The August 2025 Frasco v. Flo verdict found Flo and Meta liable for secretly routing reproductive health data to third-party advertisers via an embedded tracking SDK.
Key Takeaways
Flo embedded an undisclosed tool that forwarded menstrual cycle, ovulation, and pregnancy data to Meta, Google, and Flurry from 2016 to 2019.
The jury found Meta liable for collecting and monetizing the data; Google and Flurry settled out of court, keeping their involvement less public.
Flo rewrote its privacy policy 13 times in three years, yet none of the revisions created meaningful consent for third-party data sales.
Non-HIPAA wellness apps sit in a regulatory gray zone where product teams define their own consent patterns with no clinical oversight requirement.
The data pipeline was a deliberate business and design decision, not a breach; roughly 350 Flo employees were in the chain that approved it.
Hacker News Comment Review
Core architectural critique: if period tracking needs no server-side logic, shipping it as a local-only app eliminates the data exfiltration surface entirely, making SDK leakage structurally impossible.
Multiple commenters pointed to maintained FOSS alternatives as the practical answer, with at least three projects already covering iOS and Android.
Consensus on regulatory framing: relying on individual app teams to exercise restraint over sensitive reproductive data has failed; sector-specific privacy rules hardcoded in law are the only durable fix.
Notable Comments
@culi: Lists three maintained FOSS trackers with source repos and platforms: drip (React Native, iOS + Android, active since 2019), Mensinator (Kotlin, Android, updated two weeks ago), and Menstrudel.