AI DPO: Flo

Hi, this is AI DPO, providing data protection reviews of AI startups to showcase best practices. In these reviews, we assess basic compliance and transparency signals from public sources.

Flo is not an AI company. However, as it is a technology company that handles sensitive personal information, we thought it was still a great fit for this series to show best practices. Flo is a wellness platform for people seeking to track their menstrual cycle, when they may get pregnant, and their pregnancy journey. Over 420 million people use the app. Inside the app, users can track their cycle and symptoms, understand their fertility better, follow their pregnancy week by week, and share Flo with their partner. Here’s a privacy-first look at Flo to highlight what’s working (and suggest easy wins to build more trust with their users).

I) How We Review Companies

Through AI DPO, we’re here to help AI companies build data protection practices that are both compliant and customer-friendly.

When we review a company, we follow three simple principles:

We believe good data protection is good business and we’re excited to be part of helping AI companies get it right.

1. Assenteo’s Take

Because Flo is a female menstrual wellness tool, data protection is essential for it. Users are aware that they are choosing a provider to share their menstrual patterns with and therefore need to be reassured about how their privacy is protected. Under EU and US laws, menstrual data is health care data, as it:

  • relates to the user’s health,

  • can reveal sexual health or reproductive health status, and

  • may indirectly reveal sexual orientation or intentions to conceive.

Companies like Flo therefore must ensure their data protection practices are transparent, as they have a higher responsibility under the law. Outside the legal sphere, however, highly sensitive data categories are also the areas that matter most to people and society. Failing to protect these data types could damage customer trust, and that is the source of Flo’s social responsibility. Flo has emerged as a leader in privacy-first design and should serve as an example for AI companies managing similarly sensitive data, such as health information. In addition to meeting the expectations of a data-compliant business in managing its own operations, Flo is adding features to put its users at ease, such as Anonymous Mode, and gaining certifications such as ISO 27001. It’s clear that their Legal and Product teams are working closely together to embed privacy into the user experience.

2. AI DPO Assessment

Category

Assessment

Notes

Privacy Policy and other Documentation

Flo hosts a Privacy Policy for the personal data and data collection of Flo website visitors and app users. The Privacy Policy was last updated in September 2024. Flo has highlighted the key data takeaways of each section in a visual format, to provide users with clarity on their data use. Flo also provides a FAQ page and privacy portal.

Data Collection

The Privacy Policy clearly lists the data categories collected: personal data provided for account creation, health metrics that the user inputs into the app, and account usage. Flo also collects data automatically for platform improvement. Flo offers an Anonymous Mode to avoid identifying data collection altogether: no email, name, or technical identifiers are associated with the account.

Data Processing

Data sharing with third-party service providers is disclosed for the app’s functioning. In particular, Flo includes specifics on how non-personal data is shared for its advertising purposes, including a diagram. Specifics about which companies receive application data for the functioning of the product are also provided, as are the purposes of data processing.

User Controls

Users are informed of their rights and are able to request access, deletion, correction and exercise other rights regardless of where they live. An email address is provided for rights requests, and Flo has a Data Protection Officer for users to get in touch with.

AI-Specific Disclosures

N/A

Flo does not comment on AI specifically.

Cookie Handling and Data Sale

Flo uses cookies on its website to track users. Marketing, analytics and personalization cookies are dropped only when a user opts in. Flo states in its Privacy Policy that it does not sell user information for monetary gain. It also does not sell Apple HealthKit or Google Health Connect framework data to advertising platforms, data brokers, or information resellers.

Flo currently stands at Level 3: Privacy Leader

3. Highlights

  • Customer-centered privacy information: Flo’s current privacy stance positions it as taking a proactive approach to its customers’ personal data. This includes easily accessible information about how it collects and processes personal data, and new features such as Anonymous Mode that give users options.

  • Protection of customers in data sharing: Flo only shares non-personal data when promoting the app using AppsFlyer. This allows Flo to keep growing and reach more users, but not at the expense of user trust.

  • Opt-in tracking: Users will only be shown tailored content and materials if they opt in. Flo still tracks browsing trends in the app by default; however, product customisation only occurs with user consent. This approach places control over the use of personal data back into the hands of the user.

4. Where Trust Can Grow

  • Show health data coverage: Currently, Flo does not mention health data protection regulations such as HIPAA on its website, although it does refer to collecting and processing health data. While Flo is not mandated to have a HIPAA-specific Privacy Officer, having a HIPAA expert as part of its advisory team would further strengthen trust.

  • Clarity on AI usage: In a world where the mention of AI is commonplace, it was surprising that it did not appear in our analysis of Flo. It may simply be that the company does not use AI, or does not use it to process customer data; either way, there is an opportunity to make this clear with an AI Transparency Policy.

  • Customer data privacy feedback: Flo highlights the people who are building its privacy functions internally. To give users the power to influence how their data is used, an opportunity lies in community-driven privacy feedback.

At Assenteo, we help enterprise-focused AI builders turn data protection into a product strength through providing data protection professionals. While this review focused on basic compliance and public transparency, our core service supports full compliance, strong UX practices, and competitive advantage through trust. If you're a serious builder, let's chat.
