UPDATE on November 24 @12:10pm: Vonvon has responded to this article saying it does not sell data to third parties. See the company’s response below. This article has been edited to reflect their statement.

Lately, you’ve probably seen a couple of your Facebook friends post the results of a quiz app that figures out your most-used words in statuses. Or maybe you posted it yourself. It looks something like this:

The “quiz,” created by a company called Vonvon.me, has risen to over 16 million shares in a matter of days. It’s been written about in the Independent, Cosmopolitan, and EliteDaily. Sounds fun, right?

Wrong. That’s over 16 million people who agreed to give up almost every private detail about themselves to a company they likely know nothing about.

“ooo! if i click here and auth in with facebook it’ll scan my entire year of posts, store the data and tell my most used words. sign me up!” — Saved You A Click (@SavedYouAClick) November 19, 2015

The app, like many Facebook quiz apps, is a privacy nightmare. Here’s a list of the info the quiz requests players disclose to Vonvon.me:

Name, profile picture, age, sex, birthday, and other public info

Entire friend list

Everything you’ve ever posted on your timeline

All of your photos and photos you’re tagged in

Education history

Hometown and current city

Everything you’ve ever liked

IP address

Info about the device you’re using including browser and language

Note: In light of this article, Vonvon has reduced the number of permissions required.

Read more: How to remove apps from Facebook for better privacy

The oxymoronic privacy policy

Even if you take the “I have nothing to hide” approach to privacy, the app also collects a fair bit of info about your friends. Vonvon’s privacy policy leaves a lot to be desired. Let’s walk through it to see why you should steer clear of this quiz or any of the dozens more on Vonvon’s site. First off, for those who have already played the quiz, there’s no take backs:

[…] you acknowledge and agree that We may continue to use any non-personally-identifying information in accordance with this Privacy Policy (e.g., for the purpose of analysis, statistics and the like) also after the termination of your membership to this WebSite and\or use of our services, for any reason whatsoever.

Your information could be stored anywhere in the world, including countries without strong privacy laws. A Whois search reveals Vonvon.me was registered in South Korea, but it operates under several languages including English, Vietnamese, Malaysian, and Korean:

Vonvon processes Personal Information on its servers in many countries around the world. Such information may be stored on any of our servers, at any location.

Vonvon is free to sell your data to whomever it pleases for a profit, although they have since confirmed they have no intention of doing this. Vonvon says it will not share personal information with third parties without permission, but just by playing the quiz you’ve technically given it permission because it assumes you’re a responsible person who reads the privacy policy. Of course, most people who play the quiz are not that responsible.

[…] We do not share your Personal Information with third parties unless We have received your permission to do so, or given you notice thereof (such as by telling you about it in this Privacy Policy) […]

Yes, it actually says that. Worst of all, Vonvon skirts responsibility after it has given your data to third parties, who can do whatever the hell they want with it:

[…] this Privacy Policy does not apply to the practices of entities Vonvon does not own or control, or to individuals whom Vonvon does not employ or manage, including any third parties to whom Vonvon may disclose Personal Information […]

Companies who you have never met can now access your entire Facebook profile–friends, photos, statuses and all–and use them in ways you never directly agreed to. By the way, if you edit the permissions before authenticating the app with Facebook, Vonvon won’t allow you to play the quiz. Edit: You can remove all permissions except your public profile and Facebook timeline posts, and still play the quiz. Most people that play probably won’t bother, though.

Abstinence is the best privacy policy

We’ve singled out Vonvon because it recently went viral, but Facebook is full of shady data dealers to masquerade behind viral quiz mills. Facebook is a haven for a large number of such companies and, frankly, hasn’t done enough to educate or warn users about the risks. Social Sweethearts, a similar company based in Germany, creates quiz apps that are so bold as to collect your email address. Hope you like spam, suckers!

So how can you protect yourself? The easiest way is to avoid online quizzes that require Facebook authentication altogether. Go to the apps section of your Facebook profile–where these data miners often reside–and remove anything you don’t 100 percent trust. Many of them can even hijack your Facebook and post on your behalf. Stick to quizzes that just let you share the results without logging in with your Facebook account, such as the ones on Buzzfeed.

If you insist on authenticating a Facebook quiz app, be sure to check the permissions and read the privacy policy or terms of use.

Vonvon’s response:

Hello,

I’m Jonghwa Kim, the CEO of vonvon, inc.

Vonvon is a start-up in Korea, we’ve been around less than a year now but luckily we had good traction all over the world with more than 100M unique visitors from US, UK, France, Brazil, China, Japan, Korea, Thailand, etc. with 15 languages.

Though I understand there could have been misunderstanding, I’m deeply concerned about your false accusation.

1. Do we store your personal information?

We only use your information to generate your results, and we never store it for other purposes. For example, in the case of the Word Cloud, the results image is generated in the user’s Web browser, and the information gathered from the user’s timeline to create personalized results are not even sent to our servers. Also, in the case of our quiz “What do people talk behind my back?” we use user’s school and hometown so that we may pull up close friends rather than pairing random person among your 500 fb friends in the results. We use this information only to process familiarity of friends, and again, the information is never stored in our databases.

2. Why do we request personal information unrelated to the Word Cloud quiz?

As mentioned above, vonvon.me creates a variety of quizzes for entertainment purposes only and leverages various user data to produce the most engaging and customized result. (** WE EMPHASIZE AGAIN WE ONLY USE USER DATA TO PRODUCE CONTENT AND NEVER SAVE THEM**) We have asked our users for a comprehensive list of access privilege so that they can enjoy our vast library of quizzes as smoothly as possible. However, we do realize that some of our users are worried about their privacy protection. To accommodate these concerns proactively,we adjusted our scope of data request to the minimum requirement to produce each separate content as of 9pm KST, Nov. 23.

3. Are we selling your personal information to a third party?

As we do not store any personal information, we have nothing to sell. Period.

4. About the Privacy Policy

It’s seem like you taken words out of context for the sake of your accusation.

—

[…] you acknowledge and agree that We may continue to use any non-personally-identifying information in accordance with this Privacy Policy (e.g., for the purpose of analysis, statistics and the like) also after the termination of your membership to this WebSite and\or use of our services, for any reason whatsoever.

-> “Non-personally-identifying” information is not the same with “personal” information. Are we the only company in this planet use analytics tools to better understand our users with cumulative behavioral data?

—

Vonvon processes Personal Information on its servers in many countries around the world. Such information may be stored on any of our servers, at any location.

-> Our service is on the Google App Engine and we are running services in 15 languages including Japanese, French, German. This is also a pretty standard clause in many privacy policies in this age of cloud computing. Don’t you think it’s a little far-fetch idea that we put in this clause to “export” personal information to “counties without strong privacy laws”?

—

[…] We do not share your Personal Information with third parties unless We have received your permission to do so, or given you notice thereof (such as by telling you about it in this Privacy Policy) […]

-> You conveniently omitted the following section which we stated that we share personal information only in case of compliance with law. There’s no clause states that we share personal information to other businesses

—

[…] this Privacy Policy does not apply to the practices of entities Vonvon does not own or control, or to individuals whom Vonvon does not employ or manage, including any third parties to whom Vonvon may disclose Personal Information[…]

—> Again, you omitted ‘(as defined below)’ as in ‘including any third parties to whom Vonvon may disclose Personal Information(as defined below)’, which leads to the same section that states we only share personal information when it’s required by law.

In fact, we did have the clause states that we might share personal information to trusted business partner few month ago – we put it in without much thought since most media sites have similar policies.

But it back-fired in Japan few month ago with the similar rumor that we might sell personal information and we decided to delete the clause since we never sold and have no plan to sell personal information what-so-ever.

Your style mislead the readers and putting great damage to our reputation and trust.

I’d appreciate if you take back this misleading accusation.

Best,

Jonghwa

How can I protect my privacy?

If this article has made you think more critically about your online privacy, good. If you’ve already played Vonvon’s quiz or something similar, you can read our tutorial on how to manage and remove Facebook apps connected to your account. Beyond that, there are several easy steps you can take to boost your privacy and protect your data from corporations, hackers, and governments.

Our top recommendation is to use a VPN. A VPN encrypts all of your computer or smartphone’s internet traffic and routes it through a server in a location of your choosing. The encryption prevents your internet service provider from recording what you do online, and the intermediary server helps anonymize your activity so websites and apps can’t pinpoint your location or device IP address. On top of that, VPNs can also be used to unblock geographically restricted content, such as the US Netflix catalog.

You can also install a handful of extensions on your browser to prevent companies and advertisers from tracking you, such as Privacy Badger or Disconnect. HTTPS Anywhere is another good extension that forces your browser to load the secure, encrypted versions of websites whenever they’re available. If anonymity is what you’re after, look into using the Tor browser.

Finally, always read the fine print. Look over privacy policies to see what information is collected and who it’s shared with. Be critical of app permissions that seem to ask for more information than they need. And never give up personally identifiable information to anyone online that you don’t 100 percent trust.