(early) Back-to-School sale - 30% off every planner, applied automatically. Ends Aug 31.

Shop the sale →

Womens Health

Do period apps sell your data? A calm look at what really happens

Do period apps sell your data? A calm, factual look at how free trackers make money, what data sharing really means, and how to read a privacy policy.

Some period apps effectively do, and some genuinely do not. Most free trackers do not hand over a spreadsheet with your name on it, but many make their money from advertising, and the common mechanism is third-party code inside the app that sends usage and health-related data to advertising and analytics companies. That can amount to something close to selling, even when the policy never uses the word. The only way to know for any specific app is to read what it says and check where your data goes.

This is a practical guide to the mechanics, without alarm and without politics. The goal is to make you able to read a privacy policy and decide for yourself.

How free tracker apps usually make money

A free app still has costs, so the money comes from somewhere. For a large share of free period trackers, that somewhere is advertising. Ads are sold more effectively when they can be targeted, and targeting runs on data about who you are and how you behave.

This is not unique to period apps. It is the standard model for a great deal of free software. What makes period apps sensitive is the nature of what you type in: cycle dates, symptoms, moods, and sometimes pregnancy intentions. That is a far more personal dataset than, say, a flashlight app collects.

What “sharing” actually means

“We may share data with third parties” is doing a lot of quiet work in most policies. In practice it usually refers to a few concrete mechanisms.

  • Third-party SDKs. Many apps include software development kits from advertising and analytics companies. An SDK is a block of someone else’s code bundled into the app, and it can send information out to that company as you use the app. You never see it, and it often runs regardless of what you type.
  • Advertising identifiers. Your device carries an ad ID that lets separate apps and companies recognize the same device over time, which is how a profile gets built across services.
  • Aggregated or de-identified data. Policies often say shared data is de-identified, meaning direct identifiers are stripped, or aggregated into totals. This lowers the risk but does not erase it, because de-identified data can sometimes be re-connected to a person when combined with other datasets.

None of this requires anyone to literally sell a file labeled with your name. Data can move, be matched, and be monetized through steps that each look modest on their own.

Why period data gets extra attention

Reproductive and health-related data is valued highly by advertisers, because it signals life stages and intentions that are commercially useful. Information that suggests someone may be pregnant, or trying to be, is worth more to an advertiser than routine details like age or city. That economic reality is why the sharing happens, and why the topic keeps coming up.

The regulatory picture, briefly

Two facts are worth knowing, both verifiable and neither dramatic.

First, most consumer period apps are not covered by HIPAA. HIPAA protects data held by healthcare providers, health plans, and their business associates. It generally does not reach information you type directly into an app you downloaded yourself. So the assumption that “it is health data, so it must be protected” does not hold for a typical tracker. The app’s own privacy policy is what governs your entries.

Second, regulators have acted when apps shared data in ways that conflicted with their own promises. In the United States, the Federal Trade Commission has brought cases against fertility and period tracking apps, including settlements with Flo Health and Premom, concerning how sensitive health information was shared with outside companies. These are matters of public record in the FTC’s own announcements. The point is not to single out any one app but to show that the mechanism is real enough to have drawn enforcement.

How to read a period app’s privacy policy

You do not need to read every line. Search the document for a handful of terms and see how the app answers them.

Look forWhat you are checking
”third part”Who else receives your data, and for what
”advertising” or “partners”Whether your data feeds ad targeting
”sell” or “share”The app’s own stated position, in its own words
”de-identified” or “aggregated”Whether sharing is claimed to be anonymized, and how strongly
”retain” or “delete”How long data is kept and whether you can remove it
”on your device” or “locally”Whether data ever leaves your phone at all

If the policy is vague where it should be specific, especially about third parties and advertising, treat the vagueness itself as the answer. Clear, confident privacy tends to be stated plainly because it is a selling point.

What “on-device only” means

The strongest privacy claim an app can make is that your data never leaves your device. Stored locally, no account, no upload: if there is nothing sent, there is nothing to share, sell, or breach. An offline file simply cannot transmit what you type, because it makes no network requests in the first place.

This is the model behind PeriodOS, a single offline HTML file that keeps every entry in your own browser with no account and nothing uploaded. It is one example of the on-device approach, and the broader point stands whatever tool you choose: the safest data is the data that never travels. If you would rather use no app at all, how to track your period privately walks through paper and device-only methods.

What to do with this

You do not have to abandon apps or become an expert. Before you trust one with your cycle, do three things: read how it makes money, search its policy for the terms above, and ask whether the data leaves your device. If those answers are unclear, that is useful information on its own.

The same habits apply to any health app you rely on, including trackers for related conditions. If you are managing something like PCOS, the same questions about where the data lives are worth asking, and the PCOS symptom tracking guide covers what that record should contain.

This article is general education about data practices, not legal or medical advice. Privacy terms and company practices change over time, so check the current policy of any app you use.

Frequently asked questions

Do period tracker apps sell your data?

Some do and some do not, and the honest answer is that it depends entirely on the app. Many free trackers make money from advertising and share usage and health-related data with third-party advertising and analytics companies, which can look a lot like selling even when the policy avoids that word. The only way to know for a specific app is to read its privacy policy and check what it does with the data you enter.

Are period apps covered by HIPAA?

Usually not. HIPAA applies to healthcare providers, health plans, and their business associates, not to most consumer apps you download yourself. That means the health information you type into a typical period app is generally not protected by HIPAA, which surprises many people. The app's own privacy policy, not HIPAA, is what governs that data.

What does de-identified or aggregated data actually mean?

De-identified data has had direct identifiers like your name removed, and aggregated data is combined across many users into totals. Both reduce risk, but neither is a guarantee, because de-identified data can sometimes be re-linked to a person when combined with other information. Treat these terms as meaningful but not absolute.

How can I tell if a period app keeps my data private?

Read the privacy policy and look for who the data is shared with, whether it is used for advertising, and whether it ever leaves your device. An app that stores everything locally and makes no network requests cannot transmit your entries at all. If the policy is vague about third parties or advertising partners, treat that as a warning sign.

Has anyone actually been penalized for sharing period app data?

Yes. In the United States the Federal Trade Commission has taken action against fertility and period tracking apps, including settlements with Flo Health and Premom, over how they shared users' sensitive health information. These cases are documented in the FTC's own public announcements and are a large part of why the topic gets attention.


Ecuato builds interactive dashboard planners as single offline HTML apps. Browse all planners or visit the Etsy shop.