Menstruapps are mobile applications that can track a user’s reproductive cycle, sex life and health in order to provide them with algorithmically derived insights into their body. These apps are now hugely popular, with the most favoured boasting over 100 million downloads. In this study, we investigate the privacy practices of a set of 30 Android menstruapps, a set which accounts for nearly 200 million downloads.We measured how the apps present information and behave on a number of privacy related topics, such as the complexity of the language used, the information collected by them, the involvement of third parties and how they describe user rights. Our results show that while common pieces of personal data such as name, email, etc. are treated appropriately by most applications, reproductive-related data is not covered by the privacy policies and in most cases, completely disregarded, even when it is required for the apps to work. We have informed app developers of our findings and have tried to engage them in dialogue around improving their privacy practices.
 Backes, M., Bugiel, S., and Derr, E. (2016). Reliable thirdparty library detection in android and its security applications. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 356–367. ACM.
 Balebako, R., Marsh, A., Lin, J., Hong, J. I., and Cranor, L. F. (2014). The privacy and security behaviors of smartphone app developers.
 Bhatia, J., Breaux, T. D., Reidenberg, J. R., and Norton, T. B. (2016). A theory of vagueness and privacy risk perception. In 2016 IEEE 24th International Requirements Engineering Conference (RE), pages 26–35. IEEE.
 Book, T., Pridgen, A., and Wallach, D. S. (2013). Longitudinal analysis of android ad library permissions. arXiv preprint arXiv:1303.0857.
 Bowers, J., Reaves, B., Sherman, I. N., Traynor, P., and Butler, K. (2017). Regulators, mount up! analysis of privacy policies for mobile money services. In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), pages 97–114.
 Brunton, F. and Nissenbaum, H. (2015). Obfuscation: A user’s guide for privacy and protest. Mit Press.
 Cate, F. H. (2010). The limits of notice and choice. IEEE Security & Privacy, 8(2):59–62.
 Council of European Union (2016). Regulation (eu) 2016/679 of the european parliament and of the council of 27 april 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/ec (general data protection regulation). https://eur-lex.europa.eu/legalcontent/EN/TXT/?uri=CELEX%3A32016R0679.
 Cranor, L. F., Leon, P. G., and Ur, B. (2016). A large-scale evaluation of us financial institutions’ standardized privacy notices. ACM Transactions on the Web (TWEB), 10(3):1–33.
 Das, G., Cheung, C., Nebeker, C., Bietz, M., and Bloss, C. (2018). Privacy policies for apps targeted toward youth: Descriptive analysis of readability. JMIR Mhealth Uhealth, 6(1):e3.
 Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., and Holz, T. (2019). We value your privacy ... now take some cookies: Measuring the gdpr’s impact on web privacy. Proceedings 2019 Network and Distributed System Security Symposium.
 Derr, E., Bugiel, S., Fahl, S., Acar, Y., and Backes, M. (2017). Keep me updated: An empirical study of third-party library updatability on android. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS ’17, page 2187–2200, New York, NY, USA. Association for Computing Machinery.
 Epstein, D. A., Lee, N. B., Kang, J. H., Agapie, E., Schroeder, J., Pina, L. R., Fogarty, J., Kientz, J. A., and Munson, S. (2017). Examining menstrual tracking to inform the design of personal informatics tools. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pages 6876–6888. ACM.
 Flemings, M., Kazmi, S., Pak, R., and Shaer, O. (2018). Crimson wave: Shedding light on menstrual health. In Proceedings of the Twelfth International Conference on Tangible, Embedded, and Embodied Interaction, TEI ’18, page 343–348, New York, NY, USA. Association for Computing Machinery.
 Flesch, R. (1979). How to write plain english: Let’s start with the formula. University of Canterbury.
 Gluck, J., Schaub, F., Friedman, A., Habib, H., Sadeh, N., Cranor, L. F., and Agarwal, Y. (2016). How short is too short? implications of length and framing on the effectiveness of privacy notices. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), pages 321–340.
 Habib, H., Zou, Y., Jannu, A., Sridhar, N., Swoopes, C., Acquisti, A., Cranor, L. F., Sadeh, N., and Schaub, F. (2019). An empirical analysis of data deletion and opt-out choices on 150 websites. In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019).
 Han, C., Reyes, I., Elazari Bar On, A., Reardon, J., Feal, Á., Bamberger, K. A., Egelman, S., and Vallina-Rodriguez, N. (2019). Do you get what you pay for? comparing the privacy behaviors of free vs. paid apps. In The Workshop on Technology and Consumer Protection (ConPro’19).
 Honnibal, M. and Johnson, M. (2015). An improved nonmonotonic transition system for dependency parsing. In Proceedings of the 2015 Conference on Empirical Methods in Natural Language Processing, pages 1373–1378, Lisbon, Portugal. Association for Computational Linguistics.
 Huckvale, K., Prieto, J. T., Tilney, M., Benghozi, P.-J., and Car, J. (2015). Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment. BMC medicine, 13(1):214.
 Hutton, L., Price, B. A., Kelly, R., McCormick, C., Bandara, A. K., Hatzakis, T., Meadows, M., and Nuseibeh, B. (2018). Assessing the privacy of mhealth apps for self-tracking: heuristic evaluation approach. JMIR mHealth and uHealth, 6(10):e185.
 Jensen, C. and Potts, C. (2004). Privacy policies as decision-making tools: an evaluation of online privacy notices. In Proceedings of the SIGCHI conference on Human Factors in Computing Systems, pages 471–478. ACM.
 Levy, J. (2018). Of mobiles and menses: Researching period tracking apps and issues of response-ability. Studies on Home and Community Science, 11(2):108–115.
 Li, L., Bissyandé, T. F., Klein, J., and Le Traon, Y. (2016). An investigation into the use of common libraries in android apps. In 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), volume 1, pages 403–414. IEEE.
 Liu, X., Liu, J., Zhu, S., Wang, W., and Zhang, X. (2019). Privacy risk analysis and mitigation of analytics libraries in the android ecosystem. IEEE Transactions on Mobile Computing.
 Lupton, D. (2015). ’mastering your fertility’: The digitised reproductive citizen. Chapter for Negotiating Digital Citizenship: Control, Contest and Culture, edited by Anthony Mc-Cosker, Sonja Vivienne and Amelia Johns. To be published by Rowman and Littlefield, London. Forthcoming.
 McDonald, A. M. and Cranor, L. F. (2008). The cost of reading privacy policies. Isjlp, 4:543.
 Mcdonald, A. M., Reeder, R. W., Kelley, P. G., and Cranor, L. F. (2009). A comparative study of online privacy policies and formats. In International Symposium on Privacy Enhancing Technologies Symposium, pages 37–55. Springer.
 Moglia, M. L., Nguyen, H. V., Chyjek, K., Chen, K. T., and Castaño, P. M. (2016). Evaluation of smartphone menstrual cycle tracking applications using an adapted applications scoring system. Obstetrics & Gynecology, 127(6):1153–1160.
 Reidenberg, J. R., Bhatia, J., Breaux, T. D., and Norton, T. B. (2016). Ambiguity in privacy policies and the impact of regulation. The Journal of Legal Studies, 45(S2):S163–S190.
 Reidenberg, J. R., Breaux, T., Cranor, L. F., French, B., Grannis, A., Graves, J. T., Liu, F., McDonald, A., Norton, T. B., and Ramanath, R. (2015). Disagreeable privacy policies: Mismatches between meaning and users’ understanding. Berkeley Tech. LJ, 30:39.
 Rizk, V. and Othman, D. (2016). Quantifying fertility and reproduction through mobile apps: A critical overview. Arrow for change, 22(1):13–21.
 Rosas, C. (2019). The future is femtech: Privacy and data security issues surrounding femtech applications. Hastings Business Law Journal, 15(2):319.
 Sunyaev, A., Dehling, T., Taylor, P. L., and Mandl, K. D. (2014). Availability and quality of mobile health app privacy policies. Journal of the American Medical Informatics Association, 22(e1):e28–e33.
 Wilson, S., Schaub, F., Liu, F., Sathyendra, K. M., Smullen, D., Zimmeck, S., Ramanath, R., Story, P., Liu, F., Sadeh, N., et al. (2018). Analyzing privacy policies at scale: From crowdsourcing to automated annotations. ACM Transactions on the Web (TWEB), 13(1):1–29.
 Yu, L., Luo, X., Liu, X., and Zhang, T. (2016). Can we trust the privacy policies of android apps? In 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pages 538–549. IEEE.
 Zimmeck, S., Story, P., Smullen, D., Ravichander, A., Wang, Z., Reidenberg, J., Russell, N. C., and Sadeh, N. (2019). Maps: Scaling privacy compliance analysis to a million apps. Proceedings on Privacy Enhancing Technologies, 2019(3):66–86.