Guide11 min read2,712 words

India's Data Protection Law (DPDPA) and Dating App Users

For years, Indian dating app users operated in a legal vacuum. Apps collected sensitive personal data -- sexual orientation, intimate photos, real-time GPS coordinates, private conversations -- with minimal regulatory oversight. Users had no standardized right to know what was collected, no enforcea

For years, Indian dating app users operated in a legal vacuum. Apps collected sensitive personal data -- sexual orientation, intimate photos, real-time GPS coordinates, private conversations -- with minimal regulatory oversight. Users had no standardized right to know what was collected, no enforceable mechanism to demand deletion, and no authority to complain to when things went wrong.

Data privacy India dating apps
Photo by Prithivi Rajan on Unsplash

That changed on November 13, 2025, when India's Digital Personal Data Protection Act (DPDPA) began its phased implementation. For the first time, Indian law grants dating app users a defined set of enforceable rights over their personal data. It also imposes significant obligations on dating platforms operating in India, with penalties reaching up to Rs 250 crore ($30 million) for non-compliance.

This guide explains how the DPDPA applies specifically to dating apps, what rights it gives you as a user, and how to exercise them.

What Is the DPDPA and When Does It Take Full Effect?

The Digital Personal Data Protection Act of 2023 (DPDPA) is India's first comprehensive data privacy law. Passed by Parliament in August 2023, it establishes rules for how companies collect, process, store, and delete the personal data of Indian residents.

Implementation timeline:

Phase Date What Takes Effect
Phase 1 November 13, 2025 Data Protection Board established; administrative provisions active
Phase 2 November 13, 2026 Consent Manager registration opens; consent management framework active
Phase 3 May 13, 2027 All provisions in force: consent requirements, privacy notices, security standards, full enforcement

Key terminology:

  • Data Principal: You -- the person whose data is being processed
  • Data Fiduciary: The dating app -- the entity that determines how and why your data is processed
  • Consent Manager: A registered intermediary that helps you manage, review, and withdraw consent across platforms
  • Data Protection Board of India (DPBI): The enforcement authority with the power to investigate complaints and impose penalties

Supratim Chakraborty, Partner at Khaitan & Co and a leading Indian data protection lawyer, has noted: "The DPDPA represents a fundamental shift. For the first time in India, the individual -- not the company -- is at the center of the data relationship. The burden of proof for lawful processing now sits squarely with the data fiduciary."

Why Dating Apps Face Unique Scrutiny Under DPDPA

The DPDPA applies to all digital personal data processed within India, regardless of the industry. But dating apps occupy a special position because of the nature and sensitivity of the data they handle.

Consider what a typical dating app collects from an Indian user:

  • Sexual orientation and gender identity -- data that carries social and even safety implications in many Indian contexts
  • Intimate photographs -- including face verification selfies that generate biometric data
  • Real-time GPS location -- precise enough, in some apps, to locate a user within feet
  • Private messages -- conversations about deeply personal topics: relationships, health, desires, fears
  • Behavioral data -- swipe patterns, time spent viewing profiles, login frequency
  • Financial data -- subscription payments, in-app purchases

Globally, regulators have already taken action against dating apps for mishandling exactly this type of data. Grindr was fined $6.5 million by Norway's data protection authority for sharing location data and HIV status with advertisers. Bumble paid a $32 million settlement for collecting biometric data without consent. The FTC sued OkCupid in March 2026 for secretly sharing 3 million user photos with a facial recognition company.

The DPDPA equips Indian regulators to pursue similar accountability for platforms operating in India.

Your Rights as a Dating App User Under DPDPA

The DPDPA grants data principals (users) six core rights. Here is how each one applies to dating apps specifically:

1. Right to Information (Section 6)

What it means: Before collecting your data, the dating app must clearly tell you what data it collects, why it collects it, how it will be processed, and who it will be shared with.

In practice for dating apps:

  • The app must explain why it needs your location (matching vs. advertising vs. analytics)
  • If photos are used for facial recognition verification, this must be explicitly disclosed
  • If data is shared with advertising partners, each category of sharing must be identified
  • Privacy policies must be in clear, plain language -- not buried in legal jargon

Current gap: Mozilla's 2024 review found that most dating apps use deliberately vague language about third-party sharing, employing terms like "trusted partners" or "business purposes" without naming recipients. The DPDPA's transparency requirements make this practice non-compliant.

2. Right to Consent (Section 6-7)

What it means: Your personal data can only be processed with your free, specific, informed, and unambiguous consent. Consent must be given for a specific purpose. You cannot be required to consent to data processing unrelated to the service.

In practice for dating apps:

  • A dating app cannot condition basic functionality on consent to advertising data sharing
  • Each type of processing (matching, analytics, advertising, AI training) requires separate consent
  • Pre-ticked boxes and bundled consent forms are non-compliant
  • Consent given during sign-up does not automatically cover new features introduced later (such as AI-generated messages trained on your conversations)

3. Right to Access (Section 11)

What it means: You can request a complete summary of all personal data the dating app holds about you, along with details of any third parties with whom it has been shared.

In practice for dating apps:

  • You can request copies of all photos, messages, behavioral data, location logs, and device information collected
  • The app must also disclose every third party that received your data
  • Under DPDPA Rule 14, the app must respond within 7 days of receiving a valid request

4. Right to Correction and Erasure (Section 12)

What it means: You can request correction of inaccurate data and erasure of data for which you previously gave consent.

In practice for dating apps:

  • You can demand deletion of your profile, photos, messages, behavioral logs, and biometric data
  • The app must erase data "without undue delay"
  • Deletion must extend to backup systems and archived data, not just the live database
  • If data was shared with third parties, the app must notify those parties of the erasure request

Critical limitation: The DPDPA allows retention of data required for legal obligations (financial records for tax purposes, data subject to law enforcement holds). However, "safety retention windows" of 3-12 months that have become industry standard may be challenged under DPDPA as disproportionate.

5. Right to Withdraw Consent (Section 6(6))

What it means: You can withdraw consent at any time, and the withdrawal must be as easy as giving consent was.

In practice for dating apps:

  • If you consented to location sharing, you must be able to withdraw that consent with equal ease -- not by navigating through 8 settings screens
  • Withdrawing consent for one purpose (advertising) must not affect the service for other purposes (matching)
  • The app must stop processing your data for the withdrawn purpose within a reasonable timeframe

6. Right to Grievance Redressal (Section 13)

What it means: Every data fiduciary must appoint a Data Protection Officer and provide a grievance redressal mechanism. If unsatisfied, you can escalate to the Data Protection Board of India.

In practice for dating apps:

  • The app must provide a clear channel (not just a generic support email) for data-related complaints
  • Complaints must be acknowledged and addressed within defined timelines
  • If the app does not resolve your complaint, you can file directly with the DPBI

Law is one thing — felt experience is another:

Penalties Dating Apps Face for Non-Compliance

The DPDPA imposes graduated penalties based on the nature and severity of the violation:

Violation Maximum Penalty
Failure to implement security safeguards Rs 250 crore ($30M)
Failure to notify the Board and users of a data breach Rs 200 crore ($24M)
Violations related to children's data Rs 200 crore ($24M)
Non-compliance with Data Principal rights Rs 50 crore ($6M)
Failure to appoint a Data Protection Officer Rs 50 crore ($6M)
Non-compliance by Consent Managers Rs 50 crore ($6M)

The Data Protection Board considers seven factors when determining penalty amounts: the nature, gravity, and duration of the violation; the type and sensitivity of data affected; repetitive nature; whether the fiduciary made gains from the violation; mitigation efforts; and the fiduciary's financial condition.

Rahul Matthan, technology lawyer and author of Privacy 3.0, has stated: "The Rs 250 crore penalty cap gets attention, but the real enforcement power lies in the Board's investigative authority. For the first time in India, a regulatory body can demand detailed technical audits of how dating apps handle personal data."

How Indian Dating App Users Can Exercise Their DPDPA Rights

Step 1: Identify Your Data Fiduciary

Determine which entity operates the dating app. For global apps, the Indian subsidiary or the entity that processes Indian user data is the data fiduciary. Most privacy policies now include a section identifying the data fiduciary and the appointed Data Protection Officer.

Step 2: Submit a Formal Data Access Request

Write to the Data Protection Officer requesting:

  • A complete summary of all personal data held about you
  • Details of all third parties with whom your data has been shared
  • The purpose for which each category of data is processed
  • The retention period for each category

Cite Section 11 of the DPDPA and Rule 14, which requires a response within 7 days.

Step 3: Review and Act on the Response

Compare the data disclosed with what you expected. Common discoveries include:

  • Location data retained for longer than expected
  • Behavioral data (swipe patterns, session logs) you did not know was collected
  • Third-party sharing you were unaware of

Step 4: Submit Correction or Erasure Requests

Based on your review, submit specific requests:

  • Erasure of all data for which you are withdrawing consent
  • Correction of any inaccurate information
  • Deletion from third-party systems where your data was shared

Step 5: Escalate if Necessary

If the dating app does not respond within 7 days, or if the response is inadequate, file a complaint with the Data Protection Board of India. The Board has the authority to investigate, order compliance, and impose penalties.

What the DPDPA Does Not Cover (Yet)

The DPDPA is a significant step forward, but it has gaps that affect dating app users:

  • Anonymized data is excluded from the Act. If a dating app strips your name from your behavioral data and sells the patterns to advertisers, this may fall outside DPDPA's scope -- even though re-identification is often technically feasible.
  • Employee data of dating app companies is covered differently, which affects transparency about internal access to user data.
  • Cross-border data transfers are regulated but not prohibited. Dating apps can transfer Indian user data to overseas servers, subject to conditions the government will notify.
  • Algorithmic transparency is not addressed. The DPDPA does not require dating apps to explain how matching algorithms work or whether they perpetuate bias.

Choosing Apps That Align with DPDPA Principles

The DPDPA establishes a legal floor, not a ceiling. Apps can and should exceed minimum compliance. When evaluating dating apps as an Indian user, look for platforms that:

  • Practice data minimization -- collecting only what is necessary to provide the service
  • Offer granular consent controls -- separate permissions for location, photos, messaging, analytics, and advertising
  • Provide clear, accessible privacy policies -- in plain language, not legal boilerplate
  • Enable easy data access and deletion -- within the app, not through a buried email address
  • Have a documented security architecture -- transparency about encryption, access controls, and breach response

Platforms like Hidnn that build privacy into their architecture from the ground up are naturally aligned with DPDPA principles, because data minimization and user control are structural rather than retroactive.

Frequently Asked Questions

Does the DPDPA apply to dating apps headquartered outside India?

Yes. The DPDPA applies to any entity that processes the personal data of individuals within India, regardless of where the company is headquartered. Tinder, Bumble, Hinge, OkCupid, and other global platforms are all subject to the Act when processing Indian user data.

Can I use DPDPA to find out if a dating app shared my data with advertisers?

Yes. Under Section 11, you have the right to request a summary of all personal data processed about you and the identities of all third parties with whom it was shared. The dating app must respond within 7 days under Rule 14.

What should I do if a dating app refuses to delete my data?

First, document your request and their refusal (or non-response). Then file a complaint with the Data Protection Board of India. The DPBI has the authority to investigate, order compliance, and impose penalties up to Rs 50 crore for non-compliance with Data Principal rights.

Does the DPDPA protect my photos on dating apps?

Yes. Photos constitute personal data under the DPDPA. If photos are used for facial recognition verification, the biometric data generated is also covered. You have the right to request deletion of both your photos and any biometric data derived from them.

When will the DPDPA be fully enforceable?

The Act is being implemented in three phases. Phase 1 (administrative provisions) took effect on November 13, 2025. Consent Manager registration opens November 13, 2026. Full enforcement -- including all consent requirements, privacy notice obligations, and security standards -- takes effect on May 13, 2027.

Key Takeaways

  • India's DPDPA gives dating app users six enforceable rights: information, consent, access, correction/erasure, consent withdrawal, and grievance redressal
  • Penalties reach up to Rs 250 crore ($30M) for security failures and Rs 200 crore for breach notification failures
  • Dating apps must respond to data access requests within 7 days under Rule 14
  • Full enforcement begins May 13, 2027, but Phase 1 provisions are already active
  • The law applies to all dating apps processing Indian user data, regardless of where the company is headquartered
  • Data minimization and consent-based architecture are not just good practice -- they are becoming legal requirements

For the first time, Indian law recognizes that your dating app data belongs to you. The DPDPA does not just regulate companies -- it empowers individuals. The question is no longer whether dating apps should respect your privacy. It is whether they will comply voluntarily, or wait to be compelled.

Share this article

Back to all posts