Privacy-First Period Tracker Post-Roe

Before 2022, most US users did not read cycle-tracker privacy policies. After the Dobbs decision, many did, often for the first time. The question was not abstract anymore: what is this app actually storing, and what could happen to that data?

This is a product guide, not legal advice. It lists what to look for when you audit any period tracker. It does not describe what is or is not protected from any specific legal process. If you have legal concerns, talk to an attorney licensed where you live.

With that framing in place, here is what to check.

What changed in framing, not in math

The cryptographic and software practices below have existed for years. What changed after Dobbs is the visibility. Practices that used to be back-of-the-spec details are now front-of-the-app commitments. Apps that take privacy seriously talk about them openly; apps that do not, often will not.

The seven criteria in this guide are what a privacy-forward tracker should be willing to state in plain English.

Seven criteria worth checking

A practical checklist before installing any cycle tracker. The strictest apps clear all seven.

• AES-256-GCM envelope encryption. Each user has a unique data encryption key (DEK) wrapped by a master key in a key-management service. Data on disk is ciphertext; a server breach exposes ciphertext, not readable cycle data.
• Right-to-erasure destroys the key. When you delete your account, the vendor destroys the DEK, not just the database row. With the key gone, the underlying ciphertext is permanently unreadable, including in any backup that contained it.
• 24-hour deletion window. Vendor commits in writing to completing erasure within 24 hours of request, including vector embeddings used by AI features.
• No medical claims. No family-planning forecasts, no clinical claims of any kind, no "RED day" copy. A consumer tracker that stays out of medical framing has a much narrower regulatory and disclosure surface.
• No menstrual content in push notifications. Push titles and bodies never contain cycle, period, or family-planning content. The lock-screen preview is safe.
• Jurisdiction-aware copy. US users see neutral terminology ("body day," "log this") by default; the app does not assume the user wants the word "period" displayed.
• Explicit, separately captured consent. GDPR Article 9 has been doing this for years; post-Dobbs, US users started asking for the same. Bundled or implicit consent is not enough.

Why the encryption details actually matter

A few of the criteria above sound technical. They matter because they change what is recoverable.

If a vendor stores cycle data in plaintext, every backup, every replica, and every analytics pipeline can read it. A deletion request can delete the row, but the data may live on in backups for months or years.

If the vendor uses envelope encryption with per-user keys, the data on disk is unreadable without the user's DEK. When the DEK is destroyed during deletion, the ciphertext that remains in backups is also unreadable, even if a backup is restored. The deletion is mathematically real, not just visible in the UI.

This is not "unhackable." Cryptography has limits, and any vendor that claims absolute security is either misinformed or lying. What strong encryption with proper key management does is set a clear failure mode: the data is unreadable as long as the keys are protected, and unreadable forever once the keys are destroyed.

What "no menstrual content in push" actually means

The lock-screen preview is a quiet disclosure surface. Apps that send "Your period is starting tomorrow" as a push body have revealed cycle data to anyone glancing at the phone.

A serious tracker enforces the absence of menstrual content in push notifications in CI. Soulwise's build pipeline scans push title and body strings against a forbidden-terms list; any build containing menstrual or family-planning content in a push fails before it ships. The user gets daily-ritual prompts that say things like "Soft start. What's on your plate today?" - no cycle phase, no period reference, no medical framing.

Local-only vs encrypted cloud: pick your trade-off

Two legitimate architectures, different threat models.

Local-only trackers (Drip, Euki). Data lives on your device. There is no cloud copy to subpoena, but also no sync across devices and limited AI features. Backup is your problem; so is device theft and operating-system backups (which may or may not be encrypted at the OS level).

Encrypted cloud trackers (Soulwise, Clue, others). Data syncs across devices and powers AI features. Privacy depends on the vendor's encryption and erasure practices. The threat model assumes a competent vendor and a strong key-management posture.

Neither is universally "safer." The right answer depends on what you are worried about. Local-only is the harder choice on user experience and the simpler choice on data surface area. Encrypted cloud is the inverse.

What we deliberately do not promise

This is a list of things you should be suspicious of in any marketing copy:

• "Unhackable." No system is unhackable. Anyone claiming this is selling you something.
• "Your data is safe from law enforcement." This is a legal claim, not a technical one. The technical claim is "your data is encrypted at rest and the key is destroyed on deletion." The legal consequences of any specific process are something only an attorney can address.
• "100% secure." See above. Security is a property of threat models, not an absolute.
• "Guaranteed privacy." Privacy is a practice, not a guarantee.

Soulwise's privacy commitments are concrete and falsifiable. AES-256-GCM at rest. Per-user DEK wrapped by KMS master key. 24-hour erasure including vector embeddings. No menstrual content in push. GDPR Article 9 explicit consent. The Soulwise privacy page lists each one with the underlying spec reference.

Why this matters beyond the worst case

The post-Dobbs framing pushes people to think about cycle-tracker privacy in extreme scenarios. The same criteria matter in much more common ones: a phone shared with a roommate, an abusive partner who borrows the device, a curious employer who sees a notification, a backup that ends up in a family iCloud account.

Strong default privacy is not just for the worst case. It is for every day.

The shorter version: the right tracker is the one whose privacy commitments are specific, falsifiable, and stated in plain English. Ask any app for the seven criteria above. If a vendor cannot answer crisply, that is the answer. For a side-by-side with the most popular incumbent, see the Flo alternative privacy-first guide; for the inclusive defaults that follow from the same principles, see Cycle tracker for non-binary users.