Analysts at ProPrivacy say the dating apps collect everything from chat content to financial data on their users — and then they share it.

Over 70 percent of subscribers across Match.com express concern about the amount of data they share with the platform, according to a ProPrivacy.com survey. But despite those concerns, users of the service share it anyway and remain unaware of just how much data the company collects and how it may be using that data, privacy advocates said.

Match.com (operated by the Match Group) is one of the more venerable dating services out there – launched in 1995 – and as such, has amassed a following of millions of paid subscribers, according to Statista. Its holding company, InterActiveCorp (IAC), also owns rival platforms, like OkCupid and PlentyOfFish, and Tinder, the service responsible for introducing “swipe left” and “swipe right” into pop culture lingo.

According to ProPrivacy, users need to be more aware of the data privacy implications of using these types of services. The privacy group is raising awareness around the amount of personal data shared with dating services in light of IAC’s privacy policies.

For instance, Match.com reserves the right to collect much more information than just the typical demographic breakdown of gender, age and relationship status that most online services ask for. This is ostensibly to be able to build a thorough online profile to help find “matches” between subscribers; but as a result of that necessity, users will share highly personal and emotional data with the platform. The more intimate the information, the higher the privacy stakes, ProPrivacy warns.

Privacy advocates caution that breached dating-service data is highly sensitive on a number of different levels. If it should fall into the wrong hands, ProPrivacy cautions, it could lead to embarrassment, the shattering of relationships or even blackmail and extortion – something seen in the wake of the 2015 Ashley Madison attack that exposed 36 million users of the dating site for cheaters. Information thieves could also make off with enough data to craft sophisticated follow-on attacks in the form of believable phishing expeditions.

As ProPrivacy points out, the Match.com app’s privacy policy states: “We collect information about your activity on our services, for instance how you use them (e.g., date and time you logged in, features you’ve been using, searches, clicks and pages which have been shown to you, referring webpage address, advertising that you click on) and how you interact with other users (e.g., users you connect and interact with, time and date of your exchanges, number of messages you send and receive).”

The screenshot of that section is below:

As ProPrivacy.com explained in its report, “in more detail, they know the words users use the most, what turns them on/off, how many meetings have occurred, how many connections are ghosted and how much time was spent before swiping.”

This hasn’t dissuaded respondents to the ProPrivacy survey from answering a variety of probing questions in order to build an online profile, such as whether they use drugs, income level, sexual preferences, religious views and so on.

And, much of the information that these services collect can get even more personal. For instance, in the survey, half said that they use the inbuilt messaging systems on dating apps to send sexually explicit messages. Half also said they’ve used the messaging platforms to arrange a sexual encounter.

Speaking of messaging, Tinder, for its part, highlights that it collects chat data. “Of course we also process your chats with other users as well as the content you publish, as part of the operation of the services,” Tinder’s privacy policy states.

The lack of specificity in that particular statement should be concerning, according to Sean McGrath, editor of ProPrivacy.com. “The privacy policy seems vague by design,” he told Threatpost. “They don’t explicitly state what services need this information, and they don’t state what they mean by ‘processing.’ If you look at the EU’s definition of data processing, it means literally any operation performed on data – so in that context, they have literally created a clause that allows them to do basically anything with that personal data.”

An IAC spokesperson told Threatpost that the company had no comment on the ProPrivacy assessments. She did highlight that compromising photos would never be part of Tinder’s data collection or sharing. “Please note that Tinder does not ever and has never allowed users to send photos through the platform,” she said via email. “So, anything related to that notion is false.”

Despite the breadth of information they share with dating apps, the majority (78 percent) of respondents in the survey said that they’re either “comfortable” or “very comfortable” in doing so – even though a full 55 percent of them have never read the privacy policies of the apps they use.

It’s hard to say if users would be so quick to share so much, if they were aware that these privacy policies also give the dating apps a very wide berth when it comes to who they share the collected information with.

Match.com in its policy, for instance, said that it shares basic demographic as well as “personal information” with “third parties [that] assist us with various tasks, including data hosting and maintenance, analytics, customer care, marketing, advertising, payment processing and security operations.”

Tinder takes a similar tone, saying in its policy that it shares data, “including personal and financial information, with third parties that perform certain services on our behalf.”

These services include “fulfilling orders, providing customer service and marketing assistance, performing business and sales analysis, ad tracking and analytics, member screenings, supporting our service functionality, and supporting contests, sweepstakes, surveys and other features offered through our service.”

Once again, McGrath noted that the clauses lack specificity.

“It’s vague language by design, and they have used ambiguity to ensure they can do whatever they want with your data,” he said. “If you compare this to other privacy policies, it’s much less transparent. You have to ask why the Match Group has taken this tack; on a technical and ethical level it doesn’t make a lot of sense.”

Another point that gave ProPrivacy pause is the fact that Match.com’s policy also states that “we may make you visible on other Match Group services.” Yet, in the survey, only about half of users are aware that there are other companies in the IAC portfolio besides the platform they happen to be using.

“One of the bigger takeaways for me in what we found is that people aren’t aware of how big the IAC family is,” McGrath told Threatpost. “And, the policies openly state that data flows throughout and between the various properties in the IAC portfolio. You could move on to a new dating service and they might already know everything about you once you put your email address in. Companies like IAC need to adopt much more transparent policies.”

All of this presents a notable security dimension, outside of any privacy concerns. The companies say that they store demographic data in “hashed, non-human readable form,” but Tinder’s privacy policy in particular states outright that “we do not promise, and you should not expect, that your personal information will always remain secure.”

Given the fact that hacks of third-party systems and breaches stemming from partners and the supply chain are on the rise, that’s wise advice to users, according to McGrath.

“The more this personal data is shared, the higher the chances are that it will fall into the wrong hands,” McGrath told Threatpost. “Even with robust data protections in place, it’s simply a mathematical probability that a breach will happen. And when you’re talking about the most intimate corners of our lives, that’s a big concern. This information is readable by IAC, and therefore by their partners.”

The IAC group is of course not the only dating-site owner collecting personal information, so the takeaway here is that sharing intimate data with any service should be undertaken with a clear understanding of what information is being shared and with whom.

The good news is that users of dating apps do know that they should concern themselves with all of this. A full 71 percent said that they worry about “what the owners of dating apps are doing with the data they collect.” Now, they just need to follow through in practice, reading the privacy policies and carefully considering what they share – and whether it’s worth it in their quest for finding a mate.