Period tracker Stardust shares users’ health data with analytics firm, says Mozilla research
Source Entity
Zack Whittaker

Research by Mozilla has revealed that the period tracking app Stardust shares sensitive user health data with an analytics firm, highlighting a stark disparity in privacy standards among health-related applications.
Data Privacy Under the Microscope: Mozilla's Findings on Stardust
Recent research conducted by Mozilla has cast a spotlight on the precarious nature of health data privacy in the mobile app ecosystem. The investigation revealed a troubling inconsistency in how period tracking applications handle sensitive user information. Specifically, while some apps were found to be "squeaky clean"—maintaining rigorous privacy standards and limiting data exposure—the app Stardust was identified as sharing users' intimate health data with a third-party analytics company. This finding underscores a systemic issue where the burden of privacy verification falls almost entirely on the consumer, despite the highly personal nature of the data being collected.
The Chasm Between Privacy-First and Data-Driven Models
The contrast between the apps tested by Mozilla suggests two fundamentally different business philosophies in the health-tech sector. On one hand, privacy-first applications treat health data as a sacred trust, employing local storage or end-to-end encryption to ensure that only the user has access to their cycles and symptoms. On the other hand, apps like Stardust appear to operate on a data-driven model where user behavior and health metrics are viewed as assets that can be leveraged for analytics. This disparity is often invisible to the average user, as privacy policies are frequently written in dense legal jargon that obscures the actual flow of data to third-party vendors.
The Heightened Sensitivity of Menstrual Health Data
To understand the gravity of Stardust sharing data with analytics firms, one must consider the unique sensitivity of menstrual tracking. This data is not merely a calendar of dates; it can reveal pregnancies, miscarriages, fertility struggles, and chronic health conditions like PCOS or endometriosis. In an era of increasing digital surveillance, the leakage of such information poses significant risks. Beyond commercial profiling, there are profound legal and social implications, particularly in jurisdictions where reproductive healthcare is heavily regulated or criminalized. When health data is shared with analytics firms, the risk of that data being re-identified or leaked increases exponentially.
The Role and Risk of Third-Party Analytics
Analytics firms often claim that the data they receive is "anonymized" or "aggregated," meaning it is stripped of direct identifiers like names or email addresses. However, cybersecurity experts have long warned that "de-identified" health data can often be re-identified by cross-referencing it with other available datasets. By sharing health metrics with an analytics company, Stardust potentially exposes its users to a chain of data custody that the user cannot control. Once data leaves the primary app's environment, the user's ability to request deletion or correct inaccuracies is severely diminished, creating a permanent digital footprint of their biological health.
Regulatory Gaps in the Health-App Market
This incident highlights a critical gap in current regulatory frameworks. While healthcare providers in the US are bound by HIPAA, many consumer health apps fall into a regulatory "grey zone" because they are not provided by a covered healthcare entity. Although the GDPR in Europe provides stronger protections, the enforcement of "data minimization"—the principle that companies should only collect what is strictly necessary—remains inconsistent. The Mozilla report serves as a catalyst for a broader conversation about the need for specialized regulations that treat all health-related apps with the same rigor as medical records, regardless of whether they are marketed as "wellness" tools or clinical instruments.
Future Outlook: The Shift Toward Local-First Data
Looking forward, the backlash against data-sharing practices is likely to drive a market shift toward "local-first" software architecture. We can expect to see a rise in apps that process all health data on the device itself, ensuring that no sensitive information ever reaches a cloud server, let alone a third-party analytics firm. As users become more aware of the risks—prompted by research like that of Mozilla—the competitive advantage will shift from apps with the most features to apps with the most verifiable privacy guarantees. Transparency will no longer be a luxury but a requirement for survival in the health-tech marketplace.
Summary
The revelation that Stardust shares health data with analytics firms, while other competitors remain private, exposes a dangerous inconsistency in the period-tracking industry. This event emphasizes the urgent need for users to scrutinize their app choices and for regulators to close the loopholes that allow sensitive biological data to be commodified under the guise of analytics.