My wife needed a cycle tracker. Everything out there was either Flo (which got sued twice for sharing health data) or an abandoned GitHub project. So I built Ovumcy. Single Go binary, SQLite, Docker-ready. No analytics, no third-party APIs, no cloud. Your data stays on your server. Features: period tracking, symptom logging, predictions (ovulation, fertile window), statistics, CSV/JSON export, dark mode, Russian and English. Just pushed v0.2.5. Looking for feedback from real users.
I recommend you set the Content-Security-Policy http header so that inline javascript (commonly used for XSS attacks) cannot be executed.
https://web.dev/articles/strict-csp
CSP being off is not exactly a security hole but it makes security holes much more likely. By using a strict CSP configuration you close off the possibility of a whole class of holes.
Also think about setting the
Access-Control-Allow-Originheader and enable CORS on your REST endpoints.https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Origin
Again, kind of a pain in the ass but gets rid of a bunch of potential problems before they start.
Thanks for the suggestions, those are good points.
CSP is something I plan to tighten over time, but enabling a strict policy right now would require refactoring some inline JS patterns used in the templates. It’s definitely on the roadmap as part of security hardening.
Regarding CORS, the application currently runs as a same-origin server-rendered app rather than a cross-origin API, so CORS headers aren’t enabled by default. If external clients or integrations are added in the future, I’d likely introduce a restricted allowlist for specific API routes.
Your releasing a health data app without doing security hardening?
So much for you saying you take security seriously
Worth to say, that this is an ongoing development, this is not even version 1, v 0.3.1
What a douchebag
No, we didn’t ship it without security hardening.
We already hardened the main sensitive parts:
sealed auth/recovery/reset/flash cookies no auth or recovery secrets in URLs or JSON POST + CSRF logout basic browser security headers CodeQL, gosec, Trivy, and SBOM in CI What’s still missing is a strict CSP. That’s not a one-line switch here because the current frontend still needs some refactoring first.
CSP is released.
This is super cool! I’m not afab so I can’t help test and my question may be ignorant but I’m curious why one would want this functionality to not be something native and benefits from being hosted at all?
There are some f-droid trackers that look nice (I keep seeing one there with a super pretty ui) but I’m not sure what the tradeoffs of just using a native application for something like this might be
Ownership of your data, privacy concerns, apps being tracked, cross-device, no f-droid for iOS.
The benefit over a purely local app is mainly cross-device access and easier syncing/backups, while still avoiding a third-party service storing your data.
A lot of cycle trackers right now sell that data and there is some concern it could be used to find women who have miscarried and charge them with a crime.
Something like your idea is safer for women to use.
How can that even be a thing? Miscarriages happen all the time
Well a miscarriage is basically an abortion and an abortion is basically a murder.
/s, to be clear, but some people will say that sincerely and in some parts of the world they get to write the law.
Yeah they have tried to prosecute women for miscarriages. Basically saying women cause them on purpose.
https://www.nbcnews.com/news/nbcblk/brittany-watts-miscarriage-bathroom-charged-rcna135861
The right wing conservatives often have these weird paradoxical beliefs. Like Mexicans are lazy but also stealing everyone’s jobs.
They believe women are designed to be baby incubators and are natural caregivers, but we are also naturally baby killers and have to be watched and kept from killing all the babies.
It’s ridiculous.
Why not use drip or mensinator? Both FOSS.
Ovumcy isn’t trying to replace them. The idea here is to explore a self-hosted, web-based approach that focuses on running the app on infrastructure you control, with simple deployment and cross-device access through the browser.
Different tools optimize for different things. Native apps like Drip or Mensinator are great for fully local tracking, while Ovumcy explores a self-hosted model that can be accessed from multiple devices without relying on a third-party service.
this is great, especially when our government starts tracking everything we do online.
great forward thinking if that was your intention.
I see that we face it all over the world now.
Yup. You really don’t want the maga cult monitoring your cycle. If you stopped menstruating for a bit you must be pregnant. Where is the baby? Omg you murdered the baby by taking Tylenol!
I see how they differ now. Local vs self hosted. Niche use. But I get your idea especially helpful between partners I suppose. Keep it going! Let’s see where it lands in time. Personally I think the name is hard to remember and pronounce correctly which means it might not be super catchy and really take off. My opinion and in no way should deter you. Perhaps tweak the name. Overall though good job and keep going. This not a negative thing I say. Just to trying to help you refine the idea to success. Best of luck!
Appreciate that!
I use Android, my wife - iOS. So many things that on F-Droid are simply unavailable to her (yes, I tried to convince her to go to our side). So I searched for living projects with self-hosting idea, did not find one and decided to create one. I have a CS background, though my professional work today is mostly in finance as a senior analyst where I write code to automate and optimize workflows. Ovumcy started as a personal project exploring a self-hosted approach to cycle tracking.
Awesome! My wife just had her IUD removed and will probably start tracking again. Will get this set up for her and see if she likes it, will provide feedback if she has any.
Thank you, I opened Discussions for that, fell free to communicate.
My partner might volunteer to try it out, but since she is very regular it probably wouldn’t help much for input.
The main feature she says she misses from Flo (we are also data savy, so she left it), was for when things were irregular, the ability for it to predict the why’s and when’s like stress, etc.
In the current iteration, if something is irregular can you put in what happened and have it auto-adjust?
Also, reminder notifications a couple of days out were helpful.
I had been considering a project like this as well, but one that uses on-device analytics to record the why’s and when’s, then allowing for scrubbed anonymous submissions (date adjusting/etc like you do in a clinical trial) to allow for algorithm development while preserving privacy.
Happy to have a conversation about this for future potential PRs (I am an avid FOSS contributor in both planning and code, even working on a project for the Linux Foundation kernel dev team now).
Thanks, this is really useful feedback.
The reminder part is already on the roadmap, and I’ve now added two more issues based on your note about irregular cycles:
- #17 Add irregularity factor tags for cycle tracking
- #18 Use recorded cycle factors to improve prediction context
The direction I’d want for Ovumcy is less “the app predicts the why” and more:
- users can log things like stress, illness, travel, sleep disruption, etc.
- the app can use that to give better context and reliability hints for irregular cycles
- without pretending to make hard medical claims
The anonymous scrubbed-submission idea is interesting too, but I’d treat that as much later, because it changes the privacy/trust model a lot.
Happy to keep talking about it, and future PRs would definitely be welcome.
There definitely an actively developped open source privacy focused period tracker available, go check it out: https://gitlab.com/bloodyhealth/drip But all data stays local on your device , which is of course good from privacy pov but if you are looking for something accessible from different devices then this might not be suitable.
Thank you! I am aware of it, but mine is slightly diffrent approaches to the privacy, allowing to access from multiple devices.
I use a period tracker to identify file extensions.
As a non-native speaker, I had to use LLM to get that joke)
Any chance that we can have this translated to Spanish?
Spanish released
Thank you very much, now I can ask my wife test it out.
Unrelated, but I love your username; and boosting for visibility.
Do you know about drip? It as local non-profit cross-platform open source smartphone app and my girlfriend is a happy user for years.
It is a greap project, mine is not a replacement, but a little bit different approach. It’s a self-hosted web application that you run on infrastructure you control and access from multiple devices. In Drip you can export or import data, but this step is a payment for privacy. Mine offers privacy but from a different perspective.
So what you’re saying is, you added private Cloud storage to it?
No-no, you run your VPS and deploy it there. So you define your storage, it can be homeVPS
What a chad. I wish I were woman to use your app.
MR PIZZA!?!?!??! O_O
I did the same thing for my partner. She didn’t migrate in the end, and google killed my play store account.
https://bloodyhealth.gitlab.io/ - is also a good option.
Some kind of data import would be nice to have according to my partner, but it might be tricky with all the different apps.
I like the naming:) and is there any chance to restore access to your account? It looks like it might have a future.
That link isn’t mine, and it is available and active.
Mine is https://github.com/cameroncros/PrivatePeriodTracker
But it’s abandoned. Your welcome to steal anything you like from it.
Well, not stealing, being inspired)
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System IP Internet Protocol LXC Linux Containers SSH Secure Shell for remote terminal access
4 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #140 for this comm, first seen 7th Mar 2026, 01:40] [FAQ] [Full list] [Contact] [Source code]
Fuck bots.
I think this particular bot is a good one
