Collection of HIV Status and Health Information

What it is

Grindr collects your HIV status and other health details if you enter them into your profile or provide them elsewhere in the app.

Why it matters (compliance & governance perspective)

HIV status is among the most sensitive categories of personal data under virtually every major privacy framework, and its collection and potential onward sharing carries significant privacy, safety, and discrimination risks.

Consumer impact (what this means for users)

If you enter your HIV status on your Grindr profile, this health data is collected by Grindr and may be processed or shared as described in the broader policy, including with advertising and analytics partners, which could expose sensitive health information beyond the app context.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: HIV status constitutes special category health data under GDPR Article 9, requiring an explicit legal basis such as explicit consent or a public health justification; reliance on general consent or legitimate interests is not sufficient under Article 9. The ICO and relevant EEA data protection authorities enforce these requirements strictly. Under CPRA, HIV status qualifies as sensitive personal information, triggering specific opt-out and disclosure obligations for California-based users. FTC Act Section 5 may apply if the handling of health data is found to be unfair or deceptive. GOVERNANCE EXPOSURE: High. The collection of HIV status in a dating app context, combined with potential sharing with advertising technology partners, represents one of the highest-risk data processing activities from a regulatory and reputational standpoint. Enforcement actions against companies sharing health-adjacent data from sensitive platforms have been pursued by FTC and state attorneys general. JURISDICTION FLAGS: EEA and UK users benefit from GDPR and UK GDPR Article 9 heightened protections. California users have CPRA sensitive personal information rights. In several US states without comprehensive privacy laws, users may have limited statutory recourse. Users in jurisdictions where LGBTQ+ status is criminalized face compounded safety risks if health data is disclosed. CONTRACT AND VENDOR IMPLICATIONS: Data processing agreements with any vendor receiving health data must satisfy GDPR Article 28 requirements. Vendors in ad tech pipelines receiving health signals derived from this data may trigger additional contractual obligations and should be audited for compliance with applicable health data restrictions. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that explicit consent mechanisms for HIV status collection are implemented in the app in a manner that satisfies GDPR Article 9(2)(a) requirements, including granular, freely given, informed, and unambiguous consent. Data minimization assessments should evaluate whether collection of HIV status is necessary for the stated purpose. Vendor contracts should be reviewed to ensure health data is excluded from advertising-related data flows where required.

Applicable agencies

Provision details

Other risks in this policy

• Precise Geolocation Data Collection and Sharing high
• Sexual Orientation and Identity Data Processing high
• Third-Party Advertising and Analytics Data Sharing high
• User Rights for EU, UK, and California Residents medium
• Data Retention medium
• Cross-Border Data Transfers medium