If the authorities that are supposed to enforce GDPR (and other data protection laws around the world) were doing their job, app makers would be a lot more careful with what they embed and what data they send where. Because these authorities don't seem to have been doing anything useful, it's now so normalized that you could probably send a $20M fine to every major app and be right about it.
If you use GrapheneOS, you can enable or disable internet access for each app.
Not sure what information you're expecting the app in question to surface if you disable internet access for it.
There are almost certainly other apps in the space that don’t need a server, don’t phone home to Meta, and are lower priced, but they probably aren’t as good at marketing.
From my experience in the startup world, I would wager that this developer probably wanted to track marketing campaign installs (Meta library is required to close the loop on Facebook/Instagram ad conversions after app install) or wanted a feature from some Meta library they integrated but didn’t realize or care about the consequences.
I guess you could do it with some sort of P2P sync with cryptography involved locally instead, and/or E2E for stuff sent via the servers. Kind of surprised me they didn't have E2E already, but I guess I shouldn't be surprised anymore.
If you have an irregular period, does this app help "guess" when it's going to start/end?
If you have a regular period, why do you need an app at all?
The main useful feature of the apps (or Apple Health’s tracker which is entirely adequate) is that it sends reminders on the estimated period start date, and then a few days afterwards if you haven’t recorded the end date.
Even “regular” periods often aren’t perfectly regular, or can become irregular when they were regular. (Which is often very important health information.)
It also automatically calculates median period length and typical variation/range.
All unnecessary for some people but very useful for others.
This was what my partner found useful to share with her doctor while trying to figure out a medical issue. Of course it could have been done typing dates and notes into excel, and manually creating charts, but the chance that she (or most people) would consistently follow that workflow (pun not intended, but I like it) is nil.
I'm guessing P2P technology isn't really sufficiently easy for developers yet, so when you have two users using an app that are supposed to share something between the two, most of us default to building server-side services. That + the "dynamic" list of articles and "help" Flo offer I'm guessing is the main reason for them having servers in the first place.
.. To be clear, "wired app to standard ad-tech surveillance plumbing, sending concepts like user logged period and pregnancy mode entered, through its pipes, to improve ad revenues through Meta's targeting platform" .. ad-events .. this is the kind of behavior that happened, in plain-ish speaking terms, per what I read in my non-expert capacity.
Q: (answered) Now I want to know who runs (ran?) Flo - can we find their Board of Directors & C-level people on LinkedIn to profile what kind of industries lead to this kind of (I believe) privacy violating behaviors? It's a biased question on my part, as Correlation is not Causality! Onwards ..
My limited, biased, AI-driven research suggests the violating behavior ran from June 2016 through February 2019, and that generally the Company was designed to be consumer-app with subscriptions and is healthcare-adjacent, targeting an unregulated non-HIPPA market.
- INVESTORS = consumer subscription apps with ad-driven growth loops
- BUSINESS MODEL =
(1) free or freemium consumer apps where
(2) growth depends on paid acquisition through Meta/Google/TikTok ad platforms, which
(3) requires sending conversion events back to those platforms to optimize ad spend, and
(4) the SDKs that do this are designed by ad networks to hoover up everything by default.
- EXECUTIVE =
* No Privacy / Data Protection C-level officers during violating period
- around since 2019. Last update 2 months ago
- iOS, Android
- React Native
- around since 2024. Last update 2 weeks ago
- Android
- Kotlin
- around since 2015. Last updated 3 weeks ago.
- iOS and Android
- Dart
- around since 2023. Last updated 2 years ago.
- iOS
- Swift
I think the biggest thing I'd like to see is a data format standard defined. You should be able to "take your data with you" and go anywhere you like. If you decide an app is unethical or if your favorite OSS app stops being updated, it should be simple to switch. Many apps let you export your data. Maybe someone can make a converter between popular proprietary apps and a common data structure spec
The situation with wellness apps is that they are a product that are designed specifically to exist outside of the regulatory regime that people associate with them.
because lots of people dont know what HIPPA is, and (naively to us more familiar with tech) assume that a medical-related app on a curated app store would be safe for medical-related stuff.
Ironically, it's HIPAA.
You're right, though; it's much more limited than people think. During COVID people claimed everything violated HIPAA (masks, vaccine requirements, testing), but it only applies in a very narrow subset of patient/provider relationships.
"Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Answer: Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization."
Source: https://www.hhs.gov/hipaa/for-professionals/faq/481/does-hip...
I think FLOSS apps often forget that not everyone is a developer or a nerd who prioritizes privacy and ethics over design, which is a real problem since people end up using proprietary apps that data-mine them.
That your comment even implied that would be acceptable in this context is appalling.
> only biological women have periods
generally, yes, but there are so many edge cases there with intersex people that it is far easier and more inclusive to just say roughly 50 percent of the human population has periods and avoid having to deal with the million asterisks that come with that statement
You don't have to speak like a lawyer.
There is no intersex person waiting to jump out and yell accusatory things at you because you didn't include sufficient asterisks or you said statements that are 99.9999% true.
> Not another cute, pink app. drip. is designed with gender inclusivity in mindful
so a FOSS community should bimboify their app because your friend wants her data pinkwashed more than she wants her data safe? sounds like a her problem but she could always fork herself
iOS/watchOS has had period tracking functionality with completely sterile design and people use it just fine.
https://bloodyhealth.gitlab.io
A secure open source period tracking app.
https://help.flo.health/hc/en-us/articles/4411278780564-What...
For instance, if you need to track your period, the built in iOS apps are secure, especially if you're using advanced icloud encryption.
It's not a medical requirement from a doctor, so just keep a diary if you want to. Not everything needs to be an app. All the money spent on regulations and regulators to cover increasingly niche opt-in services that are entirely unnecessary is a waste.
The trick is to "give a tool for 1-2 generations of customers" , and then they'll be fully dependent on the tool.
kids today cannot navigate without turn-by-turn. nobody looks at the map to get names of major streets, they just blindly follow the directions. I learned how to navigate as a kid just by being bored and staring out the window and being able to recognize things. Now, kids don't even look out the window as they keep their heads down and eyes glued to a screen.
No, many can feel it beforehand, and you notice it when you go to the bathroom before as well, as certain things change their properties slightly, it's not a "nothing" phase and then "floods out of your body".
It's borderline parody how little education there is for males when it comes to things like this.
I've been for a "corporate death penalty" (if companies are people, they can be executed) which would result in the shareholders losing everything along with executives being perp-walked.
The first seems like it could be resolved with an escalating fine schedule, and the second could be mitigated by requiring Apple/Google to remove it from the app store (one of the rare cases walled gardens are on consumers' side).
Malicious compliance. For example: https://en.wikipedia.org/wiki/Epic_Games_v._Apple
"While Apple implemented App Store policies to allow developers to link to alternative payment options, the policies still required the developer to provide a 27% revenue share back to Apple, and heavily restricted how they could be shown in apps. Epic filed complaints that these changes violated the ruling, and in April 2025 Rogers found for Epic that Apple had willfully violated her injunction, placing further restrictions on Apple including banning them from collecting revenue shares from non-Apple payment methods or imposing any restrictions on links to such alternative payment options. Though Apple is appealing this latest ruling, they approved the return of Fortnite with its third-party payment system to the App Store in May 2025."
Or https://developer.apple.com/support/dma-and-apps-in-the-eu/
"UPDATE: Previously, Apple announced plans to remove the Home Screen web apps capability in the EU as part of our efforts to comply with the DMA."
(This one resulted in enough fuss they backed down.)
Just like banning drugs and murder did!
That isn't what's happening. The regulations don't get little niche cases added to them, they're writen to be generally applicable to all niches.
> It's not a medical requirement from a doctor, so just keep a diary if you want to.
"Just don't use the computer if you don't want companies to rat you out to the fascist government that'll imprison or kill you for having a miscarriage" is a ridiculous victim-blaming position.
It's the practical reality of a fascist government that they won't enact privacy laws. And yes, women really shouldn't be using period tracking apps in the US, or made by the US. But that doesn't mean privacy laws are some "silly waste of my tax money".
It's not a "medical requirement" except for the many many many cases where it is. Similarly, this position extends to literally everything. Nothing "needs to be an app". But unless we want to pack up and discard the entire software industry, it really ought to be better about privacy like this.
Also: Why blame the victims, not the perp?
Look at say zuckenberg - a typical sociopath lying again and again through his nose with big grin just to get what he wants (ie scandals how FB employees go to DB to spy on their exes or enemies is popping up for 10 years at least and there is no stop, every time there is another assurance how it can't be done now blablabla... and thats just specific meta employees).
Nobody likes that, but just sitting and waiting for almighty regulators while blindly trusting apps in good faith to do their jobs is... not working much, is it. Be smart, adapt to real environment out there, not some wishful thinking. In parallel push for change as much as you can, vote with wallet and your time. Once sought-for paradise comes then feel free to use anything anyhow. At least that seems like smarter approach to me.
So add liability for the buyers of the data or any services derived from the data (e.g. targeted ads). Make it so large advertisers demand audits showing privacy laws are being followed. Also have personal criminal liability for people building and maintaining systems that collect, store, or process data for illegal purposes. Executives, PMs, engineers, the whole lot. Put them in prison if they continue.
And facebook doesn't care about people's rights when those people in power are able to block Facebook from acquiring some new startup they want to buy, so facebook is willing to share the information.
And what will people in power do with this information?
It's actually quite difficult to investigate an abortion, though. Abortion isn't "real", in the sense that there's no obvious difference between a natural abortion (read: miscarriage) and a purposeful one.
The thing that means abortion abortion colloquially is the purposeful-ness of it. If you knowingly terminate a pregnancy, that's an abortion. If your body terminates its own pregnancy, for a variety of reasons because the human body is very complicated, that's not an abortion.
Generally trusting people with that nuance is, I think, asking for trouble.
[1] https://www.npr.org/2022/07/11/1107741175/texas-abortion-bou...
NO, that's why I asked. As per John Oliver's last week tonight, "Did you know there are countries that are not America?"
The people prosecuting women for abortions aren't looking for reasons not to arrest and prosecute them.
Who are these people doing this?
> Nationally, about 20% of pregnancies end in a loss, which includes miscarriage or spontaneous abortion, ectopic pregnancy, stillbirth or fetal death, according to federal data. Only a small number are investigated as crimes. But advocates say the growing number of laws in some states place people’s actions following pregnancy loss under greater scrutiny from law enforcement.
> Women in South Carolina, Georgia, Ohio, Arkansas, Texas, Mississippi, Oklahoma and several other states have faced criminal charges after a miscarriage or stillbirth for failing to seek immediate medical treatment, not pursuing prenatal care or disposing of the fetal remains in a way that law enforcement or prosecutors considered improper.
https://www.themarshallproject.org/2024/10/31/stillbirth-okl...
Many states prosecute black women who miscarry and one of their claims is that the woman took some (illegal - allegedly) drug that caused the miscarriage.
> In the year after the U.S. Supreme Court dismantled the constitutional right to abortion in June 2022, more than 200 pregnant women faced criminal charges for conduct associated with their pregnancy, pregnancy loss or birth, according to a new report.
https://missouriindependent.com/2024/10/01/200-women-faced-c...
https://www.newsweek.com/texas-gop-meeting-death-penalty-wom...
https://www.theguardian.com/us-news/2025/sep/30/pregnancy-us...
https://www.pbs.org/newshour/show/after-overturn-of-roe-more...
"Abstract
When Dobbs v. Jackson Women’s Health first overturned long-standing precedent protecting a woman's fundamental right to abortion, pro-choice leaders issued warnings about the possibility of prosecuting women for abortions. These concerns were dismissed as hysterical or as political theatrics because, in the past, women were rarely prosecuted for their own abortions. This note analyzes the history of illegal abortion before the Supreme Court’s ruling in Roe v. Wade to demonstrate that women were targeted, used as leverage against abortion providers, and sometimes arrested for their roles in the procedure." https://scholarship.law.slu.edu/lj/vol69/iss4/11/
mainly because I have no idea whether it's realistic to imagine what prosecutors do. I can also easily imagine it to be illegal and wildly unrealistic behaviour for a prosecutor, in my ignorance.
> Warrants related to people getting an abortion?
The question here isn't whether abortion is illegal in some states, but about period tracking data could be used as evidence, or justify an investigation - especially data that is seemingly illegally obtained. AFAIK, illegally obtained evidence is normally not valid grounds for investigation, and might actually weaken the case based on "fruit of the poisonous tree" doctrine.
It's not [1]. There's no safeguards on information available for purchase like this. The US has very little in the way of digital privacy laws.
> especially data that is seemingly illegally obtained.
That's the thing, it's not illegal to sell private data. It's not illegal for prosecutors and cops to buy private data.
It definitely feels like it should be, so I get why you'd think that. Feels aren't the legal code.
[1] https://www.npr.org/2026/03/25/nx-s1-5752369/ice-surveillanc...
It's not illegal to purchase bulk data without a warrant. [1]
It should be.
So yes, there is precedent of prosecutors buying bulk data and using it in prosecutions.
In fact, that's basically a huge part of the "value add" of palantir.
[1] https://www.npr.org/2026/03/25/nx-s1-5752369/ice-surveillanc...
This whole data economy has significantly undermined privacy, including 4th amendment protections.
Facebook previously gave private Messenger chats to Nebraska police, these messages were used as key evidence to charge a mother and daughter over an alleged illegal abortion[1]
[1] https://www.theguardian.com/us-news/2022/aug/10/facebook-use...
However, regardless, we really need to just kill the data broker business model.
Speaking as someone who implemented GDPR for my startup when the law first came into effect, there were certainly rough edges.
But the core premise that you simply cannot sell user data to sub-processors without consent is a powerful one that I believe would fix a lot of broken things in the US system.
(Not least because the USG buys private data that would be unconstitutional for it to directly collect, but also things like the incentives for your cell phone provider to sell your location data to advertisers.)
Health and wellness apps aren’t covered entities under HIPAA so these disclosures are not violations of it.
Same video, different platforms:
(https://odysee.com/@NaomiBrockwell:4/HIPAA:7)
TL;DW: HIPAA was actually created to allow insurance companies to share patient data without having to get patient consent. Before HIPAA, data was more fractured and less commonly shared. The only privacy protections it offers is, e.g., your doctor not giving your data to your boss. But about 1.5 million private entities can legally access your data (everything from health startups to insurance companies to hospitals)
S8.E5 The Package
(https://redlib.catsarch.com/r/seinfeld/comments/168m2d9/anyo...)
I doubt it was a critique of HIPPA, although the episode was published a little under 2 months after HIPPA was signed.
How great would it be for our privacy if they went back to paper records, though.
Somewhat. They are allowed to access it "for treatment purposes", not just to nose around out of curiosity.
I found myself explaining this to a number of my patients (I used to be a paramedic) who were irate about disclosures they'd made to their therapist, doctor, etc., that they had said they didn't want revealed to other providers (but were actually germane to their care).
"Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Answer: Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization."
https://www.hhs.gov/hipaa/for-professionals/faq/481/does-hip...
“User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.” Meta maintains that any transmission of sensitive health data is due to a failure to comply with its terms of use.
Not a word I use much myself except when referring to “yappy little dogs”, but it is definitely common among those the generation above me and that above them.
These apps are super simple in terms of privacy policy: - we don’t track you (no telemetry) - we don’t show you ads - no account - free with optional tip
Sure I don’t make much money with them but I feel like I’m pushing back on making humanity worse.
I would advise anyone tracking medical data with an app to use something open source and local-only or network-optional if at all possible. I know there are open source cycle tracking apps, but I do not know if they're any good.
By that logic, almost anything becomes defensible. I was out of work, so I became a contract killer. I had to find a way to make money.
No. Companies still have to follow the law. They also have the option of being decent and not tracking or sharing intimate data like sexual preferences with Meta, Google, TikTok, and the advertising industry.
I’ve been asked as a contractor to build this kind of thing. I refused, before and after GDPR. It cost me money. Fine. I can live with that.
What I cannot respect is people who decide that revenue matters more than basic privacy, then hide behind “business needs” as if that ends the conversation.
Ah, see, that doesn't work because you're a person not a company. The company had to find a way to make money, that's why they denied your chemotherapy. Tough luck for you.
If you put data onto a networked device it may be sent to some place else.
If you don't want your data being shared:
Use a device that does not have any networking capability (both hardware and software wise)
Use a pen and paper, you can shred and destroy as you see fit.
If you're using an application on a mobile device with mobile data/wifi, the chances are, your data is being uploaded.
| I don't actually see this as a problem
Okay, go on, perhaps you have an interesting point
| and instead it's a PSA everyone needs to internalize
If it's not a problem, it's not a PSA because nobody needs to know or care. If it's something worthy of a PSA, then it must stem from a problem.
Having said that, you're right to be suspicious of commercial services, even that you pay for. Someone can found a startup with a strong commitment to customer privacy and the best of intentions, but a few acquisitions or near bankruptcies later, those commitments will go out the window.
The small chance that they might go out of their way to not sell premium users data doesn't seem worth much.
Further, a view that ignores many real world digital data risks faced by those considered to be useful targets; eg: compromised supply chains delivering "pre hacked" hardware with discreet wifi chips or hidden out of band comms, etc.