TL;DR: Match Group (owner of Hinge, Tinder, OkCupid, and Match.com) is now requiring biometric face scans for users worldwide through FaceTec's 3D liveness detection system. Users in the UK and Australia also face mandatory facial age estimation to comply with new laws. Match Group admits they keep your age estimate, audit images, and facial geometry data, and may use it to train machine learning models. This rollout comes weeks after ShinyHunters breached Match Group's systems and claimed 10 million records from Hinge, OkCupid, and Match.

Your Face Is Now Required

In October 2025, Match Group made face liveness verification mandatory for US Tinder users. By early February 2026, the requirement expanded to Hinge globally, with more apps in the pipeline [1].

The system works like this: You shoot a video selfie. FaceTec's software creates a 3D map of your face, generating what they call a "FaceMap" and a unique numerical identifier called a "FaceVector." The system checks you're a real person (not a printed photo or deepfake), scans for duplicate faces across the platform, and (in the UK and Australia) estimates your age [2].

If you refuse, you don't get to use the app.

Hinge's own help page is oddly candid about the scope: "We detect your face in your video selfie and your profile photos, and use your facial geometry to generate a unique number" [2]. That's biometric data by any legal definition. They're creating a mathematical representation of your face that identifies you.

What They Keep (And What They Admit To)

Match Group's privacy disclosures reveal what happens to your face data after verification [1][2]:

  • Age estimates: stored indefinitely for "compliance obligations"
  • Three audit images from your video selfie, kept for "managing Face Check" and "confirming your likeness"
  • Machine learning training: your age estimate and audit images may be used to "train select machine learning models that power our trust and safety tools"
  • UK users: Photos retained up to three months post-verification. Hashed photos and age check results kept for one year.

Read that middle bullet again. They're training AI models on your face. Not just verifying you and discarding the data. Training models. That's a permanent extraction of biometric value from every person who wants to use a dating app.

The Timing Could Not Be Worse

On January 28, 2026, days before Hinge's expanded biometric rollout, ShinyHunters posted on BreachForums claiming they'd stolen over 10 million records from Match Group, including data from Hinge, OkCupid, and Match [3][4].

The stolen data reportedly includes user IDs, Hinge subscription records (transaction IDs, payment amounts), IP addresses, internal employee emails, and corporate contracts. ShinyHunters allegedly gained access through "vishing" (voice phishing) attacks targeting Okta single sign-on credentials and the analytics platform AppsFlyer [3].

Match Group confirmed a security incident involving "a limited amount of user data" and stated that passwords and financial information weren't accessed [4]. Sound familiar? That's the same playbook every breached company runs: minimize, reassure, move on.

So Match Group is now collecting the most intimate biometric data possible (your face geometry) from millions of users, while simultaneously dealing with an active breach of their systems. They're asking you to trust them with your 3D face map weeks after hackers walked through their front door.

The Legal Mess They're Walking Into

Match Group's biometric collection is already a courtroom issue. A class action under Illinois' Biometric Information Privacy Act (BIPA) alleges that Hinge, Tinder, and OkCupid collected and stored facial geometry data from Illinois users without proper consent disclosures [5].

The complaint is specific: Match Group operated without a publicly available biometric data retention policy and shared biometric data with third parties without authorization. Under BIPA, that's up to $5,000 per violation [5].

It gets worse. In 2022, the FTC filed a petition to force Match Group to hand over documents about a data-sharing deal between its subsidiary OkCupid and Clarifai, an AI company. The allegation: users' face images were used to train facial recognition software without consent [6]. Match Group fought the demand. The FTC pushed back. The implications for the current, vastly expanded biometric collection program are obvious.

Why "Child Safety" Laws Build Adult Surveillance

Match Group isn't deploying face scanning because they woke up caring about safety. They're doing it because the UK's Online Safety Act and Australia's Social Media Minimum Age Act now require age assurance for platforms where minors might appear [1].

This is the age verification pipeline in action. Laws written to protect children from harmful content create a biometric checkpoint that every adult must pass through. The result: millions of adults hand over 3D face scans to private companies because lawmakers decided the only way to check if someone is over 18 is to map their facial geometry.

The FTC's own January 28, 2026 workshop on age verification highlighted this tension. FTC Chair Andrew Ferguson described the internet as "more like Las Vegas than Little House on the Prairie," while privacy advocates warned that age verification tools create exactly the kind of biometric databases that bad actors target [7].

Persona CEO Rick Song offered a revealing comment at the workshop: users find email-based verification "invasive," but biometric face scans are "faster and less invasive" [7]. The framing tells you everything. In the age verification industry's view, handing over your face geometry is less of a privacy concern than sharing your email address.

The Stalkerware Angle

Match Group's biometric rollout doesn't happen in a vacuum. A growing ecosystem of facial recognition services already targets dating app users specifically.

Services like Cheaterbuster, CheatEye, and SwindlerBuster use facial recognition to locate people's dating profiles from a single photo. 404 Media testing confirmed these services could locate real Tinder profiles and generate maps pinpointing users' neighborhoods in Los Angeles and Brooklyn [8].

The Surveillance Technology Oversight Project (S.T.O.P.) has called facial recognition on dating platforms "stalkerware," pointing out that biometric verification systems intended for safety can feed the same surveillance ecosystem that enables stalking and coercive control [9].

Electronic Frontier Foundation Director of Cybersecurity Eva Galperin has warned these technologies "enable coercive control and intimate-partner monitoring" [8]. Every face map Match Group creates is another biometric record that could, through a breach or legal compulsion, end up in the wrong hands.

What FaceTec Actually Does

FaceTec, the company providing the biometric backend, has been in the dating app business since at least 2020 when it first partnered with Match Group. The company now provides biometric liveness detection to Hinge, Tinder, Grindr, and Meet Group (another Match Group subsidiary) [1].

Their technology creates a 3D depth map of your face, not just a photo comparison but a volumetric scan that measures distances between facial features, skin texture, and head geometry. This is fundamentally different from uploading a selfie. It's biometric enrollment, the same category of data collection used in border control and law enforcement systems.

FaceTec claims their latest release (v10, December 2025) provides "the world's strongest protection against presentation attacks" [10]. What they don't prominently discuss is what happens to the biometric templates after verification, or how they'd respond to a law enforcement request for face map data from their clients' systems.

Protect Yourself

If you use Hinge or any Match Group app:

  • Understand the trade: You're exchanging biometric data for app access. That data may be used to train AI models and could be breached.
  • Check if you're in a BIPA state: Illinois residents have the strongest biometric privacy protections. Texas and Washington have laws too, though enforcement varies.
  • Review your data rights: Under GDPR (UK/EU) and Australian Privacy Act, you can request deletion of biometric data. Exercise that right after verification.
  • Consider the breach risk: ShinyHunters already hit Match Group. Your face data sits in systems that have been compromised.
  • Use alternative platforms: Not every dating service requires biometric enrollment. Yet.

The uncomfortable reality: Match Group controls about 45% of the US online dating market through Tinder, Hinge, Match, OkCupid, Plenty of Fish, and others. If you want to use mainstream dating apps, they're going to scan your face. The choice is comply or leave.

References

  1. Biometric Update: Match Group extends FaceTec liveness to Hinge, adds age verification for UK, Oz users (February 2026)
  2. Hinge Help Center: Face Check Scan (2026)
  3. The Register: ShinyHunters claims it stole 10M records from dating apps (January 2026)
  4. Bleeping Computer: Match Group breach exposes data from Hinge, Tinder, OkCupid, and Match (January 2026)
  5. ClassAction.org: Hinge, Tinder, OkCupid May Have Violated Illinois Users' Privacy (2023)
  6. The Lyon Firm: Dating App Privacy Lawsuits, Facial Recognition Data Sharing (2022)
  7. Federal Trade Commission: Age Verification Workshop (January 28, 2026)
  8. Biometric Update: Facial recognition turns dating apps into a new surveillance front (October 2025)
  9. S.T.O.P.: Facial recognition on Tinder is stalkerware (April 2024)
  10. PR Newswire: FaceTec Releases v10 of its 3D Face Verification Software Suite (December 2025)