The apps women trust with their bodies are often the ones leaking their data
Most women's health apps share data you cannot see. Stempli tests what apps actually do. TALIA is the first to earn Gold.

A menopause app can know things about a woman that her closest friends do not. The night the sleep stopped. The days the moods turned. The dose of hormones she takes, and the day she changed it. Memory lapses she has told no one about. This is not a generic health record. It is a timestamped picture of a hormonal life.
Most menopause apps are free. Free usually means the woman is not the customer. She is the product.
Why can't I see what a health app does with my data?
The problem is not that these apps lie. A privacy policy can say all the right things. The problem is that it is really hard to see what the software does once it is running on the phone.
A policy is a promise. A promise can be rewritten overnight. App store approval checks that an app works, not where it sends your data. So the careful apps and the careless ones sit on the same shelf and look like equally safe choices. The woman downloading one has no way to tell them apart.
The scale of this is not small. In 2022, a study of women's health apps found that 87 percent shared user data with third parties. Flo, one of the most popular apps in the category, settled with the US Federal Trade Commission in 2021 over sharing menstrual and pregnancy data with firms including Meta and Google, without users' consent. In 2025, Flo and Google agreed to pay a combined 56 million dollars to settle a class action over the same kind of data. A California jury found Meta liable in the same case. When Mozilla reviewed 25 reproductive health apps and devices in 2022, one met its top privacy standard. One.
What happens when you test an app that thinks it is clean?
Here is the part that should give every app maker pause.
TALIA is a menopause and Hormone Replacement Therapy (HRT) tracking app built in Cornwall. Its founders, Kate and Brent Kirkman, built it on a single promise: everything a woman records stays on her device.
"I wanted an app to help me in this period of transition, but I couldn't find one on the market that didn't turn me into the product. So I wanted us to build one that respected the users' privacy", says Kate.
They were certain the app was clean. They asked to have it tested anyway.

The scan found something. A third-party payment component built into the app was sending data off the device. The founders had not put it there to track anyone. It arrived inside a tool, the way these things do. They had not seen it.
They removed it. Only then did the app reach Gold.
"We were certain we were clean. The scan proved we weren't, and showed us exactly what to fix. That is the whole point. A certificate is worthless if it can't fail you", Kate says.
The leak was not malice. It was invisibility. And if a team that cared this much, led by a builder who knew exactly where these leaks hide, still shipped one without knowing, then the problem is not a handful of bad actors. It is structural.

A trust mark you earn by being tested
Stempli is a public registry where iOS apps are tested and graded on what they do. Not on what they say. An autonomous agent downloads the live app from the App Store and uses it the way a person would. It records every place the app sends data, every identifier it sets, every permission it asks for. The app is graded on that behaviour.
Findings are detected, not declared. The developer does not fill in a form. The developer cannot influence the result. That is what independence means here. A certificate is earned, not bought. Peak Privacy issues it when the scan meets the standard, and withdraws it when a release no longer does.
How to read what a scan finds
A scan produces evidence, and evidence needs reading.
An IP address is personal data. It is also present on every connection a phone makes. A server cannot reply without seeing the address it is replying to. So an IP address on its own is not proof of tracking, even though it is personally identifiable data. What matters is also what else is sent, and what the receiver does with it. Are they building profiles of the users, for example?
Where a server sits is not the same as who controls it. A server in Germany run by a US company is still reachable under US law. Stempli shows both: where the data went, and whose jurisdiction governs the company that holds it. The two can differ. The difference is the point.
Some things act as a name tag for a device. An advertising ID. A cookie. A fingerprint built from the phone's own characteristics. On their own they can look harmless, but combined they are the raw material of profiling. They let one company recognise a device and join its activity to data from somewhere else.
What the tiers mean
The tiers are drawn around one question: how much data leaves the device, and to whom.
Gold is the cleanest. Data goes to no one but the app's own service. No third parties. No tracking. No hidden identifiers. TALIA sits there. Silver and Bronze sit below it, drawn around who receives data. No tier, at any level, permits advertising identifiers or a connection to adtech vendors.
An app can also be tested and shown with no tier at all. Tested is not the same as failed. It means the evidence is public and the app has not earned a mark. The point is never to shame. The point is to make it easy for you and me to quickly see whether privacy is included in an app we may consider downloading.
A deliberate start
Stempli opens with its first verified apps. It will grow. Currently we scan more than a thousand apps regularly, and most of them will make it on to Stempli in the near future, and many more after that. Every app, certified or not, is double checked by hand before it goes live. PPCS version 1.0 is a first standard. It will be refined as the registry grows.
Peak Privacy is based in Copenhagen and built for the long term.

Why "Stempli"
The name comes from the Swedish stämpel and German Stempel: a stamp, a seal, the mark left when something has been checked. In Swedish, stämpel av godkännande means a stamp of approval. A stamp is applied after inspection, never before. The name says what the thing is. A mark you can trust, because someone independent put it there.
See for yourself
TALIA's certificate is public. A full scan report will be downloadable from each certified app on Stemp.li. To see TALIA's full scan report, download it below.
Read more from TALIA: their press release, their press page, and the app itself.
If you make an app that handles sensitive data, you can request an assessment.
New study on menopause apps coming
This is the first of a series. In the coming weeks Peak Privacy will publish what its scans found across menopause apps, read against what those apps promise. The same method. The same standard.
- For more information contact Vibeke Specht, Data Protection Specialist and co-founder of Peak Privacy at vibeke[@]peakprivacy.eu