FTC orders period-tracking app to change privacy practices, but dissenting commissioners say actions are not enough

Period-tracking app Flo must now notify customers that user information is shared with third parties such as Facebook and Google, following a settlement between the app and the Federal Trade Commission. The commission says that while Flo promised to keep user health data private, the company shared data, including whether a user was pregnant, with third parties for marketing and analytics. Companies that received data from Flo included Facebook, Google, AppsFlyer and Flurry.
“Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, in a statement. The agreement can be found in full here.
The order requires Flo to be more transparent about how the app collects, uses, and shares data, and requires Flo to have third parties destroy health information received from the app.
In a statement, Flo said it is cooperating with the FTC and that the agreement is not an admission of wrongdoing. “We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use,” said a Flo spokesperson. “We are transparent about our data practices and adhere strictly to all applicable regulations.” The spokesperson said the company did not share user names, addresses or birthdays, and does not share health information without permission.
Health data, especially information about menstruation, is particularly sensitive because it can reveal extremely personal details such as reproductive and sexual health and activity. The Wall Street Journal first reported on Flo misusing health data in 2019.
However, FTC commissioners say the commission should have taken more forceful action against Flo for violating the Health Breach Notification Rule. In a statement released today, FTC commissioners Rohit Chopra and Rebecca Kelly Slaughter said they were “disappointed that the Commission is not using all of its tools to hold accountable those who abuse and misuse personal data.”
“We believe that Flo’s conduct violated the Health Breach Notification Rule, yet the Commission’s proposed complaint fails to include this allegation,” said the commissioners in a statement.