What happens to your period data? A plain-English guide.

Somewhere between tapping "period started" and getting a prediction for next month, your health data takes a journey most apps never explain. Here's where it goes, who can see it, and why the difference between local and cloud storage matters more than most people realise.

Period tracking apps ask a lot of us. Dates, flow levels, symptoms, mood, sex, sleep, medication. Over months and years, that adds up to one of the most intimate health profiles imaginable. And for a long time, most of us just trusted that it stayed private because the app said so.

It often doesn't.

Understanding why requires knowing a bit about how these apps are built. Not in a technical way, but in a practical one. Once you understand the difference between where your data is stored and how it gets there, a lot of things become clearer.

The two types of storage

Every app that stores data does one of two things: it keeps that data on your device, or it sends it somewhere else. Those two approaches are so fundamentally different in their implications that it's worth understanding each one properly.

Cloud storage

When an app uses cloud storage, your data lives on a server owned or rented by the company. When you open the app, it fetches your data from that server. When you log something new, it sends that information up to be stored remotely.

This is how the vast majority of period tracking apps work. It's convenient because it means your data is backed up and accessible across multiple devices. The problem is that once your health data is on someone else's server, you're no longer in control of it. The company decides who can access it, how long it's kept, whether it gets shared with advertisers or research partners, and what happens to it if they get acquired or go bankrupt.

It also means the data can be subpoenaed. In the United States particularly, period data stored on a company's servers is potentially accessible to law enforcement with the right legal request. This isn't theoretical. Since the Dobbs ruling in 2022, legal advocates have specifically flagged period tracking apps as a risk for women in states with abortion restrictions.

Local storage

Local storage means your data never leaves your phone. It's processed on your device, saved on your device, and the app has no need to communicate with any external server about your personal health information.

There are two meaningful consequences of this. First, there is nothing to breach. A hacker cannot access data that was never uploaded. Second, there is nothing to subpoena from the company, because the company doesn't have it.

The trade-off is that local storage makes syncing across multiple devices more complicated. But that's a solvable engineering problem, not a reason to abandon local storage as a default.

The test worth running: Turn your phone to aeroplane mode and open your cycle tracking app. If it still works completely, your data is stored locally. If it loads a blank screen or prompts you to reconnect, your data lives on someone else's server.

What cycle apps actually collect

Most people think of period apps as collecting their cycle dates. In practice, the data picture is much wider.

The apps with the largest user bases typically collect period dates and duration, flow heaviness, physical symptoms like cramps, headaches and bloating, mood and emotional states, sexual activity, sleep quality, weight, medications including contraceptives, and in some cases location data. When you create an account, they also link all of that to your name, email address, date of birth and sometimes your phone number.

That combination of identity and intimate health data is commercially valuable. Not necessarily because companies are selling it directly (though some have), but because it makes advertising extremely precise. Knowing that a woman is likely approaching her period, has been tracking irregular cycles, or has recently started logging pregnancy symptoms tells an advertiser a great deal.

The data picture gets even more sensitive when you're tracking a medical condition alongside your cycle. Women with PCOS, for example, may be logging symptoms like insulin resistance, hair changes, and anovulatory cycles — information that paints a detailed clinical portrait. Our piece on PCOS and cycle tracking covers why this kind of data deserves local-first storage.

How the data can be shared

Privacy policies are written by lawyers to protect companies, not users. The language is deliberately vague. Phrases like "trusted third parties," "service providers," and "partners" can mean almost anything. Here are the common ways period data ends up somewhere other than where you'd expect.

Advertising and analytics

Many free apps use third-party analytics tools and advertising SDKs that, by design, send user behaviour data to external platforms. In 2021, the FTC found that Flo had shared users' health data with Facebook and Google through these kinds of integrations, despite its privacy policy claiming otherwise. The data shared included whether users were pregnant or trying to conceive.

Research partnerships

Some apps have agreements with pharmaceutical companies, universities, or health research institutions. The data shared is often described as anonymised, but anonymisation of health data is imperfect. A combination of cycle data, location, age and symptoms can be re-identified more easily than most people assume.

Legal requests

Any company storing data on US servers can receive legal requests for that data. They are often prohibited from telling users when this happens. The risk is real enough that the American Civil Liberties Union and several digital rights organisations have specifically recommended deleting period tracking apps or switching to local-storage alternatives.

Acquisitions and mergers

When a company is sold, its user data is typically part of the assets being transferred. The privacy policy you agreed to may not bind the new owner in the same way. This is not a hypothetical. Several health apps have changed hands and subsequently changed their data practices.

Worth knowing: In August 2025, a San Francisco jury found that Meta had illegally collected data from a major period tracking app in violation of wiretap law. The case confirmed what privacy researchers had been warning about for years. The ruling is significant because it establishes legal precedent, not just regulatory guidance.

What a genuinely private app looks like

Privacy in this context is not about having a well-written policy. It's about how the app is built. An app that stores your data locally cannot share it, regardless of what its policy says, because the data never passes through its systems.

The questions worth asking about any cycle tracking app are straightforward. Does it require an account? If so, it knows who you are and can link your health data to your identity. Does it work offline? If not, your data is going somewhere. Does it use any third-party analytics tools? These are often the channel through which data ends up with advertisers. Can you export your data and delete your account completely? Apps that make this difficult are not building with your interests in mind.

We've written a separate piece looking at which apps let you track without an account and why that matters more than most people realise.

A subscription model is also worth looking for, not as a guarantee of good behaviour, but as a signal of alignment. An app that earns money from subscriptions has less incentive to monetise your data than one that earns money from advertising.

What local-first actually looks like

A genuinely local-first tracker has no server receiving your health data. It works completely offline — not as a feature but as a consequence of how it’s built. That’s the architecture behind Ferne: everything stays on your phone, there’s no login, and the business runs on subscriptions rather than data monetisation.

We’re finishing up. Leave your email if you want to be first.

Now you know how the data works.

If you want a tracker that keeps yours where it belongs, we’re almost ready.

✓ You're on the list.

No spam. Unsubscribe any time.

The short version

Most period apps store your data on their servers. That means it can be shared, subpoenaed, breached or transferred to a new owner without your knowledge. Local storage is the only approach that removes those risks structurally rather than just promising to manage them responsibly.

When you're choosing a cycle tracker, the most useful question is not "what does their privacy policy say?" It's "where does my data actually live?" Those are very different questions, and only one of them has an answer you can verify.

This matters even more if you're tracking sensitive patterns alongside your cycle. Women with ADHD, for example, often track how their symptoms change across their menstrual cycle to make better decisions about medication timing and workload. Anyone charting daily mental health data for PMDD diagnosis is building an even more sensitive profile. That's exactly the kind of data you don't want sitting on someone else's server.

If you're in the process of switching apps and want guidance on what to look for, our piece on what to check before switching from Flo covers the practical side of making that move. And if you're moving away from Clue specifically, our guide to Clue alternatives looks at the upselling problem and what to look for instead. And for a side-by-side look at which trackers actually deliver on their privacy promises, see our honest comparison of private period trackers in 2026.