Intimate data, including when people have had sex, is being shared with Facebook, a study from Privacy International has suggested.
PI studied a range of period-tracking apps to see exactly what information was shared with the social network.
It included details such as what contraception was used when periods were due and the type of symptoms experienced.
Since the investigation, one app said it was changing its privacy policies.
Menstruation apps collect some of the most intimate data imaginable – from general health to information about sex, moods, what the user eats, drinks and even what sanitary products she uses.
In exchange for this, the app will offer the user the dates of the month she is most fertile or when to expect her next period.
Sharing to Facebook happens via the social network’s software development kit (SDK), tools that can be used by apps to help them make money by reaching advertisers who, in turn, provide users with personalized ads.
PI found the most popular apps in this category – Period Tracker, Period Track Flo, and Clue Period Tracker did not share data with Facebook.
But others – such as Maya by Plackal Tech (which has 5 million downloads on Google Play), MIA by Mobapp Development Limited (1 million downloads) and My Period Tracker by Linchpin Health (more than 1 million downloads) – did.
PI said: “The wide reach of the apps that our research has looked at might mean that intimate details of the private lives of millions of users across the world are shared with Facebook and other third parties without those users’ free unambiguous and informed or explicit consent, in the case of sensitive personal data, such as data relating to a user’s health or sex life.”
On being shown the study, Maya told PI that it had “removed both the Facebook core SDK and Analytics SDK from Maya” with the changes coming into effect almost immediately.
In a statement to the BBC, it added: “All data accessed by Maya are essential to the proper functioning of the product. Predicting information pertaining to menstrual cycles is complex and dependent on thousands of variables.
Linchpin Health did not respond to PI and MIA said it did not wish its response to be published.
Facebook told the BBC: “Our terms of service prohibit developers from sending us sensitive health information and we enforce against them when we learn they are.
“In addition, ad targeting based on people’s interests does not leverage information gleaned from people’s activity across other apps or websites.”
The BBC has contacted both companies but at the time of publishing had not received responses.
PI believes its findings raise serious concerns as to how such apps are compliant with the EU’s General Data Protection Regulation.
“The responsibility should be on the companies to comply with their legal obligations and live up to the trust that users have placed in them when deciding to use their service,” PI concluded.
Facebook has announced it will launch a tool for users to stop apps and businesses sharing their data with the social network.