Sign up to Newsletter

Maya: Research Findings

The Maya app is a period tracker app by Plackal Tech based in India. 

Long Read
Post date
6th May 2025
Maya's website - claims 100 million downloads and a 4.8 rating

Screenshot of Maya's website

Go back to the full report page

The Maya app is a period tracker app by Plackal Tech based in India. In our previous investigation, we revealed Maya was sharing a plethora of user input data to Facebook. However, in response to our 2019 research, the app claimed it had since ‘removed both the Facebook core SDK and Analytics SDK from Maya’ while ‘continu[ing] to use the Facebook Ad SDK, post opt-in to our terms and conditions and privacy policy’ for revenue purposes, the latter of which 'does not share any personally identifiable data or medical data with the Facebook Ad SDK.' 

To get started on the Maya app, we were required to create an account using an email address and password. Note Maya's Privacy Policy states that 'the Application also automatically syncs the data entered by You to Your registered e-mail address.' 

After creating our account, we completed the app's onboarding questionnaire about our cycle patterns. The app communicated all our inputs to its API, such as the email we used to sign up and our answers to the questionnaire:

A screenshot of data from the DIE, one entry - a request from the Maya API - is highlighted.
Figure 3.1. Our email was logged in the web traffic and sent to the API.
A screenshot of data in the DIE which includes the response to the above request including a unique id
Figure 3.2. In response, we were assigned a unique ID.
Screenshot of data logs in the DIE - highlighted is a request from the Maya API which includes information like "birth_year", and "user_cycle_length",
Figure 3.3. Our birth year and cycle information was also sent to the API to update our settings.
A screenshot of data in the DIE which includes the response to the above request including much the same information as the above request
Figure 3.4. This is also recorded in the response.

We were then presented with a lengthy advertising network's consent form, which asked the user for their consent to use their personal data for a range of advertising and analytics services, including enabling these vendors to 'store and access information on a device'. We clicked 'Manage options’ and were presented with a long list of purposes for data collection (e.g., analytics) and specific vendors (e.g., Amazon Ad Server, OpenX, Criteo SA, Genius Sports UK Limited, etc.), for which we deselected our consent (it was deselected by default) and deselected 'Legitimate interests' (it was selected by default).

A screenshot of a consent pop-up, a cursor hovers over 'manage options'
Figure 3.5. The consent form from the advertising network Maya partners with, for which we clicked ‘Manage Options’.]
A screenshot of the 'manage options' screen of the consent, it includes the option to turn on Consent (66 vendors) and Legitimate interest (38 vendors).
Figure 3.6. We had to manually deselect all the processing purposes, including for legitimate interest, in the lengthy advertising network’s consent form.
A screenshot of the vendor preferences form - it includes information on the Amazon Ad Server such as 'cookie duration' and 'Data collected and processed'
Figure 3.7. We then had to manually deselect all the vendors in the lengthy advertising network consent form.

While using the app to input our cycle information over several sessions, we saw in the web traffic every instance our inputs were sent to Maya's API, such as our birth control input (Figures 3.8 and 3.9) and flow strength (Figures 3.7 and 3.8). This is likely the app syncing our inputs with our account.

Screenshot of data logs in the DIE a request from the Maya API is highlighted, it includes "pill_dates"
Figure 3.8. The API requested the date of our pill entry and what the entry was (denoted by '1').
Screenshot of data logs in the DIE a response the above request is highlighted
Figure 3.9. The API synced this newly logged information.
A screenshot of data in the DIE - a request from the Maya API is highlighed, the information requested includes "flow_strengths", and within that "date": "24-Sep-2024", "note": "5", "status": "Added"
Figure 3.10. The API requested the date of our flow strength entry and what that entry was (denoted by '5').
A screenshot of the response to the above request as displayed in the data interception environment, it now says "status": "Synced"
Figure 3.11. The API synced this newly logged information.

We also observed that the full text of the personal notes we wrote were also sent to the API:

A screenshot of an intercepted request from the Maya API that includes the text of a note we added reading "Forgot to take pill\n"
Figure 3.12. In the request here we can see the text of our note.
Response to the above request which shows that the note has been synced.
Figure 3.13. In the response, the API synced the text of this note to the date updated.

Note that all this is being communicated to the API, where it might have been the erroneous belief of some users that notes are local to their device and not stored remotely. 

Beyond this first-party data syncing across the API, we also saw numerous third-party advertising SDKs in Maya's web traffic, particularly Google's DoubleClick and Google Ads:

A screenshot of the response from Google Ads, the entries marked "adapters": "com.google.ads.mediation.admob.AdMobAdapter" and "adapters": com.google.ads.mediation.facebook.FacebookAdapter", and "auto_collect_location": true, are highlighted, one
Figure 3.14. The response from Google Ads with the advertising settings for this app, such as 'auto_collect_location: true'.

Google Ads also requested device information to know what format of ads to display, and the response outputted an ad, 'babymarkt.de':

A screenshot of a Google Ads request in the DIE, the request includes information such as submodel: redroid11_x86_64, adid_p: 1 and format: 320x50_mb
Figure 3.15. Device data such as the 'submodel' and the 'format' was requested here.
Screenshot of a response in the DIE, including information about an ad for the company Babymarkt
Figure 3.16. Based on the requested device information, the advertising network responded with an ad for the company 'babymarkt'.]

The above ad does not appear to be personalised to the user’s period input data but rather to the device info (e.g., likely customised to the type and operating service (OS) of the device). It is also an ad targeted to the nature of a period tracking app, as it is a baby supplies website. Maya's Privacy Policy discloses that they use third party advertising companies, but it does not name the companies (e.g., Google Ads). 

We also noticed below a 1x1 tracker pixel that popped up in the web traffic while we interacted with the app, similar to what we saw in the previous app, that can automatically send information about the user's device and activity to the tracker owner, which appears to be Google Analytics here:

Screenshot of an entry in the DIE, it is information about a tracking pixel from Google Analytics
Figure 3.17. We can see above for a URL path associated with ‘google-analytics’ a 1x1 GIF, which represents a tracking pixel that can track user activity/behavior in the app.

We also observed third party URL paths pointing to Facebook's Graph API (Figures 3.18, 3.19, 3.20) and Facebook's ad network (Figure 3.21). Note that while the Facebook API might be called by an app for log-in integration, we recall that the sign-up page for Maya only had the option to sign up with email, not with Facebook. Additionally, recall that Maya had said in its response to our 2019 research that it had removed the Facebook core SDK (and kept the Facebook Ads SDK), though its pushing of the Facebook log-in perhaps suggests that the SDK is still integrated in the application itself (while it is Facebook that denies the requests to its API).

A response from Facebook to Maya - captured by the DIE - which includes an error message: "API access disrupted. Go to the App Dashboard and complete Data Use Checku...
Figure 3.18. Facebook denies Maya's calls to integrate the Facebook API.
Request for the rejected call intercepted by the DIE includes fields: gatekeepers, along with an acess_token, information on the sdk_version and the platform
Figure 3.19. The requests for these rejected calls contain the field 'gatekeepers'.
Request intercepted by the DIE to graph.facebook.com that includes application_tracking_enabled: true, advertiser_id_collection_enabled: true, advertise_tracker_enabled: true, along with an advertiser_id
Figure 3.20. We see 'advertiser_tracking_enabled: true' for calls to the Facebook API, which suggests Maya is attempting (unsuccessfully) to integrate Facebook for advertising purposes.
Response request intercepted by the DIE, it is a request from Maya to Facebook's ad network, it includes "feature_config": "adnw_modules_sync_enabled: "false", "adnw_modules_no_pii_sync_enabled":"false"
Figure 3.21. We can see here that Maya had called Facebook's ad network, but Facebook responded false for all the bidding entries, likely because the Facebook API rejected Maya's calls.

Above, we see that as Maya consistently makes calls to Facebook's Graph API, Facebook consistently rejects these API calls due to the 'gatekeepers' check. Even though Facebook is disrupting access by Maya to its API, Maya still appears to be sending requests (or at least leaving this Facebook configuration in the app). On the one hand, user input data is not being sent to Facebook as it had in our previous investigation; however, we are still observing calls to third parties where there shouldn't be, and these calls are nonetheless sending device data (i.e., serving the ‘babymarkt’ ad). 

Maya also appeared to integrate Firebase, which requested a range of data about the device:

An intercepted request hosted by firebaselogging-pa.googleapis.com. This included information under "androidClientInfo" such as "applicationBuild", "country", "device", "fingerprint", "hardware" and more
Figure 3.22. See device information in 'androidClientInfo'.

We also noticed Firebase requested specific information about the app itself, such as 'Usermode: Track' and app version information, which is likely collected for app-specific monitoring and performance analytics:

An intercepted request including a range of information under "analyticsUserProperties" including "Tier": "BASIC", "UserMode": "Track", "firstOpenTime", "appId" and more
Figure 3.23. The variable 'UserMode: Track' is likely from our response in the onboarding questionnaire.

We can speculate that collecting the above information may be for generating aggregated analytics for the developer (i.e., how many Android devices are using the app to 'track' menstruation), though this includes additional risks for consideration we will discuss further below, not to mention Firebase was not disclosed in the app's rather vague Privacy Policy.

 

Download the full report

Read more

What can I do?

If you want to make sure we can keep doing work like this you can donate now to make sure PI can keep holding governments and companies to account.  

Related learning resources
No Body's Business but Mine: Vol 2