If you use a period tracking app, you're sharing some of the most intimate details of your life: your cycle length, your symptoms, whether you're trying to conceive, your mood, your pain levels. The assumption most people make is that this information stays between them and their app. For many of the most popular apps, that assumption has turned out to be wrong.
This isn't speculation or privacy paranoia. It's a matter of public record, documented in formal government investigations, federal lawsuits, and peer-reviewed research. And it's the exact reason allcycle was built.
Period tracking apps have a data problem
In 2019, a Wall Street Journal investigation found that a number of popular health apps were sending intimate user data to Facebook, even before users had logged in or accepted any terms. The investigation specifically found that one of the world's most popular period tracking apps was sending Facebook information about users' menstrual cycles, including when they were having their period and when they told the app they were trying to get pregnant.
That investigation prompted hundreds of user complaints and a formal government investigation. It wasn't an isolated incident.
A 2019 audit by Privacy International, which analysed 36 menstruation and fertility apps, found that 61% were automatically transferring data to Facebook the moment a user opened the app, before any interaction had even taken place.
The FTC stepped in, twice
The scale of the problem eventually drew formal regulatory action. In January 2021, the US Federal Trade Commission charged Flo Health — the developer of one of the world's most downloaded period tracking apps, used by more than 100 million people — with sharing users' sensitive health data with third parties including Facebook and Google, despite explicitly promising users that their data would remain private. The FTC alleged that Flo had been disclosing data including the fact of a user's pregnancy to those companies' analytics and marketing divisions.
Flo settled with the FTC and was required to overhaul its privacy practices, notify affected users, and instruct third parties to destroy the data they had received. It did not admit wrongdoing.
That case was followed in 2023 by a second enforcement action, this time against Premom, an ovulation tracking app. The FTC alleged that Premom had shared users' sensitive reproductive health data, including dates of menstrual cycles, temperatures, pregnancy status, and hormone results, with multiple third parties including Google, mobile analytics firms, and two China-based companies. It also allegedly shared users' precise GPS coordinates and device identifiers that could be used to track individuals across the internet. The FTC fined Premom $100,000 and permanently barred it from sharing users' health data for advertising purposes.
The director of the FTC's Bureau of Consumer Protection said at the time: "Premom broke its promises and compromised consumers' privacy. We will vigorously enforce the Health Breach Notification Rule to defend consumer's health data from exploitation."
The civil penalties in these cases are only part of the story. In a separate class action lawsuit in California, a jury found Meta liable for using period app users' health data for targeted advertising without consent. Google settled the same case for $48 million. Flo itself paid $8 million into the settlement fund to compensate users whose data was allegedly shared between 2016 and 2019. That's $56 million in settlements from a single lawsuit, and the case against Meta could still result in further damages.
The legal risk most people haven't thought about
Beyond advertising, there's another risk that period tracking app users in both the UK and the US have increasingly had to reckon with. And this is not just an American problem.
In May 2025, the National Police Chiefs' Council published new guidance instructing officers investigating stillbirths, miscarriages, and unexpected pregnancy losses to collect digital evidence including internet searches, text messages, and data from period tracking apps. The stated aim is to establish a woman's knowledge and intention in relation to her pregnancy. According to the guidance, women's homes may also be searched for abortion medication.
This matters in the UK because while abortion is legal up to 24 weeks under the 1967 Abortion Act, terminating a pregnancy outside those circumstances still falls under the Offences Against the Person Act 1861, a Victorian law that carries a maximum sentence of life in prison. According to Humanists UK, around 100 women have been criminally investigated since 2020, with six charged in just the last two years alone. Investigative reporting by Tortoise, cited by Abortion Rights UK, found that police have been requesting data from menstrual tracking applications as part of these investigations for at least three years.
The critical point here is not the legal status of abortion in any jurisdiction. The point is that if an app holds your data on a server, that data can potentially be obtained by law enforcement through a legal request, regardless of whether the company wants to hand it over. A company cannot refuse a lawful court order. With allcycle, you are always in control of where your data is stored. Because there is no allcycle server, there is nothing to request, and nothing to hand over. If you choose to export your data to your own storage, that is your decision and your data to manage.
The broader pattern
Apps that rely on advertising revenue have a structural conflict of interest: the more they know about you, the more valuable their advertising inventory becomes. Premium subscription models reduce this pressure but do not eliminate it entirely.
A 2025 study published in the Journal of Medical Internet Research evaluated four major reproductive health apps against privacy law requirements and found that user expectations for data privacy were not being met, with major concerns centring on IP address tracking and the involvement of third parties for advertising and marketing purposes.
A separate study published in Oxford Open Digital Health in May 2025, led by researchers at Swansea University, interviewed users of period tracking apps specifically about their data privacy experiences and found that apps were widely criticised for poor adherence to privacy laws and inadequate transparency about data sharing practices.
A June 2025 report from the University of Cambridge's Minderoo Centre for Technology and Democracy described period tracking data as a "goldmine" for consumer profiling, noting that the financial worth of this data is vastly underestimated by the users supplying it. The report found that pregnancy data is estimated to be over 200 times more valuable to advertisers than basic data such as age, gender or location, and that the three most popular apps alone had estimated global download figures of a quarter of a billion in 2024. The researchers called for the NHS to develop its own transparent alternative to commercial period tracking apps.
How allcycle is different — by design
allcycle was built with a simple premise: the problems above are structural, not accidental. They happen because period tracking apps are built on a model that requires collecting and holding user data. The solution isn't better privacy policies. It's a different architecture entirely.
- No server, no account. allcycle has no server. Your data is stored only on your device. There is physically nowhere for it to go, and no company, including us, can access it.
- No account required. You never create a login, provide an email, or verify an identity. allcycle doesn't know who you are.
- Delete everything in one tap. Your entire history can be wiped from the Settings screen in seconds. Not deactivated, not archived. Gone.
- Export and import your own CSV. Your data is stored as a plain, human-readable CSV file that you can export at any time, back up to your own cloud storage, and import back if you switch devices. You decide where it goes and who has it.
- Completely free. No ads. No premium tier. No upsells. Every feature is available to everyone, always. There is no paid version and no pressure, ever, to spend money.
- Open source. allcycle's code is publicly available. You don't have to take our word for any of these privacy claims. You can read every line yourself and verify them independently.
The reason we can make these promises isn't willpower or good intentions. It's architecture. A company that holds no data cannot sell it, cannot lose it in a breach, and cannot be compelled to hand it over. There is no data to hand over.
We're aware that allcycle isn't the right fit for everyone. If you want cloud sync across multiple devices right now, or AI-powered health insights that require server-side processing, you'll need to weigh those features against the privacy trade-offs they require. allcycle is for people who have decided that privacy comes first, and that they'd rather manage their own backups than hand that data to a third party.