How to keep menstrual cycle-tracking data private on iPhone

Is your cycle-tracking data secure?
Photo: Graham Bower/Cult of Mac

The iPhone Health app’s Cycle Tracking feature provides a simple solution for logging menstrual cycles. If you menstruate, it’s an effective way to monitor your overall health and estimate when you’re most likely to get pregnant.

Given the personal nature of Cycle Tracking data, you need to be sure that it’s stored securely, away from prying eyes. The good news is, Apple’s security for health and fitness data is very robust. There are just a few things you need to know to ensure your data is safe.

iPhone passcode is the key to menstrual Cycle Tracking data

Your Cycle Tracking data is stored in HealthKit, Apple’s central repository for all health and fitness data located on your iPhone. The HealthKit database is encrypted, which means it’s unreadable unless you have the correct key to decrypt it. This key is your iPhone’s passcode — the six-digit number you entered when you first set up your phone.

That’s why it’s essential to protect your iPhone with a passcode. If you don’t currently use a passcode, you should enable it right now. In the Settings app, go to Face ID & Passcode (or Touch ID & Passcode) and tap Turn Passcode On.

It’s very important to choose a secure passcode that no one can guess. 123456 won’t cut it. Nor will your birthdate. Pick a number that is completely unguessable. It may be a hassle to remember it at first, but it’s worth making the effort. If you have a guessable passcode, change it now. This is literally the key to your personal security.

A key is no use if you forget to lock the door

When your iPhone is unlocked, the HealthKit database is decrypted, so that you can access the data in it using Apple’s Health and Fitness apps, plus any third-party apps you’ve granted access, including cycle-tracking apps such as Flo and Clue. (See more on third-party apps below.)

When your iPhone is locked, the HealthKit database is encrypted after a 10-minute delay. You can lock your phone manually by pushing the Side Button. If Auto-Lock is enabled, it will lock automatically if you leave your phone unattended for a designated length of time. By default this is 30 seconds. To make sure you have this enabled, go to Settings > Display & Brightness and make sure Auto-Lock is set to 30 Seconds.

Face ID and Touch ID also unlock your HealthKit data

In addition to your passcode, your iPhone can also be unlocked by Apple’s biometric authentication systems: Face ID or Touch ID. Unlocking your phone in this way also decrypts your HealthKit data.

Face ID and Touch ID are both secure and convenient. There’s even an additional security benefit: No one can look over your shoulder and watch as you enter your passcode.

But there is a potential issue as well. Law enforcement agencies can’t force you to enter your passcode. In America, doing so is considered “testimonial information,” which is protected under the Fifth Amendment. However, there have been cases where law enforcement agencies have forced iPhone owners to unlock with Face ID or Touch ID.

Apple provides a convenient solution to protect yourself in the event you believe someone is going to force you to unlock your iPhone with Face ID or Touch ID. Just press and hold the Side Button and Volume Button for three seconds until you feel a haptic vibration. You can do this without looking at your phone or even taking it out of your pocket.

The screen will display the option to Power Off, but you don’t need to do this. Face ID and Touch ID have been disabled and your passcode will now be required to unlock your phone.

It’s a good idea to practice this now, so you know how to do it.

Press the Side Button and Volume Button for three seconds to disable Face ID.
Photo: Graham Bower/Cult of Mac

Make sure your HealthKit iCloud Backup is also encrypted

If you use iCloud Backup (which you should), your HealthKit database isn’t just stored on your iPhone. It’s also backed up onto Apple’s servers.

There are two problems with having your Cycle Tracking data stored on someone else’s servers:

  • You’re dependent on their security (and there have been many cases of high-profile data breaches).
  • They might be compelled to release your data to law enforcement agencies.

Fortunately, Apple solves this problem with end-to-end encryption. This means that your HealthKit data is encrypted on Apple’s servers, so even Apple can’t access it. Even if it leaked, it would be unreadable.

To ensure that your data is protected in this way, you must be using iOS 12 or later and have two-factor authentication enabled. To ensure you are using two-factor authentication, go to Settings > [Your Name] > Password & Security and make sure Two-Factor Authentication is set to On.

Are third-party cycle-tracking apps safe?

Unlike Apple, most third-party cycle-tracking apps store your data on their servers, which means they could be compelled to supply it to law enforcement agencies with a warrant.

In light of the Supreme Court’s recent ruling overturning Roe v. Wade, Flo, one of the most popular third-party cycle-tracking apps, has announced plans for an “Anonymous Mode.” Meanwhile, Clue, another leading app, put out a statement saying it is a European company bound by the EU’s strict data-protection rules.

Ultimately, only you can decide how confident you feel about using apps like these. But be aware that giving third-party apps access to your HealthKit data means that it can be copied and stored outside of Apple’s strict security arrangements.

If you want to make sure no third-party apps can access your Cycle Tracking data, go to Settings > Privacy > Health. Carefully go through the list of apps and turn the switches off for Menstruation and any related data types (e.g., Ovulation Test Result, Pregnancy, Pregnancy Test Result and Spotting).

Apple’s Health app is the safest way to track your menstrual cycle

If you want to track your menstrual cycle, while being confident that your privacy is secured, Apple’s Health app looks like the best solution. Its tight integration with Apple’s hardware and cloud services provides end-to-end encryption. With its companion Cycle Tracking app on Apple Watch, which uses Heart Rate data for more accurate prediction, it’s a fully featured solution. And better still, it’s free.

If you follow the advice above to keep your HealthKit database secure, your Cycle Tracking data should be safe from prying eyes.
