After all, maybe it wasn’t all so harmless.
Turns out, the matter of sharing data around my circle, and possibly even more private information about my intimate experiences, was not as much a matter of choice as I had expected. Worse, it might have been used to sell me stretchmark cream or dental dams.
bloody hand caught
Period tracking app, Flow, has been found liable in relation to selling user data to Meta, despite promising their users that they were protecting their privacy. The class action suit included 13 million Flow users as plaintiffs, which is a sizable chunk of angry users among their reported 75 million-strong user base.
The lawsuits against Meta and Flow, which were first filed in the US and Canada in 2021, highlight a larger issue in non-medical health tracking software – there is too much ambiguity around consent when it comes to selling your health information to advertisers.
The important thing about the legal precedent being set is that it highlights how existing guidelines around health data privacy (such as HIPAA) are woefully lagging behind the health tracking technology already available directly to users. This raises several important questions:
-
What does this legal ambiguity mean for how we self-monitor our biological markers?
-
In a post-Dobbs environment, how do concerns over digital privacy impact our consumers’ choices in sexual health and period tracking apps?
-
Why is it still up to the consumer to do safety checks when product teams and healthtech brands should have a role in creating less creepy technology?
-
Do we really need to be tracking every possible symptom, mood, and convulsion and letting private tech companies decide what to do with that data?
Feeling “creamy” today? Great, we’ll tell Mark Zuckerberg.
Joking about the consistency of my ovulation was already too far and a line I chose not to dare cross with said boyfriend. If I masturbated or had unprotected sex any day I certainly would not voluntarily announce it to anyone analyzing data on Meta. However, the Flow app may have made this decision for me.
For all my mental confusion about whether or not one should actually send one’s cycling calendar to a partner, Flo might as well have been sending the intimate details of our sexual relationship to a group of tech bros behind our backs. Turns out, Flow had embedded a secret “eavesdropping” tool that sent information like menstrual cycles, ovulation, and if a user was trying to get pregnant to Meta, despite clearly claiming not to be the case in their privacy policy.
Slippery like ovulation flow, Flow was telling us that our private data was safely hidden from prying eyes. Guilty verdict in August 2025 fresco vs flow The lawsuit proved otherwise:
“Flo, through the Flow app, unlawfully shared users’ sensitive health data – including information related to menstrual cycles, ovulation and pregnancy – with third parties such as Meta, Google and Flurry for their own commercial use.”Burr & Forman, 2025).”
The jury found Meta liable for collecting sensitive reproductive health data and using it for its own benefit. The other parties listed settled out of court, meaning their involvement in the breach will remain more private than the health data of Flow users between 2016 and 2019.
Feminism doesn’t need anything more than a little irony these days, right?
This was not a hack. This was a design decision.
It is important to point out that these third-party platforms have not hacked the Flow app. The people in charge of making privacy decisions at Flow handed them our sensitive data on a silver platter. This was simple track-and-sell data sharing and we probably should have seen it coming.
I have written before howpink wash‘Femtech can hide many unethical product decisions. Even before I moved on to greener and more personal pastures with my period tracking app selection, Flow was already starting to give me the ick. The UX design was becoming more complex, more cluttered, more cartoonish with each update.
Increasingly, the Flo Home screen was becoming more bloated than the late-luteal phase belly. Opening the app to log whether I saw something that morning or had insomnia or tender breasts was like navigating a minefield of tired female designs and unnecessary reminders to meditate.
With each update, the home display presented me with an ever-increasing choice of opportunities for negative symptom reporting. Everything seemed absolutely pathological, without any discrimination in the hierarchy. Symptoms became more and more prominent and advice appeared at every turn, effectively making the actual cycle tracker disappear.
In the context of flow-meta filing, this makes sense – focusing on the “problems” of periods can help increase sales of items that alleviate the symptoms. There’s not much to be gained from a simple period calendar, is there? It’s sad to realize that the emphasis on symptomatology is helping drive advertising on recently found sites. liable for personal injury The equivalent of tobacco companies.
At the end of the day, no amount of rose-tinted ’empowerment’ or ‘evolved’ mentions of sex toys and self-pleasure can hide who benefits from these design choices*.
The difference between HIPAA and ‘wellness’ is where consent ends
Flo made major changes to its privacy policy 13 times Over the three years (2016-2019) relating to legal claims. These lawsuits show that all those edits did nothing to make the consent that users might have thought they were giving real in any meaningful way.
Lawsuits like the Flo-Meta lawsuit are notable in that they are helping to build the foundation of legal precedent within the gray zone of non-HIPAA compliant wellness technology. Most health technology, including many reproductive health technologies currently on the market, are not explicitly diagnostic or tied to direct communication with a healthcare provider.
Which means, you can log some deep information about your body functions and be given automated advice on making adjustments to potentially improve these bodily functions, and in all likelihood, it doesn’t fall under the protection of current health and privacy laws. This means it is at the discretion of the apps themselves to create policies about what data to share or sell or report to government agencies.
They have fairly wide discretion in designs around the consent they are willing and able to give to users. Design decisions and agreed frameworks in the product may be guided by best practices, but those choices are still largely driven by opinions within product teams. This is how careless consent patterns continue to be passed on to users, even when the product may be dealing with incredibly sensitive data collection.
It wasn’t that there were any cyber criminals holding Flow ransom, these were embedded legal, design, engineering and sales positions that were obtained through a series of employees who ultimately threw users under the bus for profit.
It is difficult to track exact information on the number of employees employed by Flow from 2016-2019 and who was directly responsible for these choices. By most accounts, it was a small operation – perhaps about 350 employees at any one time in those years. This is a very small group of people making potentially important decisions about how highly sensitive health data is collected, stored and shared, as well as how those processes and policies are communicated to their millions of users around the world.
If we are left to our own devices, who will protect us?
It seems we can’t essentially leave it up to companies — or their ragtag teams of crackpot lawyers who rewrite privacy policies every few months — to keep our personal data private. I guess we’re left with the need to repeatedly hurt Mark Zuckerberg’s feelings in order to use our vibrators in peace.
The law has been slow to catch up, especially when it comes to regulating technology. This troubles me when I consider the rush to increase collection of data related to women’s health in an effort to close the data gap. It’s a worthy aim, but how much can we really trust private companies operating outside medically directed structures?
That’s before we even take into account the increasing use of generic AI in populating health advice within apps, which intentionally disrupt the healthcare sector and thus don’t have to conform to user safety under that hierarchical umbrella. There is such a thing as too much data, although try telling that to a PM trying to create his KPIs. If data comes from unmanaged flows, collection methods are prioritized for third-party advertising sales, and is done without users’ direct consent, how much can we trust derivative generator outputs? Is this the standard we want to set for collecting women’s health data? Is it worth all the costs?
Personally, I smell it like moving too fast and breaking things. Flow definitely broke my trust along with that of at least 13 million former Flow users. With (allegedly) over a third of US women using period tracking apps and similar rates of usage among women in the EU, there is a significant market to capture here. Unlike 2016, when Flow was one of the few players on the field, today there are hundreds of cycle tracking apps for discerning users to choose from, not to mention the growing availability of other health apps and built-in cycle trackers within wearable devices.
Although Flow remains one of the top downloaded ones, for many of us, it’s a case of get burned once, get embarrassed twice. Personally, I’m a big fan of WildAI, which doesn’t bother to ask me if I rubbed anyone and therefore has no interest in telling any tech giant if I bother to note if I was thirsty and aroused and hungry all in the same day. You and Mark can guess how much space those notes take up on my cycling calendar. I like it that way, and Flo should too.
*Let’s consider for a moment how the devs setting up personalized ad gating at Google might be tracking the prevalence of sex toy use and anal sex among Flow users so they can increase pay per click (PPC) rates on your apps. Obviously, this is feminism at its best.
**It may be worth debating whether, in a post-Dobbs world and in countries with absurd digital privacy standards, the potential health benefits of carefully logging sexy self-play may not be worth the risk of it falling into the hands of such lax data brokers. It’s bad enough we have to worry about it Violation of privacy of self vibrator. Maybe a “dumb” dildo really is the better choice these days. We’ll have to get into that in another post.
<a href