Case 01 · UX Research · 2025–2026

Menstrual Tracking Privacy

Research in progress · Thesis defense June 2026
UX Research · Health Tech · Mixed Methods
Role: Principal Investigator, sole researcher
Advisor: Dr. Lorraine R. Buis, U-M Medical School
Timeline: 12 months, in progress
Context: MSI Thesis, University of Michigan
Methods: Mixed-methods cross-sectional survey
Participants: n = 87 (43 users · 44 clinicians)
IRB: HUM00285729, exempt
Status: Data collection complete · paper draft
A study in contradictions
MTOP · n = 42 users · how concern, trust, and comprehension stack up

Privacy concern: Very concerned 5 · Somewhat 13 · Slightly 20 · Not at all 4
Trust in the app: A lot 6 · Somewhat 20 · A little 13 · Not at all 3
Understanding: Very well 2 · Somewhat 15 · A little 11 · Not at all 14

88% of users are concerned about data privacy. 62% still trust the app. 59% admit they don’t understand what it does with their data.
Source: MTOP user cohort, n = 42 · Q15, Q16, Q17

Working paper · available on request
IRB approval · HUM00285729
👋 HOWDY

I'm Sabrina, the primary investigator.

I'm a graduate student at the University of Michigan School of Information, working on my Master's thesis under Dr. Lorraine R. Buis. This page walks through that work: what I studied, how I studied it, and what the data actually said.

What follows is the story of why I chose this topic (menstrual tracking apps, trust, and privacy) and what I found when I asked 87 people about it.

What is MTOP?

MTOP, the Master's Thesis Option Program, is a competitive research track at UMSI. A small cohort of students is selected into the program each year and paired with a faculty advisor to conduct an original, year-long, IRB-approved study from protocol to defense. It's the closest thing the Master's offers to a PhD-style independent research project, and the only one that ends in a formal thesis manuscript.

I applied to MTOP because I wanted the work I produced at UMSI to actually be research, not a class assignment with a deliverable stapled to it. I picked the topic. I chose the methods. I made the decisions. And every one of them sits in front of a defense committee in June 2026.

Advisor: Dr. Lorraine R. Buis
Committee: Dr. Florian Schaub
Duration: 12 months · 2025 – 2026
IRB: HUM00285729

The thesis: trust and privacy in menstrual tracking apps.

FemTech, the category of digital tools designed for reproductive, sexual, and menstrual health, has become one of the fastest-growing segments of digital health. Menstrual tracking apps alone are now used by hundreds of millions of people worldwide. They promise awareness, prediction, and control over a part of health that has been chronically under-researched in clinical settings.

But they sit in a strange legal place. The data they collect (cycle history, fertility intentions, sexual activity, symptom logs) would be protected by HIPAA if a doctor wrote it down. Because a consumer app collects it instead, none of those protections apply. The FTC has already taken enforcement action against Flo Health for sharing user data with Facebook and Google. The legal gap is not theoretical.

I chose this topic because the existing literature treats users and clinicians as separate conversations. Nobody had put both populations in the same study and asked whether the trust users place in these apps is actually informed. That's the question this thesis answers.

Why this matters now

The post-Roe landscape changed the stakes overnight.

When the Supreme Court overturned Roe v. Wade in 2022, every menstrual tracking app on every phone in America became a potential evidentiary record. Cycle data could be used to infer pregnancy. Sexual activity logs could be used to infer intent. Legal scholars have documented, across Huq & Wexler (2022), Kelly & Habib (2023), and LeBarron (2025), how this data can be accessed, subpoenaed, or sold in ways most users never anticipated.

The conversation has only intensified. National political figures have publicly floated proposals to track pregnancy outcomes, mandate reproductive screenings, and treat menstrual data as a surveillance signal rather than a personal health record. State legislatures are moving in different directions at once. The regulatory ground under these apps is moving while users keep tapping the same icon every morning.

That's the world this study was designed inside of. The findings below are what 87 real people, 43 users and 44 clinicians, told me about navigating it.

58%
of users don't understand their app's data practices.
User cohort · n = 43 · Q15

What I wanted to know.

Three research questions framed the whole study: one about user comprehension and trust, one about how the political moment is moving user behavior, and one about whether clinicians find the data clinically useful or clinically problematic.

How I did it.

Cross-sectional, mixed-methods online survey across two independent cohorts. Closed-ended items analyzed with frequency tabulation; open-ended items coded with inductive thematic analysis (Braun & Clarke, 2006) against an iteratively developed codebook. I built both surveys in Qualtrics, recruited through UMHealthResearch.org, Prolific, and IRB-approved flyers, and analyzed everything myself with Dr. Buis reviewing decisions at each milestone.

User cohort: n = 43 · 31-item Qualtrics survey covering app use, abandonment, privacy concerns, trust, and clinical sharing.
Clinician cohort: n = 44 · 25-item Qualtrics survey covering patient-initiated discussions, clinical usefulness, trust, and policy preferences.
Recruitment: UMHealthResearch.org, Prolific, IRB-approved flyers and QR codes.
Quality controls: reCAPTCHA, attention checks, single-response link controls, Prolific response-time flagging, manual review of flagged submissions.
Quant analysis: Frequency tabulation for all closed-ended items, with selective subgroup comparisons by use frequency and demographic strata.
Qual analysis: Inductive thematic coding (Braun & Clarke, 2006). Iteratively developed codebook, sole-coder with reflexive memoing and advisor review.
Where they came from

87 participants, five continents.

Prolific opened the recruitment net well beyond the University of Michigan.

What I found.

The five findings below are the ones the data kept insisting on. They're ordered from the most surprising to the most actionable.

01 · Trust without comprehension.

This is the central finding. 0% of users understand their app's data practices "a little" or "not at all", and yet 0% still trust the app to protect their information to some degree. Three of the most-endorsed concerns, third-party data sharing, access by external organizations, and lack of transparency, were each named by 0% of participants. People know enough to be worried; they don't know enough to be protected.

100%
of selective-loggers stopped tracking sexual activity first.
User cohort · n = 4 selective loggers

02 · Sexual activity is the canary.

Of the users who selectively stopped logging specific data types, all of them stopped tracking sexual activity first. Not symptoms. Not mood. Not cycle dates. The most legally sensitive category in the post-Roe landscape is the first thing that gets pulled. It's a tiny subgroup, but it's a perfectly aligned tiny subgroup, and that uniformity is its own signal.

03 · App data is already in the exam room.

All 44 clinicians in the cohort reported that patients had initiated discussion of menstrual app use with them. 0% see it monthly or more often. App-generated data isn't adjacent to clinical care anymore, it's inside the exam room. Most clinicians still recommend apps to patients (0% frequently, 0% sometimes) despite naming patient anxiety and data accuracy as their top concerns.

04 · Users and clinicians want the same things.

The policy alignment between the two cohorts is the most striking pattern in the dataset. Transparency, plain-language disclosures, restrictions on third-party sharing, and user control over deletion were the top requests across both. 0% of clinicians' open-ended responses asked specifically for HIPAA-like standards. Single-cohort work would have missed this entirely.

05 · Sociopolitical events shift behavior, slowly, and unevenly.

0% of users reported that public discussions or external events had affected how they use their app. Reading privacy policies more carefully was the most common response, followed by deleting an app, changing what they tracked, and switching providers. 0% of clinicians reported that legal and political developments had influenced their own clinical discussions. The two populations are moving in parallel, toward more caution, not toward more compliance.

What it means.

Trust is not binary.

It is technical, institutional, and emotional at the same time, and these dimensions can be in direct conflict. Designing for trust starts with designing for comprehension, not with a friendlier color palette.

Two-cohort designs surface system-level patterns.

Running parallel user and clinician studies revealed cross-population alignment on policy priorities that single-cohort work would have missed entirely. The methodology is the finding here, too.

Sole-coder qualitative work needs reflexivity infrastructure.

I documented analytic decisions in coding memos and consulted my advisor at every milestone. In future work I'd add a second coder for inter-rater reliability, and I'd recommend it as a baseline for thesis-scale projects of this kind.

Where this goes next.

A note on status. Data collection and analysis are complete. The full thesis manuscript is in draft and will be defended in June 2026. This page is the case-study-format version for portfolio readers; the working paper and full methods appendix are available on request.
[Image: Femtech privacy-center concept, phone showing data flows held over personal-care items]
From research to advocacy
A Femtech app for policy & user advocacy.

Beyond the study, an app built on the findings

Alongside my formal thesis, I am designing and prototyping a Femtech period-tracking application as the applied half of this research: a product whose foundational UX is informed entirely by what users and clinicians told us they need. The thesis surfaces the problem; this concept surfaces a credible answer to it, with policy advocacy and user agency as first-class design constraints rather than fine-print compromises.

The application is intentionally not another cycle tracker. It is a vehicle for the policy and trust primitives that participants asked for: comprehensible disclosures, granular control over sensitive log types, transparent third-party boundaries, and the option to delete with proof of deletion. Each interaction is a small piece of advocacy infrastructure.

Live walkthrough · wireframe

What you're seeing

This walkthrough is a wireframe prototype of the Femtech onboarding and core logging surfaces. It is built to look like a typical period-tracker so the policy work isn't marketing-coded, but every screen below the surface reflects a finding from the thesis.

  • Plain-language onboarding. The first three screens explain in human language exactly what is logged, what is shared, and what is never sold. No 14-page policy gates the first cycle entry.
  • Sensitive-data segmentation. Sexual activity, pregnancy intent, and symptom logs each sit behind their own consent layer. Users can opt in to specific categories rather than to the whole product at once.
  • Local-first by default. Day-to-day logs stay on-device until the user explicitly chooses cloud sync. The choice is visible at every login.
  • Proof of deletion. Deleting an account returns a verifiable receipt of the data removed and the retention windows that still apply by law, a direct response to the survey finding that users do not trust “delete” buttons.
  • Clinician-share envelope. Patients can generate a time-boxed, read-only summary to bring to an appointment, instead of handing over the entire account history.

Recommended changes

The five product principles below are the design recommendations the thesis points at. Each one is implemented as a real screen in the prototype above, and each one maps to a specific finding in the user or clinician cohort.

01 · Transparency before features

Move data-practice disclosures into the onboarding flow itself, in plain language, with comprehension checkpoints. Maps to: 58% of users do not understand their app's data practices.

02 · Granular logging consent

Treat sexual-activity, pregnancy-intent, and symptom data as separate categories with separate opt-ins. Maps to: 100% of selective-loggers stopped sexual activity first.

03 · Restrict third-party sharing

Cap third-party data sharing to the minimum necessary, with named third parties surfaced in-app. Maps to: top user and clinician policy preference.

04 · Verifiable deletion

Provide a deletion receipt that itemizes what was removed and what is retained by legal obligation. Maps to: trust without comprehension, users need verifiable signals, not branded reassurance.

05 · Clinician-share envelope

Generate a time-boxed, read-only summary for appointments rather than account-level sharing. Maps to: 55% of clinicians see app data in the exam room monthly or more often.

06 · Policy-visible UI

Surface the relevant FTC, HIPAA, and state-level shield laws inline at the moment a user logs sensitive data, so the legal context lives where the action happens.

Status of the application. The Femtech app is a working wireframe / hi-fi prototype, paired with this thesis as the research-to-practice arc. I am actively looking for clinician collaborators and reproductive-rights legal partners to pressure-test the disclosure flows before any usability testing. If your organization works in this space, I'd love to talk.