Morning Overview

7 apps that secretly record you — and how to delete them before they harvest more data

Your therapy notes, ovulation dates, prescription history, text messages: federal regulators have confirmed that at least seven apps quietly funneled this kind of information to advertisers, analytics firms, or remote surveillance dashboards without meaningful user consent. Between 2021 and 2024, the Federal Trade Commission and the Department of Justice took enforcement action against every one of them. Some were obvious spyware. Others were health platforms used by millions of people who had no idea their most private details were being repackaged for ad targeting.

As of June 2026, several of these apps remain available in some form, and questions about long-term compliance with federal orders are still unresolved. Here is what the enforcement record actually shows, what you can do right now, and where the gaps remain.

The stalkerware: SpyFone and Retina-X

SpyFone is the clearest case of covert surveillance in the FTC’s enforcement history. In September 2021, the agency banned the company and its CEO from the surveillance industry entirely and ordered the deletion of all secretly collected data. The FTC finalized that order in December 2021, confirming that SpyFone’s software had captured text messages, photos, browsing history, and real-time GPS coordinates from phones whose owners never knew the app was there.

Retina-X Studios operated a similar business under three brand names: MobileSpy, PhoneSheriff, and TeenShield. The FTC’s case docket describes software designed to be installed without a device owner’s awareness, configured to hide its presence, and capable of transmitting detailed activity logs to a remote dashboard. The complaint, exhibits, and consent order materials lay out how the apps created both security and privacy risks for the people whose phones were compromised.

Together, these four apps (SpyFone plus Retina-X’s three products) represent the most straightforward form of secret recording: software that turns someone else’s phone into a tracking device.

The health apps: BetterHelp, Flo, Premom, and GoodRx

The remaining three cases involve apps that millions of people downloaded voluntarily, often to manage sensitive health decisions. The data collection was not hidden in the same way stalkerware hides on a phone. Instead, tracking pixels and embedded software development kits quietly transmitted information that users entered in confidence.

BetterHelp. The online therapy platform told users their mental health information would stay private. It did not. The FTC found that BetterHelp shared details people provided when seeking therapy, including information about their mental health history, with advertising platforms. In 2023, the agency gave final approval to an order banning BetterHelp from using health data for advertising and required the company to pay $7.8 million in partial refunds to affected users.

Flo Health. The fertility-tracking app transmitted information about menstrual cycles and pregnancy plans to large technology companies through embedded SDKs, even as its privacy statements suggested that such data would remain confidential. The FTC’s settlement, initially filed in 2021 and finalized in an amended order in 2024, required Flo to obtain independent privacy assessments and to secure explicit consent before sharing health information.

Premom. Made by Easy Healthcare Corporation, this fertility app shared ovulation test results, cycle dates, and device identifiers with analytics and advertising partners without adequate disclosure. The FTC’s 2023 settlement required Easy Healthcare to limit data sharing, implement a comprehensive privacy program, and notify users about the enforcement action.

GoodRx. The Department of Justice ordered the prescription discount platform to pay a $1.5 million civil penalty for unauthorized disclosure of personal health information under the Health Breach Notification Rule. Government filings state that GoodRx shared details about users’ prescription searches and pharmacy transactions with advertising platforms, allowing those companies to infer sensitive medical conditions and target ads accordingly.

The common thread across all three health apps: tracking code embedded in the product sent user-entered data to external servers, often without any visible signal to the person using the service. The FTC’s technical research on pixel-based tracking explains how a single embedded pixel can transmit a URL, a user identifier, and form field contents to a third party whenever a page loads or a button is pressed.
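To make that mechanism concrete, the sketch below audits a list of request URLs captured while using a site (for example from a browser's network log) and reports every third-party request that carries the page URL or a value the user typed. It is an added example, not code from the FTC or from any app named here; the hosts, parameter names and values are constructed, and `findLeaks` and its helpers are hypothetical names.

```javascript
// Added example: audit captured request URLs for user data sent to third parties.
// Every host, parameter name and value below is constructed for illustration.
const SAMPLE_REQUESTS = [
  "https://app.health.example/api/intake",
  "https://cdn.health.example/p.gif?email=pat%40mail.example",
  "https://px.adnetwork.example/tr?id=12345" +
    "&dl=https%3A%2F%2Fapp.health.example%2Fintake%3Fstep%3Dsymptoms" +
    "&ud=pat%40mail.example",
  "https://stats.analytics.example/collect?ev=click&uid=device-7f3a",
];
const SAMPLE_INPUT = { email: "pat@mail.example", device_id: "device-7f3a" };

// First party = the site's own host or any subdomain of it.
function isThirdParty(host, siteHost) {
  return host !== siteHost && !host.endsWith("." + siteHost);
}

// True when a parameter value is itself a URL pointing back at the site.
function isFirstPartyUrl(value, siteHost) {
  try {
    return !isThirdParty(new URL(value).hostname, siteHost);
  } catch {
    return false; // not a URL at all
  }
}

// One finding per third-party request that carries a page URL or a value
// the user typed. `sensitive` maps a label to the value entered.
function findLeaks(requestUrls, siteHost, sensitive) {
  const findings = [];
  for (const raw of requestUrls) {
    const url = new URL(raw);
    if (!isThirdParty(url.hostname, siteHost)) continue;
    const leaked = [];
    for (const [param, value] of url.searchParams) { // values arrive decoded
      for (const [label, secret] of Object.entries(sensitive)) {
        if (secret && value.toLowerCase().includes(secret.toLowerCase())) {
          leaked.push({ param, label });
        }
      }
      if (isFirstPartyUrl(value, siteHost)) leaked.push({ param, label: "page_url" });
    }
    if (leaked.length > 0) findings.push({ host: url.hostname, leaked });
  }
  return findings;
}

console.log(JSON.stringify(findLeaks(SAMPLE_REQUESTS, "health.example", SAMPLE_INPUT), null, 2));
```

The comparison is on plain text, so a value that is hashed or otherwise encoded before it is sent will not be matched by this check.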

How to check your phone and remove these apps

If you are concerned about stalkerware specifically, the FTC’s consumer guide on stalkerware detection is the best starting point. A few key steps:

  • Look for unfamiliar apps. Stalkerware often disguises itself with generic names like “System Service” or “Phone Monitor.” On Android, go to Settings > Apps and scroll through the full list. On iPhone, check Settings > General > iPhone Storage.
  • Check for device admin or profile access. On Android, look under Settings > Security > Device admin apps for anything you did not authorize. On iPhone, check Settings > General > VPN & Device Management for unknown configuration profiles.
  • Watch for warning signs. Unusual battery drain, spikes in mobile data usage, or a phone that feels warm when idle can all indicate background surveillance software.
  • Plan for safety before deleting. The FTC and organizations like Cornell’s Clinic to End Tech Abuse emphasize that removing stalkerware can alert the person who installed it. If you are in an abusive situation, contact the National Domestic Violence Hotline (1-800-799-7233) or a tech-abuse specialist before taking action on your device.

For the health apps, the steps are more straightforward but still worth taking deliberately:

  • Delete the app from your phone if you no longer use it or no longer trust its data practices.
  • Revoke permissions. Before deleting, open the app’s settings (or your phone’s privacy settings) and turn off access to location, contacts, health data, and notifications.
  • Request data deletion. Under most state privacy laws and the apps’ own updated policies, you can submit a data deletion request. Look for a “Privacy” or “Your Data” section in the app’s settings or on its website.
  • Check connected accounts. If you signed in with Google, Facebook, or Apple, go to that platform’s security settings and revoke the app’s access.
  • File a complaint. The FTC encourages users who believe an app misused their data to report it through ReportFraud.ftc.gov. These reports inform future investigations even when they do not trigger immediate enforcement.

What regulators still have not answered

The enforcement actions described above were finalized between 2021 and 2024. Within the public FTC and DOJ records reviewed for this article, there are no primary documents confirming enforcement after 2024 that specifically target newer categories of apps, such as fitness trackers, meditation platforms, or social apps that may use embedded tracking pixels in similar ways. It is plausible that similar practices exist in those sectors, but the confirmed docket does not extend there.

Compliance verification is another blind spot. The FTC’s settlements with BetterHelp, Flo, Premom, and GoodRx require corrective actions: deleting certain datasets, obtaining new forms of consent, and submitting to independent privacy assessments. But independent confirmation that deleted data was fully purged from backups and partner systems is not available in the public record. The latest updates on several of these matters date to 2023 or 2024, leaving an information gap about long-term follow-through.

Perhaps the most unsettling open question involves downstream data. Settlements can require a company to stop sharing and to instruct advertising partners to delete previously received data. But no detailed audits of third-party deletion practices appear in the enforcement materials. Once therapy intake answers, fertility logs, or prescription searches reached an ad platform’s servers, the degree to which that information was actually erased remains largely opaque.

Why these seven cases matter beyond the apps themselves

The FTC’s enforcement docket is necessarily selective. The agency has finite resources and prioritizes cases with clear evidence of harm or deception. The seven apps discussed here are confirmed examples of misconduct, but they almost certainly represent only a fraction of the broader ecosystem of data-hungry software. Their absence from an enforcement action does not make another app safe.

What these cases do establish is a pattern. Surveillance software can turn a phone into a real-time tracking tool. Health platforms can convert therapy sessions, fertility logs, and prescription histories into advertising segments. The mechanism is often the same: a small piece of embedded code, invisible to the user, that transmits data the moment it is entered. Until there is more transparent oversight of those data flows and stronger technical safeguards against covert collection, the burden of protection falls largely on the people whose information is at stake.

*This article was researched with the help of AI, with human editors creating the final content.