A popular period tracking app is secretly funneling users' intimate health data to an analytics company, according to new research from Mozilla published today. The findings expose a dangerous privacy gap in the femtech space, where millions of users trust apps with their most sensitive reproductive health information. While one tracker tested by Mozilla earned a 'squeaky clean' rating, Stardust was caught red-handed sharing health data with third-party analytics firms, raising urgent questions about how femtech companies handle medical information in a post-Roe landscape.
Mozilla just dropped a bombshell privacy audit that's sending shockwaves through the femtech industry. The nonprofit's Privacy Not Included research team tested multiple period tracking apps and discovered Stardust, a tracker used by millions, actively shares users' reproductive health data with analytics companies - a practice that directly contradicts the app's privacy-first marketing.
The timing couldn't be more critical. Period tracking apps have faced intense scrutiny since 2022, when fears about reproductive health data being weaponized in legal cases exploded following the overturning of Roe v. Wade. Women across the country scrambled to delete period trackers, worried their menstrual data could be subpoenaed and used against them. App makers rushed to reassure users with promises of end-to-end encryption and strict data policies.
But Mozilla's findings reveal those promises ring hollow for some apps. According to the research published on TechCrunch, Stardust's data sharing practices stand in stark contrast to competitors that actually protect user privacy. One unnamed app tested by Mozilla earned what researchers called a 'squeaky clean' rating, demonstrating it's entirely possible to build a functional period tracker without compromising user data.
The contrast underscores what privacy advocates have warned about for years - health apps operate in a regulatory gray zone where HIPAA protections don't apply. Unlike medical providers bound by strict privacy laws, consumer health apps can collect, share, and monetize intimate health data with few legal constraints. The $50 billion femtech market has exploded over the past decade, but regulatory frameworks haven't kept pace.
Stardust hasn't publicly responded to Mozilla's findings, and the company's privacy policy remains live on its website. But the damage to user trust may already be done. Period tracking requires users to input extraordinarily sensitive information - menstrual cycles, sexual activity, pregnancy attempts, contraception use, symptoms, and mood changes. This data creates detailed profiles of users' reproductive health and intimate lives.
Mozilla's Privacy Not Included initiative has become the tech industry's most feared privacy watchdog since launching in 2017. The program systematically tests consumer tech products for privacy and security flaws, publishing detailed reports that have forced companies to change data practices. Previous investigations have exposed smart home devices transmitting unencrypted data, kids' toys with security vulnerabilities, and mental health apps sharing user information with advertisers.
The period tracker findings arrive as lawmakers debate federal privacy legislation that could finally impose rules on health app data practices. The American Data Privacy and Protection Act, stalled in Congress since 2023, includes provisions specifically addressing sensitive health information collected by consumer apps. But without federal action, users remain vulnerable to data collection practices they often don't understand and can't control.
Security researchers point out that even anonymized health data can be remarkably easy to de-anonymize when combined with other data points. A 2019 study found that menstrual cycle data combined with location information could identify individual users with alarming accuracy. Analytics companies receiving period tracker data might claim it's aggregated and anonymous, but experts say that provides cold comfort given sophisticated re-identification techniques.
The femtech industry now faces a reckoning. Apps that genuinely protect privacy have a competitive advantage in a market where trust is everything. Those caught cutting corners with user data risk not just bad press, but potential legal liability as state-level privacy laws gain teeth. California's Consumer Privacy Act and similar legislation in Virginia, Colorado, and other states give consumers new rights around health data, though enforcement remains inconsistent.
For the millions of people using period trackers, Mozilla's research offers a stark reminder to read privacy policies carefully and understand exactly what happens to the intimate health data they're sharing. The assumption that health apps inherently protect health information is dangerously wrong.
Mozilla's investigation pulls back the curtain on a femtech industry where privacy promises don't always match reality. The stark difference between Stardust's data sharing and competitors' protective practices proves that period trackers can function perfectly well without compromising user privacy - companies just have to choose to prioritize it. As reproductive rights remain under siege and health data becomes increasingly valuable, users deserve apps that treat their intimate information with the sensitivity it demands. The real test now is whether the femtech industry responds with genuine reform or just better marketing.