“Your data is private. Period,” period tracker Stardust says on its website. As new Mozilla research has discovered, some users may find that claim to be a stretch.
According to Mozilla’s latest findings In looking into the privacy practices of period tracking apps, Stardust was found to be sharing sensitive user health information with third-party analytics firm RudderStack. This data included the user’s date of birth, type of birth control, reproductive goals, and specific symptoms the user was experiencing and associated this record with a unique identifier in place of the person’s name. (The FTC has long warned (that this does not anonymize the data or prevent it from being linked to an individual.)
Mozilla’s research highlights the security and privacy risks of using period trackers and other health apps that share data with third parties. Often this happens as background activity within the application and is not visible to the user. It’s not uncommon for apps to share data with other services for storage, analytics, and payments, but sharing user information with third parties inherently carries risks, such as potential security gaps, data breaches, or data searches by law enforcement.
TechCrunch previously wrote about Stardust in 2022, after the app’s downloads surged after the constitutional right to seek an abortion was overturned in the United States. Stardust claimed it was end-to-end encrypted — meaning even the company couldn’t access its users’ data — but TechCrunch found by analyzing the app’s network traffic that the company’s claim was false.
Mozilla security researcher Shoshana Wodinsky used a similar technique of analyzing the network traffic of several period trackers, including Stardust, to understand how apps collected and shared data (if at all) with third parties. Wodinsky found that Stardust was the only app of the six tested that shared a user’s sensitive health data with another company.
As reported by BBC Newsa Stardust spokesperson said RudderStack is “contractually prohibited from selling or using it for its own purposes.” As US-based companies, both Stardust and RudderStack may still receive user information requests from law enforcement authorities for user health information stored on their servers.
Stardust founder Rachel Moranis did not respond to TechCrunch’s request for comment Thursday, or questions about whether the company has received demands for its user data. A spokesperson said in an email after the publication that the company “has never received any requests, demands or legal process for user data from authorities or third parties.”
Of the six apps Wodinsky tested, Mozilla recommended Euki as “squeaky clean,” as the app didn’t appear to share data with third parties with its basic functionality and the user’s health data didn’t leave their device.
Updated with comment from Stardust.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.