The core tension is structural. Dating apps need your real location to show you nearby people, need sensitive attributes to match you, and are mostly free, which means the business runs on subscriptions plus advertising. Sensitive data plus an adtech revenue stream is a combination with a known failure mode, and in this industry the failures have names and dates.
The documented record
In January 2020, the Norwegian Consumer Council published "Out of Control," a technical study of data flows from popular apps. It found Grindr, OkCupid, and Tinder transmitting user data, including GPS position and, in Grindr's case, the fact of using a gay dating app at all, to dozens of advertising and profiling companies. The Norwegian data protection authority followed up with a fine of 65 million kroner against Grindr for sharing personal data without valid consent, one of the largest GDPR penalties issued in Norway.
Two years earlier, researchers and journalists had shown Grindr sharing users' HIV status and last-tested date with two third-party app-optimization vendors. The company stopped after publication. The data had been flowing as an ordinary analytics integration, which is the recurring pattern: the leak is rarely a hack, it is a product decision that nobody framed as one.
Then there is the resale path. In 2021, a Catholic newsletter identified a senior US priest as a Grindr user by buying commercially available app location data and correlating device movements with his home and workplaces. Nobody breached anything. The signal had passed from the app into the advertising ecosystem, where a buyer with a target in mind could purchase it. Our post on location data brokers covers that market in detail; dating apps are among its most consequential sources because the app's identity is itself a sensitive fact.
With most apps, leaked metadata reveals what you did. With dating apps, the mere presence of the app on your device reveals orientation, relationship status, or religious affiliation, depending on the platform. In countries where homosexuality is criminalized, that single bit has gotten people arrested. Grindr disabled distance display in several such countries for exactly this reason.
Location: the feature that doubles as a tracking system
Distance display, the "2 km away" line, has repeatedly been shown to enable trilateration. If an app reports your distance precisely, an attacker can query it from three spoofed positions and solve for your location, the same geometry GPS uses. Security researchers demonstrated this against Grindr as far back as 2014, and a 2024 study by researchers at KU Leuven found that several major dating apps still leaked locations precise enough to pinpoint users, through exact-distance oracles in their APIs. The fixes are known, mainly snapping reported distances to a coarse grid, and apps have generally adopted them only after publication.
Even with trilateration fixed, the app itself holds your position history, and so does every SDK inside it with location access. On the device side you can deny precise location and grant only approximate location, which both iOS and Android support per-app; matching still works at neighborhood granularity. Our guide to mobile app permissions walks through the mechanics.
Messages on dating platforms are not private
Conversations on mainstream dating apps are not end-to-end encrypted. They are stored on the operator's servers in a form the operator can read, which means they are readable by staff under whatever internal policy applies, discoverable in legal process, and exposed in a breach. People routinely move from small talk to deeply personal territory in these chats while assuming an intimacy the architecture does not provide.
The practical rule: treat a dating app conversation like a postcard with a customer-service department reading over your shoulder. When a conversation becomes real, move it to a channel where end-to-end encryption means the operator cannot read it, and be deliberate about what identity you hand over when you move. A phone number is a durable, searchable identifier; an email alias or a messenger username that is not your phone number gives a new acquaintance less to work with. This is the same reasoning as our doxxing protection guide: control how linkable your identities are before there is a problem, not after.
Dating with less exposure
- Use photos that exist nowhere else. Reverse image search connects a dating profile photo to your LinkedIn or Instagram in seconds. Fresh photos break that link.
- Keep the biography vague on employers and neighborhoods. First name, general area, real interests. Specific workplace plus specific gym is an address.
- Grant approximate location only, and deny background location. Distance matching does not need your exact coordinates.
- Reject ad personalization in the app's settings where offered, and assume analytics sharing continues regardless.
- Move real conversations to an end-to-end encrypted channel, using an identifier you can retire if the person turns out to be someone you want distance from.
- Delete the account, not just the app, when you are done. Uninstalling leaves the profile and message history live on the servers. Use the in-app deletion flow, and where GDPR or state privacy laws apply to you, follow with an erasure request.
None of this requires abandoning online dating, which for many people is simply how dating works now. It requires noticing that a dating platform is a database of the most compromising facts about you, operated under advertising economics, with a documented history of letting those facts leak sideways. Share accordingly, and keep the parts of the conversation that matter on infrastructure that was designed to not know what you said.