Our Privacy Journey: Transparency Through Action

Privacy excellence is the result of continuous learning, improvement, and commitment. This timeline shows Flo's privacy evolution: the foundations we built, the feedback we received, how we responded, and the industry-leading standards we've achieved. While this reflects our journey so far, we’re excited about what’s next as we continue to raise the bar and shape stronger privacy practices across the industry.

Our Commitment to You

At Flo, when it comes to your data, we believe you deserve three things:

Transparency

You should know exactly what data we collect, how we use it, and how we protect it. No vague promises, no fine print tricks.

Control

You have control over your data, including the ability to access, update, delete, or export it – and choose to use Anonymous Mode if you would like to keep your identity separate from your health data entirely.

Continuous improvement

We’re always improving our privacy practices, learning from feedback, embracing technologies that strengthen protection, and staying ahead of emerging threats.

This timeline demonstrates how we live those commitments.

Timeline: From Industry Standard to Excellence

Early Years (2017-2019): Building the Foundation

June 2016 - First Privacy Policy

Flo launched with our first privacy policy, documenting our data practices.

What we got right – Clear documentation of:

  • Data collection 
  • Use of the data collected 
  • Categories of third parties that data is shared with
  • Security of our systems

What we learned – Privacy policies are necessary, but are not enough on their own. Users deserve detailed, plain-language explanations of how their data is managed and easy-to-use privacy controls.

May 25, 2018 - GDPR Compliance

When the European Union's General Data Protection Regulation (GDPR) took effect, Flo was ready with:

  • An updated privacy policy
  • Mechanisms for honoring user consent 
  • Procedures for fulfilling data subject rights requests
  • Robust data processing agreements with vendors
  • Appointment of a DPO (Data Protection Officer)

Impact:
GDPR encouraged the entire tech industry to take privacy seriously. For Flo, it established the foundation for the privacy-by-design principles that guide our development today.

2018-2019 - Growth & Scaling

Flo has grown quickly, with millions of users worldwide and in various languages.

Challenges:
Scaling global privacy practices alongside rapid user growth required significant investment in:

  • Privacy engineering resources
  • Data infrastructure
  • Compliance processes & resources
  • User support systems

Impact: 

As we grew, we strengthened our privacy and security infrastructure to match. We also ensured that privacy information is available in the same language our users use in the app – a commitment we’ve consistently upheld. Our Privacy Policy is now offered in 22 languages.

Learning & Improving (2019-2021): Responding to Feedback

In early 2019, Flo received feedback from users and privacy advocates about our use of Facebook Analytics SDK for app performance monitoring.

What happened:
Flo used Facebook's Analytics SDK to understand our app’s performance and fix crashes. It was not used for advertising or commercial purposes, and we have never – and will never – sell user data. 

While this was disclosed in our privacy policy, we heard concerns from users who felt uncomfortable with any Facebook connection, even for technical analysis. 

We immediately:

  1. Removed the Facebook Analytics SDK from the Flo app (within days)
  2. Enhanced our privacy disclosures to be even clearer
  3. Listened to our community and made changes based on their feedback

What we learned:
Even when practices are disclosed and legally compliant, if users are uncomfortable, we need to listen. Trust is earned through action, not claimed through merely legal disclosures. In women’s health, trust is everything.

More details about our 2019 response 

2019-2020 - Privacy Framework Overhaul

Following feedback from the Facebook SDK experience, we didn't just fix that one issue – we overhauled our entire privacy approach.

We conducted a comprehensive audit of all third-party services and created more granular user settings to give you more control. 

Innovation Era (2022-2026): Setting a New Standard

2022 - ISO 27001 Certification

Flo achieved ISO 27001 certification, becoming the first period tracking app to earn the global gold standard for information security management. Independent auditors verified that Flo's security practices meet international standards across numerous domains, including encryption, incident response, and employee training.

The project took 9 months, and Flo passed with a score of 100%.

Read the full announcement 

2022 - FTC Settlement & Independent Audit

In 2022, Flo and the FTC agreed to a settlement that applied to a time period from 2016 to 2019. The FTC questioned the sufficiency of Flo's Privacy Policy disclosures regarding data shared with third parties (including the Facebook Analytics SDK and other analytics providers). It did not allege that Flo sold user data or experienced a data breach.

Like many companies, Flo shared limited non-sensitive data with selected third-party companies to internally measure our app’s performance. None of this data contained our members’ names, addresses, or birth dates. Nor did we share health information for marketing or advertising purposes. 

We would like to make clear that this settlement was in no way an admission of wrongdoing. The FTC did not launch a complaint against Flo, nor did it make any findings regarding Flo’s sharing of information. As a growing company at the time, Flo settled to avoid the time and cost associated with litigation. As part of the settlement, it was mutually agreed that Flo would engage Guidepost Solutions for an independent audit of our privacy practices. The audit verified our data protection measures and confirmed our commitment to transparency. 

Guidepost audited our practices in the following areas:

  • Data collection and processing 
  • Privacy policy accuracy and completeness
  • User consent mechanisms
  • Data sharing with third parties
  • Privacy controls and safeguards
  • Compliance with FTC settlement terms

The audit verified our data protection measures, confirming that we have implemented robust privacy controls and demonstrating our commitment to transparency. It found that Flo complies with the requirements of the FTC settlement agreement, with no gaps or weaknesses identified. The auditors noted that “data privacy and security are heavily emphasized at Flo as being at the core of their operations.”

What we learned:
External accountability strengthens privacy programs and reinforces trust that we do what we say we do. The Guidepost audit and FTC oversight ensure that Flo maintains the highest privacy standards, not just today but for decades to come.

2022 - Anonymous Mode Launch

Following the U.S. Supreme Court's decision overturning Roe v. Wade, Flo launched Anonymous Mode. We recognized that reproductive health data privacy had become a matter of safety, and Anonymous Mode allows women to track their reproductive health without their identity linked to it. 

Anonymous Mode uses:

  • Oblivious HTTP (OHTTP) - A protocol that prevents Flo from seeing users' IP addresses
  • Post-quantum cryptography - Future-proof encryption that remains secure even against quantum computers
  • Architectural separation - Identity and health data never exist together

We open-sourced Anonymous Mode on GitHub, making it available for any femtech company to implement. When it comes to privacy, we don’t gatekeep – privacy should be a universal right.

PICCASO Awards Innovative Project of the Year 2024 | TIME’s Best Inventions 2023 | Fast Company World Changing Ideas 2023 | IAPP Privacy Innovation Award 2022

Learn more about Anonymous Mode 

2023 - Privacy & Security Advisory Board Launch

Flo established an independent Privacy & Security Advisory Board made up of external experts representing diverse perspectives on privacy, security, women's health, and technology. Because our privacy decisions affect millions of people, we believe they should be guided by independent expert insight—not solely internal perspectives. So we created an advisory board to ensure Flo's privacy practices are scrutinized by recognized leaders outside our organization. This approach helps us raise the standard for privacy across the women’s health industry.

Meet the full Advisory Board 

The Advisory Board provides strategic guidance on emerging privacy challenges, reviews major privacy decisions, and ensures Flo's practices align with user expectations and rights, helping Flo maintain best-in-class privacy and security.

2024 - ISO 27701 Privacy Certification

Flo achieved its second certification, ISO 27701, becoming the first and only period and ovulation tracking app to earn this privacy information management standard. ISO 27701 extends ISO 27001 with requirements specific to privacy. It verifies that Flo's privacy practices meet international standards and demonstrates GDPR compliance through third-party certification.

This privacy certification is rare not only in femtech but across the broader health technology sector. Achieving this, alongside our ISO 27001 security certification, sets a new standard for women’s health technology.

"As the most downloaded female health app worldwide, it is our responsibility to ensure the utmost privacy of the Flo app. Achieving the ISO 27701 Privacy Certification is an acknowledgement that privacy is indeed embedded within Flo's organisation and is a testament to Flo's commitment to safeguarding user data in accordance with the most stringent global privacy standards." – Sue Khan, VP of Privacy and Data Protection Officer 

Read about our certifications

2024 - Launching our In-App Privacy & Security Page

In the summer of 2024, we recognised that understanding how data is handled shouldn’t require reading lengthy policies. While our Privacy & Security Portal was already available on our website, we took it a step further—bringing this information directly into the app.

We launched our in-app Privacy & Security page: an easily accessible hub designed to deliver clear, concise insights into how Flo manages data, supported by short educational videos and FAQs.

2024 - Celebrating Excellence: PICCASO Awards Winners & Finalists

In 2024, we saw outstanding nominations and award winners at the PICCASO Awards Europe, a prestigious organisation celebrating individuals and organizations driving excellence in privacy, security, and data ethics. 

Sue Khan Wins Outstanding DPO Award 

Sue Khan, Flo's VP of Privacy and Data Protection Officer, received the PICCASO DPO of the Year in 2024, recognizing her leadership in advancing privacy practices in femtech.

Read more about Sue 

Dzmitry Machalau finalist for Privacy & Security Champion of the Year

Dzmitry Machalau, our Senior Engineering Manager, was shortlisted as a finalist for the PICCASO Awards Champion of the Year. This nomination reflects his commitment to making security seamless within our app, ensuring it remains the easiest choice for our users at every step.

Anonymous Mode finalist for Most Innovative Data Privacy Project 

Our Anonymous Mode feature was shortlisted as a finalist for the PICCASO Awards Most Innovative Data Privacy Project of the Year, highlighting Flo’s commitment to enabling users to access medically credible information without anxiety or concern. This project reflects our drive to innovate and set new industry standards.

2025 - Recognising Continued Excellence: PICCASO Awards Winners & Finalists

2025 was another standout year as we continued to build on our success. Consistent progress defines us, and we were proud to see PICCASO once again recognise our ongoing impact.

Flo wins ISO Team of the Year 

Flo’s Privacy & Security teams won ISO Team of the Year at the PICCASO Awards. This honor recognizes our continued work to build, maintain, and advance the highest standards of privacy and security. It reflects our commitment not just to meeting compliance requirements, but to exceeding industry expectations.

Read more

Finalist for Inspiring Communications 

Flo was named a finalist in the PICCASO Awards Inspiring Communication category—recognising our leadership in making privacy and security accessible to all. From clear internal communications to thoughtful leadership and impactful content, this nomination reflects our commitment to ensuring everyone can understand and act on the information they need.

2026 - Elevating our Privacy, Security & Trust Hub

In 2026, we made clear, informative, and transparent communication a top priority. Our goal was simple: to ensure users have the knowledge they need to understand how their data is used—not just within Flo, but across the wider digital landscape.

We enhanced our Privacy, Security & Trust Hub to deliver clear answers to key questions, relevant industry insights, and content designed to be accessible to all—empowering users to make informed decisions about their data.

What's Next?

We are committed to continuous innovation and to holding ourselves to the highest standards, demonstrated by maintaining our ISO audits year after year. We consistently invest in privacy features that not only meet but exceed market standards. 

What Was the Flo FTC Settlement About?

In 2021, Flo settled with the FTC regarding historical (2016-2019) privacy disclosures about alleged data shared with third parties. The settlement did not involve the sale of user data or any data breach. Flo shared only non-sensitive data (no names, addresses, birth dates, or health data for advertising). The settlement was not an admission of wrongdoing; Flo agreed to an independent audit, which confirmed its data protection practices.

Learn more 

See the Results of Our Journey

Our certifications:
View ISO 27001 & 27701 certificates 

Our privacy team:
Meet the experts who achieved these standards 

Our award-winning technology:
Learn about Anonymous Mode 

Your Privacy Matters

Understand your rights:
Learn how you can control your data 

Have questions?
Visit our FAQ 

Contact us: 

Data Protection Officer: dpo@flo.health