Facebook has been quietly collecting sensitive information from smartphone apps such as users’ “body weight, blood pressure, menstrual cycles or pregnancy status,” the Wall Street Journal reports.

Using analytics software called “App Events,” a Facebook product built into thousands of popular apps, the social media giant was able to gather personal data regardless if a user owned a Facebook account.

Per the Journal:

It is already known that many smartphone apps send information to Facebook about when users open them, and sometimes what they do inside. Previously unreported is how at least 11 popular apps, totaling tens of millions of downloads, have also been sharing sensitive data entered by users.

In one example, the Journal found that Instant Heart Rate: HR Monitor, the most popular heart-rate tool on the Apple App Store, “sent a user’s heart rate to Facebook immediately after it was recorded.”

Another popular app, Flo Health Inc.’s Flo Period & Ovulation Tracker, alerted the social media company when users were having their periods and when they were looking to get pregnant.

A third app developed by Realtor.com for finding real estate let Facebook know the price and location of any viewed listings.

When confronted about the data collection, Facebook stated to the Journal that some of the apps in question appeared to be violating its business terms by sending them sensitive information.

“We require app developers to be clear with their users about the information they are sharing with us,” a Facebook spokeswoman said.

Apple also reiterated its stance on data sharing after being pointed to the offending apps available in its App Store.

“When we hear of any developer violating these strict privacy terms and guidelines, we quickly investigate and, if necessary, take immediate action,” an Apple spokesperson said.

Google, which operates the Google Play app store, likewise stated that apps must inform users when sensitive data is shared with third parties.

In the case of the Flo Period & Ovulation Tracker app, the company has previously alleged that it does not share “information regarding your marked cycles, pregnancy, symptoms, notes and other information” if a user hasn’t given consent.

After being questioned by the Journal, Flo claimed that it doesn’t share “critical user data” and that any data sent to Facebook is “depersonalized.” After being told that its app was in fact sending sensitive information “with a unique advertising identifier that can be matched to a device or profile,” the company changed its tune. Flo now says it will “substantially limit” its reliance on Facebook’s App Events analytics tool while a privacy audit is conducted.

Although one U.S. company went as far as to announce plans to sever its ties with the Facebook tool altogether, the situation could be even more serious in the European Union, where data sharing practices are highly regulated.

Frederik J. Zuiderveen Borgesius, a law professor at Radboud University in the Netherlands, told the Journal that their findings could indicate a violation of E.U. law.

“For the sensitive data, companies basically always need consent—likely both the app developer and Facebook,” Borgesius said.

For now, it is unclear whether any government will take action. The Federal Trade Commission and Facebook, however, are reportedly negotiating over a multibillion-dollar fine in regards to the social media site’s previous privacy violations.

READ MORE:

H/T the Wall Street Journal