Legal & Policy

Reproductive Health Apps and the Data Trail They Leave

July 5, 2026, by Haven Team

A cycle-tracking app knows things about you that your closest friends may not: when your period is late, when you are trying to conceive, when a pregnancy ends. In the United States, most of that data sits entirely outside medical privacy law. The enforcement record shows what happens to it, and the record is worth reading closely, because it does not say quite what most people assume.


Start with the legal gap, because everything else follows from it. HIPAA, the law most Americans believe protects "health data," covers healthcare providers, insurers, and their business associates. A consumer app you downloaded from an app store is none of those. The intimate log you keep in a period tracker has, by default, roughly the legal status of your pizza order history: governed by the app's own privacy policy and general consumer protection law, and by nothing medical at all.

What the enforcement record shows

In 2021, the Federal Trade Commission settled with Flo Health, maker of one of the most widely used period trackers. The FTC's complaint said the app had promised users their health details would stay private, then passed app events, including details revealing pregnancy status, to third-party analytics and marketing SDKs from companies including Facebook and Google. No breach, no hack: the data left through the app's ordinary analytics plumbing.

In 2023, the FTC acted against Easy Healthcare, maker of the ovulation tracker Premom, under the Health Breach Notification Rule. The complaint described sensitive health data shared with third-party analytics firms, including two based in China, without user consent. The same year, the FTC's case against GoodRx (a prescription discount service rather than a fertility app) established that sharing health data with advertisers can itself count as a breach under that rule. The regulatory position hardened: analytics SDKs are not a privacy-neutral implementation detail when the payload is health data.

The part most coverage gets wrong

In the criminal cases that followed the Supreme Court's 2022 Dobbs decision, the digital evidence used by prosecutors has come mainly from private messages and search histories, not from period trackers. In a widely reported Nebraska case, the key evidence was unencrypted Facebook messages between a mother and daughter, which Meta produced in response to a warrant. The app category everyone worried about has, so far, mattered less than the messaging apps everyone already uses.

That detail should redirect the threat model. Deleting a period tracker while continuing to discuss reproductive decisions over unencrypted messengers addresses the visible risk and leaves the demonstrated one. Any serious response includes moving sensitive conversations to end-to-end encrypted channels, for the reasons laid out in our whistleblower OPSEC guide: the message archive a company can read is a message archive it can be compelled to produce.

Where the data goes when nothing goes wrong

The Flo and Premom cases involved specific broken promises, but the ordinary data flow in this category is troubling even when the privacy policy is honored. Health apps commonly embed the same advertising and analytics SDKs as games and shopping apps. App events flow to ad networks; advertising identifiers link them to the rest of your profile; and data brokers aggregate the result. Location adds another layer: in 2022, after public pressure, several location data vendors said they would stop selling visits to reproductive health clinics, which tells you such datasets existed to sell. Our post on location data brokers covers how that market works.
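The fan-out described above, modelled as an added example (not code from Haven, Flo, Premom or any SDK vendor): every tracked event goes to every configured sink, the vendor SDKs stamp an advertising identifier onto what they receive, and a review check lists which vendors end up holding health-revealing fields; the scrub step shows what keeping those fields first-party only looks like. Event, field and sink names are constructed assumptions.

```python
from dataclasses import dataclass
# Assumed taxonomy: event properties that reveal reproductive health status.
SENSITIVE_FIELDS = {"pregnancy_status", "cycle_phase", "trying_to_conceive"}

@dataclass(frozen=True)
class Sink:
    name: str
    first_party: bool     # the app's own backend, or an embedded vendor SDK
    attaches_ad_id: bool  # vendor SDK stamps events with the device ad ID

# Constructed sinks: one first-party backend and two vendor SDKs.
SINKS = (
    Sink("app-backend", first_party=True, attaches_ad_id=False),
    Sink("analytics-sdk", first_party=False, attaches_ad_id=True),
    Sink("ads-sdk", first_party=False, attaches_ad_id=True),
)

# Constructed events, shaped like what a cycle tracker might emit.
EVENTS = (
    {"event": "log_period", "cycle_phase": "menstrual", "day": 1},
    {"event": "set_goal", "trying_to_conceive": True},
    {"event": "log_test", "pregnancy_status": "positive"},
    {"event": "open_screen", "screen": "calendar"},
)

def scrub(event):
    """Drop health-revealing properties before an event leaves the app."""
    return {k: v for k, v in event.items() if k not in SENSITIVE_FIELDS}

def fan_out(events, sinks, scrub_third_party):
    """Deliver every tracked event to every sink, as typical SDK wiring does.
    Returns {sink name: [payload as that sink receives it, ...]}."""
    delivered = {}
    for sink in sinks:
        payloads = []
        for ev in events:
            payload = scrub(ev) if scrub_third_party and not sink.first_party else dict(ev)
            if sink.attaches_ad_id:  # this is what links the event to an ad profile
                payload["ad_id"] = "<device advertising identifier>"
            payloads.append(payload)
        delivered[sink.name] = payloads
    return delivered

def audit(delivered, sinks):
    """List (sink, event, field) for each sensitive field a vendor received."""
    vendors = {s.name for s in sinks if not s.first_party}
    return [(name, p["event"], f)
            for name, payloads in delivered.items() if name in vendors
            for p in payloads for f in sorted(SENSITIVE_FIELDS.intersection(p))]
```

Run `audit(fan_out(EVENTS, SINKS, False), SINKS)` to see the as-shipped leaks and `audit(fan_out(EVENTS, SINKS, True), SINKS)` to confirm the scrubbed wiring reports none.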

A subpoena is not even required for much of this. Data purchased on the open market has no warrant requirement at all, an asymmetry we discuss in geofence warrants explained: when the commercial data exists, legal process is often the second way authorities get it, not the first.

The law is moving, unevenly

Some jurisdictions have responded. Washington State's My Health My Data Act, passed in 2023, covers consumer health data specifically, requires opt-in consent for collection and sharing, and includes a private right of action. California amended its law to restrict cooperation with out-of-state investigations into reproductive care. The EU's GDPR has always classified health data as a special category requiring explicit consent, one of the concrete differences covered in our CCPA vs GDPR comparison. But protection now depends heavily on where you live, and prosecutors in one state can still reach data held by companies in another unless a shield law intervenes.

Tracking without leaving a trail

None of this requires giving up cycle tracking. It requires choosing where the data lives.

The general lesson

Reproductive health data is the clearest current example of a broader rule: the sensitivity of data is set by what it reveals, its protection is set by who holds it, and the two have almost nothing to do with each other. The most intimate log on your phone is protected only as well as the least careful company in its supply chain. Until the law closes that gap, the practical move is to keep the data where no company holds it at all.
