Start with the legal gap, because everything else follows from it. HIPAA, the law most Americans believe protects "health data," covers healthcare providers, insurers, and their business associates. A consumer app you downloaded from an app store is none of those. The intimate log you keep in a period tracker has, by default, roughly the legal status of your pizza order history: governed by the app's own privacy policy and general consumer protection law, and by nothing medical at all.
What the enforcement record shows
In 2021, the Federal Trade Commission settled with Flo Health, maker of one of the most widely used period trackers. The FTC's complaint said the app had promised users their health details would stay private, then passed app events, including details revealing pregnancy status, to third-party analytics and marketing SDKs from companies including Facebook and Google. No breach, no hack: the data left through the app's ordinary analytics plumbing.
In 2023, the FTC acted against Easy Healthcare, maker of the ovulation tracker Premom, under the Health Breach Notification Rule. The complaint described sensitive health data shared with third-party analytics firms, including two based in China, without user consent. The same year, the FTC's case against GoodRx (a prescription discount service rather than a fertility app) established that sharing health data with advertisers can itself count as a breach under that rule. The regulatory position hardened: analytics SDKs are not a privacy-neutral implementation detail when the payload is health data.
In the criminal cases that followed the Supreme Court's 2022 Dobbs decision, the digital evidence used by prosecutors has come mainly from private messages and search histories, not from period trackers. In a widely reported Nebraska case, the key evidence was unencrypted Facebook messages between a mother and daughter, which Meta produced in response to a warrant. The app category everyone worried about has, so far, mattered less than the messaging apps everyone already uses.
That detail should redirect the threat model. Deleting a period tracker while continuing to discuss reproductive decisions over unencrypted messengers addresses the visible risk and leaves the demonstrated one. Any serious response includes moving sensitive conversations to end-to-end encrypted channels, for the reasons laid out in our whistleblower OPSEC guide: the message archive a company can read is a message archive it can be compelled to produce.
Where the data goes when nothing goes wrong
The Flo and Premom cases involved specific broken promises, but the ordinary data flow in this category is troubling even when the privacy policy is honored. Health apps commonly embed the same advertising and analytics SDKs as games and shopping apps. App events flow to ad networks; advertising identifiers link them to the rest of your profile; and data brokers aggregate the result. Location adds another layer: in 2022, after public pressure, several location data vendors said they would stop selling visits to reproductive health clinics, which tells you such datasets existed to sell. Our post on location data brokers covers how that market works.
A subpoena is not even required for much of this. Data purchased on the open market has no warrant requirement at all, an asymmetry we discuss in geofence warrants explained: when the commercial data exists, legal process is often the second way authorities get it, not the first.
The law is moving, unevenly
Some jurisdictions have responded. Washington State's My Health My Data Act, passed in 2023, covers consumer health data specifically, requires opt-in consent for collection and sharing, and includes a private right of action. California amended its law to restrict cooperation with out-of-state investigations into reproductive care. The EU's GDPR has always classified health data as a special category requiring explicit consent, one of the concrete differences covered in our CCPA vs GDPR comparison. But protection now depends heavily on where you live, and prosecutors in one state can still reach data held by companies in another unless a shield law intervenes.
Tracking without leaving a trail
None of this requires giving up cycle tracking. It requires choosing where the data lives.
- Prefer local-only storage. Some trackers are built to keep data on the device with no account and no server copy: drip, from Bloody Health, is open source and stores everything locally; Euki, from a reproductive health nonprofit, does the same and offers a PIN that opens a decoy view. Data that never reaches a server cannot be subpoenaed from one.
- If you use a cloud tracker, read for three things: whether health entries are end-to-end encrypted (rare), whether the company publishes a policy on law enforcement requests, and whether anonymous use without an account is possible.
- Check the platform layer. Cycle data stored in Apple Health syncs end-to-end encrypted when your account has two-factor authentication, and Apple cannot produce it in readable form. Whether a third-party app keeps its own server-side copy is a separate question from what the platform stores.
- Deny the incidental permissions. A cycle tracker does not need your location or contacts. See mobile permissions privacy for the general discipline.
- Move the conversations, not just the logs. The prosecutions to date turned on messages. End-to-end encrypted messaging, with disappearing messages where retention is a risk, addresses the failure mode that has actually occurred.
The general lesson
Reproductive health data is the clearest current example of a broader rule: the sensitivity of data is set by what it reveals, and the protection of data is set by who holds it, and the two have almost nothing to do with each other. The most intimate log on your phone is protected only as well as the least careful company in its supply chain. Until the law closes that gap, the practical move is to keep the data where no company holds it at all.