Privacy Concerns Rise as Stardust Period Tracker Shares User Data

TL;DR
- Stardust Period Tracker was found sharing users' phone numbers and device details with third-party analytics firm Mixpanel, raising serious privacy concerns.
- Unlike some competitors that offer strong privacy, Stardust's data-sharing practices contradict claims of end-to-end encryption, as identifiable information reaches external servers.
- Mozilla's broader research on period trackers highlights significant privacy disparities across the industry, with Stardust emerging as a key example of weak data security in health apps.
The Spark: Mozilla’s Research Exposes Privacy Gaps
A new examination of period tracker applications, driven by Mozilla’s research, has uncovered stark differences in how these health apps protect user data. While some apps in the category demonstrate robust privacy practices, Stardust has been flagged for sharing sensitive user information with third parties. The findings have intensified scrutiny on the period-tracking industry, particularly as users seek safe digital tools to monitor their health amid growing legal and social uncertainties.
Stardust Shares Phone Numbers with Mixpanel
The core of the controversy stems from a technical analysis conducted by TechCrunch, which revealed that the current version of Stardust transmits users’ phone numbers to a third-party analytics company called Mixpanel. This occurs specifically when users log into the app using their phone number rather than through Apple or Google login services.
Beyond phone numbers, Stardust also shares device metadata with Mixpanel, including:
- The iPhone model and software version
- The cell carrier the device is connected to
- Other device-specific identifiers
TechCrunch’s network traffic analysis did not detect direct sharing of health data (such as cycle dates) with Mixpanel, but the transmission of phone numbers is considered a critical privacy flaw. Since phone numbers can be used to identify individual users, this practice undermines claims of anonymity and end-to-end encryption.
Broken Encryption Claims and Legal Vulnerabilities
Stardust’s founder, Rachel Moranis, initially stated that the app used standard SSL encryption and AWS-based storage with AES-256 encryption. However, security experts noted that this does not constitute true end-to-end encryption (E2EE). A separate analysis revealed that Stardust generates an encryption key that links login information to period tracking data—and this key is sent back to Stardust’s servers. If stored, such a key could theoretically be subpoenaed to connect user identities with their health data.
Furthermore, Vice/Motherboard researchers identified a clause in Stardust’s privacy policy stating the company would cooperate with law enforcement “whether or not legally required.” This means Stardust could share user data without a court order, a practice that significantly increases user risk in jurisdictions where reproductive health data is under legal threat.
Industry-Wide Privacy Disparities Highlighted by Mozilla
Mozilla’s research underscores that privacy issues are not unique to Stardust but reflect a broader pattern across the period tracker ecosystem. Apps like Flo, Period Tracker, and Period Calendar also share device IDs, IP addresses, or location data with advertising and analytics networks. Even Clue, which is often praised for its privacy stance, shares anonymized data with third-party research groups.
In contrast, apps like Euki and Drip—recommended by Consumer Reports—offer significantly stronger privacy protections, including no third-party data sharing and explicit user consent mechanisms. Mozilla’s findings position Stardust as a cautionary example of how popular health apps can fail to meet basic privacy standards despite marketing themselves as secure.
Stardust’s Response and Current Privacy State
Following the TechCrunch report, Stardust claimed to have disabled Mixpanel’s data collection mechanisms in newer versions of the app and removed IP tracking. However, as of the latest privacy policy update (May 8, 2026), the app no longer uses end-to-end encryption. Instead, it stores “anonymized and encrypted” health data separately from identity data, using an external authentication partner called Rownd, a U.S.-based company.
While Stardust asserts it does not sell user data, its privacy policy still allows data sharing to “comply with or respond to law enforcement” or to protect company security. This leaves room for potential data disclosure without user notification or legal warrant.
What Users Should Know
For individuals relying on period trackers for health monitoring, the Stardust case highlights the importance of:
- Reviewing an app’s privacy policy for clauses on law enforcement cooperation
- Checking whether the app uses true end-to-end encryption
- Considering alternatives like Euki or Drip, which have been verified for stronger privacy practices
As digital health tools become more integral to personal care, the demand for transparent, secure, and user-controlled data practices must grow. Stardust’s data-sharing revelations serve as a critical reminder that not all health apps are built with privacy in mind.
Get All The Latest Updates Delivered Straight To Your Inbox For Free!