Menstrual cycle tracking apps (CTAs) have a history of selling female health data to third parties for large profits. In the face of increasingly strict regulations around sensitive data, there may be room to improve the current reproductive health data landscape through careful consideration of best practice and compliance with legislation such as GDPR.
For investors — particularly in private equity — the sector presents a mix of reputational risk and strategic opportunity. Cycle tracking sits at the intersection of consumer health and digital infrastructure, where strong governance can become a source of long-term value creation.
Previously, mental health apps such as BetterHelp and Cerebral have been charged with irresponsible disclosure and misuse of health data, shared with platforms like Facebook and Snapchat for advertising purposes.
In 2024, HBI released a Special Report on major EU technology regulations that would affect the use of health data. A digital health expert commented: “A big part of regulation is the fostering of trust. We should be talking more with the public writ large about what they expect to see in order for them to trust their health data is being used effectively, efficiently and appropriately.”
While there is a separate conversation to be had about the use of health data within healthcare provision and research spaces, a large part of the current pushback against digital health providers relates to the practice of selling data to third parties for non-medical purposes such as advertising. Even in cases where data is being used for medical purposes, companies must take steps to ensure that data is anonymised and cannot be used against users in future.
CTAs and misuse of data
In 2023, Premom, a fertility app, was charged by the American Federal Trade Commission (FTC) with deceiving users by disclosing their health data to third parties such as Google and AppsFlyer, and violating Health Breach Notification Rules. The information included Premom users’ social media accounts, precise geolocation data, as well as mobile and Wi-Fi network identifiers (which are non-resettable).
Period tracking data is considered a “special category” under UK data protection law, receiving similar safeguards to data on genetics and ethnicity. However, because CTAs are marketed as non-medical “wellness” tools, the data they collect is often not granted these same protections. This creates a grey area that can leave users exposed and poses a growing governance concern for investors.
Most menstrual tracking apps follow a freemium model, offering features to track ovulation, periods and other health information. Many also encourage users to share data about their menstrual cycles, fertility and pregnancy, and to sync that data with other device-based health platforms.
A research team at the Organisation for the Review of Care and Health Apps (ORCHA) examined 25 period trackers and found that only one kept all users’ sensitive data stored on the device. 84% of the apps allowed sharing of health data with third parties, and 68% did so for marketing purposes. Only one of the apps that shared data had asked for user permission explicitly within the app — rather than funneling it into the terms and conditions. Five of the apps provided no telephone or email contact for the developer, despite this being a legal requirement to allow users to request data deletion.
Menstrual health data warrants specific attention in discussions around digital health, as it presents unique risks. Research from the Minderoo Centre for Technology and Democracy at Cambridge University has warned that this data, in the wrong hands, could affect employment prospects, result in insurance discrimination, limit access to fertility services, and in some cases has even been used as legal evidence against women.
As one expert told HBI: “I recently heard a UK-based person say: ‘Don’t tell me how you’re protecting my data; tell me how you’re using it to improve health services and overall health in the community — and assure me that it is being protected.’”
A way forward — and a commercial opportunity?
HBI has previously reported on how Flo, a cycle tracking app with 62 million active users, has faced scrutiny over its data practices. In 2021, Flo settled allegations from the FTC that it had misled consumers about how their health data was being disclosed.
Against this backdrop, the UK Information Commissioner’s Office (ICO) issued four key recommendations for app developers aiming to protect user data:
In 2022, following the US Supreme Court’s decision to overturn constitutional abortion rights, usage of CTA apps fell globally by 7%. Flo responded by introducing a free “anonymous mode”, allowing users to access the app without linking any personal information. The company has since open-sourced the technology behind this feature — part of a broader shift in the femtech sector towards transparency and user control. Flo meanwhile has gone from strength to strength.
There is a clear push for femtech companies to offer privacy-conscious design and “clear consent” pathways, in contrast to all-or-nothing data collection models. This shift is not just about compliance — it reflects increasing market demand for digital health solutions that combine efficacy with trust.
The femtech sector is projected to be worth over 60 billion US dollars by 2027, with cycle tracking apps accounting for around half the market. Given strong consumer demand for these services and growing awareness of data protection issues, there may now be a real opportunity for private healthcare investors to step in — bringing rigour, governance and clinical alignment to a space that is poised for growth, but still maturing in trust and infrastructure.