On a recent Sunday, creative director Jason Debiak was having breakfast with his family in New Jersey, when something strange happened.

“I was having an adorable breakfast with my family, my 2-year-old daughter and my wife,” he says. “Something came up [on my phone] and I usually try not to check my email, but I checked my email and it said, ‘You have 10 new matches on Match.com.’ I was like... what?”

Debiak’s long-forgotten — and, he assumed, long-deleted — dating profile from over a decade ago had suddenly been reactivated. “I log in, and there I am, from 15 years prior, with less gray hair,” he said. “And my whole profile is there, everything.” Judging by the messages he received, Debiak says it seemed like the account had been reopened for about a week.

“I contacted customer service, and they said, ‘Oh, we’re sorry you got email notifications. We’ll turn off email notifications,’” Debiak said. “And I was like, ‘No, you don’t understand. Not only do I not want email notifications — I don’t want to be on your website, ever.’”

“I don’t want to be on your website, ever”

A Match Group spokesperson confirmed that a “limited number” of old accounts had been accidentally reactivated recently and that any account affected received a password reset. Match.com’s current privacy statement, which was last updated in 2016, says that the company can “retain certain information associated with your account” even after you close it. But that Match Group spokesperson also told The Verge that the company plans to roll out a new privacy policy “in the next month or so,” in order to comply with the EU’s General Data Protection Regulation (GDPR); under the new policy, all those years-old accounts will be deleted. The Verge has requested clarification on which accounts will qualify for deletion, and what “deletion” will specifically entail, but has not received a response as of press time.

In the past, it hasn’t been uncommon for dating websites to use and retain your data for research, marketing, or, as Match.com’s current privacy policy says, “record-keeping integrity.” In a 2009 ComputerWorld report, eHarmony’s then-VP of technology Joseph Essas said, “We have an archiving strategy, but we don’t delete you out of our database. We’ll remember who you are.” Herb Vest, the founder and CEO of the now-defunct dating website True.com, said in the same report: “The data just sits there.” Even if the profile reactivations were just a glitch in Match’s system, they’re a stark reminder that the internet doesn’t easily forget.

Although there is no federal data destruction law in the US, 32 states — including Texas, where Match Group is headquartered — have data disposal laws that require “entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” In addition to that, 13 states, also including Texas, have laws that require private companies to maintain reasonable cybersecurity practices. If that sounds vague, that’s because it is. “A lot of this is still, I don’t want to call it amorphous, but it’s still being defined, frankly,” explains Scott Shackelford, an associate professor and Cybersecurity Program chair at Indiana University-Bloomington. “What ‘reasonable’ is, is a moving target.”

But that doesn’t change the fact that many former Match.com users feel blindsided by this, not to mention misled by Match. It’s not clear how many people saw their years-dormant Match.com profiles reactivated recently, but it’s not hard to find complaints about the ghost profiles online.

First launched in 1993, Match.com has since become a dating behemoth. Its parent company, Match Group, now owns dating apps like OkCupid, PlentyofFish, and Tinder. (It reportedly tried to buy Bumble last year, and it’s now embroiled in a messy lawsuit with the app involving trade secrets and intellectual property.) OkCupid allows users to delete or disable their accounts but still retains data. PlentyofFish and Tinder’s privacy policies both claim to retain data “only as long as we need it for legitimate business purposes and as permitted by applicable legal requirements.” Tinder, like Match.com. also notes it will “retain certain data” after you close your account.

“There probably are good reasons to keep deleted profiles for some period of time — for example, to prevent or detect repeat users or fake users, etc,” Albert Gidari, consulting director of privacy at the Stanford Center for Internet and Society, wrote in an email. “But that doesn’t mean forever.”

Data is forever

Rob P., who had been an active online dater since around 2005, recently had his Match.com profile resurface, even though he’s engaged now. And his experience with Match.com’s customer service after the fact was frustrating. He just wanted someone to delete his profile, but no one would do it. “They kept using terminology that was... not saying it’s permanently deleted, just ‘unviewable’ or ‘inaccessible,’” he says. “And I kept saying, ‘It needs to be deleted.’”

Match Group has run into complaints about this before. A class action lawsuit filed in 2010 by former subscribers claimed that Match.com was trying to deceive users by keeping inactive and fraudulent accounts viewable. “With regard to inactive members (i.e., members who have cancelled their subscriptions and / or allowed their subscriptions to lapse),” the filing reads, “Match takes virtually no action to remove these profiles (that remain on the system, are searchable by members, appear as and are in fact counted among Match’s ‘active members’) for months and sometimes years after the individuals have become inactive.” The suit was dismissed in 2012 after US District Judge Sam Lindsay found that Match’s user agreement didn’t require it to remove these profiles.

In 2015, California resident Zeke Graf filed a class action lawsuit against Match claiming the company was knowingly violating a California civil code which requires every dating service contract to include a statement allowing the buyer to cancel their subscription. That lawsuit was later voluntarily dismissed by Graf.

In an increasingly privacy-conscious world, the sudden zombie appearance of an old social media profile would be an unnerving experience for anyone. But online dating, in particular, puts people in a vulnerable position, often encouraging users to reveal as much of themselves as possible. “You’re filling out questionnaires about your beliefs and feelings and who you are as a person,” Rob P. says. “Hopefully the algorithm uses that information to match you up with the best compatible mate, but it’s scary to think they’re holding on to that data even after you close your account.”

Ex-user Katie Storms also saw her account, which she deactivated in 2014, pop up again this month. She’s concerned about data privacy, but also the more immediate impact that a new dating profile could have on her current relationship. “Thankfully I am married to an incredible man who, I immediately told him, ‘Hey, this happened, and I’m concerned about it,’ and we walked through it together,” she says. “I can’t imagine... not that I want to be married to anyone who wouldn’t be understanding about it, but what if you were?”

this is so weird - i got so many emails this morning i finally was like i guess ill try to log in and see whats up? and i did and my profile from 10 YEARS AGO was fully up - and I haven't paid https://t.co/c3WFxPlT7f a cent since i canceled! WTFFFFF https://t.co/SRcjwJJto4 — jelly donuts (@jennalisetwts) April 14, 2018

Jason Debiak also told his wife about the rogue profile immediately, but he later found out that some of her friends had seen it, and thought it was evidence of something more sinister. “That would’ve caused quite an issue if I hadn’t seen those emails,” he says.

Zombie profiles can also affect current users, who, again, are putting themselves in a vulnerable position, only to be confronted with people who aren’t actually looking to date. “I felt like it was a little bit of a violation of privacy for me, and misleading to the people who are on Match.com right now looking for people,” Storms says. “I don’t blame those people who saw my profile and winked at me, but I’m sorry, I’m happily married.”

Data retention policies, especially in the US, can vary from company to company. Match Group owns data from thousands of users, and — as recent scandals and controversies regarding the consequences of user data retention have taught us — it doesn’t have to be completely transparent about what it’s doing with that data. But these reactivations are a reminder that the internet has a long memory, and the burden often falls on the user to be mindful of what they share. “Obviously we need more transparency and control over our own data,” Rob P. says. “But it feels like uncharted territory.”