The Privacy Policy Lie: How Stardust Turned Intimate Health Data Into a Corporate Asset

AI-generated image · Bay Street Wire
Opinion: The discovery that Stardust shared sensitive reproductive data with a third-party analytics firm proves that 'privacy' in the health app industry is often a marketing slogan, not a security reality.
In the world of cybersecurity, we have a saying: trust, but verify. When it comes to the 'health' app industry, I argue that we should stop trusting entirely. For too long, these companies have treated our most intimate biometric and reproductive data as monetization assets, hiding behind vague privacy policies that serve as legal shields for systemic data harvesting rather than actual protections for the user.
Take the case of Stardust, a period-tracking app. On its own website, the company makes a bold, definitive promise: “Your data is private. Period.” To a casual user, this sounds like a guarantee of sanctuary. But as research from Mozilla recently revealed, that claim is a stretch. According to Mozilla's findings, Stardust was sharing sensitive health information with RudderStack, a third-party analytics company.
Let's be clear about what 'sensitive health information' actually means in this context. We aren't talking about anonymous metadata or generic usage statistics. Mozilla's research found that the data shared included a user's birthdate, their specific reproductive goals, the type of birth control they use, and the specific symptoms they were experiencing.
Stardust attempted to sanitize this by tying the records to a unique identifier instead of a person's name. From a defender's mindset, this is a transparent and failed attempt at anonymization. As TechCrunch reports, the FTC has long warned that using a unique identifier does not make data anonymous, nor does it prevent that data from being linked back to a specific individual. In the hands of a determined actor, a 'unique identifier' is just a puzzle piece waiting to be matched.
This is not an isolated lapse in judgment; it is a pattern of deception. TechCrunch previously reported in 2022 that Stardust claimed to be end-to-end encrypted, which would theoretically mean that not even the company itself could access user data. However, by analyzing the app's network traffic, TechCrunch discovered that this claim was false.
When Mozilla security researcher Shoshana Wodinsky applied similar network traffic analysis to six different period trackers, Stardust was the only app of the group found to be sharing sensitive health data with another company. This suggests that the vulnerability isn't an industry-wide technical limitation, but a specific corporate choice made by Stardust. While Mozilla recommended the app Euki as 'squeaky clean' because health data does not leave the device and core features do not share data with third parties, Stardust chose a different path: one of exposure.
The company's defense is as predictable as it is hollow. A Stardust spokesperson told BBC News that RudderStack is “contractually prohibited from selling or using it for its own purposes.” As a cybersecurity analyst, I find the reliance on 'contracts' laughable. A contract is a piece of paper; it is not a firewall. It does not prevent a security lapse, it does not stop a data breach, and it certainly does not stop the government.
Because both Stardust and RudderStack are U.S.-based companies, they remain subject to law enforcement demands. If the data is stored on their servers, it can be subpoenaed. This is a critical risk for users of reproductive health apps, especially considering the surge in Stardust downloads that TechCrunch noted followed the overturning of the constitutional right to seek an abortion in the United States. For these users, a data leak or a law enforcement request isn't just a privacy violation—it's a potential legal liability.
Most of this data harvesting happens as background activity, invisible to the user. We are told that sharing data with third parties for analytics, storage, or payments is 'common.' But when that data involves the inner workings of a person's reproductive system, 'common' is not good enough.
Stardust founder Rachel Moranis has remained silent on these revelations, failing to respond to TechCrunch's requests for comment or questions regarding whether the company has already received law enforcement demands for user data. This silence is the final piece of the puzzle. When a company promises absolute privacy but is caught exporting sensitive data to an analytics firm, the 'privacy policy' is no longer a promise—it's a liability shield.
We must stop pretending that these apps are designed for our health. They are designed for data. Until health apps adopt the 'squeaky clean' model of local storage—where data never leaves the device—we are not users; we are the product being harvested.

