Period tracking app, Flo, found to be selling user data to Meta
campuscodi
341 points
228 comments
April 28, 2026
Discussion Highlights (20 comments)
philipallstar
> It seems like we can’t just necessarily leave it up to companies – or their ragtag teams of crackpot lawyers rewriting privacy policies every few months – to keep our private data private.

It's not a medical requirement from a doctor, so just keep a diary if you want to. Not everything needs to be an app. All the money spent on regulations and regulators to cover increasingly niche opt-in services that are entirely unnecessary is a waste.
2OEH8eoCRo0
It's really sad that we have all this technology but we can't trust any of it.
moffers
I don’t have the right configuration of equipment to use an app like this, but does anyone know why this needs to be a service-driven app? What piece of functionality requires a server to track your health?
childofhedgehog
Why would anyone think that a non-HIPAA compliant app would keep medical information private to the level of security needed for medical data? Flo has definitely breached user trust, but that trust seems misplaced from the get-go.
frankdenbow
It's crazy to me that Flo is used so widely, as it's started by Russian men and their treatment of data has been public for a while, it just hasn't spread fast enough. I know there's at least one other option called Calessa ( http://Calessa.app )
aboringusername
I don't actually see this as a problem, and instead it's a PSA everyone needs to internalize: If you put data onto a networked device it may be sent to some place else.

If you don't want your data being shared:
- Use a device that does not have any networking capability (both hardware and software wise)
- Use a pen and paper, you can shred and destroy as you see fit.

If you're using an application on a mobile device with mobile data/wifi, the chances are, your data is being uploaded.
ronbenton
Hey surely Meta wouldn’t send that data to a government interested in regulating women’s reproductive rights
arkwin
Now is a good time to bring up https://bloodyhealth.gitlab.io, a secure open source period tracking app.
jeffbee
Does anyone happen to know if Meta and Google have ever recovered these judgements from the app developers? All of the industry terms of service specifically forbid SDK licensees from sending sensitive personal data to the platforms, and they require the licensee to indemnify the platform against any judgement that arises from violating those terms. See Meta's statement on this verdict, which seems pretty reasonable to me. This 100% looks like the fault of the app developer: “User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.” Meta maintains that any transmission of sensitive health data is due to a failure to comply with its terms of use.
mghackerlady
I don't have a period, so I'm not the best person to do it, but there really needs to be a solid FOSS alternative to Flo. If GNU had more women, it'd probably already exist
theptip
This one seems clear cut as a HIPAA violation. Glad to hear that interpretation was upheld. However, regardless, we really need to just kill the data broker business model. Speaking as someone who implemented GDPR for my startup when the law first came into effect, there were certainly rough edges. But the core premise that you simply cannot sell user data to sub-processors without consent is a powerful one that I believe would fix a lot of broken things in the US system. (Not least because the USG buys private data that would be unconstitutional for it to directly collect, but also things like the incentives for your cell phone provider to sell your location data to advertisers.)
culi
- [drip.](https://bloodyhealth.gitlab.io/) [source](https://gitlab.com/bloodyhealth/drip) - around since 2019. Last update 2 months ago - iOS, Android - React Native
- Mensinator [source](https://github.com/EmmaTellblom/Mensinator) - around since 2024. Last update 2 weeks ago - Android - Kotlin
- [Menstrudel](https://menstrudel.app/) [source](https://github.com/J-shw/Menstrudel) - around since 2015. Last updated 3 weeks ago. - iOS and Android - Dart
- [Tyd](https://unobserved.io/tyd/) [source](https://github.com/unobserved-io/tyd) - around since 2023. Last updated 2 years ago. - iOS - Swift

EDIT: Someone else pointed out this closed-source alternative that got a 92% by ORCHA: https://www.my28x.com/

I think the biggest thing I'd like to see is a data format standard defined. You should be able to "take your data with you" and go anywhere you like. If you decide an app is unethical or if your favorite OSS app stops being updated, it should be simple to switch. Many apps let you export your data. Maybe someone can make a converter between popular proprietary apps and a common data structure spec
josefritzishere
That's incredibly creepy.
pascal-maker
At this point, if you don't trust that they share your data with third parties with the AI tools available and open-source LLMs, just vibe-code your own health apps and keep them stored on a Mac mini or something else for the female devs here.
DauntingPear7
I will say, with codex/cc access and a free weekend you could make an app that covers like 99% of this app’s purpose. The harder part would be the art/making it cutesy, as some other commenters have pointed out. Plain SwiftUI or compose just isn’t eye catching enough
freediddy
Meta only cares about ad revenue so could they be researching or have discovered a link between buying trends and links to a woman's cycle?
gowld
This article is about a lawsuit filed in 2021. https://www.labaton.com/cases/frasco-v-flo-health-inc
deferredgrant
This is one more reason sector-specific privacy expectations probably need to be harder-coded. Hoping every consumer app will independently exercise restraint has not gone especially well.
Cider9986
Privacyguides has some recs for private health apps ( https://www.privacyguides.org/en/health-and-wellness/#menstr... )
everdrive
If the app could make another $0.05 selling your location to kidnapping gangs, they'd do it. There's no such thing as an app that cares about your privacy or your interests.