Menstrual cycle tracking applications (‘apps’) are smartphone or tablet apps that allow users to log data pertaining to their period. Using a lens of privacy focussed on intimacy, we argue that the control-based harms and intimate harms emerging from these apps require moving from an information privacy law model based on control to one that acknowledges the deeper connection between intimacy and privacy. We examine the privacy policies of 20 menstrual cycle tracking apps to investigate how the control-based protections of the Privacy Act apply. Our findings demonstrate that there are many deficiencies in app privacy policies, which give rise to critical questions about the application of the Australian Privacy Act’s control approach. We argue that the current gender-agnostic control approach of information privacy law does not adequately protect app users and their intimate information. Intimate harms rethink the application of information privacy law by extending its reach beyond the traditional control harms contemplated by the Act and examine how menstrual cycle tracking apps disrupt users’ intimate spheres and relationships. To adequately protect app users from these deeper intimate harms, we contend that information privacy law must move beyond the procedural-based control approach to an information privacy model that is relational, context-dependent and acknowledges the connection between intimacy and privacy.