PrivyCycle and the unfinished business of health app privacy on Ethereum

Inspiration rarely strikes where one expects. The genesis of PrivyCycle did not emerge from the predictable hum of laptops at ETHCC’s hackathon floor, but rather from the electric tension of a Berlin summer stage in June 2025.

There, beneath the spotlights of d/acc Berlin and before a crowd of Ethereum’s sharpest minds, Migle Rakitaite—visionary behind Wxmen Web3Privacy Now —stood face to face with Ethereum’s own Vitalik Buterin. The air crackled as Rakitaite, joined by fellow privacy advocates, challenged Buterin directly: Why had the Ethereum Foundation neglected to champion and fund crypto-native solutions for safeguarding sensitive health data, particularly for period tracking apps on the blockchain? In that charged moment, as questions of privacy and responsibility echoed through the auditorium, the seeds of PrivyCycle were sown.

It is not a theoretical issue. In the United States, the criminalization of abortion in several states has made period-tracking apps dangerous. Data from services like Flo and Clue can be — and has been — subpoenaed in court cases. And while mainstream apps promise privacy, most monetize user data through opaque adtech and analytics deals. The gap between privacy rhetoric and practice is glaring.

So at ETHGlobal CannesCC’s 2025 hackathon, Rakitaite teamed up with developers from TACo.build (f.k.a NuCypher), Vialabs.io, 0g.ai, and Waku/Logos (a team entirely composed of men, with the notable exception of Rakitaite), in attempt at implemting crypto-native alternative to the problems surrounding existing period tracking apps, i.e. the lack of privacy and blatant selling of users’ data. The result, PrivyCycle, was one of the ETHCC’s top 10 projects out of 334 entries and winner of three separate sponsor prizes. It’s a proof-of-concept, not a product — but it surfaces core questions about whether Ethereum can credibly support privacy-first applications beyond DeFi and token swaps.

Zero-knowledge cryptography (ZK) has long been the proposed answer. ZK-proofs allow one party to prove possession of certain data without revealing the data itself. In a fertility-tracking context, it means proving to a doctor that one’s cycle has been regular for six months without disclosing the dates or symptoms. In theory.

But in practice, zk tooling on Ethereum remains nascent. “DeFi zk” — private swaps, zk-rollups for scaling, or zk-NFT proofs — is far ahead of privacy tooling for irregular, longitudinal, non-fungible datasets like medical records or menstrual logs. zk-SNARK circuits remain costly to deploy, Layer-2 solutions fragment data access, and off-chain storage (like IPFS) introduces its own security assumptions. As of mid-2025, no production-grade, audited, open-source zk protocol exists for health data.

PrivyCycle cobbled together existing infrastructure focusing on using tech being offered by the sponsors of ETHGlobal Cannes hackathon: Privy.io for identity abstraction, Zurcuit for Zk’s, and 0g.ai for lightweight, AI-powered suggestions. During the demo, Rakitaite explained how the app lets users log symptoms locally, encrypt data on-device, upload it to IPFS, and selectively share it with partners or physicians using threshold keys.

But even these AI features raise privacy flags. “During this period, maybe stay away — or bring her chocolate and flowers,” Rakitaite joked onstage, explaining how the app’s AI would offer anonymized relationship tips based on aggregated data. Yet any AI system offering personalized recommendations, even ‘anonymized,’ implies some level of inference from user data. Without open-source models, audits, or reproducible training processes, these claims of anonymity remain unverifiable.

The presentation also included an option to export encrypted PDFs or CSV files for doctors, and a doctor-facing dashboard for interpreting AI-generated health insights. But here too, the infrastructure is hypothetical. Most healthcare providers today can’t decrypt, verify, or store zk-protected medical records. The notion that users can “take their data wherever they want” only works if somewhere is prepared to receive it.

The financial pitch was similarly shaky. Onstage, Ryan Caruso of Threshold claimed the menstrual tracking app market would hit $10 billion by 2034. But that projection comes from a Market Research Future report which estimates the broader femtech market — encompassing wearables, diagnostics, fertility services, and telehealth platforms — might reach that figure. Actual period-tracking app revenues are unknown. Major players like Flo Health and Clue are privately held and historically opaque about data monetization and financials.

What’s clear is the risk. In 2021, Flo was caught sharing sensitive health data with third parties and settled with the FTC. In the post-Dobbs legal environment, where reproductive health data can be weaponized, this isn’t just a privacy issue — it’s a political one.

That’s why projects like PrivyCycle matter, even in their imperfections. Not because they deliver finished products, but because they expose what Ethereum still lacks: exposure to credible, scalable, decentralized privacy tooling for sensitive, personal information. During the mainstage presentation it was noted that PrivyCycle’s roadmap includes implementing better tooling for access control and data sharing that’s end-to-end encrypted and “more importantly, end-to-end decentralized” by using TACo (Threshold Access Control). TACo were not a sponsor of the hackathon.

That line landed differently in Paris than it had a month earlier in Berlin, when Rakitaite called the Foundation out directly. The truth is, the Ethereum ecosystem has deferred privacy tooling for years. While Tornado Cash was sanctioned and zero-knowledge L2s proliferated for DeFi scaling, applications for medical, identity, and social data lagged behind.

PrivyCycle is not a finished solution. It’s a provocation. A reminder that if Ethereum is to evolve from a financial settlement layer into a social infrastructure protocol, it needs to take end-to-end encryption tooling and zero-knowledge privacy for non-financial data seriously – not just in hackathon demos, but at the funding and protocol level.

As Rakitaite told the ETHCC crowd:

“On the first day of my daughter’s period, I want to give this as a gift. So she could calculate her fertility much easier, and much better.”