Period Trackers Betray Users: Mozilla Exposes Stardust’s Data Sharing

Mozilla's July 2026 tests of six period trackers found Stardust sharing birthdates, symptoms, and reproductive goals with RudderStack. Euki scored a perfect 10/10 by keeping data on-device. Flo improved to 7/10 after past scandals. The findings highlight ongoing risks in femtech apps.
Period Trackers Betray Users: Mozilla Exposes Stardust’s Data Sharing
Written by Ava Callegari

Stardust promises privacy. “Your data is private. Period.” The slogan appears front and center on its website. Yet Mozilla’s latest hands-on tests tell another story. The astrology-themed app funnels sensitive reproductive health details to an analytics company. Birthdates. Birth control methods. Reproductive goals. Symptoms. All tied to a unique identifier.

Researchers at the Mozilla Foundation examined six popular period and ovulation trackers. They published findings July 16, 2026. Reviewer Shoshana Wodinsky logged hours dissecting network traffic. She uncovered sharp differences in how these apps guard intimate data. One stood out for all the wrong reasons.

Stardust earned a dismal 2 out of 10. It was the only app among those tested that sent detailed health information to a third party. That partner, RudderStack, received records linked to a unique ID rather than a name. The TechCrunch report on the study notes the Federal Trade Commission has long warned that such identifiers fail to anonymize data. Re-identification remains possible.

Wodinsky captured the problem in plain terms. “Oftentimes this happens as background activity within the app, and isn’t visible to the user.” Users tap predictions or log moods. Behind the scenes, packets fly to analytics servers. No obvious prompt. No clear consent for that flow.

The discovery lands years after Roe v. Wade fell. Downloads of period trackers spiked in 2022 as women sought offline options. Some apps touted encryption. Stardust did too. But a TechCrunch investigation that year already showed its claims did not match observed traffic. The company later removed prominent encryption language from its marketing.

A spokesperson for Stardust told investigators that RudderStack operates under contract. The firm, they said, is barred from selling the data or using it for its own purposes. No law enforcement requests have arrived, according to the company. Yet the data still leaves the device. And U.S. companies remain subject to subpoenas.

Contrast that performance with Euki. The open-source app scored a perfect 10 out of 10. Nothing leaves the phone for its core functions. Data stays local. No third-party sharing. Mozilla called it “squeaky clean.” Wodinsky highlighted its simplicity as a feature, not a flaw. Users avoid the hidden costs that come with data-hungry services.

Flo, with 81 million monthly active users, landed at 7 out of 10. The app collects granular details. Mood swings. Aches. Symptoms tied to cycle phases. Its AI chatbot prompts for even more. Yet in Mozilla’s 2026 tests, Flo kept reproductive health data from flowing to advertising partners. That marked an improvement over past behavior.

The company’s record tells a longer tale. A 2019 Wall Street Journal investigation revealed Flo sent data to Facebook. The FTC secured a settlement in 2021. Another case brought an $8 million payment in 2025. Flo has since added plain-language explanations and GDPR compliance tables. A spokesperson stressed that health data stays out of ad systems. “Since 2021, Flo has made significant investments to strengthen its privacy and security program,” the company said.

Clue followed with an 8 out of 10. The Germany-based app adopts a clinical tone. Its privacy practices reflect stricter EU rules. Some data sharing occurs, but less aggressively than peers. Period Calendar scored 6 out of 10. Ads support the free version. That model brings tracking risks. Planned Parenthood’s Spot On received 5 out of 10. Some sharing appeared in tests despite the nonprofit backing.

These scores reflect more than technical slips. They expose a market where privacy claims often outpace actual safeguards. Femtech has grown into a multibillion-dollar sector. Investors pour money into apps that promise insights on fertility, cycles, menopause. Yet the data they gather sits outside HIPAA protections in most cases. Law enforcement, ex-partners, or data brokers could seek access.

Recent coverage echoes the concern. The BBC reported on July 15, 2026, that some trackers lock down privacy while others fall short. It pointed to Euki as a model and noted Mozilla’s finding that Stardust alone sent sensitive details outward. A Cyber Insider article from July 17, 2026, reinforced Euki’s top ranking after reviewing the same tests.

Discussions on X amplified the report within hours of publication. Users shared the TechCrunch story. One thread laid out the risks in a post-Roe world. “Period apps can look identical in the store and still treat privacy completely differently under the hood,” it read. Another highlighted that background SDKs move intimate information without notice. Hashtags around privacy and health data trended briefly among tech and women’s health accounts.

The Mozilla team partnered with academic groups for this round. They combined manual testing with network analysis. That approach revealed what privacy policies obscure. Many policies contain broad language. They allow sharing with “service providers” or for “business purposes.” Users click agree once and forget.

Wodinsky advised caution. Read policies. Check for local storage options. Consider open-source tools. Avoid apps that mix health tracking with heavy analytics or advertising. The difference between an app that scores 10 and one that scores 2 can feel invisible until the traffic logs appear.

Stardust’s founder did not respond to follow-up questions about law enforcement data demands. The company maintains its marketing now aligns with practices. But the low score and documented sharing suggest users should look elsewhere if control over cycle data matters most.

Broader questions linger. Should health apps face stricter rules when they handle menstrual information? Can meaningful consent exist for data sent in the background? Regulators in Europe tighten requirements. American lawmakers debate. The apps themselves keep updating. Flo touts its AI. Stardust keeps its astrological angle. Euki stays plain.

Women track periods for many reasons. Conception. Contraception. Health monitoring. Peace of mind. The data reveals patterns that feel deeply personal. When that information travels to unknown servers, the sense of exposure grows. Mozilla’s work strips away the marketing gloss. It shows which apps treat period data as the private matter it claims to be. And which ones treat it as another data point to route and analyze.

Users now face clearer choices. Euki offers one path. Others may improve. But the test results deliver a direct warning. Check under the hood. Your cycle data depends on it.

Subscribe for Updates

AppSecurityUpdate Newsletter

Critical application security news and insights developers and security teams need—covering real-world vulnerabilities, emerging risks, and practical remediation without the noise.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us