Is My Health App Safe?

Scoring methodology

Every scorecard on this site resolves to a single letter grade from A to F. The grade is a weighted average of six criteria. Here is exactly how it is calculated, what evidence we use, and what we deliberately do not count.

The six criteria

Criterion                                                                     Weight
Data collection scope — what the app gathers, including inferred data          20%
Third-party sharing & sale — advertising SDKs, data brokers, partners           25%
Regulatory protection — HIPAA, GDPR, state laws like MHMDA                      15%
Privacy policy clarity — does the policy match what the app actually does?      15%
Security & breach history — encryption, past incidents, enforcement actions     15%
Deletion & retention — can you really leave, and how long is data kept?         10%

How letter grades map to scores

Grade   Score    What it means
A       90–100   Genuinely private. Minimal collection, no third-party sale, strong security, clear policy.
B       75–89    Solid. A few soft spots but no serious red flags.
C       60–74    Mixed. Standard consumer-app practices — better than the worst, worse than privacy-first.
D       40–59    Concerning. Broad sharing, weak controls, or a history of enforcement action.
F       0–39     Don't. Active harm: data sold, policies misleading, or breaches repeatedly mishandled.
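The grading formula, worked through in Python as an added illustration rather than code from this site: the six criterion scores (each 0–100) are combined with the weights from the criteria table and the result is mapped to the letter bands above. Rounding to the nearest whole number before banding is an assumption, since the page does not say how fractional scores are handled, and the sample app's scores are constructed.

```python
# Added example, not the site's own code: compute a scorecard grade from six
# criterion scores using this page's weights and grade bands. Assumption: each
# criterion is scored 0-100 and the weighted result is rounded before banding.

WEIGHTS = {
    "data_collection_scope": 0.20,
    "third_party_sharing": 0.25,
    "regulatory_protection": 0.15,
    "privacy_policy_clarity": 0.15,
    "security_breach_history": 0.15,
    "deletion_retention": 0.10,
}

# Lower bound of each band, checked from the top down (A: 90-100 ... F: 0-39).
GRADE_BANDS = [("A", 90), ("B", 75), ("C", 60), ("D", 40), ("F", 0)]

def weighted_score(scores):
    """Weighted average of the six criterion scores (each 0-100)."""
    if set(scores) != set(WEIGHTS):
        raise ValueError(f"expected exactly these criteria: {sorted(WEIGHTS)}")
    for name, value in scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be in 0..100, got {value}")
    # The weights are percentages that sum to 100%, so no normalisation needed.
    return sum(WEIGHTS[name] * value for name, value in scores.items())

def letter_grade(score):
    """Map a 0-100 score to A-F using the bands in the table above."""
    rounded = round(score)
    for letter, floor in GRADE_BANDS:
        if rounded >= floor:
            return letter
    raise ValueError(f"score out of range: {score}")

# Constructed sample: strong everywhere except third-party sharing, the
# heaviest-weighted criterion, which alone pulls an otherwise A-band app to B.
SAMPLE_APP = {
    "data_collection_scope": 95,
    "third_party_sharing": 45,
    "regulatory_protection": 90,
    "privacy_policy_clarity": 95,
    "security_breach_history": 95,
    "deletion_retention": 90,
}

if __name__ == "__main__":
    total = weighted_score(SAMPLE_APP)
    print(f"score={total:.2f} grade={letter_grade(total)}")  # score=81.25 grade=B
```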

What each criterion looks at

1. Data collection scope (20%)

We read the full privacy policy and check both what the user enters and what the app derives from sensors, device metadata, and usage patterns. An app that asks for a period date but also fingerprints the device, logs location, and infers pregnancy status loses points even if the surface-level disclosure is honest.

2. Third-party sharing & sale (25% — highest weight)

This is the most common failure mode. We look at:

3. Regulatory protection (15%)

Most consumer health apps are not covered by HIPAA — HIPAA applies to "covered entities" (doctors, hospitals, insurers) and their business associates, not to apps you download yourself. GDPR applies for EU users. Washington's My Health My Data Act and similar state laws are starting to close the gap, but coverage is uneven. We credit apps that voluntarily operate to a stricter standard than the law requires.

4. Privacy policy clarity (15%)

Does the policy say plainly what happens, or does it use hedge words ("may share", "business partners", "to improve our services") that technically cover almost anything? We downgrade policies that contradict marketing copy, and upgrade policies that are specific, dated, and easy to read.

5. Security & breach history (15%)

Encryption in transit and at rest, authentication, bug bounty programs, and independent audits all count. Past breaches are weighed by severity and by how the company handled them. An FTC settlement or regulator action is a significant downgrade.

6. Deletion & retention (10%)

Can a user actually delete their account and their historical data, or only "deactivate"? How long is data retained after deletion? Are backups purged? We test the flow where we can.

What we do not count

Review cadence

Every scorecard is dated. We re-review apps at least every six months, and sooner when there is a breach, settlement, acquisition, or major policy update.

Corrections

If you believe we have something wrong — an outdated policy citation, a misread clause, a missing update — we'd like to know. This site is single-author and opinionated, but we care about being factually right.