Privacy guide

Why does this app want your contact list? What it really means.

What contact-list permission gives an app, why it affects people beyond you, and what to ask before allowing it.

The simple answer

Your contact list is not only your data. It contains other people: names, numbers, emails, relationships and sometimes workplace or family labels.

When an app asks for contacts, the privacy issue reaches beyond the person tapping allow. You may be uploading data about people who never used the app.

What to check

1
Ask whether contacts are needed for the core service.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

2
Check if manual invite links work instead.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

3
Look for upload, sync or referral language in the policy.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

4
Remove contact access after the specific task.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

From our investigation

One tap can expose a whole address book.

State of Privacy treats contact-list access as sensitive because it expands the data surface beyond the registered user. Companies should explain purpose and limits clearly.

What to do next

1
Use manual search or invite links.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

2
Deny contacts unless the feature is essential.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

3
Ask how uploaded contacts are deleted.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

People also ask

Is contact permission dangerous?

It can be, because it may upload details of many people who did not consent directly.

Why do apps ask for contacts?

Common reasons include invites, referrals, matching friends, fraud checks and social features.

Can I revoke it later?

Yes. Use phone app permission settings to remove contact access.

If you are a company
Check your own website.

How many trackers run on your pages? Does your privacy policy name them? Can you answer a data-rights email? If you don't know, we can help you find out.

Talk to Meridian Bridge Strategy →
Your right under Indian law
Mera data mera hai.

Your personal data belongs to you. Under DPDP, every company must tell you what they have and delete it if you ask. One email is all it takes.

Get the template email →
Read the full investigation.

We investigated 107 Indian company websites. The public report shows what we found.

Read the reportTry the experience