That tagline appears prominently on Stardust’s website. New research from Mozilla suggests some users may have good reason to question it.
Mozilla’s latest privacy investigation into period-tracking apps has found that Stardust — one of the most downloaded cycle-tracking apps in the United States — has been sharing sensitive user health data with a third-party analytics company called RudderStack. The data being transmitted included users’ birthdates, birth control types, reproductive goals, and specific health symptoms, all tied to a unique identifier designed to stand in for the user’s actual name.
The Federal Trade Commission has previously warned that this practice does not make data genuinely anonymous. Using an identifier rather than a name does not prevent that data from being linked back to a real individual — and the FTC has been explicit that this framing should not be used to suggest that user privacy is protected.
What Mozilla Found
Mozilla security researcher Shoshana Wodinsky analysed the network traffic of six period tracking apps to understand what data each one was collecting and whether any of it was being transmitted to outside parties. Of the six apps tested, Stardust was the only one found to be passing sensitive health information to another company.
The technique Wodinsky used — analysing outgoing network traffic from within the app — is a standard method for understanding what data an application is transmitting behind the scenes. Users typically have no visibility into this activity. The sharing happens in the background and does not appear within the app interface.
It is not unusual for apps to share data with third-party services for purposes such as analytics, cloud storage, and payment processing. However, the nature of the data being shared matters significantly, particularly when it relates to reproductive health. Sharing health data with external companies introduces risks including security vulnerabilities at the third party, potential data breaches, and the possibility that law enforcement could demand access to the information held on those servers.
The Third Party and Legal Exposure
A Stardust spokesperson told BBC News that RudderStack is contractually prohibited from selling the data or using it for its own purposes. That may be true as far as commercial use is concerned. It does not, however, offer protection against legal demands.
Both Stardust and RudderStack are US-based companies. As such, both can receive valid legal demands from law enforcement requesting access to users’ health information stored on their servers. Contractual terms between two companies do not override a court order.
This matters especially given the legal landscape in the United States following the 2022 Supreme Court ruling that removed the constitutional right to seek an abortion. In states where abortion is restricted or criminalised, reproductive health data — including cycle tracking, birth control use, and stated reproductive goals — could potentially be sought by prosecutors as part of criminal investigations.
A History of Privacy Questions
This is not the first time Stardust’s privacy claims have been scrutinised. In 2022, when the app surged in downloads following the abortion rights ruling, the company claimed its data was end-to-end encrypted — meaning even Stardust itself could not access what users had stored. An independent technical analysis of the app’s network traffic at the time found that claim to be false.
The same network traffic analysis technique used to examine the app in 2022 is what Mozilla’s researcher used in this latest investigation.
Stardust founder Rachel Moranis did not respond to requests for comment about the latest findings, or to questions about whether the company has ever received law enforcement demands for user data. A spokesperson acknowledged receiving the email but did not provide a statement.
The Recommended Alternative
Of the six apps tested by Mozilla in this research, one received an unambiguous recommendation: Euki, which Mozilla described as “squeaky clean.” In testing, Euki did not share any data with third parties when using its core features. More significantly, the user’s health information did not leave their device at all — meaning there is no server-side data that could be subpoenaed, breached, or sold.
What Users Should Know
The broader lesson from Mozilla’s research applies beyond Stardust. Health apps frequently collect intimate information — symptoms, reproductive cycles, medical conditions, emotional states — and the privacy policies governing that data are rarely read and often poorly understood.
For users in states with restrictive reproductive health laws, the risks of using a cloud-connected period tracker are not theoretical. The data exists on servers. Companies receive legal demands. Contracts between companies do not protect against court orders.
The safest option, based on Mozilla’s findings, is an app that keeps health data on the device and does not transmit it externally. Euki fits that description. For users currently using Stardust or similar apps, checking the privacy policy for references to third-party data sharing is a reasonable first step — and for those in legally sensitive situations, switching to a local-only app is worth considering seriously.