
The Maya app is a period tracker app by Plackal Tech based in India. In our previous investigation, we revealed Maya was sharing a plethora of user input data to Facebook. However, in response to our 2019 research, the app claimed it had since ‘removed both the Facebook core SDK and Analytics SDK from Maya’ while ‘continu[ing] to use the Facebook Ad SDK, post opt-in to our terms and conditions and privacy policy’ for revenue purposes, the latter of which 'does not share any personally identifiable data or medical data with the Facebook Ad SDK.'
To get started on the Maya app, we were required to create an account using an email address and password. Note Maya's Privacy Policy states that 'the Application also automatically syncs the data entered by You to Your registered e-mail address.'
After creating our account, we completed the app's onboarding questionnaire about our cycle patterns. The app communicated all our inputs to its API, such as the email we used to sign up and our answers to the questionnaire:
We were then presented with a lengthy advertising network's consent form, which asked the user for their consent to use their personal data for a range of advertising and analytics services, including enabling these vendors to 'store and access information on a device'. We clicked 'Manage options’ and were presented with a long list of purposes for data collection (e.g., analytics) and specific vendors (e.g., Amazon Ad Server, OpenX, Criteo SA, Genius Sports UK Limited, etc.), for which we deselected our consent (it was deselected by default) and deselected 'Legitimate interests' (it was selected by default).
While using the app to input our cycle information over several sessions, we saw in the web traffic every instance in which our inputs were sent to Maya's API, such as our birth control input (Figures 3.8 and 3.9) and flow strength (Figures 3.7 and 3.8). This is likely the app syncing our inputs with our account.
Note that all of this is communicated to the API; some users may have erroneously believed that notes are local to their device and not stored remotely.
Beyond this first-party data syncing across the API, we also saw numerous third-party advertising SDKs in Maya's web traffic, particularly Google's DoubleClick and Google Ads:
The above ad does not appear to be personalised to the user's period input data but rather to the device info (e.g., likely customised to the type and operating system (OS) of the device). The ad is also targeted to the nature of a period tracking app: it is for a baby supplies website. Maya's Privacy Policy discloses that they use third party advertising companies, but it does not name the companies (e.g., Google Ads).
We also noticed a 1x1 tracker pixel below that appeared in the web traffic while we interacted with the app, similar to what we saw in the previous app. Such a pixel can automatically send information about the user's device and activity to the tracker owner, which here appears to be Google Analytics:
We also observed third party URL paths pointing to Facebook's Graph API (Figures 3.18, 3.19, 3.20) and Facebook's ad network (Figure 3.21). Note that while the Facebook API might be called by an app for log-in integration, we recall that the sign-up page for Maya only had the option to sign up with email, not with Facebook. Additionally, recall that Maya had said in its response to our 2019 research that it had removed the Facebook core SDK (and kept the Facebook Ads SDK), though the app's continued Facebook log-in requests perhaps suggest that the SDK is still integrated in the application itself (while it is Facebook that denies the requests to its API).
Above, we see that as Maya consistently makes calls to Facebook's Graph API, Facebook consistently rejects these API calls due to the 'gatekeepers' check. Even though Facebook is disrupting access by Maya to its API, Maya still appears to be sending requests (or at least leaving this Facebook configuration in the app). On the one hand, user input data is not being sent to Facebook as it had in our previous investigation; however, we are still observing calls to third parties where there shouldn't be, and these calls are nonetheless sending device data (i.e., serving the ‘babymarkt’ ad).
Maya also appeared to integrate Firebase, which requested a range of data about the device:
We can speculate that collecting the above information may be for generating aggregated analytics for the developer (i.e., how many Android devices are using the app to 'track' menstruation), though this carries additional risks that we will discuss further below. Firebase was also not disclosed in the app's rather vague Privacy Policy.
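The kind of triage we applied to the captured traffic, written up as an added example (not code from the original report or from Maya): each request is labelled by recipient, checked for sensitive fields in its body, and flagged when it looks like a tracking pixel or a call the server rejected. The first-party host and all sample entries are constructed placeholders; the third-party hostnames are real service domains.

```python
from urllib.parse import urlparse

# Hypothetical first-party API host (placeholder, not Maya's real endpoint).
FIRST_PARTY_HOSTS = {"api.maya-app.example"}
# Third-party hosts grouped by the service they belong to (real domains).
THIRD_PARTY = {
    "graph.facebook.com": "Facebook Graph API",
    "googleads.g.doubleclick.net": "Google DoubleClick",
    "www.google-analytics.com": "Google Analytics",
    "firebaseinstallations.googleapis.com": "Firebase",
}
# Fields that reveal identity or health data if they leave the device.
SENSITIVE_KEYS = {"email", "flow", "birth_control", "notes"}

def classify(entry):
    """Label one captured request: who receives it and what it reveals."""
    host = urlparse(entry["url"]).hostname or ""
    party = "first-party" if host in FIRST_PARTY_HOSTS else THIRD_PARTY.get(host, "unknown third-party")
    body = entry.get("post_data") or {}
    leaked = sorted(k for k in body if k in SENSITIVE_KEYS)
    resp = entry.get("response", {})
    # A 1x1 tracking pixel: a tiny GIF returned for a request carrying tracking parameters.
    pixel = resp.get("content_type") == "image/gif" and resp.get("size", 0) <= 64
    # The server refusing the call (the 'gatekeepers' rejection seen from Facebook).
    rejected = resp.get("status", 200) >= 400 and "gatekeepers" in resp.get("body", "")
    return {"host": host, "party": party, "sensitive_fields": leaked,
            "tracker_pixel": pixel, "rejected_by_server": rejected}

# Constructed sample traffic (not a real capture); all values are illustrative.
SAMPLE_TRAFFIC = [
    {"url": "https://api.maya-app.example/v1/cycle", "method": "POST",
     "post_data": {"email": "user@example.com", "flow": "heavy", "birth_control": "pill"},
     "response": {"status": 200, "content_type": "application/json", "size": 20}},
    {"url": "https://graph.facebook.com/APP_ID_PLACEHOLDER/activities", "method": "POST",
     "post_data": {"advertiser_id": "0000"},
     "response": {"status": 400, "content_type": "application/json",
                  "body": '{"error":{"message":"request blocked by gatekeepers"}}', "size": 60}},
    {"url": "https://www.google-analytics.com/collect?v=1&t=event", "method": "GET",
     "response": {"status": 200, "content_type": "image/gif", "size": 43}},
    {"url": "https://googleads.g.doubleclick.net/mads/gma?format=interstitial", "method": "GET",
     "response": {"status": 200, "content_type": "text/html", "size": 5000}},
]

def triage(entries):
    """Keep only findings worth reporting: third-party calls and sensitive first-party syncs."""
    return [c for c in map(classify, entries)
            if c["party"] != "first-party" or c["sensitive_fields"]]

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRAFFIC):
        print(finding)
```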