The gay dating app Grindr is sharing its users’ HIV status with third-party companies, according to a BuzzFeed News report published on Monday. Grindr confirmed the accuracy of the report with CNET.
The app includes sensitive health information along with a person’s GPS data, phone ID and email, and sends it to Apptimize and Localytics, both companies that optimize apps.
Norwegian internet research organization Sintef first pointed out the issue. It noted that some of the information (not including one’s HIV status) was being shared in easily hackable plain text — including a user’s GPS location, gay subculture, sexuality, relationship status, ethnicity and phone ID.
Grindr Chief Technological Officer Scott Chen said in an emailed statement that the company understands the sensitivities around HIV status disclosure and does not sell personally identifiable user information to any third parties or advertisers.
“As an industry standard practice, Grindr does work with highly regarded vendors to test and optimize how we roll out our platform. These vendors are under strict contractual terms that provide for the highest level of confidentiality, data security and user privacy,” Chen said.
He adds that while location data, HIV status fields and other features within Grindr are at times shared with these vendors, they are transmitted with encryption. Grindr’s data retention policies further protect against the possibility of disclosure. Users also have the option to not disclose information like their HIV status, and Chen notes that choosing to place it in one’s profile does make the information public.
Bryan Dunn, the VP of product at Localytics, said the information his company receives meets industry security standards and his company strictly controls all access to its production systems.
“Under no circumstances does Localytics automatically collect a user’s personal information, nor do we require personal information in order for our customers to get the benefits from using our platform,” Dunn said.
Facebook is currently dealing with the fallout ofacquiring 50 million user profiles’ worth of data from a service that wasn’t authorized to share it. and vowed to change how companies collect data over the social network. This includes a tool that will require marketers to certify they received permission from users before using emails to target advertising.
CNET has reached out to Apptimize for comment and will update this story upon hearing back.
First published April 2, 12:53 p.m. PT.
Update, 2:03 p.m. PT: Adds comment from Grindr and Localytics.