Revealed: Grindr is sharing the HIV status of users with outside companies

Grindr, the gay dating app

Gay dating app Grindr is sharing the HIV status of its users with outside firms, it has been revealed.

A Norwegian nonprofit has discovered that the information is being shared with two private companies that help “optimise” apps, Localytics and Apptimize.

The information also includes users’ screen names, GPS data, email address and phone ID.

Grindr (Leon Neal/Getty Images)

(Leon Neal/Getty Images)

“Thousands of companies use these highly-regarded platforms. These are standard practices in the mobile app ecosystem,” Grindr Chief Technology Officer Scott Chen told BuzzFeed, who verified the claims.

“No Grindr user information is sold to third parties. We pay these software vendors to utilise their services.”

“The limited information shared with these platforms is done under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.”

A recent push to encourage people to share their HIV status and when they were last tested made no clear mention that the data will be shared with outside companies.

Grindr’s privacy policy warns users that information shared on the platform can be disclosed.

Grindr Founder Joel Simkhai was bought out by Chinese investors last year (Photo by Alberto E. Rodriguez/Getty Images)

RELATED: C*ckblocked: Grindr has blocked you from seeing who blocked you

James Krellenstein, a member of ACT UP New York, told BuzzFeed: “To then have that data shared with third parties that you weren’t explicitly notified about, and having that possibly threaten your health or safety — that is an extremely, extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community.”

The company also shares users’ sexual orientation, relationship status, “tribe,” and ethnicity with the companies if the information is listed in their profile.

It is the latest Grindr security flaw to be exposed in the past month after it was revealed location data is being shared, even when users opt out.

The security flaws were discovered by Trevor Faden after he created C*ckblocked, a website that enabled Grindr users to find out who had blocked them.

In order to take advantage of the feature, users were made to enter their username and password.

Once they had, Mr Faden was able access a large amount of private data, including unread messages, deleted photos and user location data.

Scott Chen, CTO of Grindr, told PinkNews: “As a company that serves the LGBTQ community, we understand the sensitivities around HIV status disclosure. Our goal is and always has been to support the health and safety of our users worldwide.

“Recently, Grindr’s industry standard use of third party partners including Apptimize and Localytics, two highly-regarded software vendors, to test and validate the way we roll out our platform has drawn concern over the way we share user data.

“In an effort to clear any misinformation we feel it necessary to state:

“1. Grindr has never, nor will we ever sell personally identifiable user information – especially information regarding HIV status or last test date – to third parties or advertisers.

“2. As an industry standard practice, Grindr does work with highly-regarded vendors to test and optimize how we roll out our platform. These vendors are under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.

“3. When working with these platforms, we restrict information shared except as necessary or appropriate. Sometimes this data may include location data or data from HIV status fields as these are features within Grindr, however, this information is always transmitted securely with encryption, and there are data retention policies in place to further protect our users’ privacy from disclosure.

“4. It’s important to remember that Grindr is a public forum. We give users the option to post information about themselves including HIV status and last test date, and we make it clear in our privacy policy that if you chose to include this information in your profile, the information will also become public. As a result, you should carefully consider what information to include in your profile.

“As an industry leader and champion for the LGBTQ community, Grindr, recognizes that a person’s HIV status can be highly stigmatized but after consulting several international health organizations and our Grindr For Equality team, Grindr determined with community feedback it would be beneficial for the health and well-being of our community to give users the option to publish, at their discretion, the user’s HIV Status and their Last Tested Date. It is up to each user to determine what, if anything, to share about themselves in their profile.

“The inclusion of HIV status information within our platform is always regarded carefully with our users’ privacy in mind, but like any other mobile app company, we too must operate with industry standard practices to help make sure Grindr continues to improve for our community. We assure everyone that we are always examining our processes around privacy, security and data sharing with third parties, and always looking for additional measures that go above and beyond industry best practices to help maintain our users’ right to privacy.”

Bryan Dunn, VP of Product at Localytics, said: “Localytics is an app marketing platform that provides messaging and analytics tools to large enterprise companies. The information customers choose to send is stored and processed in our production systems, which meet industry security standards, including ISO27001, SSAE16-SOC1/2/3, FISMA and others. Localytics strictly controls all access to production systems, and leverages appropriate security controls to protect all customer data.

“Under no circumstances does Localytics automatically collect a user’s personal information, nor do we require personal information in order for our customers to get the benefits from using our platform. It is up to each customer to determine what information they send to Localytics, and Localytics processes that data solely for the customer’s use. We do not share, or disclose, our customer’s data.”