On Tuesday, February 24, 2026, cybersecurity researchers and privacy advocates raised a major “red flag” regarding Zomato’s new “Loved by Friends” feature, calling it a “goldmine for stalkers” and a significant breach of user privacy.
The feature, which displays a user’s favorite restaurants and recent orders to their phone contacts, has been criticized for being enabled by default (opt-out rather than opt-in), potentially exposing sensitive personal habits without explicit consent.
The “Red Flags” Identified by Researchers
Cybersecurity experts, including independent researcher Srinivas Kodali, pointed out several critical vulnerabilities in how the feature handles user data:
- Social Mapping Without Consent: The feature automatically links your ordering history to anyone who has your phone number in their contacts. This allows acquaintances, ex-partners, or estranged family members to track your current location (via frequent restaurant orders) or lifestyle changes.
- Sensitive Habit Exposure: Researchers noted that food choices can reveal sensitive information, such as medical conditions (frequent orders from “Diabetic-friendly” or “Gluten-free” outlets), religious practices, or even pregnancy cravings.
- The “Shadow Profile” Risk: By mapping friend networks, Zomato is effectively creating a social graph of the Indian middle class. Critics argue this data could be weaponized for targeted predatory advertising or by third-party actors if the database is ever breached.
- The Domestic Abuse Angle: Privacy advocates specifically warned that for individuals in abusive domestic situations, the ability for a “friend” (or spouse) to see their real-time “loved” locations creates a physical safety risk.
How the Feature Works (and How to Stop It)
The feature appears as a carousel on the Zomato home screen, showing snippets like “Your friend Rahul loves ordering from ‘The Burger Club’.”
| Feature Aspect | Current Implementation |
| Default State | ON (Opt-out) |
| Visibility | Visible to anyone who has your number saved. |
| Data Shared | “Loved” restaurants, frequent orders, and reviews. |
How to Disable It:
If you are concerned about your privacy, you can turn this off manually:
- Go to your Profile in the Zomato app.
- Select Settings > Privacy Settings.
- Toggle OFF the “Social Sharing” or “Loved by Friends” option.
Zomato’s Defense
Following the backlash, a Zomato spokesperson stated that the feature was designed to “enhance the social discovery of food” and make ordering more “communal.” They argued that:
- Users can control their visibility in settings.
- The feature only highlights “Loved” (highly rated) restaurants, not every single order.
- It helps small, high-quality local businesses get discovered through word-of-mouth.
The Regulatory Context
The timing of this “red flag” is particularly sensitive as the Digital Personal Data Protection (DPDP) Board is expected to become fully operational in April 2026. Legal experts suggest that Zomato’s “default-on” approach for social sharing might face a direct challenge under the new law’s “Notice and Consent” requirements.
