Sign up to Newsletter

Period Tracker by Simple Design: Research Findings

Period Tracker by Simple Design is another popular period tracking app that has over 150 million users.

Long Read
Post date
6th May 2025
Screenshot of Period Tracker by Simple Design's listing in the Google app store it has a 4.9 star rating

Screenshot of Period Tracker by Simple Design's listing in the Google app store

Go back to the full report page

Period Tracker by Simple Design is another popular period tracking app that has over 150 million users. To begin using this app the user answers a set of three onboarding questions for about their cycle pattern. The user has the option to answer 'I'm not sure' for each question. 

After answering 'I'm not sure' for these three questions, we were able to proceed on the app without having to create an account. 

Throughout our experience inputting our cycle data, we did not appear to see our cycle inputs (e.g., blood flow, symptoms) logged anywhere in the web traffic (as was the case in our 2019 investigation), therefore the app did not appear to be communicating with an API. The app developers also confirmed in their response to us that all period input data is stored locally on the device. 

However, we did notice a flood of third-party web traffic in the form of advertising and analytics SDKs. Upon opening the app, the user is first presented with a consent dialog box for which they can select their preferences on personalized advertising, which appears to be managed by Google Ads. We note that, at the time of our testing in August-September 2024, a consent dialog box did not appear when we set up the app. The app developers clarified and provided evidence that a consent dialog box does indeed appear upon launching the app, but when we redownloaded the latest version of the app and retested it, we still did not appear to see a consent dialog box. Separately, the developers also clarified that user consent for ads is managed by Google and that users can modify their preferences by navigating to Settings > Personalised Advertising. 

Throughout our use of the app, the web traffic was flooded with Google Ads URLs that suggested the app was a Google Ads customer. For instance, we observed numerous URL paths with 'GoogleAds' and DoubleClick (Figures 2.1, 2.2), and Google Syndication (Figures 2.3, 2.4).

Screen shot of requests in the Data Interception Environment (DIE), which have been filtered for GoogleAd requets. One is highlighted containing information about the device using the app.
Figure 2.1. Here is a request from Google Ads containing information about the device (e.g., 'format', 'submodel' of the device, etc.).

In summary, this likely appears to be requesting information about the device to decide what format of ads (e.g., ads for the height and width of this device) fits this client best.

Screenshot of data from the DIE filtered by googleads, one entry is highlighted which includes "currency": "USD", "precision": "PRECISE", "type" : "ONE_PIXEL", "ad_source_name": "AdMob Network", and a "pubid"
Figure 2.2. In the response for the above request, we see Google Ads has returned the appropriate currency, which it understands to be USD (which is not entirely accurate), as well as the source of the ad ('ad_source_name').
Screenshot of data from the DIE filtered by syndication, entry highlighted is a GET Google Ads call.
Figure 2.3. Google Ads call.
Screenshot of data from the DIE filtered by syndication, entry highlighted is a request response to a Google Ads call
Figure 2.4. The response to the Google Ads call is a 1x1 GIF, which represents a tracking pixel that can track user activity/behavior in the app.

In Figures 2.1 and 2.2, we can see that DoubleClick, a Google-owned advertising tool that places ad banners, requested information about the user’s device such as their device type, the screen's height and width, etc. The response shows a variety of ads-related information, such as the 'pubid' (publisher ID), currency, type of device and the ad source, which is 'AdMob Network', a Google tool that matches paid-for ads to apps based on certain criteria a developer can set, such as the appropriate ad for the specific height and width of a screen. 

The presence of Google Syndication URLs in Figures 2.3 and 2.4 also point to this app's integration of Google's advertising network as a Google Ads customer. The Google-owned domain 'googlesyndication' is used for storing and loading ad content and other ads-related resources for Google AdSense and DoubleClick. The response returns a 1x1 tracker pixel, which is a tiny, invisible image embedded into the app that will automatically send information about the user's activity to the tracker owner (in this case, Google Ads). 

These Google Ads paths continued to populate the web traffic every time we interacted with the app, and we saw additional URLs linked to googlesyndication.com like 'pubads' that made similar requests for device data (device dimensions, time in session, etc.) and receiving similar responses (AdMob Network as the ad source, publisher ID, etc.):

Screenshot of data from the DIE - highlighted is a requst by Google Ads for device information
Figure 2.5. Information requested by Google Ads is device information like above.
Screenshot of the same request as Fig 2.5, includes "ad_source_instance_name": "AdMob (default)"
Figure 2.6. The response also locates 'Ad Mob Network' as the source of ads to place and fill in the app.

While we did not see our period input data being sent across the web traffic, we are seeing our device data being sent continuously to Google's ad network for the purposes of serving us ads in the app. Note that the app discloses in its Privacy Policy that it utilises third party service providers for analytics and displaying interest-based ads drawn from users' online behavior and device data, and the Privacy Policy does mention by name Google Analytics, Google AdSense, DoubleClick and AdMob. 

Additionally, we saw third party URLs from Firebase, which is Google's (acquired in 2014) mobile and web app development platform for building apps. 

In the web traffic for this Period Tracker app, Firebase appears numerous times, such as in the form of its Crashlytics crash reporting feature (Figure 2.8), which collects telemetry data, such as when the app encounters an error or crashes.

Screenshot of data in DIE - a response to Firebase Crashlytics, highlighted is the response which includes fields such as "firebase_crashlytics_enabled"
Figure 2.7. The settings for Firebase's Crashlytics feature.

Other appearances of the Firebase configuration beyond Crashlytics show 'clientInfo' being requested, which contains the user’s device and OS information among other device data:

Screenshot of data in DIE - a firebase request which includes information such as "country": "US", "hardware": "redroid" and "device": "redroid_x86_64"
Figure 2.8. See above a range of device data is being requested by Firebase, from 'country' (incorrectly detected as the US) to 'device' to 'hardware'.

Firebase's remote configuration path also included allowances for 'fb_login_text_type:true' in the response for the above request (Figure 2.9). This could likely be for scenarios when a user might choose to log in via a third-party social network, in which case the Privacy Policy states that it may collect some third-party data automatically, such as the user's account name, email address and public profile.

A screenshot of a response to a firebase request in the DIE including "fb_login_text_type": "true"
Figure 2.9. See 'fb_login_text_type'.

Firebase enables a range of app development and user data management activities for app developers. In general, it is commonly deployed (as we'll see below) because it is easily configurable with the Android SDK and thus is a relatively straightforward analytics tool for developers to integrate into their apps. We note that the app’s Privacy Policy states that device data may be collected by the app to inform new features and perform crash testing, but there was a lack of clarity that Firebase would be the third party collecting this data. When responding to our findings, the app clarified that the reason they did not explicitly name Firebase when providing their disclosures about analytics practices is because Firebase does not track users personally (‘Firebase is used solely for analytics and does not collect personally identifiable information’). However, the app has now said they will update their disclosures to specify the tool name. 

As a general note on Firebase, the main purpose of developers using Firebase, as we will see for many apps below, is to collect analytics information to aggregate into larger conclusions for developers (e.g., how many Android devices use this app, where in the world are most of these users, what screen sizes are commonly used). However, recall that Firebase is owned by Google; in theory, Google might have access to the device data collected by Firebase and, under the guise of the data being 'aggregated' and thus potentially anonymised, use this data for its own purposes. In fact, Firebase's Privacy Policy discloses that this further sharing with Google can happen in some cases.

Download the full report

Read more

What can I do?

If you want to make sure we can keep doing work like this you can donate now to make sure PI can keep holding governments and companies to account.  

Related learning resources
No Body's Business but Mine: Vol 2