Ghosts in the machine: Dating apps and the DPDP Act

In today's age of hyperconnectivity, our digital trails stretch long and wide. Applications like Bumble, Tinder, Hinge and OkCupid have become the digital gatekeepers of romance.

Convenience, compatibility and connection are the three Cs that they guarantee - characteristics that users look for both inside and outside of these applications. When the user stops swiping, there is cause for concern. Does the digital footprint vanish if they delete the app or pause their profile? Sadly, the solution is anything but romantic.

India's Digital Personal Data Protection Act, 2023 and the Data Protection Rules, 2025 are set to bring comparable protections to India, keeping the Europe's General Data Protection Regulation's established international standards for data privacy enforcement as a precedent. We need to examine how dating apps track users even after they leave and what the DPDP Act and the Rules mean for that digital trail, to understand why this is important.

Many dating apps continue to collect and process residual data even after users delete or deactivate their profiles. Device identifiers, background location signals, behavioural profiles derived from previous in-app activity and metadata previously shared with analytics partners and advertisers are all included.

The main problem is not just that this data exists, but also that users are rarely informed about how long it will be kept, why it must be kept, or what will happen to it after they stop using the app.

Deleting the profile or uninstalling the app does not guarantee privacy because platforms rely on broad categories such as business continuity, fraud prevention or legal compliance without explaining retention timelines. This makes the "deleted" profile far more alive than the user expects.

Dating apps use a series of technical tools that allow tracking to persist beyond deletion:

• Cookies and SDKs continue transmitting usage information to analytics and advertising networks unless manually cleared or disabled.

• Shadow profiles allow apps to retain user data in an archive, often justified as a safeguard against re-registration fraud or duplicate accounts.

• Cross-app tracking through advertising identifiers enables platforms to recognise users across other apps, even without an active dating profile.

• Third-party sharing means data given to advertisers or affiliates may stay on external servers indefinitely.

The result is an ecosystem where uninstalling the app removes only the visible interface. The underlying data flows often continue.

India's Digital Personal Data Protection Act, 2023 and Data Protection Rules, 2025 fundamentally change how such practices must operate. They directly affect dating apps by introducing enforceable user rights and fiduciary obligations.

Section 12: Right to erasure

Unless retention is mandated by law, the platform must delete personal data upon a user's request or upon account deletion. It may be illegal to continue processing or storing data without a good reason. The practice of keeping shadow profiles or extensive, ambiguous retention archives is directly challenged by this right.

Section 6: Limitation of purpose

Only the specific purpose for which the user has given permission - matchmaking in this case - may be used by apps to process personal data. This principle is violated when users are tracked after deletion or for irrelevant advertising. The Act narrows the scope for vague justifications and makes retention without purpose unlawful.

Section 8: Data fiduciary obligations

As data fiduciaries, businesses such as Bumble, Hinge and Tinder are required to ensure the accuracy, security and lawful processing of user data. It may be unlawful to retain deleted or inactive profiles without permission or a valid reason. The fiduciary standard firmly transfers accountability to the platform.

Section 9: Data security and breach notification 

Dating applications must make sure to put forth necessary security protocols and notify users in case of any security breaches. This provision makes sure that responsibility is taken in case of data breaches.

Section 16: Cross-border data transfer

Only government-approved jurisdictions may receive personal data under the Act. This makes sure that boundaries are set for international data flow along with the adherence of the Indian framework.

Schedule I: Sanctions

If reasonable security or data protection measures are not implemented, the Act imposes severe financial penalties that could reach ₹250 crore. Practices involving the silent retention of deleted user data are strongly discouraged as a result.

Although the DPDP Act and the Rules strengthen rights, people can take proactive measures:

• Use the app deletion options and request confirmation to ensure that your profile and data are removed.

• To reduce background data collection, turn off cross-app tracking and ad personalisation on your device.

• To keep an eye on what data is stored, request regular data access reports via the app's privacy settings.

• Steer clear of using social media accounts to log in, as this can unnecessarily increase your online presence.

• Enhanced control: Users are given legally enforceable rights to data deletion and transparency about the data lifecycle.

• Less shadow tracking: By offering legal explanations for their retention, platforms must minimise shadow profiles and hidden archives.

• Safer ecosystem: Stricter security regulations and breach alerts protect users from secret misuse or leaks.

• Global impact: India's framework raises compliance standards for foreign platforms operating in the nation by aligning with GDPR-like safeguards.

Compliance under the DPDP Act will require dating apps to adopt transparent deletion and retention policies, minimise data collection and ensure consent-based processing at every stage. They will have to audit third-party processors, improve grievance redressal systems and revamp data ecosystems that presently rely on vague and general retention policies. Dating apps must incorporate data dignity into their product architecture in order to fulfil their promise of being safe places for deep connections.

Love in the digital age might begin with a swipe. That swipe should not be the end of privacy. Dating platforms need to go beyond simple compliance and treat digital trust as a key component of the user experience as India enters a regulated data environment. Users should be confident that erasing a profile genuinely closes the chapter and consent must remain important even after the relationship ends.

Nandita Goyal is a practicing advocate and marketing executive based out of Surat.

Archit Vyas is a practising advocate based out of Ahmedabad.

Views and opinions expressed are personal.