Period tracking app has been yapping about your flow to Meta

Flo, a popular period tracking app, faced legal action for sharing sensitive user health data with Meta and other third parties despite privacy promises. The case highlights a significant gap in health data protection laws for non-clinical wellness applications.
Your period tracking app has been yapping about your flow to Meta
What does this vagueness by-design mean for how we choose to self monitor our biological markers?
A few years back, I had a running joke with the guy I was seeing about adding him to my period tracker. Being a women’s health expert, I enjoy weaving nerdy anecdotes about cycles and attraction and desires into my flirtations and marveling at my own wit and woo-woo mastery of my cyclical body. This ruse seemed like a harmless jab at my digitally tracked self-awareness – a very *late millennial feminist living in the Bay Area *version of coquetry.
*It maybe wasn’t all that harmless, after all. *
Turns out, the matter of sharing the data around my cycle, and potentially the even more private information about my intimate experiences, wasn’t as much of a matter of choice as I might have expected. Worse, it might have been used to sell me stretchmark creme or dental dams.
Caught bloody handed
That period tracking app, Flo, has been found liable in connection with selling user data to Meta all the while promising their users they were protecting their privacy. The class action suit had 13 million Flo users included as plaintiffs, which is a sizeable chunk of pissed off users amongst their reported 75 million-strong user base.
Those lawsuits against Meta and Flo, first filed in 2021 with more in the US and Canada, reveal a bigger issue in non-medical health tracking software – there’s too much gray area around consent when it comes to selling your health information to advertisers.
What’s important about the legal precedent being set is in highlighting how the current guidelines around health data privacy (like HIPAA) are woefully lagging behind the health tracking tech already available directly to users. It raises a number of critical questions:
What does this legal vagueness mean for how we choose to self monitor our biological markers?
In a post-Dobbs environment, how do concerns around digital privacy impact our consumer choices in sexual health and period tracking apps?
Why is it still up to the consumer to run safety checks when it should be the role of product teams and healthtech brands to build less creepy tech?
Do we really need to be tracking every possible symptom and mood and cramp and letting private tech companies decide what to do with that data?
Feeling “creamy” today? Great, we’ll let Mark Zuckerberg know.
Joking about the consistency of my ovulation was already a bridge too far and a line I opted not to venture to cross with said beau. I certainly wouldn’t have willingly announced to anyone parsing through data at Meta if I had masturbated or had unprotected sex on any given day. The Flo app might have made that decision for me, though.
For all my mental back and forths about whether or not to actually send a partner my cycle calendar, Flo might have been sending the intimate details of our sexual encounters to a bunch of tech bros behind my back. Turns out, Flo had embedded a secret “eavesdropping” tool which passed along information like menstruation cycle, ovulation, and if a user was trying to get pregnant to Meta, even while explicitly claiming not to in their privacy policy.
As slippery as an ovulation flow, Flo was telling us our private data was safely hidden from prying eyes. The guilty verdict in the August 2025 Frasco v. Flo lawsuit proved otherwise:
“Flo, through the Flo App, unlawfully shared users’ sensitive health data – including menstrual cycle, ovulation, and pregnancy-related information – with third parties such as Meta, Google, and Flurry for their own commercial use (Burr & Forman, 2025).”
The jury found Meta liable for collecting sensitive reproductive health data and using it for its own gain. The other parties listed settled out of court, which means their involvement in the breach gets to stay more private than the health data of Flo users between 2016 and 2019.
Nothing feminism needs more nowadays than a bit more irony, right?
This wasn’t a hack. It was a design decision.
It’s important to call out that these third-party platforms didn’t hack into the Flo app. The folks in charge of making privacy decisions at Flo handed them our sensitive data on a silver platter. It was simple track-and-sell data sharing and we maybe should have seen it coming.
I’ve written before about how ‘pinkwashing’ femtech can disguise a whole host of unethical product decisions. Prior to heading for greener and more private pastures with my period tracking app selection, Flo was already starting to give me the ick. The UX design was getting more convoluted, more cluttered, more cartoonish with every update.
Quickly, the Flo home screen was becoming more bloated than a late-luteal phase tummy. Opening the app to log whether I had spotted a bit that morning or had insomnia or tender breasts was like navigating a minefield of tired femme designs and redundant reminders to meditate.
With each update, the home display presented me with the option for ever growing opportunities for negative symptom reporting. Without any differentiation in hierarchy, everything seemed flatly pathological. The symptoms were pushed more and more to the front and advice popped out at every turn, essentially burying the actual cycle tracker.
In the context of the Flo-Meta filings, this makes sense – focusing on the “problems” of periods can help drive sales of items purporting to alleviate symptoms. There isn’t much to monetize from a simple period calendar, is there? It’s dystopian to realize the emphasis on symptomology was helping to drive advertising on sites even more recently found liable for personal harm on par with tobacco companies.
At the end of the day, no amount of pinkwashed ‘empowerment’ or ‘evolved’ mentions of sex toys and self pleasure can cover up who benefitted* from these design choices.
The gap between HIPAA and ‘wellness’ is where consent goes to die
Flo changed its privacy policy a whopping 13 times in the three years relevant to the legal claims (2016-2019). These lawsuits show that all those edits did nothing to make the consent users might have thought they were giving real in any meaningful way.
Lawsuits like the Flo-Meta lawsuits are notable in that they are helping to build a foundation of legal precedent within the gray zone of non-HIPAA compliant wellness tech. Much of health tech, which includes a lot of reproductive health tech currently on the market, isn’t explicitly clinical or directly tied to communications with a healthcare provider.
Which means, you can be logging some deep information about the functions of your body and given automated advice on making adjustments to potentially improve these bodily functions, and in all likelihood, it manages to not fall under the protection of current health and privacy laws. This means that it is at the discretion of the apps themselves to create the policies around what data to share or sell or report to government agencies themselves.
They also have pretty broad discretion in the designs around consent they are willing and able to offer users. The design decisions and consent frameworks in-product can be guided by best-practices, but those choices are still largely driven by the opinions within product teams. This is how sloppy consent patterns continue to get shipped out to users, even when the product might deal in incredibly sensitive data collection.
It wasn’t like some cyber criminal was holding Flo ransom, these were embedded legal, design, engineering, and sales positions that got through a chain of employees that ultimately threw users under the bus for profit.
Source: Hacker News















