Luluvise describes itself as "a social network for women". It's loved by the technology media, racking up plenty of friendly articles since its launch late last year. Its founder, Alexandra Chong, even has a regular column in the Sunday Times about life in a startup.

Luluvise's PR team frequently spotlights one particular feature: WikiDate, in which women on the Luluvise network – who must sign in using their Facebook account – can rate the men that they've dated.

Facebook's privacy page has the innocuous statement: "People who can see your info can bring it with them when they use apps." This means that when your friend signs into an application, they don't just share their own data – they can share some of your data as well.

And if you haven't looked through the deep parts of Facebook's privacy settings, that could be a lot of personal information: by default, it includes your status updates, photos, birthday, family details, and biography. A truly malicious application could happily store all those details – and while Facebook has policies in place to cut off rogue applications, detecting abuse isn't the easiest of tasks.

Luluvise's site was in violation of Facebook's policies for at least a month. When a Facebook user joins Luluvise, the site pulls in the names of the men that they know; if a user decides to rate any of them, the site then generates a public-facing page announcing that the man has been reviewed. Originally, that page featured more than just a name: it included the man's photograph, pulled from his Facebook account.

I asked Joelle Hadfield, Luluvise's head of PR, how that complied with Facebook's Platform Policies, which prohibit using users' friends' data for anything public. She said: "We are pleased to work closely with Facebook, and so naturally we are committed to abiding by their Platform Policy."

However, after I contacted Facebook for comment, Luluvise altered its site. At Facebook's request, it's no longer showing the profile photos of the men in its system. It is still showing name and location details publicly, though – along with a "dating score" for those logged into the site.

It's questionable whether the Data Protection Act allows Luluvise to keep that information. Sensitive personal data – including details of someone's sex life – is handled under Schedule 3 of the Data Protection Act, and can only be processed under certain strict conditions or with the subject's explicit consent.

I asked the Information Commissioner's Office if WikiDate violated the act; they were unable to answer immediately, but said they'd get in touch with Luluvise to "better understand how their service works and to ensure compliance with the law".

That process may take several weeks. Even if it does end up with significant changes to this one particular site, the act doesn't apply to any companies outside the UK.

Facebook, however, has confirmed to me that Luluvise is now compliant with its policies. That's startling – because it means that maintaining a public page, accessible to search engines, announcing that a Facebook user has "WikiDate reviews" on a site that they've never joined and will never be allowed to, is permitted by Facebook.

There are some big issues here I'm not qualified to comment on. WikiDate doesn't care about anyone who's gay, or anyone who doesn't fit strictly into "male" or "female". There's also Luluvise's stereotyping of women ("We know what girls talk about when they discuss their latest crush"), and the fact that switching WikiDate's two genders around would make the site a pariah rather than a media darling. Other writers can talk about those issues with more insight and experience than I ever could.

I can, however, talk about privacy.

Here's the bottom line: if you use Facebook, and your friends sign up for social applications, your name and details could appear in unexpected places. Of course, you could always not have a Facebook account – that's the catch-all answer frequently trotted out by the site's detractors.

For many people, though, that's not an easy option. When your friends run their social lives through the service, not having a Facebook account is like not having a mobile phone or an email address. Yes, you can live without it, but it's a serious inconvenience that means you're very much out of the loop.

So check your privacy settings, under "Apps and Websites". You may be surprised what data your friends are giving away – and where it's ending up.

• Tom Scott's website is tomscott.com; he's on Twitter at @tomscott