
Screenshot of Wocute's website.
Wocute is a Singapore-based period tracking app with over 5 million global downloads. To get started on the app, a user first needs to complete a short onboarding questionnaire about their goal for using the app ('track my cycle'), their year of birth (which we skipped), followed by the length of their period cycle and start date of their last period (for which we selected 'I'm not sure'). These responses were all communicated to the API:
After the onboarding, we proceeded to the main cycle dashboard without having to create an account.
While inputting our cycle information, we saw all our inputs were logged in the web traffic, such as codes representing our bleeding, energy levels and moods, as well as the actual text of a note we wrote in the app:
On the matter of third parties, we noticed third-party URL paths pointing to Beacon QQ, which is an analytics tool that can be packaged with China's Tencent platform to update the server with a user's data, likely comparable to Google's Firebase:
The web traffic also contained URL paths for third party Adjust (Figure 6.6), which is a Berlin-based analytics service integrated with apps for the purposes of measuring and scaling an app's marketing activity. Throughout our onboarding and use of the app, Adjust intermittently requested device-related data and responded with an ad ID:
We also noticed several calls to Facebook's Graph API. Similar to WomanLog and Maya, there appeared to be a gatekeeper check in the call to Facebook, and the response included a list of the SDK features used by the app (Figure 6.12).
As with many of the above apps, we also noted appearances of Firebase; it appeared that the same types of device data as we’ve seen for the above apps were sent to Firebase.
As for cloud servers, we noticed that certain API requests (not all) occurred over the 'AliyunSLS' server, which is a cloud service run by China-based Alibaba:
Wocute's Privacy Policy did disclose that personal information is stored in a password-controlled server in China, though it did not expressly name the third-party server host Aliyun, nor the other third-party SDKs it used like Beacon/Tencent, Facebook or Firebase; the mention of third-party services was relegated to generalised disclosures, such as referring to 'web beacons' for site tracking technology similar to cookies.
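For readers who want to repeat this kind of traffic review on their own proxy capture, the following is an added example, not code from this report: it groups captured requests by the third parties named above and checks where a known 'canary' note typed into the app shows up. The host suffixes, the canary text and the sample entries are assumptions constructed for illustration.

```python
import base64, json
from urllib.parse import urlsplit, unquote_plus

# Host suffixes are assumptions for illustration; confirm them against your own capture.
THIRD_PARTIES = {
    "Adjust": ("adjust.com",),
    "Facebook Graph API": ("graph.facebook.com",),
    "Firebase": ("firebaseinstallations.googleapis.com", "app-measurement.com"),
    "Tencent Beacon": ("beacon.qq.com",),
    "Aliyun SLS": ("log.aliyuncs.com",),
}
CANARY = "canary-7f3a cramps"  # constructed note text typed into the app under test

def classify(host):
    """Label a host by third party, matching whole DNS labels (not substrings)."""
    host = host.lower().rstrip(".")
    for name, suffixes in THIRD_PARTIES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return "first-party/unknown"

def canary_hits(text, canary):
    """Return the encodings under which the canary appears in a request."""
    forms = {"plain": canary, "base64": base64.b64encode(canary.encode()).decode().rstrip("=")}
    views = (text, unquote_plus(text))  # raw, then URL-decoded
    return {k for k, v in forms.items() if any(v in view for view in views)}

def audit(entries, canary=CANARY):
    """Per destination: request count and how the canary text was seen."""
    report = {}
    for entry in entries:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        body = req.get("postData", {}).get("text", "")
        row = report.setdefault(classify(host), {"requests": 0, "canary": set()})
        row["requests"] += 1
        row["canary"] |= canary_hits(req["url"] + "\n" + body, canary)
    return report

# Constructed HAR entries; hosts, paths and bodies are placeholders, not captured traffic.
SAMPLE_ENTRIES = [
    {"request": {"url": "https://api.app.invalid/notes",
                 "postData": {"text": json.dumps({"mood": 3, "note": CANARY})}}},
    {"request": {"url": "https://app.adjust.com/placeholder",
                 "postData": {"text": "device=placeholder"}}},
    {"request": {"url": "https://proj.region.log.aliyuncs.com/placeholder",
                 "postData": {"text": "note=canary-7f3a+cramps"}}},
    {"request": {"url": "https://notadjust.com/placeholder"}},
]

if __name__ == "__main__":
    for dest, row in audit(SAMPLE_ENTRIES).items():
        print(dest, row["requests"], sorted(row["canary"]))
```

The entries follow the `log.entries[].request` shape of a HAR export, so the list from a real capture can be passed to `audit` directly. A canary that is compressed, encrypted or embedded inside a larger encoded blob will not be found by this check.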