Period-tracking applications ask users to record some of the most intimate information a technology company can collect.
A typical app may know when a user menstruates, whether a period is late, when the user had sex, whether contraception was used, when symptoms began, whether the user is trying to become pregnant, and whether a pregnancy ended in birth, miscarriage, or abortion.
Those details may be entered gradually, one tap at a time. Together, however, they can create an unusually detailed record of a person’s reproductive health, sexual activity, physical symptoms, habits, and life events.
That makes the privacy practices of period trackers more consequential than those of an ordinary calendar, fitness application, or shopping platform.
On July 16, 2026, Mozilla Foundation published the results of a hands-on privacy investigation of six popular period and ovulation trackers:
- Euki
- Clue
- Flo
- Period Calendar
- Planned Parenthood’s Spot On
- Stardust
The results ranged from a perfect 10 out of 10 for Euki to 2 out of 10 for Stardust. Mozilla’s researchers examined the applications through manual use and network analysis, worked with Harvard’s Berkman Klein Center Transparency Hub to review historical changes to privacy policies, and received additional Android testing assistance from the University of Illinois.
The investigation did not conclude that every lower-scoring app was directly selling menstrual histories or transmitting every recorded symptom to advertisers.
What it found was more nuanced—and in some ways more important.
An app can keep a user’s actual period dates inside its own systems while still telling advertising or analytics companies that a specific device is using a reproductive-health application. An app can protect its central tracking feature while allowing an in-app browser to transmit abortion-provider searches, age information, or the date of a user’s last period. An application can provide meaningful privacy settings while collecting an extensive long-term reproductive-health profile.
The report demonstrates why health privacy cannot be reduced to one question:
Did the company sell the user’s medical data?
A serious privacy assessment must also ask what the app collects, what vendors receive, what can be inferred from contextual signals, whether identifiers persist across services, and whether privacy protections operate automatically or depend on users finding the right setting.
Mozilla’s Period Tracker Privacy Rankings
Mozilla awarded the six applications the following scores:
- Euki: 10/10
- Clue: 8/10
- Flo: 7/10
- Period Calendar: 6/10
- Spot On: 5/10
- Stardust: 2/10
The gap between the highest and lowest scores was not simply based on which app offered the most features.
It reflected fundamentally different privacy architectures.
Euki was designed to avoid receiving most user information in the first place. Other applications collected or processed more information and then relied on policies, consent settings, contracts, analytics configurations, and security controls to manage the resulting risk.
That distinction is central to modern privacy engineering.
The strongest way to protect sensitive information is often not to collect it centrally at all.
Euki Earned 10/10 by Having Almost Nothing to Disclose
Mozilla identified Euki as the clear privacy leader.
Euki is an open-source, nonprofit-operated reproductive-health application. It allows users to track periods, pregnancy-related information, symptoms, and other health details without creating an account.
Most importantly, Euki stores the information entered by a user locally on that user’s device.
The app does not operate a back-end database containing individual cycle histories. It does not require cloud synchronization, and Mozilla found no third-party tracking embedded in the application. Euki also provides features such as optional PIN protection and the ability to delete data from the device.
This design eliminates several risks before they arise.
If Euki does not possess a centralized copy of a user’s health history:
- It cannot sell that history.
- It cannot use it for advertising.
- It cannot disclose it to an analytics provider.
- A breach of Euki’s corporate systems cannot expose a database that does not exist.
- The company cannot be compelled to produce records it never received.
- A third-party vendor cannot misuse data it was never given.
Local storage does not eliminate every possible threat. Someone with access to an unlocked phone could potentially view locally stored information. A user could lose the device or expose it through an insecure backup process.
But Euki’s architecture dramatically reduces corporate and vendor exposure.
The perfect score illustrates a privacy principle that many businesses acknowledge in policy documents but fail to implement technically:
Data minimization is stronger than a promise not to misuse data.
A company may sincerely promise to protect sensitive information. But once it collects that information, it must secure it, govern it, limit employee access, manage vendor access, respond to legal demands, enforce retention, and prepare for breaches.
Euki avoids much of that burden because its central systems do not receive the underlying health record.

Clue Scored 8/10 for Transparency and Meaningful User Choice
Clue, a German period tracker, received the second-highest score.
Mozilla found that Clue collects a substantial amount of health and behavioral information because its core service depends on users entering detailed symptoms and events. Users can record cycle dates, bleeding, cramps, headaches, cravings, stress, sleep, alcohol use, smoking, travel, social activity, and other details.
Clue therefore cannot be described as a low-data application.
What distinguished it was how it handled the information and presented choices to users.
Mozilla found that Clue separated different forms of consent rather than placing analytics, advertising, research, and recommendations behind one broad acceptance button. The app also allowed users to return to those settings and modify their choices later.
During its testing, Mozilla did not observe Clue broadly transmitting sensitive cycle or reproductive-health entries to its outside partners. Its internal analytics did record detailed application events, including timestamps and values associated with certain symptoms, but the researchers did not see those health details being sent to the third parties integrated into the application.
Clue’s result shows that meaningful consent involves more than displaying a privacy policy.
A well-designed consent process should allow users to understand and separately control materially different purposes, such as:
- Operating the application
- Product analytics
- Scientific research
- Personalized recommendations
- Advertising
- External sharing
Consent should also remain accessible after onboarding.
Too many mobile applications treat consent as a single event that occurs while a user is rushing through account setup. Once the user makes a choice, the controls become difficult to find or impossible to reverse.
Clue’s approach appears to give users more continuing control than many consumer applications.
However, Mozilla still found that external providers could receive enough contextual information to recognize that a particular device was using Clue, even when they did not receive the user’s underlying menstrual records.
That remaining exposure helps explain why Clue received an 8 rather than a 10.
Flo Scored 7/10 After Making Significant Privacy Improvements
Flo received a score of 7 out of 10.
The result is notable because Flo has a complicated privacy history.
In 2021, the Federal Trade Commission alleged that Flo had disclosed sensitive health information to marketing and analytics providers after telling users that their information would remain private. The FTC’s complaint identified third parties that included analytics services associated with Facebook and Google, AppsFlyer, Fabric, and Flurry. Flo entered into a settlement requiring, among other obligations, affirmative consent before sharing certain health information and an independent review of its privacy practices.
Mozilla’s 2026 testing found a more privacy-conscious product than that historical record might lead users to expect.
The researchers did not observe Flo sending logged symptoms, fertility predictions, pregnancy details, or cycle classifications to outside analytics and advertising companies during the test.
Flo also provides a feature called Anonymous Mode. When Mozilla enabled it, AppsFlyer communications stopped, and Flo’s traffic began passing through a Cloudflare relay intended to prevent Flo from receiving the user’s original IP address.
However, the timing mattered.
Mozilla enabled Anonymous Mode several minutes after beginning its session. By then, AppsFlyer had already received a device identifier in unencrypted form. The privacy protection worked after activation, but some identifying information had already left the device.
This is an important lesson for privacy engineers.
A privacy-enhancing mode should ideally operate before analytics and attribution software initializes. When tracking begins during an application’s first launch, asking users to locate and activate a protective setting later may be too late to prevent the initial disclosure.
Mozilla also found that Flo maintains an extensive analytics and attribution infrastructure. Although the test did not show detailed reproductive-health information flowing to those third parties, the app itself still develops a highly detailed and structured profile of each user’s health over time.
This presents a different kind of privacy risk.
An app does not need to sell information to create exposure. A large centralized repository of intimate data can create:
- Security risk
- Employee-access risk
- Vendor risk
- Acquisition risk
- Litigation-discovery risk
- Government-demand risk
- Retention risk
- Future secondary-use risk
Flo received credit for more granular controls, clearer explanations, PIN protection, Anonymous Mode, and apparent containment of sensitive health details.
The remaining concern is how much information one company can accumulate about an individual—and how long that information remains useful to the application.
Period Calendar Scored 6/10 Because Advertising Is Built Into the Product
Period Calendar was the only ad-supported application in Mozilla’s review. It received 6 out of 10.
Mozilla did not observe the app directly transmitting logged cycle information, contraceptive choices, or symptoms to advertisers.
Nevertheless, the application began sending device and advertising signals to outside companies as soon as it opened. Mozilla observed information such as device model, screen dimensions, timezone, and persistent identifiers being transmitted to advertising systems operated by companies including Google and InMobi.
Each transmission also identified the application from which it originated.
That is where context becomes sensitive.
An advertising company may not need to receive a user’s exact period date to learn something about reproductive health. Knowing that a persistent device identifier regularly uses an application called “Period Calendar” is itself a reproductive-health signal.
That signal can become part of a larger advertising profile assembled from activity across applications, websites, locations, purchases, and devices.
This is sometimes treated as harmless metadata because it does not contain the obvious health record.
But metadata can become highly revealing when connected to context.
Consider the difference between these two technical events:
- Device 123 opened a generic utility application.
- Device 123 opened a period and ovulation tracker.
The fields may look similar in a network log. Their privacy implications are not.
Mozilla found no complete in-app mechanism for disabling the advertising ecosystem on which Period Calendar depends. The app’s policy instead directs users toward external Google settings for managing ad personalization.
That arrangement shifts the compliance burden from the business to the consumer.
A user must understand which advertising systems are involved, locate settings maintained by a separate company, and determine whether disabling personalization actually prevents collection or merely changes how information is used.
For an application processing reproductive-health context, that is an inadequate model of privacy by default.
Spot On Scored 5/10 Because Privacy Broke at the Web Boundary
Planned Parenthood’s Spot On application received 5 out of 10.
Mozilla found that the application’s core features performed relatively well. Users could track cycles, log symptoms, and establish birth-control reminders without the researchers observing those activities being shared with external advertising companies.
The privacy problems emerged when users left the native app experience and entered web pages through Spot On’s in-app browser.
Features such as the provider finder and Roo sexual-health chatbot opened Planned Parenthood web content. At that point, website tracking technologies activated.
During provider searches, Mozilla observed the user’s city and the type of medical care being sought transmitted to AB Tasty, a web analytics and personalization company. During searches for abortion providers, the transmitted details also included the user’s age and the date of the last menstrual period entered into the search.
That is not merely generic website telemetry.
The combination of location, requested service, age, and last menstrual period can reveal exceptionally sensitive reproductive-health circumstances.
Mozilla also observed several trackers loading when the Roo chatbot page opened, including services associated with Google, Microsoft, TikTok, and Pinterest. The researchers did not see the sensitive substance of questions submitted to Roo transmitted to those companies. The observed information was more contextual, such as operating system, language, visit time, and identifiers associated with the session.
Still, the context itself mattered.
A third party may not know what question a user asked. It may know that a recognizable device visited a sexual-health chatbot operated by Planned Parenthood at a specific time.
Spot On demonstrates a recurring failure in privacy programs: organizations evaluate a native application and website as separate products even when the user experiences them as one continuous service.
From the user’s perspective, tapping a button inside Spot On does not feel like leaving a privacy-protected environment. The page opens inside the application. The brand remains Planned Parenthood. The transition may be nearly invisible.
Technically, however, the user has entered a different tracking environment.
Companies must therefore assess the full journey rather than only the primary interface.
An application cannot credibly claim that a sensitive workflow is private when the final step opens a webpage containing analytics and advertising technologies that were never approved for the original health-data context.
Stardust Received 2/10 After Mozilla Observed Symptom Data Reaching RudderStack
Stardust received the lowest score in Mozilla’s investigation: 2 out of 10.
The astrology-themed period tracker allows users to record a wide range of reproductive-health and lifestyle details, including moods, cramps, appetite, pregnancy status, birth-control use, and other symptoms.
Mozilla identified RudderStack as the one outside partner observed receiving detailed health information directly. When researchers entered a symptom, RudderStack received the symptom, the time it was recorded, and a persistent user identifier.
Stardust told Mozilla that RudderStack functions as an intermediary that carries information into Stardust’s own analytics environment. The company also said it did not provide RudderStack with information that identifies the user.
That distinction deserves careful examination.
A company may argue that a vendor merely transports data on its behalf and does not independently use it. That may reduce certain risks, depending on the contract and technical configuration.
But transmitting reproductive-health events to an analytics intermediary still means another company’s infrastructure processes the information.
The privacy assessment should therefore consider:
- Whether the vendor can access the data
- Whether the data is encrypted in transit and at rest
- Whether persistent identifiers can be connected to a person
- Whether the vendor may use telemetry for its own purposes
- How long the vendor retains event data
- Which subprocessors are involved
- Whether data is used to improve the vendor’s services
- What happens when the contract ends
- Whether deletion requests flow downstream
- Whether security incidents must be reported promptly
Mozilla also highlighted Stardust’s history of marketing itself as an encrypted, privacy-safe service following the overturning of Roe v. Wade. Reporters later questioned whether its encryption claims implied stronger end-to-end protection than the application actually provided, and the language was subsequently removed.
The episode illustrates the danger of privacy-washing.
Terms such as “encrypted,” “anonymous,” “private,” and “secure” are not interchangeable.
A service may encrypt data while it travels over the internet but retain readable copies on its own servers. It may remove a person’s name while preserving a stable identifier that allows activity to be connected over time. It may describe data as anonymous even when the surrounding attributes make reidentification possible.
Privacy claims must identify what protection exists, which data it covers, who holds the keys, and who can still access the information.
Why the App’s Name Can Be Sensitive Data
One of Mozilla’s most important findings is that simply revealing the use of a period tracker can create privacy risk.
Traditional compliance reviews often focus on the contents of form fields.
Did the tracker transmit “pregnant”? Did an advertising pixel receive “abortion”? Did an analytics event include a menstrual date?
Those questions remain essential, but they are incomplete.
The name of the application, the page URL, the button selected, the service category, and the destination of a provider search can all communicate sensitive meaning.
A persistent advertising identifier associated with a reproductive-health app can be combined with other signals, including:
- Location
- Search history
- Pharmacy visits
- Clinic visits
- Purchasing activity
- Website browsing
- Demographic information
- Device graph data
- Other health application use
The resulting profile may reveal more than any single field.
Privacy programs must therefore evaluate semantic context, not merely data types.
A device identifier may look like ordinary pseudonymous technical data. When attached to a reproductive-health event, it can become sensitive health information.
The In-App Browser Is a Major Compliance Blind Spot
Mozilla’s findings regarding Spot On demonstrate how quickly privacy controls can fail when an application opens web content.
Native mobile applications and webpages often use different development teams, consent systems, analytics platforms, vendors, and configuration processes.
A company may remove tracking software from the app but leave the same tracking active on the website. When the website appears inside an in-app browser, the company may not recognize that the sensitive application workflow has crossed into an uncontrolled web environment.
Organizations offering health, financial, legal, insurance, or children’s services should test every external transition.
That includes:
- Provider directories
- Appointment pages
- Chatbots
- Knowledge centers
- Payment pages
- Authentication screens
- Help centers
- Embedded videos
- Surveys
- Customer-support portals
The privacy review should capture the exact parameters transmitted during each interaction.
A generic scan of the homepage will not reveal what happens after a user selects “abortion care,” enters a ZIP code, reports a last menstrual period, or opens a health chatbot.
Most Consumer Health Apps Are Not Automatically Protected by HIPAA
Consumers frequently assume that any application processing health information must comply with the Health Insurance Portability and Accountability Act.
That is not correct.
HIPAA generally applies to covered healthcare providers, health plans, healthcare clearinghouses, and qualifying business associates. A direct-to-consumer health application may fall outside HIPAA when it is not operating for a covered entity or business associate. HHS specifically notes that HIPAA may not protect health information a person voluntarily enters into an app offered by an entity that is not regulated by HIPAA.
That does not mean health applications operate without legal obligations.
The FTC’s Health Breach Notification Rule applies to certain vendors of personal health records and related entities outside HIPAA. The FTC amended the rule in 2024 to clarify its application to health apps and similar technologies. The amended rule also recognizes that an unauthorized disclosure by the company itself—not only an external cyberattack—can constitute a breach requiring notification.
Health applications may also be subject to:
- The FTC Act’s prohibition against deceptive or unfair practices
- State consumer privacy laws
- State consumer health-data statutes
- State breach-notification laws
- Biometric and genetic privacy laws
- Contractual promises
- App-store requirements
- International privacy laws
A privacy policy that promises not to share health information can itself create enforcement exposure when the company’s software sends inconsistent data to analytics or advertising vendors.
The FTC’s prior case against Flo is a clear example of why product behavior must match public representations.
What Period Tracker Developers Should Learn From Mozilla’s Test
The Mozilla investigation should be treated as a product-design audit, not merely a consumer-app ranking.
Keep Sensitive Data on the Device When Possible
Euki’s result demonstrates the value of local processing.
Not every application can operate entirely without cloud infrastructure. Features such as account recovery, synchronization, research programs, remote access, and cross-device services may require server-side processing.
But developers should still ask which functions genuinely require centralized collection.
Predictions may sometimes be calculated locally. Sensitive events can be separated from account information. Cloud backup can be optional rather than automatic.
Do Not Initialize Trackers Before Consent
Privacy controls lose much of their value when identifiers are transmitted during startup and the protective setting appears later.
Consent and privacy-state checks should occur before analytics, attribution, advertising, or personalization software loads.
Treat App Identity as Sensitive Context
Developers should assume that disclosing an app name, package identifier, page path, or event label can reveal the nature of the service.
Analytics schemas should be reviewed for semantic meaning, not just obvious health fields.
Audit In-App Browsers and Linked Webpages
Every page opened inside an application should be tested as part of the application’s privacy environment.
Sensitive flows should not inherit a generic marketing website’s tag-manager configuration.
Separate Essential Analytics From Advertising
A company may legitimately need limited operational analytics to diagnose crashes, measure performance, or understand feature reliability.
That does not justify loading a broad advertising and attribution ecosystem into a reproductive-health service.
Verify Every Public Privacy Claim
Statements such as “we never share your data,” “anonymous,” or “end-to-end encrypted” must be technically accurate and appropriately qualified.
Marketing language should be reviewed against network behavior, vendor contracts, and system architecture.
Apply Vendor Governance to Analytics Providers
An analytics platform processing health events is not merely a marketing tool. It is part of the regulated data environment.
The provider should be assessed, contracted, monitored, and included in data maps, retention schedules, incident-response plans, and deletion workflows.
Privacy Should Not Become More Work for the User
One theme in Mozilla’s findings is the amount of labor placed on consumers.
Users may be expected to:
- Reject operating-system tracking
- Find an anonymous mode
- Disable ad personalization in a separate Google account
- Avoid certain in-app pages
- Use a different mobile browser
- Limit which symptoms they record
- Review privacy settings after every update
- Understand the difference between native and web environments
Those steps may reduce risk. But they are not substitutes for responsible product design.
The person seeking to track a period, monitor birth control, understand a symptom, or locate reproductive care should not need to operate as a forensic privacy engineer.
For highly sensitive applications, privacy should be the default state.
The Captain Compliance View
Mozilla’s investigation reinforces a principle that applies far beyond period trackers:
The greatest privacy risks frequently exist in the connections between systems.
An application may protect its primary database but expose context through an analytics vendor. A native feature may be private while its linked webpage is not. A consent toggle may function correctly after a device identifier has already been transmitted. A privacy policy may address health records while ignoring metadata that communicates the same information indirectly.
Captain Compliance helps organizations operationalize privacy across these boundaries through data mapping, vendor governance, consent management, tracking detection, privacy assessments, consumer-rights workflows, and ongoing monitoring.
For health applications, a defensible privacy program should be able to answer:
- What information does each feature collect?
- Which processing occurs locally?
- Which data leaves the device?
- Which vendors receive it?
- Which identifiers accompany it?
- What can those vendors infer?
- What consent applies?
- Can the user later withdraw that consent?
- Does the privacy notice accurately describe the behavior?
- Do linked webpages follow the same standard?
- Can the organization honor deletion requests across every recipient?
- Is the company prepared to respond to an unauthorized disclosure?
Mozilla’s results show that period trackers do not all make the same privacy tradeoffs.
One application earned a perfect score because it was designed around a simple principle: the company cannot leak a reproductive-health database that it never collects.
That should not be viewed as an unusual feature.
For data this sensitive, it should be the standard against which every application is measured.
Frequently Asked Questions
Which period tracker received Mozilla’s highest privacy score?
Euki received 10 out of 10. Mozilla found that the app keeps entered health information on the user’s device, does not require an account, and does not include third-party tracking.
Which app received the lowest score?
Stardust received 2 out of 10. Mozilla observed symptom information, timestamps, and a persistent identifier being transmitted through RudderStack.
Did Mozilla find every period tracker selling menstrual data?
No. The findings were more complex. Some apps kept direct cycle information inside their own systems while still transmitting device identifiers, analytics events, app identity, or sensitive webpage activity to third parties.
Why is knowing that someone uses a period tracker sensitive?
The use of a reproductive-health application can become part of an advertising or behavioral profile. When combined with location, browsing, purchasing, and other signals, it may permit sensitive inferences about health or pregnancy.
Are period trackers covered by HIPAA?
Not necessarily. Many direct-to-consumer health applications are not HIPAA-covered entities or business associates. Other requirements, including the FTC Act, the FTC Health Breach Notification Rule, and state privacy laws, may still apply.
What is the privacy risk of an in-app browser?
An in-app browser can load a company’s ordinary website, including its analytics and advertising trackers. Users may believe they remain inside a protected application even though their activity has entered a different data-collection environment.
What should period tracker companies do first?
They should map every data flow, remove unnecessary collection, test network activity before and after consent, review in-app browser pages, assess analytics vendors, and verify that public privacy claims match actual product behavior.