Your Period Tracker May Be Sending Your Health Data to Strangers
A new privacy audit found that one popular app shares intimate health details with ad firms before you even type a word. Here is what the audit found, and which app actually keeps your data safe.

Key points
- The Mozilla Foundation, working with Harvard's Berkman Klein Center, graded six popular period-tracking apps on privacy in 2025.
- Stardust, an astrology-themed period tracker, scored 2 out of 10, the lowest in the group.
- Stardust sends users' reproductive health details to a third-party data firm not named in its own privacy policy, first reported by the BBC.
- Euki, a nonprofit-run tracker, scored a perfect 10 and stores all health data on the user's phone only.
- Stardust also passes an advertising identifier to Facebook, linking in-app behaviour to users' existing Facebook profiles.
Imagine opening an app to log a headache or a mood, before you have typed a single letter, and your phone has already told a data company you are there. That is what Mozilla researcher Shoshana Wodinsky found happening with Stardust, one of the most downloaded period-tracking apps in the United States.
Stardust pings third-party tracking software the instant the app opens. When a user logs a symptom, details including pregnancy status, birth control type, and specific physical symptoms travel to an analytics firm called RudderStack, packaged with a persistent ID that follows the user across sessions. There is no in-app switch to turn this off.
RudderStack is built to forward data to other destinations. Mozilla could not see where it went next.
Stardust also hands Facebook an advertising identifier, a small tag that connects what you do inside the app to your existing Facebook profile. The company told reporters it has never received a legal demand for user data. That is not the same as saying the data stays private.
The audit scored Stardust 2 out of 10.
The contrast with the top scorer could hardly be sharper. Euki, run by a nonprofit, earned a perfect 10. It requires no account. Health data never leaves your phone. Users can set a PIN, schedule automatic deletion, or activate a decoy screen if someone forces them to open the app. Its only soft spot is a built-in browser for educational articles, which loads standard web trackers, though it resets identifiers between visits.
Should you delete your period tracker?
Not necessarily, but you should check which one you are using. If it is Stardust, the audit suggests your intimate health details are reaching companies you have never heard of, with no clear way to stop it. Switching to Euki costs nothing and requires no sign-up.
This matters beyond convenience. Reproductive health data is among the most sensitive information a phone can hold. In states where abortion access is restricted, records of missed periods or pregnancy status could, in theory, surface in legal proceedings.
A few things worth checking on any health app you use: read the privacy policy before trusting it with medical details, search for the app's name alongside the word "privacy audit", and look for an option to export or delete your data. If those options do not exist, that tells you something.
If you handle personal data at work or manage a team that does, security-awareness training that covers data-sharing risks is a practical next step. Train2Secure offers exactly that kind of training, including modules on how apps and phishing attacks exploit personal information.



