
Screenshot of Stardust's website.
Stardust is a New York-based astrology-themed period tracking app that has recently risen in popularity, having received a spike in downloads in the U.S. following the overturning of Roe v. Wade.
Screenshot of Stardust's website.
Go back to the full report page
Stardust is a New York-based astrology-themed period tracking app that has recently risen in popularity, having received a spike in downloads in the U.S. following the overturning of Roe v. Wade. According to its website, the app takes a de-identification approach to users' privacy by utilising a third party 'security system' operated by Rownd, “an authentification platform that stores your contact information for us [Stardust] so that we cannot associate your health data with your real-world identity”. In theory, this means that Stardust manages users' period input data while Rownd stores the users’ identifiable account data like their name and sign-up email in such a way that Stardust cannot link users' input data with their unique account profile managed by Rownd. Notably, Rownd is not named in Stardust's Privacy Policy, only on the website. To get started on the app, we were required to create an account via Google. By signing up with our Google account, it was made clear that our user agreed to Google sharing their name, email address, and profile photo with Stardust (Figure 7.1).
After connecting our account with Google, we completed Stardust's onboarding questionnaire, which asked for our purpose for using the app (e.g., for period tracking), our date of birth (which was required) and a range of period information like our latest period and birth control method. During this process, we noticed a plethora of URLs from Rownd's API in the web traffic:
Note that all these and following calls to Rownd by Stardust occurred over the Cloudflare CDN, which is not named in Stardust’s Privacy Policy. Rownd utilizes Cloudflare for the delivery of their authentication services. We’ve already discussed Cloudflare’s security layer above, and Rownd also clarified that robust TLS (transport layer security) encryption is used by Cloudflare between Rownd and its communications with the client, including between Cloudflare.
While using the app, with every update we inputted, the Stardust API requested a 'rowndToken' associated with our account. In theory, this links all our account data managed by Rownd (e.g., first and last name, log-in email) with that unique token:
In Figure 7.5, we can see that the Stardust API did not appear to have access to the first and last name of the user for the specific ‘rowndToken’ (‘null’ for these fields), but it did appear to output the accurate birthday of the user provided during our sign-up.
As for processing with the Rownd API, everything from our Google email to our last sign in time to our Google ID was being processed by the Rownd API over Cloudflare:
In Figure 7.6, we can also see detailed information about our sign-in and active times. These fields appeared in the web traffic for calls to Rownd every time we launched the Stardust app and logged in via Google.
As we'll discuss later, the offshoring of user authentication to a third party is an interesting approach to de-identification where, rather than not collecting account-based user data (e.g., email for sign-up), Stardust assigns this process off to a third party.
When it came to our in-app use of inputting our cycle information, our cycle data indeed appeared to be logged in the web traffic and sent to Stardust's own API as we exhibited above in Figure 7.5. In the below example, too, we can see our temperature information we recorded for the specific start date being sent to Stardust’s API:
We noticed a few appearances of other third parties, such as US-based MixPanel, which is an analytics service for developers to measure the performance of their product and marketing, with 'all your data, in one place'. It was difficult to discern in the web traffic what data was being requested, as the data in the request and response was encoded, so we cannot conclusively say whether the data sent to MixPanel represented device-related data or other data. We also noticed one appearance of AppsFlyer in the web traffic, though it did not appear that personal data of note was being requested. Notably, AppsFlyer was one of the few third parties mentioned by name in Stardust's Privacy Policy.
Like many of the other apps, Stardust also appeared to have integrated with Firebase, which meant the collection of certain device-related data for its Crashlytics crash reporting tool (see URL on the left-hand side):
We also saw several appearances of US-based OneSignal, which is a third-party push notification integration for sending app notifications to a user. We did not enable notifications in our test, so the request from OneSignal occurred only when we first launched the app (likely as part of the app's build). However, even in this case the third party did appear to extract some device-related data:
Another third party that appeared in the web traffic was Revenue Cat, which facilitates in-app purchases. We did not subscribe to anything in Stardust, so we cannot say with certainty what would be shared with Revenue Cat beyond the standard subscription-related information (e.g., payment info) and what we see below, such as sign in times. However, we did notice that Revenue Cat operated over third party cloud server 'envoy', which is run by US-based ride-sharing company Lyft.
Note that none of these third parties (Rownd, Firebase, Mix Panel, OneSignal, Revenue Cat, envoy), nor Cloudflare, were named in the Privacy Policy. The only third parties disclosed were AppsFlyer and optional integrations like Google Fit, Apple Health and Oura Ring. There was general mention of tracking technologies like 'cookies, pixels and SDKs' being used to collect interaction information about users, but no specifics were provided. For an app that claims to engineer privacy into its implementation, it appears that its Privacy Policy perhaps falls short of comprehensive, transparent disclosures.
Read more
If you want to make sure we can keep doing work like this you can donate now to make sure PI can keep holding governments and companies to account.