Journal

Journal · May 30, 2026 · 8 min read

Are period tracker apps safe? What we found in 2026

The honest version, without panic: four ways a period app can be unsafe in 2026, what the evidence shows, and how to pick one that isn't.

"Are period tracker apps safe?" is one of the most-asked questions about this category of software in 2026, and the honest answer is: some are, most aren't, and the difference is structural.

Safety in this context means four separate things — they get blurred together in headlines but they aren't the same problem. Below, each of them, what the evidence shows, and what you can actually do about it.

1. Is the data being sold?

The most common failure mode. Many free period trackers fund themselves the same way most free apps do — by including SDKs from ad networks (Meta, Google, AppLovin, AppsFlyer, Branch) that observe what users do inside the app and send those signals to advertisers.

The most-cited case: Flo, which in 2021 settled FTC allegations that it shared users' menstrual and pregnancy data with third parties — named in the FTC's complaint as Facebook, Google, and AppsFlyer — despite promising in its privacy policy that it wouldn't. The settlement carried no fine and no admission of wrongdoing; Flo says it has since changed its practices. The FTC's public consent order is a record of the concerns regulators raised about how the industry was operating.

How to tell: Open the app's privacy policy and search for the words "third-party," "partners," "ad networks," "analytics providers," "marketing partners," and "service providers." Anything beyond Apple-platform services (App Store, TestFlight) means data is leaving the device.

2. Could the data be subpoenaed?

After the 2022 Dobbs decision in the United States, this stopped being theoretical. State prosecutors in some U.S. jurisdictions have requested cycle data from third-party period apps in criminal proceedings related to abortion. The cases are still unfolding, but the pattern is clear: data that exists on a server can be subpoenaed; data that lives only on a phone cannot.

For users in those jurisdictions — or anyone who wants their reproductive history unreachable to law enforcement — the only durable defense is an app that structurally cannot hand over the data.

How to tell: If the app has accounts, it has a database. If it has a database, the data is reachable. Look for "on-device only," "end-to-end encrypted," or "we have no copy" in the privacy promise. If those phrases aren't there, assume the data is reachable.

3. Has the company been breached?

Even apps that don't sell data can leak it. Health and fertility apps as a category have had documented security incidents over the years — from misconfigured APIs to unsecured databases left open to the internet (the "left an S3 bucket open" pattern). The point isn't any single company; it's that any data sitting on a server is data that can be exposed.

Breaches happen even to companies with the best intentions. The only protection against breach is to not have your data on a server in the first place.

How to tell: Search "[app name] breach" or "[app name] security incident" before installing. Check Have I Been Pwned for the app's domain.

4. Is the cycle prediction itself safe?

Separate from data privacy: most period trackers are NOT regulated medical devices. Their predictions are estimates, not medical guidance. Apps that claim contraceptive efficacy (Natural Cycles is the main one) ARE regulated and have FDA clearance. Apps that don't claim it shouldn't be relied on for contraception or fertility guidance.

This is a category-wide note: even a "safe" app from a privacy standpoint should not be your sole source of fertility planning. Talk to a doctor.

The safest options in 2026

Based on the four criteria above, here's where the major apps land:

  • Safe on all four: Dew, Apple Health Cycle Tracking, Euki, Drip. On-device data, no third-party SDKs, nothing on a server to breach.
  • Safe on most, mid on data-sale risk: Clue. Cloud-stored but under German privacy law, no advertising SDKs, account deletion honored.
  • Improved but with history: Flo. Has updated practices but the FTC consent decree is recent and Anonymous Mode is a feature, not a default.
  • Skip: Free trackers funded by ads (any of them — look for the ads, that's the tell), small unbranded apps from the App Store with no clear company behind them.

What "safe" looks like in practice

If you want a fast safety check before installing any period app, run these four questions:

  1. Does it require an account? (If yes, your identity is tied to your data.)
  2. Does the privacy policy mention third-party partners? (If yes, data is leaving the device.)
  3. Does the app work offline? (If no, data is syncing somewhere.)
  4. Is the company based in a jurisdiction with strong health-data law? (If you don't know, look it up.)

An app that answers no, no, yes, yes is structurally safe. An app that answers yes, yes, no, no is structurally unsafe, no matter what the marketing says.

What we did about it

We built Dew so that the four-question check returns the safe answer in every column: no account, no third parties in the privacy policy, fully offline-capable, based on Apple-platform-only infrastructure. The architecture is the protection — not the promise.

For more on how the comparison shakes out across apps, see Flo, Clue, Stardust, Dew: a privacy comparison.

Common questions

Frequently asked

Are period tracker apps safe to use?
Some are, most aren't, and the difference is structural. Apps that keep your data on your device with no account (Dew, Euki, Drip, Apple Health) are safe in the strongest sense — there's no server copy to sell, breach, or subpoena. Apps that store readable data on company servers can be safe-ish but rely on policy and good conduct, which can change.
Can period tracker data be subpoenaed?
If a company holds readable data on a server, it can in principle be compelled to produce it under a valid legal request. This became a real concern after the 2022 Dobbs decision in the US. An app that holds no copy of your data has nothing to hand over, which removes the risk entirely rather than mitigating it.
Have period tracker apps had data breaches?
Health apps in general have suffered breaches and regulatory action, and period apps specifically have been investigated for sharing sensitive data — most notably Flo's 2021 FTC settlement. The only data that can't be breached is data that was never collected, which is why on-device storage is the safest model.
How do I pick a safe period tracker?
Ask four questions: does it need an account, where does the data live, does the privacy policy mention third parties or ad networks, and does it work offline without location access. An app that needs no account, stores on-device, names no third parties, and works offline is the safe end of the spectrum.

The app

Get Dew on the App Store. Quiet by design.

A private period tracker that lives on your iPhone. No account, no ads, no data sold — by design. Free on the App Store.

Download on the App Store →

Dew tracks cycles. It does not diagnose or replace a doctor.