All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
Researchers have raised new privacy concerns about the popular period-tracking app Stardust after finding it shared users' sensitive reproductive health information with a third-party analytics company — despite its promise that "Your data is private. Period."[1]
“We take your privacy seriously and protect your personal data by anonymizing and encrypting it,” Stardust has written in its data page overview.
According to new research from Mozilla, that’s not exactly the case. Stardust transmitted data including users' birthdates, birth control methods, reproductive goals, and logged symptoms to analytics platform RudderStack.[2]
RudderStack is an agentic, “warehouse native” Customer Data Platform (CDP) designed to make it easy for data engineers and developers to collect, unify, and activate customer data.[3]
While the records did not include users' names, they were linked to unique identifiers that privacy experts say can still be used to identify individuals.
Why this matters
Stardust says the data isn't being sold
Not all period trackers performed the same
How to better protect your health data
Researchers say Stardust shared users' reproductive health data
Mozilla's latest privacy research examined six popular period-tracking apps by analyzing their network traffic to see what information was leaving users' devices.
Of the six apps tested, Stardust was the only one found to be transmitting sensitive reproductive health information to another company.
According to Mozilla, the shared information included:
- Birthdate
- Birth control method
- Reproductive goals
- Specific symptoms entered into the app
While the records did not include users' names, they were associated with a persistent unique identifier instead.
Removing someone's name does not necessarily make health data anonymous. The Federal Trade Commission has previously cautioned that so-called "de-identified" data can often be linked back to individuals when combined with other information.
Why this matters
Many health and wellness apps rely on third-party services to provide analytics, cloud infrastructure, crash reporting, or payment processing. Users often never see these background data transfers happening.
While these services can help developers improve their apps, they also introduce additional privacy risks. Every additional company that receives sensitive information creates another potential point of exposure through security incidents, legal requests or internal misuse.
Those concerns have become especially significant for reproductive health apps since the U.S. Supreme Court overturned Roe v. Wade in 2022.
"We're very concerned in a lot of advocacy spaces about what happens when private corporations or the government can gain access to deeply sensitive data about people's lives and activities," Lydia X. Z. Brown, a policy counsel with the Privacy and Data Project at the Center for Democracy and Technology, told NPR. “That data could put people in vulnerable and marginalized communities at risk for actual harm.”
At the time, millions of people turned to period-tracking apps like Stardust because of their privacy-focused marketing. TechCrunch previously investigated the app in 2022 after it claimed to use end-to-end encryption and reported that those claims did not match the app's actual behavior.
Mozilla's latest findings add fresh scrutiny to how reproductive health information is handled behind the scenes.
Stardust says the data isn't being sold
According to BBC News, a Stardust spokesperson said RudderStack is "contractually prohibited from selling or using it for its own purposes."
However, researchers note that both companies are based in the United States. That means data stored on their servers could still be subject to lawful requests from government agencies or law enforcement.
TechCrunch reported that Stardust founder Rachel Moranis did not respond to questions about Mozilla's findings or whether the company has ever received requests for users' health data.
Not all period trackers performed the same
Mozilla tested six different period-tracking apps as part of its research. The organization singled out Euki as its top privacy recommendation, describing it as "squeaky clean."
Researchers found that Euki did not share users' reproductive health data with third parties during its core functions, and that users' health information remained stored on their devices rather than transmitted elsewhere.
It also happens to be among our favorite period-tracking apps in the market.
How to better protect your health data
We recommend taking a few minutes to review an app's privacy policy and permissions before entering sensitive health information. It's also worth checking whether the app shares data with third parties for analytics, advertising or other purposes.
If you use a period-tracking or other health app, there are a few ways to reduce your privacy risks:
- Review the app's privacy policy before entering sensitive information.
- Check whether the app shares data with third parties for analytics or advertising.
- Disable optional analytics or data-sharing settings if they're available.
- Consider apps that store health information locally on your device instead of transmitting it to external servers.
- Keep your apps updated to receive the latest security improvements.
If you find yourself at the receiving end of a data leak, you could use a data removal service to hunt down and delete your personal information shared to third parties across the internet.
No app can eliminate every privacy risk, but understanding how your health information is collected, stored and shared can help you make a more informed choice.