Privacy × femtech · 7 min

Anonymous accounts in femtech: what's behind the label

Most period-tracking apps advertise an "anonymous account" as a privacy guarantee. In practice it's a marketing term, not a technical one — and it rarely means what users assume it means.

Why cycle data is unusually sensitive

Menstrual cycle, pregnancy, miscarriage, attempts to conceive, libido, medications, mental symptoms — it's one of the densest health datasets a person can record about themselves. In several jurisdictions (the US after Dobbs, countries with restrictive abortion laws) this data can be subject to law-enforcement requests. Independently of that — it is unusually valuable to advertisers, because it predicts purchasing behaviour better than almost any other category.

What "anonymous account" usually means

Usually: "we don't require an email at signup." That's it. The account is still linked to:

  • A device identifier (advertising ID, IDFA on iOS, GAID on Android) — a stable or semi-stable number tied to the phone.
  • The IP address on every server request — enough to associate the account with a location and often with a specific person.
  • A device fingerprint — combination of phone model, OS version, language settings, time zone, list of installed fonts. In practice unique.
  • Ad SDKs (Facebook, Google, AppsFlyer, Adjust) — embedded in the app, sending events to third parties regardless of whether you have an account.

In other words: the absence of an email does not make the data unidentifiable. The identifier is just different.

What happens during a breach

If the database leaks or is sold, "anonymous" accounts can usually be de-anonymised by matching the device identifier against other databases in which the same identifier appears alongside an email or phone number. The technique is well-known and used commercially by data brokers.

AI in health apps

More and more apps add AI: a chatbot, "smart insights", personalised recommendations. Three things worth knowing:

  • If the app sends your data to an external model (OpenAI, Anthropic, Google), it is processed on someone else's servers, under that company's terms — not the app's.
  • Some model providers reserve the right to train on user data unless the customer pays for a tier with explicit opt-out.
  • Data you paste directly into the public ChatGPT, Gemini or Claude is not anonymous — it is linked to your account with the AI provider, regardless of what the app you copied the text from promises.

What to actually check in a privacy policy

Privacy policies are long and deliberately vague, but a few specific phrases tell you more than the rest:

  • "We may share data with advertising partners" — data goes to third parties, regardless of "anonymity".
  • "Aggregated and de-identified data" — selling data in "aggregated" form is standard practice. "De-identified" rarely means irreversibly.
  • The list of "third-party processors" — if you see Facebook, Google Ads, AppsFlyer, Adjust, Mixpanel, Amplitude — your in-app events are sent there.
  • No mention of "end-to-end encryption" for note contents — by default assume a company employee can read them.
  • "We may disclose data in response to legal process" — a standard clause, but for cycle and pregnancy data it has real consequences in some jurisdictions.

What local data (on-device) gives you

An app that keeps data locally on the phone and does not send it to a server has a fundamentally different risk profile. There's no server-side database that can leak. No events streamed to advertisers. No log a support employee can open after logging into an admin panel. This is not "a better privacy policy" — it is a different architecture, in which some risks simply do not exist.

Trade-off: no cross-device sync without an explicit user decision. Some people don't want that — and it's a sensible choice if it's a conscious one.

Questions worth asking the app

  • Does my data leave the phone? If so — when, where to, in what form.
  • Can I use the app without an account? If yes — does data still go to the server without an account?
  • Are there tracking SDKs in the app (Facebook, Google, AppsFlyer, Adjust)? The privacy policy must disclose this.
  • Can I export all my data and delete it? How long are backups retained after account deletion?
  • Do you use AI? If yes — whose, under what terms, does it train on my data.

A practical heuristic

If an app is free and looks polished — running it costs money. The question isn't "do you pay with data", it's "to whom and how much". An app on a subscription model with no ads and no tracking SDKs has a clearer business model. None of this is a privacy guarantee, but it gives you a starting point for judgement.

Start observing

Czytaj po polsku