Hey surely Meta wouldn’t send that data to a government interested in regulating women’s reproductive rights
I'll bite. Why...?
People in power want the information to identify a narrower set of people who may have been pregnant and then did not have a child and so may have had an abortion.
And Facebook doesn't care about people's rights when those people in power are able to block Facebook from acquiring some new startup they want to buy, so Facebook is willing to share the information.
> It seems like we can’t just necessarily leave it up to companies – or their ragtag teams of crackpot lawyers rewriting privacy policies every few months – to keep our private data private.
It's not a medical requirement from a doctor, so just keep a diary if you want to. Not everything needs to be an app. All the money spent on regulations and regulators to cover increasingly niche opt-in services that are entirely unnecessary is a waste.
Privacy legislation would just solve the problem by itself though.
Privacy legislation by itself does not solve the problem; what Flo did was already illegal. Effective enforcement is also necessary.
They need to make an example out of these companies. If your whole business model is built around handling sensitive data, and you are caught shipping off that data to brokers, you should be liquidated or at least fined to within an inch of bankruptcy, as basically all of your profits are a sham.
They've been thumbing their noses at EU privacy legislation and fines for quite some time already.
What does thumbing their noses mean? They have been paying while continuing their behavior, or not paying at all?
The first seems like it could be resolved with an escalating fine schedule, and the second could be mitigated by requiring Apple/Google to remove it from the app store (one of the rare cases walled gardens are on consumers' side).
> What does thumbing their noses mean? They have been paying while continuing their behavior, or not paying at all?
Malicious compliance. For example: https://en.wikipedia.org/wiki/Epic_Games_v._Apple
"While Apple implemented App Store policies to allow developers to link to alternative payment options, the policies still required the developer to provide a 27% revenue share back to Apple, and heavily restricted how they could be shown in apps. Epic filed complaints that these changes violated the ruling, and in April 2025 Rogers found for Epic that Apple had willfully violated her injunction, placing further restrictions on Apple including banning them from collecting revenue shares from non-Apple payment methods or imposing any restrictions on links to such alternative payment options. Though Apple is appealing this latest ruling, they approved the return of Fortnite with its third-party payment system to the App Store in May 2025."
Or https://developer.apple.com/support/dma-and-apps-in-the-eu/
"UPDATE: Previously, Apple announced plans to remove the Home Screen web apps capability in the EU as part of our efforts to comply with the DMA."
(This one resulted in enough fuss they backed down.)
Ah you mean generally, not in this specific case.
"would just solve", lol.
Why is it a waste? If you want to provide an app, one should follow the law and the regulations. It isn't the wild west (and even that had regulations).
Also: Why blame the victims, not the perp?
Nobody is blaming victims, please stop these wild fabulations. OP meant that you can't trust app owners, especially long term, as you write it's worse than the wild west, literally nobody.gives.a.fuck. until they are dragged to court, then they fight, dissolve the company, still sell the data, start a new one and rinse and repeat. People are simply way more greedy than moral on average, if there is any lesson in current times.
Look at, say, Zuckerberg - a typical sociopath lying again and again through his nose with a big grin just to get what he wants (i.e. scandals about how FB employees go to the DB to spy on their exes or enemies have been popping up for 10 years at least and there is no stop, every time there is another assurance how it can't be done now blablabla... and that's just specific Meta employees).
Nobody likes that, but just sitting and waiting for almighty regulators while blindly trusting apps in good faith to do their jobs is... not working much, is it. Be smart, adapt to the real environment out there, not some wishful thinking. In parallel push for change as much as you can, vote with your wallet and your time. Once the sought-for paradise comes then feel free to use anything anyhow. At least that seems like a smarter approach to me.
> still sell the data
So add liability for the buyers of the data or any services derived from the data (e.g. targeted ads). Make it so large advertisers demand audits showing privacy laws are being followed. Also have personal criminal liability for people building and maintaining systems that collect, store, or process data for illegal purposes. Executives, PMs, engineers, the whole lot. Put them in prison if they continue.
I don’t have the right configuration of equipment to use an app like this, but does anyone know why this needs to be a service-driven app? What piece of functionality requires a server to track your health?
The spying part requires a server.
If you use GrapheneOS, you can enable or disable internet access for each app.
It's crazy to me that Flo is used so widely, as it's started by Russian men and their treatment of data has been public for a while, it just hasn't spread fast enough. I know there's at least one other option called Calessa (http://Calessa.app)
It's really sad that we have all this technology but we can't trust any of it.
I'll make a period tracker for you for 5 bucks a month. You won't buy it, because it costs 5 bucks a month. So I'll have to find alternative monetisation strategies.
I don't actually see this as a problem, and instead it's a PSA everyone needs to internalize:
If you put data onto a networked device it may be sent to some place else.
If you don't want your data being shared:
Use a device that does not have any networking capability (both hardware and software wise)
Use a pen and paper, you can shred and destroy as you see fit.
If you're using an application on a mobile device with mobile data/wifi, the chances are, your data is being uploaded.
It sounds like the real solution to this is to be able to control permissions at an OS level for network per app, as you would be able to do if you had root access. I have no idea why regular Android distros don't allow you to do this, it seems like a really sensible thing to expose in app settings given the permissions model of Android.
There are four open source period tracking apps on F-droid. I didn't do a full investigation of the source code, but unless your data is being uploaded outside the app (e.g. for backups), I feel safe assuming it will stay local only.
that is a really fucked up view
Less a f-u-view, more a f-u-world, the above is pragmatic advice about the actual IRL challenges of keeping data secure.
Further, a view that ignores many real world digital data risks faced by those considered to be useful targets; eg: compromised supply chains delivering "pre hacked" hardware with discreet wifi chips or hidden out of band comms, etc.
My apps are free or freemium with a one time payment. I just started publishing, and my main drive is resentment towards the current state of surveillance in software. It doesn't have to be filled with ads and trackers on top of a subscription.
I’ve also started publishing a small collection of what I call “spite apps” (a reference to Larry David’s spite store when he makes his own coffee shop to go against mocha joe).
These apps are super simple in terms of privacy policy:
- we don’t track you (no telemetry)
- we don’t show you ads
- no account
- free with optional tip
Sure I don’t make much money with them but I feel like I’m pushing back on making humanity worse.
It's not even a free app, there's like a €10/month premium.
I need a way to make money too, but we have laws saying I can't do it by hitting you over the head with a club and taking yours. We also have laws saying Flo can't do it by lying about who they sell private data to.
I would advise anyone tracking medical data with an app to use something open source and local-only or network-optional if at all possible. I know there are open source cycle tracking apps, but I do not know if they're any good.
“They had to find a way to make money” is not a moral blank check.
By that logic, almost anything becomes defensible. I was out of work, so I became a contract killer. I had to find a way to make money.
No. Companies still have to follow the law. They also have the option of being decent and not tracking or sharing intimate data like sexual preferences with Meta, Google, TikTok, and the advertising industry.
I’ve been asked as a contractor to build this kind of thing. I refused, before and after GDPR. It cost me money. Fine. I can live with that.
What I cannot respect is people who decide that revenue matters more than basic privacy, then hide behind “business needs” as if that ends the conversation.
>By that logic, almost anything becomes defensible. I was out of work, so I became a contract killer. I had to find a way to make money.
Ah, see, that doesn't work because you're a person not a company. The company had to find a way to make money, that's why they denied your chemotherapy. Tough luck for you.
A better way to put this is: if it’s free, you’re the product.
If it's not free (like the app Flo Premium), you're still the product.
where do open source apps fit into this philosophy?
You're the guinea pig
Why would anyone think that a non-HIPPA compliant app would keep medical information private to the level of security needed for medical data? Flo has definitely breached user trust, but that trust seems misplaced from the get-go.
People are used to living in highly regulated markets. When they go to a grocery store to buy lettuce, people don't stop to ask "what regulatory regime is this lettuce being sold under?". They just trust that food being sold in a food store will meet our societal standards for food. I can go to Amazon and order a raw steak for delivery, and still trust it will meet standards.
The situation with wellness apps is that they are a product that are designed specifically to exist outside of the regulatory regime that people associate with them.
>Why would anyone think that a non-HIPPA compliant app would keep medical information private to the level of security needed for medical data?
Because lots of people don't know what HIPPA is, and (naively to us more familiar with tech) assume that a medical-related app on a curated app store would be safe for medical-related stuff.
> lots of people don't know what HIPPA is
Ironically, it's HIPAA.
You're right, though; it's much more limited than people think. During COVID people claimed everything violated HIPAA (masks, vaccine requirements, testing), but it only applies in a very narrow subset of patient/provider relationships.
People just wanna track stuff, they don't really look into whether something is HIPPA compliant or read the ToS. App store push, recommendations and word of mouth are what make an app like this spread, not details like HIPPA compliance.