Blood, Bodies and Personal Data: How Period Tracking Apps approach privacy rights of menstruating individuals, from the lens of Digital Personal Data Protection Act, 2023 and Digital Personal Data Protection Rules, 2025

Digital health technologies are repositories of some of our most intimate personal data. Most menstruating individuals who use menstrual and fertility tracking apps (referred to as “period tracking apps” hereafter) regularly record the most private aspects of their life, such as cycle dates, symptoms, mood, sexual activity, and fertility patterns (referred to as “menstrual data”) on these apps while looking for predictability and awareness of their own body and its functioning. Implicit in this use is an assumption that the app will protect their sensitive personal information and that it will not be disclosed or shared with anyone, especially without their informed consent.

However, investigations and regulatory findings in various countries have revealed that period tracking apps collect sensitive personal data beyond what is necessary for service delivery, retain such data for extended periods of time and share it with third-party advertisers or analytics platforms without the knowledge of unsuspecting users.

Law to protect privacy in India
A privacy-focused law called the Digital Personal Data Protection Act, 2023 (“DPDP Act” or “Act”) was passed in 2023. The Act introduces a definitive legal framework for the protection of digital personal data, but it has been largely ineffective thus far, owing to the absence of rules which can translate the legal framework into concrete obligations with accountability.

The Indian Government has notified the Digital Personal Data Protection (DPDP) Rules, 2025 (“DPDP Rules”) under the DPDP Act on November 14, 2025. Before the enactment of the DPDP Act, the collection, storage, processing, disclosure and transfer of health-related personal information and data was regulated in a limited manner under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). However, with the introduction of the DPDP Act and DPDP Rules, the SPDI Rules are set to be replaced by May 13, 2027. The DPDP Rules are expected to give teeth to the DPDP Act since they enumerate real obligations on entities that process personal data.

This article will critically examine whether the protections put in place by the DPDP Act and DPDP Rules are sufficient to protect the personal data of menstruating individuals which is being collected and stored in period tracking apps.

Data processed by period tracking apps
Menstrual data is not just informational. Unlike most health data, which is often a record of isolated medical facts, menstrual data is inherently derivative and inferential in nature. From seemingly simple menstrual cycle logs, it is possible to predict pregnancy, miscarriage, or abortion; indicate underlying conditions such as Polycystic Ovary Syndrome (PCOS) or endometriosis; and enable profiling relating to marital status, sexual behaviour, fertility preferences, and broader reproductive choices. The misuse of such data can result in stigma, discrimination, coercion, or even physical risk. Therefore, menstrual data is not merely sensitive; it is sacrosanct and private.

Consent, purpose and necessity framework for processing personal data
Under the DPDP Act, owners and operators of period tracking apps are known as “data fiduciaries”. The DPDP Act has imposed an obligation on data fiduciaries to obtain valid consent from users who come under the definition of “data principals” before any collection, storing and processing of data principals’ personal data. The consent given by a data principal has to be free, specific, informed, unconditional and unambiguous, with a clear affirmative action. Further, any processing of such personal data must be limited, i.e., as is necessary for performing the specified purpose that was informed before or at the time of taking consent.

For period tracking apps, a bundled consent mechanism and ambiguous privacy policies will now turn out to be unlawful. Such apps must explicitly disclose (i) what menstrual data is collected with a description; (ii) the specified purpose of such collection (including whether it is shared, with whom, and for what purpose); (iii) a mechanism for withdrawal of consent, exercise of rights, including making complaints to the Data Protection Board.

As stated above, before requesting specific consent, the data fiduciary is required to describe the specified purpose for processing personal data. However, there is currently no guidance on the standards a data fiduciary should follow while describing a specified purpose, which raises the following question: Should the specified purpose be left to be determined by data fiduciaries who are running businesses and would be inclined to expand the specified purpose as much as possible? If a data fiduciary that runs a period tracking app decides to include “use of menstrual data for recommendation of health services and health service providers” as another specified purpose in addition to access to the period tracking service, and starts sharing the personal data of menstruating users with doctors and hospitals in the form of leads, this will not be unlawful if the unsuspecting user has granted their consent to such “specified use”.

Therefore, in the context of period tracking applications, the ability of a data fiduciary to define a specified purpose in broad or unrelated terms and seek specific consent from unsuspecting users creates a systemic vulnerability for menstruating individuals who use period tracking apps. A period tracking app may lawfully define its specified purpose to include targeted advertising, behavioural analytics, or commercial use of such data, provided such purposes are disclosed and consented to. The Act does not impose an independent test of necessity, proportionality, or contextual legitimacy of the specified purpose, nor does it prohibit certain uses of menstrual data outright. In this way, the current privacy framework under the DPDP Act and DPDP Rules risks reducing consent to a mere formality, insufficient to protect menstruating individuals from exploitative or intrusive uses of their most intimate menstrual data.

Derivative and Anonymised Data: Limits of the Right to Erasure
Pursuant to the DPDP Act, users have an explicit right to access their stored (menstrual) data, to correct inaccuracies, and to seek erasure once the specified purpose they consented to has been served or when they withdraw consent. Hence, among the rights conferred on data principals under the DPDP Act, the right to erasure is particularly significant in the context of period tracking apps. Historically, such apps have relied on indefinite and discretionary retention of menstrual data and have thrived on years of cycle history that make their predictions more “accurate” by training their models, as well as on the economic value of such data when sold to third parties. The DPDP Act now makes it unlawful to do so.

However, a challenge remains in the context of derivative and AI-generated data because the DPDP Act does not distinguish between original personal data and inferences drawn from it, i.e., derivative personal data. In other words, derivative menstrual data remains “personal data” so long as it relates to an identifiable individual. Therefore, when it comes to erasure of such personal derivative menstrual data, the right of erasure turns out to be ineffective as once an individual’s menstrual data has been incorporated into a trained (AI) model, the underlying data cannot be extracted, separated and deleted in any meaningful sense. Even after a user requests deletion of their personal data, the model may continue to draw on patterns derived from that data to infer or predict similar outcomes.

Another risk is that of anonymisation, which is often presented as a solution to privacy concerns. Yet menstrual data, even when stripped of personal information, can be re-identified when combined with other datasets. It can also enable group-level profiling (e.g., fertility trends in a region, age group, or socio-economic class). Further, the DPDP Act does not specify standards for what level of anonymisation is sufficient, or who bears the burden of proving irreversibility.
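The re-identification risk described above can be measured rather than asserted. The following Python script is an added example, not part of the original article or of any real app's code: it takes a constructed export of period logs from which direct identifiers (name, e-mail, device ID) have already been removed, and checks how many records are still unique on the indirect attributes that an outside dataset could also carry (age, postal code, cycle length). The k-anonymity figure it reports is the smallest group of records sharing those attributes; a value of 1 means at least one person is singled out and the sensitive field attached to that record (here a constructed "flags" column such as a PCOS or pregnancy marker) is effectively exposed. The script then coarsens the attributes and re-measures, which is the kind of check a data fiduciary would need to document when claiming that data has been anonymised. All field names, PIN codes and values are invented.

```python
"""
Added example (not from the original article): auditing an "anonymised"
period-log export for k-anonymity over quasi-identifiers. All records,
field names and thresholds below are constructed for illustration.
"""
from collections import Counter

# Constructed sample export. Direct identifiers are already stripped, but
# age, PIN code and cycle length are quasi-identifiers: attributes that
# another dataset (pharmacy loyalty card, clinic register, ad profile)
# could plausibly also contain and be joined on.
ANONYMISED_EXPORT = [
    {"age": 29, "pin": "110016", "cycle_len": 28, "flags": "none"},
    {"age": 29, "pin": "110016", "cycle_len": 28, "flags": "none"},
    {"age": 31, "pin": "110017", "cycle_len": 35, "flags": "pcos"},
    {"age": 17, "pin": "110016", "cycle_len": 30, "flags": "none"},
    {"age": 34, "pin": "110021", "cycle_len": 33, "flags": "pregnancy"},
    {"age": 29, "pin": "110016", "cycle_len": 28, "flags": "none"},
    {"age": 16, "pin": "110019", "cycle_len": 27, "flags": "none"},
]

QUASI_IDENTIFIERS = ("age", "pin", "cycle_len")
SENSITIVE_FIELD = "flags"  # hypothetical inferred health marker


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Group records by their quasi-identifier tuple and count each group."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Smallest group size: every record is indistinguishable from at least k-1 others."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singletons(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Quasi-identifier tuples that match exactly one record (fully re-identifiable)."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(key for key, n in classes.items() if n == 1)


def exposed_sensitive(records, k_min=2, quasi_identifiers=QUASI_IDENTIFIERS):
    """Sensitive values attached to records in groups smaller than k_min."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(
        (tuple(r[q] for q in quasi_identifiers), r[SENSITIVE_FIELD])
        for r in records
        if classes[tuple(r[q] for q in quasi_identifiers)] < k_min
    )


def generalise(record):
    """Coarsen quasi-identifiers: age to a 10-year band, PIN to its first
    three digits (district level), cycle length to a three-way bucket."""
    age_band = f"{(record['age'] // 10) * 10}s"
    pin_prefix = record["pin"][:3]
    cycle = record["cycle_len"]
    if cycle < 26:
        bucket = "short"
    elif cycle <= 35:
        bucket = "typical"
    else:
        bucket = "long"
    return {**record, "age": age_band, "pin": pin_prefix, "cycle_len": bucket}


def audit(records, k_min=2):
    """Return a summary dict for the raw export and for its generalised form."""
    coarse = [generalise(r) for r in records]
    return {
        "raw_k": k_anonymity(records),
        "raw_singletons": len(singletons(records)),
        "raw_exposed": exposed_sensitive(records, k_min),
        "generalised_k": k_anonymity(coarse),
        "generalised_singletons": len(singletons(coarse)),
    }


if __name__ == "__main__":
    for key, value in audit(ANONYMISED_EXPORT).items():
        print(f"{key}: {value}")
```

In the constructed export the raw data is only 1-anonymous: four of seven records are unique on age, PIN and cycle length, and two of those carry a PCOS or pregnancy marker that a join with any dataset holding the same three attributes would reveal. Coarsening the attributes raises k to 2 with no singletons left, at the cost of precision. The point for the erasure and anonymisation discussion is that "stripped of personal information" is not a binary property: a fiduciary asserting irreversibility should be able to show a measurement of this kind, and the DPDP framework currently does not require one.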

This gap becomes particularly consequential when such menstrual (derivative or anonymised) data is retained indefinitely, perhaps even monetised, or used to train predictive or AI-driven systems.

Minors, Consent, and Menstrual Privacy
It is worth noting that a substantial number of period tracking app users are teenagers. The DPDP Act introduces strict “verifiable parental consent” for those under the age of 18. Verifiable consent entails that the identity and age of the parent providing consent are checked using reliable or government-backed identity verification methods. While intended as a protective measure, this requirement may unintentionally undermine the privacy of minors.

In many social contexts, young users may not feel safe or comfortable discussing menstrual health or sexual activity with their parents. Mandatory parental consent could therefore discourage minors from using digital tools that help them manage their reproductive health, effectively denying them confidential access to essential health information.

Conclusion
It is undeniable that the DPDP Act and DPDP Rules provide a legal framework for protecting the privacy of users of period tracking apps in India. However, when applied to menstrual data, certain limitations become evident where clearer guidance and interpretation are needed.

The current framework does not fully account for the unique sensitivity of menstrual information, the realities of AI-driven processing, the risks of derivative and anonymised data, and the potential inadvertent exclusion of minors from period tracking apps. Without clearer restrictions on permissible uses and stronger safeguards, the law risks treating deeply intimate bodily data as ordinary consumer information.

To fill the gap, one potential solution could be that the scheme of the DPDP Act itself be tweaked to treat menstrual and other sensitive health data as a special category or sensitive form of data requiring higher standards of protection, much like the outgoing SPDI Rules, which categorically labelled health data as sensitive data, and the EU General Data Protection Regulation (GDPR), which treats menstrual data as “Special Category Data”.

Adopting a comparable approach under the DPDP Act and DPDP Rules would ensure that menstrual data receives the heightened protection it deserves. Without such reforms, the privacy of millions of menstruating individuals using period tracking apps will remain unsecured and exposed to potential misuse.