My GDPR Complaint Against Tinder (MTCH Technology Services)

Published in

PersonalData.IO

5 min readAug 9, 2019

There is much speculation about the data technology companies collect on us and what they do with it, including countless theories on unethical practices. What does Tinder infer when two users’ phones are in the same location? Do they track how long the phones stay in the same place for and any joint change of location? Do they analyse user sentiment and sense of humour?

However, theoretically, we shouldn’t have to speculate, because us Europeans all have the right to know. This article gives an account of my attempt to find out exactly what data Tinder collected on me, processed and stores.

In May 2018 the General Data Protection Regulation (GDPR) was fully implemented across the EU, following a two year grace period. It is thought to fundamentally reshape the way in which data is handled across every sector, from advertising to banking to healthcare to… dating.

The European Commission plainly details the rights for citizens under GDPR. Particularly interesting in the context of my quest for truth are the right to information about the processing of my personal data and the right to obtain access to the personal data held about me. There should be intriguing personal data galore that Tinder collected and processed as well as information on who this data has been shared with and for what reasons. In their privacy policy, Tinder lists numerous pieces of information they collect on users, including “your precise geolocation” the collection of which “may occur in the background even when you aren’t using the services”. On the same page, they state that they use the collected information to “conduct research and analysis of users’ behavior”. On their blog, Tinder states that “our current system adjusts the potential matches you see each and every time your profile is Liked or Noped” and that “Tinder matches you, using your recent activity, your preferences and your location”.

I requested to be provided with all of the information collected on me. However, as you can see on the screenshots presented in this blog post from 2018, Tinder gives you almost none of it. So instead, I tried to exercise my rights by continuously engaging with Tinder via email over several months requesting all of the data they hold on me. Since all I got was a number of unsatisfactory responses, I raised a GDPR complaint against Tinder. Or to be precise, against MTCH Technology Services, a Dublin based company acting as the data controller for Tinder, OkCupid, Plentyoffish and other companies.

Timeline of Events

2 June 2018 – I submitted my Subject Access Request (SAR) to Tinder via email.
8 June 2018 – Tinder responded to my SAR, informing me that I could download my personal information from their website.
10 June 2018 – I informed Tinder that I was not satisfied with their response to my SAR. I stated that I only received a subset of the information I believe it holds in regard to myself.
11 June 2018 – Tinder replied stating that they could not provide me with information in relation to other users.
11 June 2018 – I replied to Tinder stating that I did not wish to access third party data. I stated I wanted to be provided with all the information Tinder’s privacy policy states that they hold including but not limited to device information and geolocation history.
3 July 2018 – After the statutory delay of 30 days, I submitted my complaint to the Information Commissioner’s Office (ICO) in the UK, where I live.
17 September 2018 – The ICO let me know that the organisation I have raised a complaint about has its main establishment in Ireland and therefore would fall under the Irish supervisory authority.
25 February 2019 – I submitted my complaint to the Data Protection Commission (DPC) Ireland.
16 May 2019 – The DPC accepted my case and assigned an Assistant Commissioner.
17 May 2019 – The DPC got in touch with Tinder to inform them that they act as the Lead Supervisory Authority in relation to my complaint.
29 May 2019 – Tinder replied with a wordy letter stating they are happy to co-operate followed by three pages making a case for having “provided the data subject with access to the relevant personal data”.

In summary, for the last 13 months, Tinder got away with claiming to have given me all of my data. The following quote from their letter illustrates their stance and overarching argument:

Requests outside Scope of Right of Access
As with any right, a data subject’s right of access is not without restrictions. In this case, we provided the data subject with a significant amount of statistical data so that he could understand how he used the Tinder app (on any given date: how many times he opened the app, how many times he liked other users, passed other users, matched with other users, how many messages he sent and how many messages he received). Requests for further granular information would far exceed the scope of the right of access under the GDPR, and it would not be reasonable or proportionate for Tinder to be obliged to search for, structure and provide this information.

If this is all it takes to rebut a GDPR complaint, then the regulation seems to have failed its purpose.

Can you help?

I am hopeful that with the help of the Irish Data Protection Commissioner I will, at some point, be able to exercise my rights. Speaking on the phone to them today 9 August 2019, they said they’d be able to give me an update on my case within 2 weeks.

However, I’d be grateful for any help to support my case. If you are, or have connections to, an activist, journalist, lawyer or data expert and think that you can help my case in any way, please do get in touch.