Femtech × privacy · 6 min

Ad-free cycle tracking app — what actually to check

"Ad-free" in an App Store / Google Play listing usually means: you won't see a banner in the UI. It does not mean: data about your cycle and mood doesn't leave your phone. These two things get confused, and the difference is fundamental.

Ads and tracking are not the same

An app can be completely free of in-UI ads and at the same time send analytics and marketing data to a dozen third parties in the background. The traditional model of major cycle apps was exactly that: monetisation via sale / sharing of behavioural data to data brokers, ad networks and research partners — not via a banner mid-screen.

After Dobbs v. Jackson (2022) in the US, this started getting serious attention because cycle-app data is admissible evidence in several jurisdictions. In the EU it is protected by GDPR and — since 2024 — by the DSA, but that doesn't excuse skipping the specifics.

What to actually check

1. Tracker SDKs in the build

Fastest tool: Exodus Privacy (reports.exodus-privacy.eu.org). Enter the app name and you see which tracker SDKs are compiled into the APK. "0 trackers" is a different world from "12 trackers (Google Analytics, Facebook, AppsFlyer, Adjust…)". Tracker presence alone doesn't mean health data leaves — but it means the pipes are built in.

2. Privacy policy — specific questions, not generalities

Read policies against three questions:

  • Is health data (cycle, mood, symptoms) shared with third parties — and for what purpose, with whom?
  • Is it sold / "shared with marketing partners" / "shared with research partners"?
  • If a legal request arrives (court, prosecutor), will the company hand over raw data, or does it even have the technical means to decrypt it?

3. Server jurisdiction

Where the data physically sits: EU (GDPR, access and deletion rights), US (varies by state), elsewhere. This affects who can legally request data and how effectively you can delete it. The policy must disclose this.

4. Export and hard account deletion

Check Settings: is there an export option (PDF / JSON / CSV) and a hard account deletion you can trigger from the app? Lack of that in 2026 is a sign that data is treated as a company asset, not your property.

5. Client-side data minimisation

Check whether data you enter is pushed to the server immediately or held locally until sync, and whether encryption is end-to-end. The shorter the path from your phone to a third-party server, the fewer the risks.

What normalnie says about itself

An account with a 7-day trial that requires a card (19.90 PLN/month after the trial, cancel from Settings). Data is encrypted at rest on an EU server. No ad-tracker SDKs (Meta Pixel, Google Analytics, AppsFlyer, Adjust — none). No third-party data sharing for marketing. Entries are never used to train AI models. PDF export and hard account deletion are available from Settings in one click.

Full details in the privacy policy and the femtech privacy article.

Start observing

Czytaj po polsku