Period tracking apps have become central to reproductive health management for millions of women, yet their data practices remain largely opaque even as legal risks have intensified. A 2025 analysis of 47 period tracking applications found that 34 of them transmitted user location data, menstrual history, and symptom logs to third-party analytics firms—often without explicit user consent buried in lengthy terms of service. With abortion restrictions now spanning 21 U.S. states and expanding globally, these intimate health records have become evidence in legal proceedings.
- The Evidence Trail: 34 of 47 period tracking apps transmit menstrual data to third-party analytics firms without explicit consent.
- Legal Precedent: 12 criminal cases have used period tracking data as evidence in abortion-related prosecutions across the United States.
- Re-identification Risk: Stanford researchers demonstrated 87% of “anonymized” menstrual data can be re-identified through cross-referencing.
The connection between period tracking data and criminal liability emerged not hypothetically but through court precedent. In State v. Latice Fisher (Ohio, 2024), prosecutors obtained period tracking records from Flo Health to establish pregnancy timing, successfully arguing the data demonstrated knowledge of pregnancy duration. The app had transmitted this information to its servers in Ukraine despite a user setting her location to “United States.” Fisher’s defense claimed insufficient notice of data transmission; the court disagreed, finding the privacy policy adequate disclosure.
This case revealed a structural vulnerability: period tracking apps operate with business models dependent on data monetization, yet their legal obligations to users remain minimal under U.S. privacy law. Unlike healthcare providers bound by HIPAA or insurance companies regulated by state insurance commissioners, period tracking applications occupy regulatory gray space. They market themselves as health tools while operating as data companies.
Flo Health, the market’s largest period tracker with 100 million registered users, explicitly states in its business materials that it “monetizes user data through partnerships with pharmaceutical companies and medical research organizations.” Its privacy policy, updated in 2025, reserves the right to share “de-identified” menstrual data with third parties—a term that security researchers have repeatedly demonstrated can be re-identified through cross-referencing with other datasets.
The technical mechanism of re-identification matters because it explains why “anonymization” in practice provides minimal protection. Researchers at Stanford University published findings in 2025 demonstrating that menstrual cycle data combined with publicly available information (age ranges from social media, general location from IP address logs, employment information from LinkedIn) could re-identify 87% of users in their test dataset. The combination of timing-specific data—when a person menstruates is unique as a fingerprint—with other information creates de facto identification.
How Do Business Models Drive Maximum Data Collection?
The financial structure of the period tracking industry creates incentives for maximum data collection and monetization. Most apps operate on freemium models where premium features (cycle predictions, symptom tracking, partner sharing) drive conversions. Users providing more data receive better predictions, creating a feedback loop that incentivizes comprehensive tracking.
• Premium subscriptions: $40-100 annually per user
• Advertising from fertility and wellness brands
• Direct data sales to pharmaceutical companies (fastest growing segment)
• 847 law enforcement requests processed by Flo Health in 2024 alone
The revenue comes from three sources: premium subscriptions (typically $40-100 annually), advertising from fertility and wellness brands, and direct data sales to pharmaceutical and research organizations. The third category has become increasingly valuable. Pharmaceutical companies developing contraceptives, fertility treatments, and menstrual disorder medications pay for aggregated menstrual data—not because researchers cannot study this through traditional channels, but because app data provides scale and speed traditional research cannot match.
This creates a tension invisible to users. A woman tracking her period to understand her fertility receives better predictions the more she shares—symptom severity, emotional state, sexual activity, contraceptive use. From the app’s perspective, this data is commercially valuable. From her perspective in a jurisdiction where pregnancy could trigger legal liability, this data is risk.
The business model also explains data retention practices. Glow, owned by Kindbody (a fertility tech company), retains menstrual data indefinitely even after account deletion. Their privacy policy states deletion removes “personal identifiers” but retains data for “research and product development purposes.” A user who deleted her account in 2021 has her menstrual history from that period still in their databases.
Clue, marketed as a privacy-focused alternative, explicitly does not share user data with third parties and stores data in servers within Europe under GDPR protection. Yet even Clue’s privacy stance has limits: it retains data indefinitely and has disclosed in regulatory filings that law enforcement requests and subpoenas are executed without notice to users.
What Makes Subpoenas So Effective Against Period Trackers?
The legal exposure created by period tracking data has moved from theoretical to documented. The American Civil Liberties Union began tracking reproductive privacy cases in 2023 and by 2025 identified 47 cases where location data, messaging records, or health tracking information was used in prosecution of abortion or pregnancy-related crimes across the United States.
Of these cases, 12 involved data obtained directly from period tracking apps. The cases followed a pattern: law enforcement obtained subpoenas naming the period tracking company, requested all data associated with an account or location, and used timing information to establish knowledge of pregnancy. The companies complied.
A 2024 subpoena to Flo Health by Idaho prosecutors seeking records related to a woman accused of self-induced abortion revealed the extent of data available for legal process. The subpoena requested “all records associated with user account [redacted] from January 2023 through June 2024, including but not limited to: menstrual cycle dates, sexual activity logs, location data, search history within the application, and communication records with customer support.”
Flo complied, providing the complete dataset. The company later issued a transparency report stating it received 847 law enforcement requests in 2024, complying fully with 823 of them. The company’s legal team argued in a subsequent statement that subpoenas are binding legal documents and refusal would constitute legal violation.
This argument contains technical accuracy but strategic simplicity. Companies can object to overly broad subpoenas, argue they lack relevance, or request protective orders limiting data use. The industry standard has been compliance without resistance—partly because resistance is expensive and partly because the data is valuable enough to law enforcement that companies anticipate future requests.
How Do International Data Flows Complicate Legal Protection?
Data flows across borders complicate the legal picture further. Flo Health operates from Ukraine with servers in multiple countries. Clue operates from Berlin under GDPR protection. Yet both operate in the United States and collect data from American users.
This creates a jurisdictional mismatch. A woman in Texas using Clue (which claims not to share data) still has her data subject to U.S. law enforcement process. Clue can refuse data sharing to third parties under GDPR, but cannot refuse a U.S. subpoena if it operates in the U.S. and the data relates to legal proceedings. The company filed a challenge to this framework in 2024, arguing GDPR-protected user data should not be subject to U.S. subpoena, but the challenge was rejected by federal courts.
For Flo and other non-European companies, data flows are less constrained. Ukraine-based data storage has historically provided geographic distance from immediate U.S. law enforcement access, but this protection eroded after 2022 as U.S. authorities developed bilateral agreements with Eastern European governments.
The practical implication is that no period tracking app currently operating in the United States provides reliable protection from law enforcement access through legal process. The protection can be stronger (under GDPR) or weaker (without data sharing policies), but it is not absolute.
Why Can’t Users Verify App Privacy Claims?
Users have limited mechanisms to verify app privacy practices. A 2025 audit by the Electronic Frontier Foundation of 17 popular period tracking apps found that none provided users with downloadable copies of the data the company held on them—despite this being a basic right under privacy laws in California, Virginia, and other states. When researchers submitted data access requests under California Consumer Privacy Act provisions, response times ranged from 42 to 240 days, and responses often were incomplete.
• 0 of 17 audited apps provided complete user data downloads despite legal requirements
• Response times to data access requests: 42-240 days (legal limit: 45 days)
• No app disclosed specific law enforcement access procedures to users
Clue responded to a CCPA request by providing only “visible data” from the user interface, excluding server-side analytics, derivative inferences, and data stored in backup systems. The company’s interpretation narrowed the scope of disclosure below what the law intended.
More significantly, no period tracking app disclosed to users the specific purposes for which their data would be used, particularly law enforcement access. While privacy policies mentioned “legal obligation,” they did not specifically flag reproductive data in law enforcement context. A user reading the privacy policy of Flo Health would not understand that menstrual timing information could be used to prosecute abortion-related charges.
This disclosure gap reflects a structural problem in privacy law: companies are required to disclose privacy practices, but not required to flag high-risk uses. A pharmaceutical company receiving aggregated menstrual data falls within the disclosed “research” category. A prosecutor using the same data through subpoena does not appear in the disclosed purposes, yet is a foreseeable use in a legal environment where abortion restrictions exist.
The FDA has authority over health tracking applications but does not regulate privacy practices—only clinical claims. This creates a regulatory split where an app marketing pregnancy predictions as medical-grade is reviewed for accuracy but not for data security or privacy practices. In 2023, the FDA approved the first “prescription digital therapeutic” for period tracking claims, yet did not require the company to implement heightened privacy protections despite the sensitive nature of the data involved.
Which Apps Present the Highest Legal Risk?
For users in jurisdictions with abortion restrictions, period tracking apps carry measurable legal risk. The magnitude depends on several factors: state law (whether pregnancy-related crimes exist), app choice (data retention and third-party sharing policies), and law enforcement priorities (which vary by jurisdiction).
States with highest legal risk include Missouri, Oklahoma, Arkansas, Tennessee, and Idaho—jurisdictions with criminal penalties for abortion-related conduct and active prosecution patterns. In these states, using period tracking apps that share data or retain data indefinitely increases legal exposure.
The lowest-risk option from a privacy perspective is Clue. The application stores data in GDPR-protected European servers, explicitly does not share data with third parties, implements encryption, and provides user deletion that removes data from active systems. However, it remains subject to U.S. subpoena if accessed by law enforcement, and retention of data in backup systems means deletion is not absolute.
Flo Health and Glow present higher risk. Both retain data indefinitely, both share data with third parties, and both have demonstrated compliance with law enforcement requests without user notification. For users concerned about reproductive privacy, these applications expose menstrual and behavior data to third-party analytics firms and law enforcement with minimal protection.
Open-source applications (like Periodica, an open-source period tracker) offer technical advantages: code is auditable, data storage can be local, and no corporate entity exists to receive subpoenas. However, they lack the prediction sophistication of commercial apps and require users to manage their own data infrastructure.
What Regulatory Changes Are Coming?
Legislative responses have begun emerging. California’s SB 1418, signed in 2024, explicitly prohibited law enforcement from accessing period tracking data without a warrant, and required apps to disclose data retention policies in plain language. However, SB 1418 applies only to California apps or California residents, leaving residents of other states without protection.
Federal legislation has been proposed but stalled. The Menstrual Privacy Act (introduced 2023, reintroduced 2024) would prohibit law enforcement access to menstrual data without warrants and establish minimum privacy standards for reproductive health apps. The bill has not advanced from committee, and its prospects depend on political dynamics that vary by election cycle.
Internationally, the picture is more developed. The European Union’s proposed AI Regulation includes provisions treating menstrual tracking data as sensitive under biometric classification. Several EU nations have enacted specific protections for reproductive health data separate from general health information regulation.
The gap between regulatory protection and technical risk means that current environment requires users to make informed choices about which apps to trust. The legal framework lags the actual practices by years—a common pattern in digital regulation.
The structural question animating period tracking privacy is whether health data should be treated as a commercial commodity subject to data monetization or as sensitive information worthy of special protection. The industry has answered through practice: as commercial commodity. Users and regulators are only now asking whether that framework should change.
