This is the second time [1] that analytics in period apps have been problematic, and also follows the recent hack of MixPanel [2] exposing OpenAI usage data. Seems like 3rd-party analytics are becoming a new frontier for security issues.
That one was a security incident—data that had been legitimately collected by an analytics provider was exposed due to a breach.
This one is about privacy — what data an app chooses to collect and which third parties it intentionally sends that data to. The concern isn't that someone hacked those companies. The distinction is important for us.
Whenever this issue comes up I feel the need to relay a story about a meeting with a databroker in 1998 who was tracking menstrual cycles using purchasing records of a wide variety of consumer goods. They will track you to optimize their manipulative, targeted advertising whether you have an invasive app or not.
You are misremembering, what it you're referring to is the Target pregnancy prediction score which was advertised a lot in the early 2010s as the way "big data" was going to change the world because they figured pregnant women bought similar things
Any behavioral pattern with a 28 day correlation will pop out. Once you get a rough estimate, you can aggregate subjects with dates shifted into alignment to find more subtle correlations.
I'm male, and clearly don't know enough about this--are there any benefits for the user that a period tracking app can provide by reaching out to the cloud? I guess backing up your data is an obvious one.
I thought entering the information is like 90% of the tracking, everything else is mostly calculation/averaging and none of it needs to live on a server. The Euki app seems like my idea of what it would always be.
Yes, backing up is the most obvious reason to have it live on a server from the user POV. And of course the app vendor will want more lockin and be able to keep the data hostage.
Paying for apps doesn't help as much as expected, as they'll want to keep the revenue stream alive. Solving this conundrum would require to deal with both side of the coin.
The real solution to this would be to give everyone and their dog a standardised online server with legally enforced privacy, and have sandboxed apps manage data in and out in a interexchangeable format, but I feel like I'm asking for peace on earth.
PS: we have banks for money, there should really be something similar for data.
> PS: we have banks for money, there should really be something similar for data.
It's very hard to imagine a government who would have this too far up their list of priorities. Switzerland maybe. Then Germany, France. Maybe. It's hard to imagine it catching on between the monied interests who can influence government and the lack of consumer awareness of the problem it is solving.
Not quite what you're suggesting, but at least Nextcloud (and other open self-hosting platform) servers are a thing.
All you need is for the app to provide the option of saving to local storage – your cloud server software provides a local storage endpoint and does the rest.
If the vendors cared they'd encrypt it client-side and update at regular intervals so that whatever they stored on the servers was unreadable to them. My understanding is that this data isn't covered by HIPAA, which only covers licensed medical providers; you'd think that such personal information would automatically qualify for privacy protections, but [helpless shrug]
I use Macrofactor (macro tracking app for lifters with good privacy/UI) as a weight/period tracker, and occasional macro tracker. I don't think anybody is going to go to the effort to hack their databases to find the 100 women tracking our periods on it.
The one downside is that they do days since last period as days since the end of your last period, not days since the start, unlike literally every woman and gynecologist ever.
MacroFactor is very rare in the modern software world, probably because it was created by fitness science junkies rather than VCs or engineers. Greg was extremely adamant from the start that they're charging money, take it or leave it, but selling the product itself is all they're ever going to sell. No monetizing user data. No dark patterns to drive engagement and keep you in the app. All they're trying to drive is better lifting and better eating because that's honest to god Greg and Lindsay Nuckols passions in life, not getting rich. Classic lifestyle business that'll never eat the world, but it'll pay the rent in North Carolina for two 40 year-olds with no kids.
Greg isn't the only person who owns MF, there are people like Nippard who call it (my app and are either shareholder or promoter with a lot of influence), if you look at the whole hussein and julian fiasco and solomon nelson episode well...
This is kinda misleading. First of all, MacroFactor uses the Gemini API for photo to calorie/macro estimation, so the data does leave their premises. It does not work completely offline, so it does call home, and after that, you never really know what happens with the data.
MacroFactor charges roughly $70 a year. MacroCodex is free and doesn't require an internet connection to work. It can also offset random weight gain due to PMS or other short term hormonal cyclical issues, as well as other water retention issues. It doesn't even ask for your phone number or email or even date of birth!! (it just asks age) on Android. On the web app, an email is required only for storing your data (due to the volatile web storage offered in PWAs, where the OS/browser can evict storage under memory pressure).
If an app doesn't collect your personal identifiable data it cannot sell it, if it's capable of running offline it can be put behind a firewall rule and/or diagnostic/telemetry data disabled in setting though i'd argue if it's not collecting your personal info and want data for improvement of specific app feature (which benefit from data analysis) then you should perhaps analyze the risk of this decision.
I've been using Macrofactor for many years (after a HN recommendation) and now that you mention it, I've been super happy with the experience and don't detect a whiff of dark patterns, unwarranted tracking, or bad business practices that plague other apps.
The value of tracking my diet and health has been well worth it. I will happily pay their asking price and it's heartening to hear that the founders/owners are committed to good practices.
Side note: I recently switched over fully to the Proton Unlimited ecosystem. Another ethical service that I will happily pay for.
I'm beginning to think that we might be able to turn this shitty ad-industry-lead ship around, folks. Or at least we have strong alternatives these days for the people who care.
Now if I can just get my social groups to use Signal.
I would never trust any private health data to an app. I don't care what promises or claims they make. The technology is fundamentally untrustable, and even if a vendor is doing the right thing today, they (or any intermediary) could change tomorrow.
> even if a vendor is doing the right thing today,
... they could fail to realize that they were hacked last year.
Sadly, the same issues apply to the copies of your private health data in your doctor's computer, your insurance company's computer, your hospital's computer, your pharmacy's computer, etc.
Avoiding the app reduces the attack surface. With the minor moral victory of not having gone out of your way to make it easy for the enemies of your privacy.
Only one (of the six reviewed) that I'd call acceptable -
> Euki is the only app Mozilla recommends without reservations. "Euki is special," Wodinsky* says.
> Unlike the other apps on this list, Mozilla says Euki keeps all your health information stored on your device, without even sending it to the company's servers.
> You don't even need to make an account, so you can stay completely anonymous. Euki also offers a "decoy" feature that shows fake, harmless information if someone gets your phone and tries to snoop.
*Shoshana Wodinsky, a privacy research analyst who tested 6 period tracker on behalf of the Mozilla Foundation
It indeed looks like the rest are "you're the product" (tm) type apps. Honestly, I don't expect much from Play Store (or App Store for that matter) these days but as a developer it's terrible what hoops you have to go through to publish your app.. Endless forms to fill out manually and then the overall store quality is just disappointing. Ads, ads, more ads and privacy and security debacles. Now it also looks like locking down on outside app stores like F-Droid.. Developers and hackers will find solutions but for the general population I'm not very hopeful. As to the period apps:
> This is also not Planned Parenthood's first run in with privacy criticisms. I wrote about similar problems four years ago, for example. The organisation didn't respond to a request for comment.
.. And it doesn't look like they care to change anything about it.
Who can end this on a positive note? I hate to be this negative but I don't see it.
As others in the thread have pointed out, Euki is a wonderful application and having interacted with members of their team, I know they are committed to maintaining their liberating privacy stances.
Nobody cares that you're fat. But apparently (some) Americans care if your tracker shows that you've missed your period for one or two months before resuming as normal (indicating a possible abortion).
Why not something p2p and encrypted? https://peerloomllc.com/pearpetal/ No servers, no problem. You fear losing your device? I'm sure you have more than one, any additional one you have is a fully functional backup.
Or better yet. Why trust this one (even though the source is on github)? You can just ask your AI agent to build you your custom one on the basis of this technology.
Period trackers are the perfect usecase for homomorphic encryption, where the system can operate on the data without knowing what the data says. It's slow and has a lot of overhead, but it's an active area of research. That way, the platform doesn't know what you're telling it. You have to trust the platform to have implemented it properly, and it's rather nerdy a detail, so it's no surprise there isn't one yet.
Although the article doesn't accuse us of doing anything improper, we weren't contacted for comment, so I'd like to clarify our role.
We are customer data infrastructure, not a data broker. We do not buy, sell or monetize the customer data that passes through our systems.
Our role is analogous to infrastructure: customers choose what data to send, and RudderStack routes that data to the destinations they configure (analytics tools, data warehouses, marketing platforms, etc.). The customer owns the data and decides where it goes; RudderStack does not repurpose it for its own business.
Infrastructure providers like us should be held to high standards for security and privacy, but we should not be confused with companies that collect or monetize end-user data.
Are analytics tools, data warehouses, and marketing platforms the only types of destinations you support? Because if that's the case then your system appears to only be useful for privacy invasions.
And others - customer support, feature flags, personalization, data quality, machine learning, internal BI, operational databases, security systems etc.
Ultimately, RudderStack is infrastructure that moves first-party data between systems more like message queues.
The article did not accuse you of anything and went so far as to say “There's nothing unlawful going on, and there's no reason to think RudderStack (or any company mentioned in this story) is doing something nefarious.”
I’m struggling to understand why you would feel the need to comment. Or why you even think the BBC would have contacted you. This is one of those moments in PR where a response with no reason makes reasonable people wonder why.
My concern is that terms like "data management company" (and another article described us as an "analytics company") are broad enough that many readers could reasonably infer we're collecting, storing, or monetizing sensitive end-user data.
I wanted to clarify that distinction because we've already had people reach out asking whether we were involved in collecting or using this data.
I disagree. The article very clearly makes it sound like there is some reason RudderStack ought to be listed by name in the privacy policy of the Stardust app. When in reality, it would make no more sense to list them by name, than it would make sense to list AWS or CloudFlare or any other technical infrastructure through which customer data passes.
> Mozilla uncovered numerous privacy problems across various apps, but Stardust was the only one found sharing detailed reproductive health data with another company.
> The report found that Stardust sends users' health information to a data management company called RudderStack, which isn't named in its privacy policy. That data includes pregnancy status, birth control, moods, alcohol consumption and specific symptoms like tender breasts and stomach cramps.
> Companies often share data with outside services to process information and analyse user behaviour. There's nothing unlawful going on, and there's no reason to think RudderStack (or any company mentioned in this story) is doing something nefarious.
> However, experts say it's inherently risky when your data spreads to more places. It creates another opportunity for security breaches or legal requests for information. Besides, you may just be uncomfortable with another company seeing your health data.
> A Stardust spokesperson says the company only uses RudderStack as a "technical pipeline" to route data into its own analytics systems, and the app doesn't share anything that could allow RudderStack to identify your name or contact information. "Additionally, RudderStack is contractually prohibited from selling or using it for its own purposes," and RudderStack doesn't store the data long-term, the spokesperson says.
> "People deserve better," says Shoshana Wodinsky, a privacy research analyst who conducted Mozilla's tests. At the very least, she says, you should know what's happening.
Even the statement, "RudderStack is contractually prohibited from selling or using it for its own purposes," implies that the "contract" is what prevents us from selling customer data. In reality, that's not our business model and not how we operate.
Granted, that statement came from our customer and not incorrect, but these small things can be mis-interpreted.
This is the second time [1] that analytics in period apps have been problematic, and also follows the recent hack of MixPanel [2] exposing OpenAI usage data. Seems like 3rd-party analytics are becoming a new frontier for security issues.
[1] https://www.thebureauinvestigates.com/stories/2025-09-03/met...
[2] https://openai.com/index/mixpanel-incident/
That one was a security incident—data that had been legitimately collected by an analytics provider was exposed due to a breach.
This one is about privacy — what data an app chooses to collect and which third parties it intentionally sends that data to. The concern isn't that someone hacked those companies. The distinction is important for us.
Disclaimer: RudderStack founder.
Somebody on HN recommended drip awhile ago:
https://f-droid.org/packages/com.drip/
It's not mentioned in the article.
Like Euki it's local-only. I don't know how they compare as far as features but it's cool that there are two good apps out there.
List of recommended ones: https://www.privacyguides.org/en/health-and-wellness/#menstr...
>Drip, Euki, and Apple Health
Whenever this issue comes up I feel the need to relay a story about a meeting with a databroker in 1998 who was tracking menstrual cycles using purchasing records of a wide variety of consumer goods. They will track you to optimize their manipulative, targeted advertising whether you have an invasive app or not.
I've heard rumors, maybe that far back, of women getting mail ads for baby clothes a couple weeks before having a positive pregnancy test.
You are misremembering, what it you're referring to is the Target pregnancy prediction score which was advertised a lot in the early 2010s as the way "big data" was going to change the world because they figured pregnant women bought similar things
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...
I wonder about not only baby or feminine supplies, but also snack coupons and dating apps
Any behavioral pattern with a 28 day correlation will pop out. Once you get a rough estimate, you can aggregate subjects with dates shifted into alignment to find more subtle correlations.
I'm male, and clearly don't know enough about this--are there any benefits for the user that a period tracking app can provide by reaching out to the cloud? I guess backing up your data is an obvious one.
I thought entering the information is like 90% of the tracking, everything else is mostly calculation/averaging and none of it needs to live on a server. The Euki app seems like my idea of what it would always be.
Yes, backing up is the most obvious reason to have it live on a server from the user POV. And of course the app vendor will want more lockin and be able to keep the data hostage.
Paying for apps doesn't help as much as expected, as they'll want to keep the revenue stream alive. Solving this conundrum would require to deal with both side of the coin.
The real solution to this would be to give everyone and their dog a standardised online server with legally enforced privacy, and have sandboxed apps manage data in and out in a interexchangeable format, but I feel like I'm asking for peace on earth.
PS: we have banks for money, there should really be something similar for data.
> PS: we have banks for money, there should really be something similar for data.
It's very hard to imagine a government who would have this too far up their list of priorities. Switzerland maybe. Then Germany, France. Maybe. It's hard to imagine it catching on between the monied interests who can influence government and the lack of consumer awareness of the problem it is solving.
Not quite what you're suggesting, but at least Nextcloud (and other open self-hosting platform) servers are a thing.
All you need is for the app to provide the option of saving to local storage – your cloud server software provides a local storage endpoint and does the rest.
If the vendors cared they'd encrypt it client-side and update at regular intervals so that whatever they stored on the servers was unreadable to them. My understanding is that this data isn't covered by HIPAA, which only covers licensed medical providers; you'd think that such personal information would automatically qualify for privacy protections, but [helpless shrug]
I use Macrofactor (macro tracking app for lifters with good privacy/UI) as a weight/period tracker, and occasional macro tracker. I don't think anybody is going to go to the effort to hack their databases to find the 100 women tracking our periods on it.
The one downside is that they do days since last period as days since the end of your last period, not days since the start, unlike literally every woman and gynecologist ever.
MacroFactor is very rare in the modern software world, probably because it was created by fitness science junkies rather than VCs or engineers. Greg was extremely adamant from the start that they're charging money, take it or leave it, but selling the product itself is all they're ever going to sell. No monetizing user data. No dark patterns to drive engagement and keep you in the app. All they're trying to drive is better lifting and better eating because that's honest to god Greg and Lindsay Nuckols passions in life, not getting rich. Classic lifestyle business that'll never eat the world, but it'll pay the rent in North Carolina for two 40 year-olds with no kids.
Greg isn't the only person who owns MF, there are people like Nippard who call it (my app and are either shareholder or promoter with a lot of influence), if you look at the whole hussein and julian fiasco and solomon nelson episode well...
This is kinda misleading. First of all, MacroFactor uses the Gemini API for photo to calorie/macro estimation, so the data does leave their premises. It does not work completely offline, so it does call home, and after that, you never really know what happens with the data.
MacroFactor charges roughly $70 a year. MacroCodex is free and doesn't require an internet connection to work. It can also offset random weight gain due to PMS or other short term hormonal cyclical issues, as well as other water retention issues. It doesn't even ask for your phone number or email or even date of birth!! (it just asks age) on Android. On the web app, an email is required only for storing your data (due to the volatile web storage offered in PWAs, where the OS/browser can evict storage under memory pressure).
If an app doesn't collect your personal identifiable data it cannot sell it, if it's capable of running offline it can be put behind a firewall rule and/or diagnostic/telemetry data disabled in setting though i'd argue if it's not collecting your personal info and want data for improvement of specific app feature (which benefit from data analysis) then you should perhaps analyze the risk of this decision.
I do find that the best apps are the paid ones, they don't need to be relying on selling user data to make a profit.
Sadly, a lot of the great boutique lifestyle business paid apps are apple only, and I can't stand the typing experience on iphones.
I've been using Macrofactor for many years (after a HN recommendation) and now that you mention it, I've been super happy with the experience and don't detect a whiff of dark patterns, unwarranted tracking, or bad business practices that plague other apps.
The value of tracking my diet and health has been well worth it. I will happily pay their asking price and it's heartening to hear that the founders/owners are committed to good practices.
Side note: I recently switched over fully to the Proton Unlimited ecosystem. Another ethical service that I will happily pay for.
I'm beginning to think that we might be able to turn this shitty ad-industry-lead ship around, folks. Or at least we have strong alternatives these days for the people who care.
Now if I can just get my social groups to use Signal.
I would never trust any private health data to an app. I don't care what promises or claims they make. The technology is fundamentally untrustable, and even if a vendor is doing the right thing today, they (or any intermediary) could change tomorrow.
> even if a vendor is doing the right thing today,
... they could fail to realize that they were hacked last year.
Sadly, the same issues apply to the copies of your private health data in your doctor's computer, your insurance company's computer, your hospital's computer, your pharmacy's computer, etc.
Avoiding the app reduces the attack surface. With the minor moral victory of not having gone out of your way to make it easy for the enemies of your privacy.
Apple Health was not among the reviewed?
It's e2ee and only part of your icloud backup if you enable it. And you can separately manage read/write access from other apps.
https://support.apple.com/en-gb/guide/security/sec88be9900f/...
Only one (of the six reviewed) that I'd call acceptable -
> Euki is the only app Mozilla recommends without reservations. "Euki is special," Wodinsky* says.
> Unlike the other apps on this list, Mozilla says Euki keeps all your health information stored on your device, without even sending it to the company's servers.
> You don't even need to make an account, so you can stay completely anonymous. Euki also offers a "decoy" feature that shows fake, harmless information if someone gets your phone and tries to snoop.
*Shoshana Wodinsky, a privacy research analyst who tested 6 period tracker on behalf of the Mozilla Foundation
It's really sad to see that this is not the usual kind of software people are exposed too.
It indeed looks like the rest are "you're the product" (tm) type apps. Honestly, I don't expect much from Play Store (or App Store for that matter) these days but as a developer it's terrible what hoops you have to go through to publish your app.. Endless forms to fill out manually and then the overall store quality is just disappointing. Ads, ads, more ads and privacy and security debacles. Now it also looks like locking down on outside app stores like F-Droid.. Developers and hackers will find solutions but for the general population I'm not very hopeful. As to the period apps:
> This is also not Planned Parenthood's first run in with privacy criticisms. I wrote about similar problems four years ago, for example. The organisation didn't respond to a request for comment.
.. And it doesn't look like they care to change anything about it. Who can end this on a positive note? I hate to be this negative but I don't see it.
As others in the thread have pointed out, Euki is a wonderful application and having interacted with members of their team, I know they are committed to maintaining their liberating privacy stances.
What is the privacy concern vs a weight loss tracker?
Nobody cares that you're fat. But apparently (some) Americans care if your tracker shows that you've missed your period for one or two months before resuming as normal (indicating a possible abortion).
Why not something p2p and encrypted? https://peerloomllc.com/pearpetal/ No servers, no problem. You fear losing your device? I'm sure you have more than one, any additional one you have is a fully functional backup.
The technology it is built on is extremely cool. http://pears.com/
Or better yet. Why trust this one (even though the source is on github)? You can just ask your AI agent to build you your custom one on the basis of this technology.
Period trackers are the perfect usecase for homomorphic encryption, where the system can operate on the data without knowing what the data says. It's slow and has a lot of overhead, but it's an active area of research. That way, the platform doesn't know what you're telling it. You have to trust the platform to have implemented it properly, and it's rather nerdy a detail, so it's no surprise there isn't one yet.
I love this stuff, even though its way over my head
> We are a community of researchers and developers interested in advancing Fully Homomorphic Encryption (FHE) and other secure computation techniques.
https://fhe.org/
(edit: formatting)
RudderStack founder here.
Although the article doesn't accuse us of doing anything improper, we weren't contacted for comment, so I'd like to clarify our role.
We are customer data infrastructure, not a data broker. We do not buy, sell or monetize the customer data that passes through our systems.
Our role is analogous to infrastructure: customers choose what data to send, and RudderStack routes that data to the destinations they configure (analytics tools, data warehouses, marketing platforms, etc.). The customer owns the data and decides where it goes; RudderStack does not repurpose it for its own business.
Infrastructure providers like us should be held to high standards for security and privacy, but we should not be confused with companies that collect or monetize end-user data.
fyi you can report an editorial issue via email https://www.bbc.com/news/55077304
Even this page is behind a paywall :)
Managed to copy the email though. Thanks for the pointer
Are analytics tools, data warehouses, and marketing platforms the only types of destinations you support? Because if that's the case then your system appears to only be useful for privacy invasions.
And others - customer support, feature flags, personalization, data quality, machine learning, internal BI, operational databases, security systems etc.
Ultimately, RudderStack is infrastructure that moves first-party data between systems more like message queues.
The article did not accuse you of anything and went so far as to say “There's nothing unlawful going on, and there's no reason to think RudderStack (or any company mentioned in this story) is doing something nefarious.”
I’m struggling to understand why you would feel the need to comment. Or why you even think the BBC would have contacted you. This is one of those moments in PR where a response with no reason makes reasonable people wonder why.
My concern is that terms like "data management company" (and another article described us as an "analytics company") are broad enough that many readers could reasonably infer we're collecting, storing, or monetizing sensitive end-user data.
I wanted to clarify that distinction because we've already had people reach out asking whether we were involved in collecting or using this data.
Its bad PR for us
I disagree. The article very clearly makes it sound like there is some reason RudderStack ought to be listed by name in the privacy policy of the Stardust app. When in reality, it would make no more sense to list them by name, than it would make sense to list AWS or CloudFlare or any other technical infrastructure through which customer data passes.
> Mozilla uncovered numerous privacy problems across various apps, but Stardust was the only one found sharing detailed reproductive health data with another company.
> The report found that Stardust sends users' health information to a data management company called RudderStack, which isn't named in its privacy policy. That data includes pregnancy status, birth control, moods, alcohol consumption and specific symptoms like tender breasts and stomach cramps.
> Companies often share data with outside services to process information and analyse user behaviour. There's nothing unlawful going on, and there's no reason to think RudderStack (or any company mentioned in this story) is doing something nefarious.
> However, experts say it's inherently risky when your data spreads to more places. It creates another opportunity for security breaches or legal requests for information. Besides, you may just be uncomfortable with another company seeing your health data.
> A Stardust spokesperson says the company only uses RudderStack as a "technical pipeline" to route data into its own analytics systems, and the app doesn't share anything that could allow RudderStack to identify your name or contact information. "Additionally, RudderStack is contractually prohibited from selling or using it for its own purposes," and RudderStack doesn't store the data long-term, the spokesperson says.
> "People deserve better," says Shoshana Wodinsky, a privacy research analyst who conducted Mozilla's tests. At the very least, she says, you should know what's happening.
Even the statement, "RudderStack is contractually prohibited from selling or using it for its own purposes," implies that the "contract" is what prevents us from selling customer data. In reality, that's not our business model and not how we operate.
Granted, that statement came from our customer and not incorrect, but these small things can be mis-interpreted.
Awesome insight. Thanks for clarifying! @bbc please update because there's definitely an implicit complicity in your article.
Will do. Thanks