The popular fertility tracking app Flo has just settled with the Federal Trade Commission (FTC) after allegations that the app, formally known as Flo Health, Inc, violated its privacy policy with its users and overall violated provisions of the FTC.

The app has become wildly popular with millions of female users both in the states and across Europe. It is one of the top downloaded fitness apps in both the Google Play Store and Apple’s App Store. Some highlighted features of the app include tracking a user's menstruation days as well as a user’s ovulation period in an effort to help the user get pregnant (if that's their goal). Aside from fertility, the app allows users to monitor and keep track of their overall reproductive health.

As part of the app's functionality, users provide information about their health status. Often, this information can be sensitive in the manner that it relates to a user's reproductive health and sexual activity. As part of the policy agreement provided by the app, Flo promises that it will not share sensitive information with third-parties. However, a recent investigation by the FTC uncovers that the app did the exact opposite. The investigation was prompted by a probe from The Washington Post.

According to the complaint, the FTC alleges that starting in 2016, Flo “handed users’ health information out to numerous third parties, including Google, LLC (“Google”); Google’s separate marketing service, Fabric (“Fabric”); Facebook, Inc., through its Facebook Analytics tool (“Facebook”); marketing firm AppsFlyer, Inc. (“AppsFlyer”); and analytics firm Flurry, Inc. (“Flurry”).”

Furthermore, the complaint explains that after Flo handed over this information, third parties used the information however they pleased, including for advertisement. Some of the sensitive information handed over included dates of menstruation and childbirth. Users of the app felt victimized and incredibly upset once they found out about the app’s mishandling of private data.

Flo’s privacy policy explains that the app “may share certain” personal data with third parties, but only to enhance the operation and servicing of the app so that it can better deliver information for users. The app's privacy policy broadly stipulates that it won’t share “information about your health,” but then it goes on to specifically describe that it will “exclude information regarding your marked cycles, pregnancy, symptoms, notes and other information that is entered by you and that you do not elect to share.” The app also explains that information that is shared will be done so “for any other purpose except to provide services in connection with the App.”

The complaint throws in another layer alleging that the app also violated the terms of service or use of some of the third parties it gave information to. For example, Facebook’s terms of service state: “You will not share Customer Data with us that you know or reasonably should know ... includes health, financial information, or other categories of sensitive information (including any information defined as sensitive under applicable law).”

As part of the settlement with the FTC, Flo Health, Inc will not be responsible to pay back any monetary damages. However, some of the terms in the settlement will ultimately cause some financial setbacks for the company.

Additionally, the app will have to notify users who were impacted by the app’s actions. Flo Health, Inc will also need to notify third parties who are in possession of the sensitive data and will need to instruct these third parties to destroy the data.

Flo Health, Inc has also been instructed to change its operating procedures so that users are notified of what type of information will be shared with third parties in the future.