The question parents started asking in 2022 was a simple one: if my daughter’s period app keeps her cycle data, what happens to that data?
The longer answer matters more now than it did in 2022. Several US states have changed their abortion laws since Dobbs. Period app companies have been sued, have settled, and have had their data subpoenaed. The Federal Trade Commission brought an enforcement action against the most popular tracker in the world for sharing intimate health data with Facebook and Google. And state legislatures have begun passing laws that require verifiable parental consent before a minor can download an app at all.
If you’re a parent putting a period tracker on your daughter’s phone, "private" isn’t an aesthetic preference anymore. It’s a set of properties you should be able to evaluate as clearly as price or design.
This is a primer on how to do that.
"Private" means three different things.
When a period app calls itself private, it usually means one of these three things. They are not the same.
1. Private by policy. The company has a privacy policy that promises not to sell your data. This is the weakest form. A policy is a promise, and a promise can be revised, violated, or made meaningless by a third-party SDK the company quietly included. The Flo case is the cautionary tale: the policy said health data would be kept private, while the app was sending it to Facebook and Google through embedded analytics SDKs between 2016 and 2019. The 2021 FTC settlement required Flo to change its practices, but the app a parent installed in 2018 was not, in practice, doing what the policy claimed.
2. Private by jurisdiction. The company is based somewhere with strong privacy law, usually the EU under GDPR, and stores data on servers in that jurisdiction. This is meaningfully stronger than a US-based "private by policy" app because the regulator has real teeth: fines of up to four percent of worldwide annual turnover, and enforceable user rights of access and erasure. Clue is the leading example. The trade-off: the data still exists on servers somewhere, so a subpoena or a breach can still reach it.
3. Private by architecture. The company does not have your data because it never has your data. There’s no account, no cloud sync, no server-side database. The data lives on the phone and only on the phone. This is the strongest form because there is nothing on the company’s end to leak, sell, or subpoena. The caveat: the data is then exactly as protected as the phone itself, meaning its screen lock, its device encryption, and whatever backup the phone makes. The trade-off: data doesn’t follow you to a new phone automatically; you have to export and import manually.
Each model has its place. But when you read marketing copy claiming "we don’t share your data," ask the next question: because you promised not to, because the law says you can’t, or because you don’t have it in the first place?
What to actually look for in a privacy policy.
The privacy summary on the App Store listing is not the same as the privacy policy. The summary is self-reported by the developer and written to look reassuring; nobody independently verifies it. The policy is the legal document. Read it.
Things to look for, in order of importance:
Third-party SDKs. The Flo case wasn’t about Flo’s own servers. It was about analytics SDKs (Facebook, Google) that Flo embedded into the app. Those SDKs collected health data and sent it to those companies. Search the policy for "third party" or "analytics partners." If the list is long or the language is vague, the app is probably not as private as it claims.
Account requirements. A tracker that needs an email and phone number to create an account is collecting contact info as part of the deal. That contact info can be subpoenaed, leaked, or sold separately from the health data. The fewer fields the app asks for, the less there is to lose.
Cloud sync. If the app stores data in the cloud, ask where that cloud is (US? EU?), who has access (the company? a contractor?), and whether the data is encrypted at rest. End-to-end encryption means the company itself can’t read your daughter’s data even if it wanted to, and so can’t be compelled to hand over anything readable. Standard encrypted cloud storage is different: the company still holds the keys behind the scenes. A quick test of an end-to-end claim is to ask what happens when the user forgets the password. If the company can reset it and the data comes back intact, the company holds the key, whatever the marketing says.
Data retention. When you delete the app, what happens to the data on the server? Some apps retain "anonymized" data indefinitely; treat that word with suspicion when the data is tied to a device identifier, because cycle data plus a device ID is rarely anonymous. Others delete on request. Some delete automatically after a set period. The policy should say which.
Data sharing for marketing, advertising, or research. Even apps that don’t share health data sometimes share other data — device IDs, IP addresses, general location — for ad targeting or research. Clue is upfront about this in its policy. Other apps are less so.
Law enforcement data sharing. A few apps explicitly state they will hand over data without a warrant, or "if requested." Others state they require a warrant or subpoena (a subpoena is the lower bar of the two). The strongest position is the one Stardust now takes: no voluntary data sharing with law enforcement; only the legally compelled minimum.
The track-record check.
A privacy policy is a promise. A track record is evidence. When evaluating any health app, look up:
- Whether the company has been the subject of an FTC enforcement action.
- Whether there are active or settled class actions related to data sharing.
- Whether the privacy policy has changed materially in the last year, and what changed.
- Whether the app has been profiled critically by Mozilla’s Privacy Not Included project, Privacy International, or a major tech publication.
In the period app category specifically, the public record includes:
- The Flo Health FTC settlement (2021)
- The $56 million Google + Flo class action settlement (2025)
- The Flurry $3.5 million Flo-related settlement (April 2025)
- The California jury verdict finding Meta liable for violating the California Invasion of Privacy Act over Flo app data
- The Stardust TechCrunch investigation (2022) that led the company to remove its end-to-end encryption claim from its privacy policy
A company can recover from a privacy incident, and the record matters as evidence, not as a permanent disqualifier. But it should weigh in the decision.
State laws are about to change the calculus.
In 2025 and 2026, multiple US states passed App Store Accountability Acts (ASAAs). The basics are similar in each state: app stores must verify a user’s age, and a minor must have a parent’s verifiable consent before downloading an app or making an in-app purchase. The state-by-state timeline as of mid-2026:
- Utah. Signed into law in 2025. Developer and app-store requirements effective May 6, 2026. Enforcement starts December 31, 2026. Amended in March 2026 to address constitutional challenges.
- Louisiana. Effective July 1, 2026.
- California (DAAA). Effective January 1, 2027.
- Texas and Alabama. ASAAs passed and rolling out through 2026 and 2027.
For period apps, this shifts who the buyer is. Until recently, a teen could download a free period app independently. By 2027, in states where an ASAA is in force, that download will require parental consent, which means the parent is in the loop from the start. The right question for app developers and the right question for parents become more aligned: what would a parent actually want this app to do, and not do?
What "private by architecture" looks like in practice.
A period app built on the strongest privacy model has the following properties:
- No account creation. No email, no phone, no social login.
- No cloud sync that the company can read. Either no cloud, or end-to-end encryption with a user-controlled key.
- No analytics SDKs that send usage data to third parties.
- No third-party ad networks. (Ad networks are a major source of data leakage.)
- No server-sent notifications. (A push notification travels through Apple’s or Google’s push service and its text shows on the lock screen; even a content-free push is a record that this device has the app installed. Locally scheduled reminders avoid the server but still appear on the lock screen, so they should be optional.)
- No social features. (Comments, profiles, and DMs are surveillance surfaces.)
- A clear manual export so the user can move their data themselves.
Few apps meet all of these. The trade-off, candidly, is convenience: no automatic phone-to-phone sync, no cross-device backup, no "log in and your data’s back." That’s the architecture’s actual cost. The benefit is that the company can’t share, sell, leak, or be compelled to disclose what it doesn’t have.
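The "no cloud", "no analytics SDK" and "no ad network" properties are claims you can check rather than take on trust, because each of them shows up as network traffic from the phone. The script below is an added example written for this guide, not code from any app or vendor mentioned here. It takes a log of the connections a phone made, of the kind an on-device DNS filter or a proxy export can give you, sorts one app's destinations into first-party, known third-party trackers and unexplained hosts, and compares the result with what the app claims. The log lines, the app identifier `com.example.cycletracker`, the `cycletracker.example` domain and the short tracker table are all constructed for the example; a real check should draw its tracker suffixes from a maintained list.

```python
"""Check an app's "no cloud / no analytics" claims against the hosts it actually contacts.

Added example for this guide (not from any app or vendor named in it). Input is a
connection log of the form "<utc-time> <app-id> <destination-host> <port>", the
kind an on-device DNS filter or a proxy export can give you. All sample data is
constructed; the tracker table is illustrative and deliberately short.
"""
import re

# Illustrative domain suffixes of common third-party SDK and ad endpoints.
# Assumption for this example: extend it from a maintained tracker list.
THIRD_PARTY_SUFFIXES = {
    "graph.facebook.com": ("Meta", "Facebook SDK / analytics"),
    "app-measurement.com": ("Google", "Firebase Analytics"),
    "firebaseinstallations.googleapis.com": ("Google", "Firebase installations"),
    "crashlytics.com": ("Google", "crash reporting"),
    "doubleclick.net": ("Google", "ad network"),
    "api.mixpanel.com": ("Mixpanel", "product analytics"),
}

# Constructed log. The app id and the cycletracker.example domain are placeholders.
SAMPLE_LOG = """\
2026-03-02T08:14:03Z com.example.cycletracker api.cycletracker.example 443
2026-03-02T08:14:03Z com.example.cycletracker graph.facebook.com 443
2026-03-02T08:14:04Z com.example.cycletracker app-measurement.com 443
2026-03-02T08:14:04Z com.example.cycletracker settings.crashlytics.com 443
2026-03-02T08:14:05Z com.example.cycletracker cdn.cycletracker.example 443
2026-03-02T08:14:09Z com.example.cycletracker 198.51.100.7 8443
2026-03-02T08:15:00Z com.apple.mobilemail imap.mail.example 993
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def match_suffix(host, suffixes):
    """Return the longest suffix that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    best = None
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best):
                best = suffix
    return best


def classify_hosts(log_text, app_id, first_party_suffixes):
    """Sort one app's destinations into first-party, known third-party and unknown.

    Lines from other apps are ignored so system traffic is not blamed on the app.
    """
    result = {"first_party": set(), "third_party": {}, "unknown": set()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash on them
        _ts, src_app, host, _port = m.groups()
        if src_app != app_id:
            continue
        if match_suffix(host, first_party_suffixes):
            result["first_party"].add(host)
        else:
            hit = match_suffix(host, THIRD_PARTY_SUFFIXES)
            if hit:
                result["third_party"][host] = THIRD_PARTY_SUFFIXES[hit]
            else:
                result["unknown"].add(host)
    return result


def check_claims(result, claims_no_cloud=False, claims_no_analytics=False):
    """Compare observed destinations with the app's privacy claims.

    Returns a list of findings; an empty list means the traffic is consistent
    with the claims (a genuinely offline app should produce no lines at all).
    """
    findings = []
    total = sum(len(v) for v in result.values())
    if claims_no_cloud and total:
        findings.append(f"claims no cloud but contacted {total} host(s)")
    if claims_no_analytics and result["third_party"]:
        vendors = sorted({vendor for vendor, _ in result["third_party"].values()})
        findings.append("claims no third-party analytics but talked to " + ", ".join(vendors))
    for host in sorted(result["unknown"]):
        findings.append(f"unexplained destination {host}; ask the vendor what it is")
    return findings


if __name__ == "__main__":
    observed = classify_hosts(SAMPLE_LOG, "com.example.cycletracker", ["cycletracker.example"])
    for category, hosts in observed.items():
        print(f"{category}: {sorted(hosts)}")
    for finding in check_claims(observed, claims_no_cloud=True, claims_no_analytics=True):
        print("FINDING:", finding)
```

Run it against a log captured while the app is opened, a cycle is logged and the app is left idle for a few minutes. An app that is "private by architecture" should produce no lines for its own app id at all; a bare IP address or a host the vendor cannot explain is worth a direct question to the developer before you decide.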
A practical shortlist.
If "private" is your top criterion, the major apps that meet a meaningful privacy bar in 2026 are:
- Clue. Strongest "private by jurisdiction" option. EU-based, GDPR-governed, does not share health data with advertisers. Acceptable for most families. Trade-off: paid premium tier; does share some non-health user data for ads.
- Apple Health. Data stays on the device, plus iCloud if iCloud is on; Apple states that Health data synced to iCloud is end-to-end encrypted on accounts with two-factor authentication. Limited as a tracker but solid on privacy. Trade-off: minimum-viable period features, and iPhone only.
- Spot On (Planned Parenthood). Non-commercial, designed for teens, no advertising model. Trade-off: overt advocacy framing some families will appreciate and others won’t.
- TeenCycle. Built by our family. 100% offline, no cloud, no account. Disclosure: we built it. Trade-off: manual data export when switching phones.
Apps to weigh more carefully against the track record: Flo, Stardust. Both have had public privacy incidents. Both have updated their practices since. Whether the update is trustworthy is a judgment call you should make with the evidence in front of you.
How to evaluate any app in five minutes.
A shortcut for parents short on time:
- Open the app and start the onboarding. Note what it asks before you give it any data.
- Search the app’s name plus "FTC" and "class action." If something comes up, read at least one source.
- Open the privacy policy and search for "third party," "analytics," and "law enforcement."
- Search the app’s name plus "Mozilla Privacy Not Included" or "Privacy International." If they’ve reviewed it, that’s an independent summary, which is worth more than anything the vendor writes about itself.
- If you’re putting it on a minor’s phone, decide whether the answers above are good enough for a 14-year-old, not for yourself.
The answer doesn’t have to be perfect. It has to be one you can live with.
For many parents, the goal isn’t to turn a period tracker into a surveillance system or a social platform. It’s simply to give their daughter a private, low-stress tool that does its job quietly and stays out of the way.
Try TeenCycle free for 7 days.
References & sources.
- FTC Flo Health settlement (2021): FTC.gov enforcement page
- Google + Flo class action $56M settlement (2025): Inside Privacy summary
- Flurry $3.5M Flo-related settlement (April 2025)
- Meta CIPA liability ruling (California, 2025): Almeida Law Group
- Stardust TechCrunch investigation (2022): TechCrunch
- Mozilla Privacy Not Included — Clue review: mozillafoundation.org
- Privacy International on Stardust: privacyinternational.org
- State App Store Accountability Acts summary: Wiley Law