Health
Period tracking apps have become wildly popular among young women, but they carry privacy risks and the threat of surveillance in a booming femtech market. By Varsha Yajman.
The threat of surveillance in the ‘femtech’ market
Among the unwelcome interruptions in her high-school classroom, Jessica* says she’d never expected to be harassed by her phone offering “blow job tips”.
Jessica started using Eve by Glow, a cycle tracking app (CTA), at 14 to predict when her next period would be. “I also had an inconsistent cycle, so I wanted to keep a record to show my doctor.”
Despite using the app only five or six times a month, she received notifications daily.
“I was always worried my mum would check my phone – as she did when I was that age – and think I was doing something I wasn’t.”
The app became “unusable”, Jessica says. “It would forcefully subscribe me to all these categories of ‘tips’ even when I’d go in and unsubscribe from them,” she says.
“It felt so invasive and weird from an app I’m giving data about my menstrual cycle, so I deleted it.”
CTAs are used by more than 50 million women globally and are hugely popular in Australia. But they do much more than just warn you when your period is coming.
Entire industries are alert to the power of “cycle-based advertising”, which a report by the University of Cambridge’s Minderoo Centre for Technology and Democracy describes as “ads seek[ing] to exploit perceived hormonal weaknesses”. A 2011 study posited that in the first half of the ovulatory cycle, or “mating phase”, users may be more receptive to ads for “revealing clothing and cosmetics”, while in the second half, the “nesting” phase, users may subconsciously seek “home goods or plants”.
All our data has monetary value, but information about someone in the final stages of pregnancy is 220 times more valuable for targeted ads than data on age, gender or location. The time around the birth of a child is when buying habits are most likely to change, and so by tracking women’s period and sex cycles, these apps can harvest and sell the data most prized by prospective advertisers.
Turbocharged by social platforms, this insight has spawned a market projected to be worth more than US$60 billion by 2027.
Among the first CTAs was Clue, whose German co-founder, Ida Tin, is credited with coining the term “femtech”. By 2017 it had eight million active users. Among the most popular CTAs now are Flo, founded in 2015 by Belarusian brothers Dmitry and Yuri Gurski, and fertility app Glow by Max Levchin, the co-founder of PayPal. Australia has also developed one, CHARLI, launched in 2024.
As competition has heated up, more start-ups led by women have sought an edge, claiming to be more attuned to their users’ needs. Stardust, for instance, “blends science and astronomy to track your menstrual cycle”. This does not mean it protects women. Stardust’s privacy policy doesn’t rule out the company handing data over to authorities without a warrant or notifying the user.
Some alleged breaches of privacy have been prosecuted. In 2020, the California attorney-general reached a settlement with Glow in a case related to inadequate verification of requests to change account passwords and of supposed partners requesting to link accounts.
Neither Glow nor Stardust responded to requests for comment.
A year earlier, Flo was investigated by authorities in New York in response to an article in The Wall Street Journal claiming that Facebook could access personal information from such apps almost immediately after users entered it. Flo is also in the midst of a Canadian class action in which the plaintiffs allege the app disseminated highly sensitive personal information to third-party companies without consent.
A 2023 study of the 20 most popular tracking apps available in the United States and Britain found more than a third that claimed not to share personal data with third parties were contradicted by their own privacy policies.
CTAs pose a particularly high risk in states and countries where abortion is illegal. Privacy concerns went viral in the US following the overturning of Roe v Wade, which led to the banning of abortion in several states. Posts appeared widely on social media recommending that women delete their apps.
In the United Kingdom, where abortion is allowed only with permission from two doctors and within 24 weeks of gestation, police can subpoena data from tracking apps where they suspect a miscarriage, stillbirth or early labour has been caused by an illegal abortion. Women can have their phones seized and period tracking apps inspected.
Though abortion is now legal across Australia, within a range of gestation limits, users in this country should still be concerned about how their data may be used.
Amna Qureshi from consultancy AWO, which focuses on data governance, notes how difficult it can be for people to discern whether the app they’re using has appropriate privacy measures in place, as the terms can be “buried” in their policies.
Qureshi points to the Mozilla Foundation’s *Privacy Not Included buyers’ guide, which assesses how companies handle data. The guide assigns a warning label to those that fail to meet Mozilla’s minimum security standards, and ranks brands on a “creep-o-meter”.
Most people who spoke to The Saturday Paper seemed either unaware of or didn’t care about privacy issues. After all, we all give our personal data up every day in online transactions.
Many said they found their tracking app life-changing and educational, that it helped them with their ADHD or just to be a bit kinder to themselves as their period approached. Some CTAs host community forums for users to ask questions and share experiences regarding their cycle, and they offer a range of functions including metabolic analysis, or symptom monitoring for conditions such as polycystic ovary syndrome.
Lizzie O’Shea, the founder of Australian charity Digital Rights Watch, says CTAs are a “special category of app”, as the information is “particularly sensitive and should be subject to data minimisation requirements”.
In June, researchers at the University of Cambridge called for improved regulation of these apps and for public health bodies to launch alternatives. Products within the public system, said research associate Dr Stefanie Felsberger, would not be “driven primarily by profit, will mitigate privacy violations, provide much-needed data on reproductive health and give people more agency over how their menstrual data is used”.
O’Shea says non-profit organisations are also “much less likely to hold information”, though their insecure funding could be a risk. Both she and Qureshi note that regardless of who owns the data, however, Australia lacks many of the privacy regulations that other countries have, and minimising privacy risks is difficult without strong safeguards.
Unlike the European Union, the UK and California, Australia doesn’t recognise consumers’ right to erasure of their data. This legal right means that any party holding consumer information must erase it without undue delay when it’s no longer necessary for their specified purposes.
Australian citizens are protected against the misuse of their information only by Australian Privacy Principles under the Commonwealth Privacy Act 1988, and traditional remedies such as the tort of defamation. The principles allow individuals to request corrections to their information but not necessarily deletion or erasure.
Flo states in its privacy policy that upon deleting its app, it “retains your personal data for a period of 3 years in case you decide to re-activate”.
“Improving the experience of the app” shouldn’t be a reason to hold your data, O’Shea says. She also notes the low penalties in Australia compared with other countries for companies that breach privacy laws.
The Attorney-General’s Department released the Privacy Act Review Report in 2023. Since then, the Privacy Act has been subject to reform, with some amendments passed in December 2024.
Nevertheless, Attorney-General Michelle Rowland told The Australian Financial Review last month the current legislation is “not fit for the digital age” and that a second set of reforms is being prepared.
Until the Privacy Act finally addresses these flaws, the best way to secure your most intimate data is to choose a privacy-focused app – after a close read of the fine print.
* Name has been changed.
This article was first published in the print edition of The Saturday Paper on August 2, 2025 as "The business of cycles".
For almost a decade, The Saturday Paper has published Australia’s leading writers and thinkers. We have pursued stories that are ignored elsewhere, covering them with sensitivity and depth. We have done this on refugee policy, on government integrity, on robo-debt, on aged care, on climate change, on the pandemic.
All our journalism is fiercely independent. It relies on the support of readers. By subscribing to The Saturday Paper, you are ensuring that we can continue to produce essential, issue-defining coverage, to dig out stories that take time, to doggedly hold to account politicians and the political class.
There are very few titles that have the freedom and the space to produce journalism like this. In a country with a concentration of media ownership unlike anything else in the world, it is vitally important. Your subscription helps make it possible.
Subscriber exclusive
Send this article to a friend for free.
Share this subscriber exclusive article with a friend or family member using share credits.
