Sign up to Newsletter

Wocute: Research Findings

Wocute is a Singapore-based period tracking app with over 5 million global downloads. 

Long Read
Post date
6th May 2025
Wocute's website claiming that "Caring for my health starts with tracking periods."

Screenshot of Wocute's website.

Go back to the full report page

Wocute is a Singapore-based period tracking app with over 5 million global downloads. To get started on the app, a user first needs to complete a short onboarding questionnaire about their goal for using the app ('track my cycle'); their year of birth (which we skipped), followed by the length of their period cycle and start date of their last period (for which we selected 'I'm not sure'). These responses were all communicated to the API:

A gapi.wocute.com request captured by the Data Interception Environment it includes Birthday, cycle length, initial cycle length, and others
Figure 6.1. The Wocute API requested our answers in the onboarding questionnaire and automatically populated 'birthday' and 'cycleLength' with generic information as we skipped these questions.

After the onboarding, we proceeded to the main cycle dashboard without having to create an account. 

While inputting our cycle information, we saw all our inputs were logged in the web traffic, such as codes representing our bleeding, energy levels and moods, as well as the actual text of a note we wrote in the app:

An API request caputured by the DIE which includes fields like bleeding, date, enery, moods, mucus, note (filled out as "Did not take conctraception pill", pills, symptoms, and more
Figure 6.2. See 'moods', 'energy' and 'pills' being requested by the API and represented by code values. Also notice the personal note ('note') we'd written being transmitted here.
A response from the Wocute API - it just reads "code": 200
Figure 6.3. The request went through to the API successfully.

On the matter of third parties, we noticed third-party URL paths pointing to Beacon QQ, which is an analytics tool that can be packaged with China's Tencent platform to update the server with a user's data, likely comparable to Google's Firebase:

A request captured by the DIE to otheve.beacon.qq.com, it includes information such as an eventCode, eventTime, an appID, appName, appPlatform, and others
Figure 6.4. Generic analytics information like 'appID' was sent to Beacon QQ.
An acknowledgement response from otheve.beacon.qq.com
Figure 6.5. Beacon QQ reported a successful exchange.

The web traffic also contained URL paths for third party Adjust (Figure 6.6), which is a Berlin-based analytics service integrated with apps for the purposes of measuring and scaling an app's marketing activity. Throughout our onboarding and use of the app, Adjust intermittently requested device-related data and responded with an ad ID:

An 'Adjust' request intercepted by the DIE, it includes information such as app_version, app_toke, device_type, gps_adid, and more
Figure 6.6. Adjust requested certain app and device related data, such as the 'device_name' and 'os_version'.
A response from Adjust intercepted by the DIE which includes an adid, an app_token, a tracker_token, and more
Figure 6.7. This was the initial instance of Adjust first assigning us an 'adid' and 'tracker_token', likely for analytics purposes. Later calls from Adjust simply returned the 'adid' and token.

We also noticed several calls to Facebook's Graph API. Similar to WomanLog and Maya, there appeared to be a gatekeeper check in the call to Facebook, and the response included a list of the SDK features used by the app (Figure 6.12).

A graph.facebook.com request intercepted by the DIE, it includes access_token: (a string of numbers and letter), fields: gatekeepers, format: json, sdk_version: 17.0.1 and more
Figure 6.8. See 'fields: gatekeepers'.
A graph.facebook.com response intercepted by the DIE - it is as list of SDKFeatures marked true or false depending on if they are in use or not.
Figure 6.9. Features of the SDK listed.

Note in the response details for the above response, there appeared a warning that 'You are calling a deprecated version of the Ads API'. This likely means the app is calling an old version of the Facebook API; it’s still functional, just outdated.

The above intercepted response, with the data in a field called x-ad-api-version-warning highlighted. It reads You are calling a deprecated version of the Ads API.
Figure 6.10. For the same call as the above (Figure 6.12 and 6.13), the Graph API displays this warning.

As with many of the above apps, we also noted appearances of Firebase; it appeared that the same types of device data as we’ve seen for the above apps was sent to Firebase. 

As for cloud servers, we noticed that certain API requests (not all) occurred over the 'AliyunSLS' server, which is a cloud service run by China-based Alibaba:

A response intercepted by the DIE, it says Server: AliyunSLS, and includes information such as the date, and fields called x-log-append-meta, x-log-time, and x-log-requested
Figure 6.11. See 'server: AliyunSLS'.

Wocute's Privacy Policy did disclose that personal information is stored in a password-controlled server in China, though it did not expressly name the third party server host Aliyun, nor the other third party SDKs it used like Beacon/Tencent, Facebook or Firebase; the mention of third party services was relegated to generalised disclosures, such as referring to 'web beacons' for site tracking technology similar to cookies.

Download the full report

Read more

What can I do?

If you want to make sure we can keep doing work like this you can donate now to make sure PI can keep holding governments and companies to account.  

Related learning resources
No Body's Business but Mine: Vol 2