generated by the Apple or Android mobile device (which is a non-persistent identifier of your device that you can reset at any time) and may also provide real-time location data, usage data, or other information related to your use of the App and other services via your mobile device (but will not provide your name, or your email address,) to these third-party ad servers or ad networks (“Advertisers”). Advertisers may also use tracking technologies to collect information about you when you use the App. Advertisers may collect information about online activities over time and across different websites, apps and other online services websites under a specific advertising ID. Advertisers may use this information (including the information we provide to them) to provide interest-based (behavioral) advertising or other targeted content to your mobile device."

The privacy policy lists advertisers such as Facebook, Google, Amazon, etc.

"Information is automatically collected when you use our App. Information collected may include usage details, metadata, and real-time information about the location of your device. We do not generally collect or store information by which we ourselves may personally identify you (“Personally Identifiable Information” or “PII”) through the App."

"We may also use information that we cannot use to identify you personally in order to optimize and to improve our services; to provide custom, personalized content in the App; to display targeted advertisements; for any other purpose disclosed by us when you provide the information or to protect the rights, property, or safety of the Company, our customers or others."

How the company says they may share data with law enforcement:
"We use the information collected through the App to […] comply with any court order, law, or legal process."

How can you control your data?

We ding this app because no clear data retention details are mentioned and it is not clear that every user of the app has the same right to access and delete any data this app collects.

If for any reason you wish your user data to be deleted from the app's systems, you may send an email to [[email protected]] with the subject "Delete Data Request". Note, we reached out to this email address with our privacy-related questions three times and never received a response.

No retention details are mentioned.

Their privacy policy states, "Should you not wish to have your information gathered or used as described in this policy, you may uninstall the App from the device(s) on which you have downloaded it." AND "You can stop all collection of information by the App by uninstalling the App"

What is the company's known track record of protecting users' data?

Average

No known privacy or security incidents discovered in the last 3 years.

Can this product be used offline?

Yes

User-friendly privacy information?

No

They had different privacy policies linked from the different Google and Apple app stores. There was no privacy policy we could find linked off of their website.

Links to privacy information

Does this product meet our Minimum Security Standards?

No

Encryption

Yes

Strong password

No

Managed to sign up with "1" as a password

Security updates

Yes

Manages vulnerabilities

Yes

If you believe you’ve found a security vulnerability in the software please email it to [email protected]

Privacy policy

Yes

Does the product use AI?

Can't determine

Is this AI untrustworthy?

Can't determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can't determine

Does the user have control over the AI features?

Can't determine

*Privacy Not Included

Learn more

  • The data flows: How private are popular period tracker apps?
    Surfshark
  • Forget Tracking Your Period—Your Period (App) Is Tracking You
    Marie Claire
  • Supreme Court overturns Roe v. Wade: Should you delete your period-tracking app?
    TechCrunch
