Many menstruating individuals today use period-tracking apps as a convenient digital tool on their smart phone to track their menstruation. In the UK, researchers have found that more women are using smartphone apps to track their menstrual cycles for fertility-tracking purposes. In the U.S., the overturning of Roe v. Wade has slightly shifted the tides, with some users seeking out privacy-enhancing period tracking apps over the mainstream apps and other users outright deleting their period tracking apps over privacy fears. And in the current technological climate, it’s worth asking: how responsible with user data are these apps? In 2019, Privacy International (PI) investigated several popular period-tracking apps across the world to examine how they handle users' privacy, particularly the sharing of users' period data with Facebook. We performed a dynamic analysis of ten popular period tracking apps using our data interception environment (DIE), which allowed us to see whether and where these apps were sharing user data. The most popular apps we looked at did not appear to share data with Facebook, but the other apps we examined that still boasted millions of downloads appeared to engage in some extensive sharing of sensitive user cycle data with third parties including Facebook. Our research exposed serious concerns around these apps’ compliance with data protection laws, as well as around companies’ responsibility and accountability when it comes to third-party data-sharing. Since then, data protection and privacy regulations have been ramping up, with increased expectations for user privacy protection in the form of regulations like the European Union (EU) Digital Services Act, the AI Act and continued enforcement of the General Data Protection Regulation (GDPR). However, these privacy regulations have also been coupled with setbacks in the women's health sector, such as the repealing of Roe v. Wade in the U.S. that has put women's sexual and reproductive health data in a more precarious position than ever before. Not to mention in recent years numerous examples of law enforcement using people’s online data for investigation purposes, such as U.S. law enforcement using Facebook chat logs to prosecute an abortion seeker in Nebraska or UK law enforcement reportedly obtaining a woman’s Google search history and sentencing her for taking abortion pills beyond the legal limit. Considering these changes over the past several years in the privacy and political landscape, as well as technological changes such as the expansion of cloud-based services and the AI industry, we undertook another technical investigation into how period tracking apps are handling user data five years later and the implications for users’ privacy. As we will expand on below, our research found that, overall, period tracking apps were not sharing users’ cycle data as egregiously with third parties as we found for some apps in 2019. Though in the course of our investigation, we did observe several categories of third parties that many apps were integrating for different purposes, such as advertising software development kits (SDKs) or application programming interfaces (APIs) to service certain app functionalities, and these third parties often processed some degree of the user's personal or device data. The various technical approaches that period tracking apps utilise to service their app warrant scrutiny in a politically volatile realm. In our report, we explore the various technical methods built into period tracking apps, such as integrating third party deployers and storing user data on servers, and we conclude with how these practices raise crucial questions for the future of privacy in the femtech space.Download the full report