Mozilla Foundation said its technical testing of Stardust found that the period-tracking application sent detailed reproductive-health information to outside services, including RudderStack, a platform used by companies to collect, organize and route customer data. The finding places renewed scrutiny on the data architecture behind consumer health applications, particularly products that market privacy as a defining feature while relying on third-party software for analytics, authentication, advertising measurement and infrastructure.
The investigation was published July 16 as part of Mozilla’s “Nothing Personal” review of six widely used period and ovulation trackers. Researchers tested Euki, Clue, Flo, Period Calendar, Planned Parenthood’s Spot On and Stardust, examining application behavior as well as privacy policies and historical changes to those disclosures. Mozilla partnered with the Transparency Hub at Harvard University’s Berkman Klein Center, while the University of Illinois’ Siebel School of Computing and Data Science provided additional Android testing.
Stardust received a score of 2 out of 10, the lowest rating in the group. Mozilla said the application began communicating with third-party tracking services from the time it was opened, before a user had entered health information. As the tester completed onboarding and used the application, the transmitted information became more detailed, according to the review.
Mozilla said the data observed in third-party traffic included a user’s date of birth, type of birth control, reproductive goals and specific symptoms. Stardust allows users to record a broad range of information, including menstrual activity, fertility and pregnancy details, sexual activity, medications, cramps, headaches, appetite, energy levels, mood and other physical or behavioral indicators. The application also records product-use information, including whether reminders are enabled, whether Apple Health synchronization is active and whether the user pays for premium features.
The records observed by researchers were associated with a unique identifier rather than a user’s name. That separation can reduce the exposure of directly identifying information, but it does not necessarily make the underlying data anonymous. A stable identifier can allow activity to be connected across sessions and datasets, particularly when another system maintains account, device or authentication information that can be associated with the same user.
The Federal Trade Commission has repeatedly warned companies against characterizing persistent identifiers as anonymous simply because names or email addresses have been removed. The agency has said that hashed, pseudonymous or otherwise obscured identifiers may still permit a company or third party to recognize, track or target an individual over time. In the context of reproductive-health data, the distinction is material because the sensitivity of the information does not disappear when a person’s name is replaced by a code.
Mozilla identified RudderStack as one of the key services receiving Stardust data. RudderStack provides customer-data infrastructure that can ingest events generated by websites and applications, transform those events and route them to analytics, storage, marketing or operational destinations selected by a customer. The technology is commonly used to consolidate data flows that would otherwise require separate integrations between an application and each downstream service.
That architecture can simplify product development and centralize governance, but it can also make the final destination of data difficult for an outside researcher—or an ordinary user—to determine. Mozilla said RudderStack was designed to route information to destinations the researchers could not directly observe during testing. Stardust told Mozilla that the platform was routing the information only to Stardust’s analytics system, according to the review.
A Stardust spokesperson, quoted in reporting on the findings, said RudderStack was contractually prohibited from selling the data or using it for its own purposes. The statement draws a distinction between a service provider processing information on a customer’s behalf and a third party independently exploiting that information. Mozilla’s report did not present evidence that RudderStack sold Stardust users’ data or used it to build advertising profiles.
The privacy concern identified by Mozilla is broader than whether a vendor sells information. Sending sensitive data to an additional company expands the number of systems, employees, credentials, servers and contractual relationships that must be secured and governed. It can also create additional retention, deletion and legal-access considerations, even when the recipient acts solely as a processor and is subject to contractual limitations.
Stardust’s health-data privacy notice says the company stores contact information with third parties while linking health information to a random account identifier. The company states that it does not directly connect health data with a user’s contact information. Its policy acknowledges collecting reproductive and sexual-health information, fertility and pregnancy details, menstrual activity, symptoms, medication use and information obtained from connected health services.

The policy also states that vendors or agents working on Stardust’s behalf may access health data when necessary to provide services, including server hosting and customer support. Users may request access to or deletion of health information and can withdraw consent to certain processing, subject to stated exceptions. Mozilla, however, said it could not find an obvious in-app setting that completely disabled third-party analytics transmission after a user began using the service.
Operating-system privacy controls may offer incomplete protection against this type of data flow. Apple’s App Tracking Transparency framework generally focuses on tracking a user across applications or websites owned by different companies, particularly for advertising. It does not necessarily prevent an application from sending data to a contracted service provider that processes information as part of the developer’s own analytics stack. A user who declines cross-app tracking may therefore continue generating first-party analytics events that are processed by outside vendors.
Mozilla also found that Stardust’s privacy disclosures had expanded over time. Historical policy records reviewed through the Berkman Klein Center showed multiple revisions, including disclosures concerning device information and advertising-measurement technology. Mozilla said the company’s May 2026 disclosures identified Meta and Google measurement tools among partners receiving certain activity information. Policy expansion can provide greater transparency, but it may also reveal that an application’s technical and commercial data ecosystem has become more complex.
The findings are notable because Stardust has positioned privacy as a major part of its brand. The company’s website tells users that their data is private and emphasizes the separation of account information from health records. That messaging has particular resonance in the period-tracking market, where consumers may choose applications based not only on prediction accuracy and design but also on assurances that reproductive information will remain confidential.
Stardust faced similar scrutiny after the U.S. Supreme Court overturned the constitutional right to abortion in 2022. The application experienced increased attention as consumers sought privacy-oriented period trackers, and the company promoted encryption protections. Subsequent technical reporting challenged the implication that its system offered end-to-end encryption under which even Stardust could not access user information. Mozilla said the earlier episode illustrated the risk of relying on broad privacy marketing without examining the underlying implementation.
The post-Dobbs environment has intensified attention on menstrual and fertility data because digital records can potentially be sought in legal investigations or civil disputes. Stardust told TechCrunch after publication of Mozilla’s findings that it had never received a request, demand or legal process for user data from authorities or third parties. The company’s statement addressed its experience to date but did not remove the general possibility that U.S.-based service providers could receive valid legal demands in the future.
The Mozilla review did not conclude that such a demand had occurred, nor did it identify a confirmed data breach. It also did not amount to a regulatory determination that Stardust violated federal or state law. The findings instead documented the information observed leaving the application during controlled testing and assessed whether the behavior was consistent with the level of privacy protection users might reasonably expect from a reproductive-health product.
Regulatory exposure for consumer health applications has increased in recent years. Many direct-to-consumer applications are not covered by HIPAA because they are not operated by healthcare providers, insurers or their business associates. That does not leave the sector unregulated. The FTC can pursue companies for unfair or deceptive practices, including discrepancies between privacy representations and actual data handling.
The FTC’s updated Health Breach Notification Rule also clarifies its application to many health applications and connected technologies outside HIPAA. The rule treats certain unauthorized disclosures of identifiable health information as security breaches and can require notification to consumers, the commission and, in some cases, the media. Whether a particular disclosure triggers those requirements depends on factors including authorization, the company’s role, the nature of the information and the security protections applied.
State laws create another layer of obligations. Washington’s My Health My Data Act and Nevada’s consumer-health privacy law impose requirements concerning consent, collection, sharing, deletion and contractual controls. Stardust’s supplemental health-data notice specifically references those laws. Companies operating nationally must increasingly design data systems around a patchwork of state requirements rather than treating health analytics as an ordinary extension of general application telemetry.

For technology companies, the report underscores that privacy risk often resides in software supply chains rather than a single database. A modern mobile application may depend on external tools for authentication, crash reporting, attribution, analytics, customer support and cloud hosting. Each integration may be operationally legitimate, yet the combined architecture can expose sensitive information more broadly than product teams, executives or users understand.
Effective governance therefore depends on more than publishing a privacy policy or signing a data-processing agreement. Developers must control which fields enter analytics events, prevent sensitive attributes from being included unnecessarily, map every downstream destination, enforce retention limits and verify that deletion requests propagate across vendors. Technical testing is also necessary because software-development kits and event schemas can transmit more information than a product’s written policy or internal inventory indicates.
Data minimization is especially important for health applications. A company may need aggregated product metrics to diagnose failures or understand whether a feature is used, but those goals do not always require transmitting a user’s contraceptive method, fertility objective or symptom history. Separating operational telemetry from health content can reduce the consequences of a vendor compromise, configuration error, employee misuse or legal demand.
Mozilla contrasted Stardust with Euki, which received a 10 out of 10 rating. Researchers said Euki’s core functions did not transmit observed health information to third parties and that user data remained on the device. Local storage can introduce other considerations, including device loss and backup security, but it limits the creation of centralized datasets that can be breached, transferred or demanded from a company.
The comparison demonstrates that extensive server-side collection is not technically inevitable for period tracking. Applications may choose different architectures depending on their business models, synchronization requirements, social features and prediction systems. Products that rely on cloud accounts and cross-device access may collect more centralized information, while privacy-first alternatives may sacrifice certain conveniences to keep health records local.
Mozilla advised Stardust users to limit the information they enter, disable Apple Health synchronization when it is not needed, avoid optional social features and request deletion if they no longer use the service. Those measures may reduce exposure, but they place much of the privacy burden on consumers who may not understand the application’s vendor architecture or recognize which entries are included in analytics events.
The larger business risk for Stardust is the potential erosion of trust. Consumer-health applications depend on users providing accurate and detailed information over long periods. If customers withhold symptoms, fertility goals or medication details because they are uncertain where the data travels, the application’s predictions and personalized services may become less useful. Privacy design is therefore not merely a compliance function; it directly affects product quality, retention and the credibility of a health-technology brand.
Mozilla’s findings leave Stardust with a clear strategic challenge: demonstrate that its analytics architecture is narrowly configured, independently audited and aligned with its privacy messaging. That could involve publishing a detailed data-flow map, identifying every processor and destination, offering a comprehensive analytics opt-out and ensuring that sensitive health fields never enter general-purpose telemetry unless they are strictly necessary and affirmatively authorized.
The investigation also sends a broader warning to the mobile application industry. Contractual restrictions and pseudonymous identifiers can be valuable safeguards, but they cannot substitute for minimizing collection and limiting transmission. When an application handles reproductive-health information, users and regulators are likely to judge privacy promises against observable network behavior rather than branding language alone.