
Aadhaar and Dating Apps: What You Should Know

Rohan Kapoor — Cybersecurity Consultant

By Rohan Kapoor

Cybersecurity Consultant · CISSP, CEH, M.Tech (IIT Delhi)

A young lawyer from Mumbai messaged me through a mutual friend last month. She had been asked to upload her Aadhaar on a matrimony app as part of a new verification feature, and she wanted to know whether it was safe, legal, and necessary. The short answers I gave her were: legal with conditions, moderately safe depending on which verification method is used, and almost never necessary. The long version is more useful, and it is what I want to walk through here because the Aadhaar question is going to come up for every Indian dating app user in 2026 as platforms roll out new verification features under DPDPA and the amended KYC rules.

This is a security briefing, not a legal opinion. I will flag where the law is unsettled.

Why Dating Apps Suddenly Want Your Aadhaar

Three pressures are pushing Indian dating apps toward Aadhaar verification in 2026. The first is the Intermediary Guidelines 2021, which require platforms to offer users voluntary verification and display a verification mark. The second is the DPDPA 2023, which treats identity verification as a legitimate basis for processing sensitive data under certain conditions. The third is commercial: fake profiles and bots have become the number-one complaint on Indian dating apps, and KYC is the only control that cleanly separates real humans from scripted fakes.

A 2025 Internet Freedom Foundation report found that 14 out of 22 leading Indian dating and matrimony platforms had introduced some form of Aadhaar-linked verification by Q4 2025, up from just 3 in 2023. Matrimony platforms lead the category, partly because traditional users expect formal verification, and partly because the legal and social stakes of a fake matrimony profile are higher than a casual dating match.

The pressure is real. But "the app wants my Aadhaar" is not the same as "the app has a legal right to my Aadhaar." The two sit in very different places under Indian law.

What the Law Actually Says

The Aadhaar Act 2016, amended by the Aadhaar and Other Laws Amendment Act 2019, creates three categories of entity that can request Aadhaar.

Category 1: Government entities using Aadhaar for subsidies, services, or benefits. Section 7 authorisation.

Category 2: Private entities using Aadhaar for a purpose notified by the Union government under Section 4(4)(b)(ii). This requires specific notification.

Category 3: Everyone else, who must rely on voluntary user consent and can only use offline Aadhaar verification methods, not the full authentication API.

Almost every dating app in India falls into Category 3. They do not have a Section 4(4)(b)(ii) notification, because the Ministry of Electronics and Information Technology has not issued one for consumer matching platforms. This means dating apps cannot legally plug into the UIDAI authentication API (the one that returns yes or no based on biometric or OTP). They can only use the offline verification method, which involves you downloading an Aadhaar XML or QR code and sharing it with the app.

This distinction is the single most important thing to understand. An app that asks you to enter your Aadhaar number and get an OTP is doing something different, legally and technically, from an app that asks you to upload an XML or a masked Aadhaar scan. The former is full authentication. The latter is offline verification. The former is usually illegal for a dating app. The latter is legal with your consent.

Supreme Court advocate Rahul Narayan, who argued parts of the Puttaswamy II case, has noted: "The post-Puttaswamy regime deliberately limited who can use Aadhaar authentication. A dating app that uses the full auth API without a notification is operating outside the statute."

The Three Verification Methods Apps Actually Use

Method A: Offline Aadhaar XML or QR. You download a password-protected XML from the UIDAI website, or share the QR on the back of your physical Aadhaar card. The app parses it to verify that the name and photo match. Legal. Moderately safe because you control what is in the XML and you can mask the number.

Method B: DigiLocker integration. The app links to your DigiLocker account and pulls your Aadhaar card from there. Legal. Safer than uploading a scan because DigiLocker handles the consent flow and the app receives a verified document rather than a raw image you might have edited.

Method C: Aadhaar OTP through a licensed KUA. The app routes the request through a KYC User Agency that does have authentication rights. This is legal if the KUA has proper licensing, but the dating app itself is essentially piggybacking on someone else's Aadhaar access. Some matrimony apps do this through a partnership with a licensed KUA. Safe in terms of UIDAI compliance, but it means your Aadhaar verification is now visible to both the app and the KUA.

Method D (illegal): Direct Aadhaar number entry and screen-scraping. Some apps ask you to type your 12-digit Aadhaar number directly and then claim to verify it through an undocumented API. This is illegal under Section 4(4)(b). If an app does this, do not use it.

What Happens to Your Aadhaar Data After Verification

Under Section 8A of the Aadhaar Act and the DPDPA's sensitive data provisions, an offline Aadhaar verification can be retained by the verifier for as long as necessary to fulfil the purpose. In practice, most apps retain the verification status (a boolean: verified or not) and the hash of the document, but not the full Aadhaar number.

The specific practice varies. The IFF 2025 audit found that 8 out of 14 verifying dating apps stored the full scanned document in their backend for at least 30 days. Four stored it for the lifetime of the account. Only 2 stored only the hash and a verified flag. The variation is not disclosed in most privacy policies, which is itself a DPDPA compliance risk.

If the dating app suffers a data breach, the difference between these retention practices is the difference between a minor privacy incident and a catastrophic Aadhaar leak. A full Aadhaar scan in a leaked database is directly usable for identity fraud, SIM swap attacks, and UPI fraud. A verified boolean is not.


What to Do Before You Share Aadhaar With Any Dating App

This is my standard client checklist for anyone considering Aadhaar verification on a dating or matrimony platform. Go through all five points before you upload anything.

1. Confirm the verification method. Read the privacy policy and the in-app verification flow carefully. Is it offline XML, DigiLocker, a licensed KUA, or direct number entry? Direct entry is a hard no.

2. Mask the Aadhaar number. The UIDAI offline XML download allows you to generate a masked Aadhaar where the first 8 digits are hidden. Use this. A masked Aadhaar is still a valid proof of identity but removes the most dangerous piece of data.

3. Check the retention policy. The privacy policy must specify how long your Aadhaar document is stored. If it does not, write to the grievance officer and ask in writing. Under DPDPA, they are required to respond.

4. Verify the grievance officer exists. Every Indian intermediary must publish grievance officer contact details. If the email bounces or the name is blank, the app is non-compliant and you should not trust them with sensitive data.

5. Use a verified app store listing. Download the app only from the official Apple App Store or Google Play listing. Side-loaded APKs can be tampered with to exfiltrate the Aadhaar scan. This has actually happened in India, most recently in the 2024 fake matrimony app fraud traced to a Noida call centre.

Red Flags That Should Stop You From Verifying

  • The app asks for your Aadhaar number during initial signup, before you have tried the service
  • The verification is mandatory and cannot be skipped
  • The app asks for a selfie with your Aadhaar card
  • The grievance officer email is a free-email address (gmail, yahoo, hotmail)
  • The privacy policy does not mention Aadhaar specifically
  • The app stores your Aadhaar scan in a third-party cloud without specifying the provider
  • The app is not listed on the official app store

Any two of these together is a walk-away signal. A selfie with Aadhaar is the single highest-risk request because it bundles two authentication factors into one image and it is the format most commonly used in Indian sextortion and blackmail cases. The Gurugram Police cybercrime unit filed 167 FIRs in 2024 involving a "selfie with ID" extortion scam, many of them traced back to fraudulent apps that collected the ID for exactly this purpose.

The Privacy-First Alternative

The best Aadhaar verification practice for dating apps is the one that does not involve sharing your Aadhaar with the dating app at all. DigiLocker-based verification, where you link once and the app receives a verified attestation without ever holding your scan, is the cleanest architectural answer. Privacy-focused Indian dating apps like Hidnn take this one step further by minimising the verification data stored to just a boolean verified flag and a hash, so a breach exposes nothing useful about you.

The question to ask is not "will you store my Aadhaar securely" but "why do you need to store my Aadhaar at all." A well-designed system verifies once and forgets.
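The retention contrast described above (full scan kept versus a verified flag plus a hash) and the masking step from the checklist, as an added example that is not code from any app or from UIDAI. The record layout, the function names, the sample document and the use of a keyed HMAC-SHA256 digest in place of a bare hash are assumptions of this sketch; the verification outcome is passed in rather than computed.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed demo key (assumption): a real service keeps this in a secrets manager.
DIGEST_KEY = b"constructed-demo-key"

# 12 digits in 4-4-4 groups, optionally separated by a space or hyphen.
AADHAAR_SHAPE = re.compile(r"(?<!\d)\d{4}[ -]?\d{4}[ -]?(\d{4})(?!\d)")


def mask_aadhaar(text: str) -> str:
    """Hide the first 8 digits of every Aadhaar-shaped number in text."""
    return AADHAAR_SHAPE.sub(lambda m: "XXXX XXXX " + m.group(1), text)


def full_retention_record(user_id: str, document: bytes, verified: bool) -> dict:
    """The risky pattern: the raw document is kept next to the result."""
    return {"user_id": user_id, "verified": verified,
            "scan": document.decode("utf-8")}


def minimal_record(user_id: str, document: bytes, verified: bool) -> dict:
    """Verify once and forget: keep the flag and a keyed digest only."""
    digest = hmac.new(DIGEST_KEY, document, hashlib.sha256).hexdigest()
    return {"user_id": user_id, "verified": verified, "doc_digest": digest,
            "verified_at": datetime.now(timezone.utc).isoformat()}


def fields_exposing(record: dict, aadhaar_number: str) -> list:
    """Names of stored fields from which the full number can be read back."""
    wanted = re.sub(r"\D", "", aadhaar_number)
    return [name for name, value in record.items()
            if isinstance(value, str) and wanted in re.sub(r"[ -]", "", value)]


# Constructed sample document; the number is made up and not a real Aadhaar.
SAMPLE_NUMBER = "2345 6789 0123"
SAMPLE_DOC = f"name=Asha Rao;uid={SAMPLE_NUMBER};yob=1994".encode()

if __name__ == "__main__":
    print(mask_aadhaar(SAMPLE_DOC.decode()))
    print(fields_exposing(full_retention_record("u1", SAMPLE_DOC, True), SAMPLE_NUMBER))
    print(fields_exposing(minimal_record("u1", SAMPLE_DOC, True), SAMPLE_NUMBER))
```

Masking the document before sharing it limits the damage even when the app keeps the scan, which is why the checklist puts masking ahead of the retention question.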

Frequently Asked Questions

Is it legal for a dating app to ask for my Aadhaar?

Yes, as long as the verification is voluntary and uses an offline method or a licensed KUA. A dating app cannot use the full UIDAI authentication API unless it has a specific government notification, which consumer dating platforms currently do not have.

Can a dating app share my Aadhaar with the government?

Only under a specific legal process, such as a court order or a request under Section 33 of the Aadhaar Act. Routine sharing is not allowed. The DPDPA Section 17 exemptions for State functions create some ambiguity, but routine disclosure to agencies is not permitted under current rules.

What if I already shared my full Aadhaar with a dating app?

Write to the app's grievance officer and request deletion of the scan under your DPDPA right to erasure. If they refuse or fail to respond within 30 days, escalate to the Data Protection Board. You should also consider locking your biometrics in the UIDAI portal to prevent Aadhaar-based authentication, which you can do at mAadhaar or the UIDAI website.

Is DigiLocker safer than uploading an Aadhaar scan?

Yes. DigiLocker verifies identity without sharing the raw document with the requesting app. The app receives a cryptographically signed attestation. This is the recommended architecture under MeitY's own guidance.

Can someone misuse my Aadhaar if a dating app is breached?

Yes. A full Aadhaar scan in a breach dump can be used for SIM swap attacks, fake bank account openings, and impersonation. This is why retention matters more than any other control. If the app only stores a boolean and a hash, a breach is much less damaging.

Do This Now

  • Check every dating or matrimony app on your phone for an Aadhaar verification prompt
  • Where possible, use DigiLocker-based verification
  • Generate a masked Aadhaar XML before sharing any offline document
  • Lock your Aadhaar biometrics at the UIDAI portal if you rarely use biometric auth
  • Write to any app that has your full Aadhaar scan and request deletion under DPDPA

Your Aadhaar is the foundation of your Indian digital identity. Every place you share it becomes a point of failure. Choose those points carefully, and for dating apps, the best choice is almost always not to share it in the first place.
