How Free Apps Make Money Off You

Here is a question that has been bothering me for a while now. A company spends fifteen, twenty crore building an app. They hire engineers in Bangalore, designers in Pune, testers, server administrators, marketers. They maintain this thing for years. And they hand it to you and me for zero rupees. The question is: what did we actually pay?

Most people answer “ads” and move on. Fair enough. Ads are part of the picture. But only part. When you use a free weather app, it collects your GPS location every few minutes. A free period tracker knows intimate details about your health. A free UPI app can reconstruct your entire spending pattern, down to the pani puri stall you visit on Thursday evenings. Each of those data points has a price tag attached to it in a marketplace most users have never heard of.

I am not one of those people who thinks all data collection is evil. I use Google Maps in Mumbai traffic and I am genuinely grateful for the service. The trade works for me. But I went into it knowing what I was giving up. The trouble is that the vast majority of users do not know. They tap “I Agree” on a twenty-page privacy policy that would take forty minutes to read aloud, and the transaction is complete before they understood a single term.

The math does not add up when you think about it purely as an ad-supported business. If ads were the only revenue source, many of these apps would shut down within a year. The other revenue streams (data brokerage, behavioural profiling, cross-selling to partners) are where the real money sits. And those streams depend on collecting as much of your personal information as technically and legally possible.

Smartphone with free app icons connected by data streams to corporate servers

Revenue Models Behind Your Favourite Apps

I spent a few weeks going through the annual reports, investor presentations, and privacy policies of popular Indian apps. What I found is that most of them run three or four revenue models at the same time, and all of those models depend on your data in different ways.

Targeted advertising is the one everyone knows about. When Swiggy shows you a promoted restaurant listing while you are scrolling through dinner options on a Friday night, that restaurant paid for that placement. But the reason Swiggy can charge a premium for it is because they know you specifically are browsing, and they know from your order history that you tend to order biryani on weekends and that you live in Koramangala. A generic ad slot on a website might earn thirty or forty paise per impression. A targeted ad slot inside an app, backed by real behavioural data, can earn five to ten times that. Across hundreds of millions of users, that difference adds up to thousands of crore in annual revenue.

“We collect information about your device, including your IP address, operating system, device identifiers, browsing activity within and outside our platform, transaction history, and contact lists where permissions are granted, to provide personalised services and relevant advertisements.” — Excerpt from the privacy policy of a popular Indian fintech app, accessed January 2026

Data licensing and third-party sharing is the second model, and it operates mostly out of sight. Many apps collect information that has nothing to do with their core function. I have personally seen a QR code scanner that requested access to my contacts, my calendar, and my call logs. A flashlight app on the Play Store — an app whose only job is to turn on a light — was found to be sending device data and location pings to servers in three different countries. This information gets packaged and sold to data brokers. In India, those data brokers feed into the spam call industry. That is how a random insurance agent from a company you have never interacted with rings you up two days after you searched for health insurance on your phone. The pipeline is direct, and it is running constantly.

The question is: how much is each user worth? Estimates vary depending on the source. The Financial Times pegged the average global data value per user at around $240 per year for advertisers. For Indian users specifically, industry analysts put the figure somewhere between Rs 300 and Rs 800 per year, depending on the user’s income bracket and how many apps they actively use. That sounds small until you multiply it by 800 million smartphone users. The Indian data economy, by conservative estimates, is worth tens of thousands of crore annually, and growing at roughly 25 percent year on year.

Behavioural manipulation for in-app purchases is a model I find especially troubling. Free-to-play mobile games collect enormously detailed data about how you play. They track where you pause, which levels frustrate you, how many times you retry a failed level, how long you stare at the “buy coins” button before closing the popup. Machine learning models crunch all of this and adjust the game difficulty in real time. The level did not randomly get harder. It got harder for you, at the exact moment the algorithm predicted you were most likely to spend money on a power-up. Children are especially vulnerable to this. India does not have specific regulations against these dark patterns in gaming yet, though the DPDP Act has some provisions around children’s data that might eventually be enforced.

Cross-app tracking connects all these models together. Every Android phone has a Google Advertising ID, a unique string of characters that follows you from app to app. When you browse running shoes on Flipkart, that event gets logged under your advertising ID. When you open Instagram ten minutes later and see an ad for running shoes, that is not a coincidence and it is not your phone “listening to you.” It is your advertising ID connecting two apps that otherwise have nothing to do with each other through a shared advertising network. Apple introduced similar tracking on iPhones through the IDFA, though iOS has gotten significantly better at letting users disable it in recent years.

Subscription upselling with a data layer is the newest model gaining traction. Apps like JioSaavn, Gaana, and several news platforms offer a free tier loaded with data collection and a paid tier that promises “fewer ads” or “an ad-free experience.” But look carefully at the privacy policy of the paid version. In many cases, the paid tier still collects your listening habits, reading patterns, and device information. You are paying money AND giving up data. The subscription did not replace the data collection. It just added an extra revenue stream on top of it. JioSaavn’s paid plan removes audio ads, sure, but the company still tracks what you listen to, when, and how often, because that data is valuable for content licensing negotiations and for selling insights to record labels.

I want to put a number on this for context. Paytm’s FY2024 annual report showed a “commerce and cloud services” revenue segment that includes revenue from data insights and merchant analytics. PhonePe has been building an advertising business that it expects to be a significant contributor to revenue. These are not side projects. Data monetisation is written into the business plans of the apps sitting on your home screen right now.

Indian Apps and Their Data Habits

I want to be specific here, because vague warnings about “apps collecting your data” are easy to ignore. When the names are familiar, the problem gets harder to dismiss.

Paytm collects your transaction history, obviously. It also collects your contacts, device identifiers, location history, and browsing activity within the app. If you use Paytm for movie tickets, flight bookings, and bill payments in addition to UPI transfers, the company has assembled a spending profile on you that is more detailed than what your bank sees. Your bank knows where money went. Paytm knows where the money went, what you were browsing before you spent it, where you physically were when you made the payment, and which of your contacts also use the platform.

PhonePe operates on a similar model but with the added dimension of being owned by Walmart. The data flows between PhonePe and its parent company are governed by their privacy policy, which is lengthy and not easy to parse. PhonePe has also built an insurance marketplace, a mutual fund platform, and a lending arm. Each of these services generates a new category of data about you: your risk appetite, your investment patterns, your creditworthiness.

Swiggy and Zomato know your home address, your work address (if you order lunch), your dietary preferences, your price sensitivity, the times of day you tend to eat, and how you scroll through menus. Zomato’s privacy policy states that they collect device information, usage patterns, and third-party service data. The dynamic pricing accusations that pop up on Twitter every few months are hard to prove definitively, but multiple users have documented seeing different prices for identical orders placed simultaneously from different accounts. Whether that counts as personalised pricing or A/B testing depends on who you ask.

JioSaavn logs every song you play, every playlist you create, how long you listen, when you skip, and what you search for. That behavioural data is gold for record labels and advertisers. The free tier shows you ads based on your listening habits, and the app shares aggregated listener data with music publishers. Your personal taste in music might seem harmless, but combined with location data and device identifiers, it contributes to a profile that ad networks find extremely useful for targeting.

Instant loan apps remain the worst offenders by a wide margin, despite the RBI cracking down on them repeatedly. Some of the apps that appeared after the 2023 Play Store purge returned under different names with the same data-harvesting behaviour. They access contacts, SMS messages, photos, and call logs. Documented cases exist of recovery agents using stolen contact lists to send threatening messages to borrowers’ family members and colleagues. If you need a personal loan, go to your bank, a well-known NBFC, or use your credit card’s EMI conversion feature. The convenience of a quick-approval loan app is not worth the data exposure.

I should mention that none of this is unique to Indian companies. Google, Meta, Amazon, and Apple all run variations of the same playbook. But when the apps are Indian, the data stays closer to home in some respects, and the regulatory environment is still catching up. The DPDP Act was passed in 2023 but the rules for enforcement are still being finalised years later. Until those rules have teeth, the companies themselves decide how much of your data they want to collect. And the answer, predictably, is as much as possible.

Paying With Attention vs Paying With Data

There is an old saying that gets repeated endlessly in tech circles: “If you are not paying for the product, you are the product.” I think the truth is a bit more complicated than that, and the distinction matters.

Some apps charge you with your attention. You watch a thirty-second ad before your free song plays on Spotify’s free tier. You see a banner ad at the bottom of a news article. You wait five seconds before skipping an ad on YouTube. That model is annoying, but it is basically the same deal that radio and television have offered for decades. The advertiser pays the platform, the platform gives you free content, and your cost is twenty seconds of your time. I have no strong objection to this arrangement. It is reasonably transparent. You know the ad is there. You know it is paying for the service. The exchange is visible.

Paying with data is different. When an app collects your location, contacts, browsing history, and purchase patterns and feeds all of that into an advertising profile, you are not just seeing an ad. You are generating a product. That profile follows you across the internet. It affects what prices you see, what content gets shown to you, what financial products are offered, and potentially what insurance premiums you are quoted. You cannot see the profile. You did not negotiate its terms. And in most cases, you cannot delete it once it exists, because it has already been copied, processed, and distributed to a chain of third parties whose names you will never know.

The question is whether most users would agree to this arrangement if they understood it fully. I suspect not. Surveys from places like the Internet Freedom Foundation and the Centre for Internet and Society in Bangalore have repeatedly found that when Indian users are told in plain language what data an app collects, a majority say they are uncomfortable with it. But the same users keep using the apps, because opting out is not realistic. You cannot live in urban India without a UPI app. You cannot commute in Delhi or Hyderabad without a maps app. Social obligations mean you need WhatsApp. Professional life requires email and often LinkedIn. The “just stop using the apps” advice is not practical for anyone with a job, a family, and responsibilities in a city.

So what can you actually do? A few things, and they are smaller than you might want but larger than nothing. First, go through your phone and delete every app you have not opened in the last two months. Each sitting-unused app still has whatever permissions you granted when you installed it. Second, open your permission settings and revoke access that does not match the app’s purpose. A food ordering app does not need your microphone. A music app does not need your contacts. Third, reset your advertising ID. On Android, go to Settings, then Privacy, then Ads, and delete the advertising ID. On iPhones, go to Settings, then Privacy and Security, then Tracking, and turn off the permission for apps to track. That single change breaks the cross-app tracking chain that connects your behaviour across dozens of unrelated apps. Fourth, where you can, use the browser version of an app instead of the native app. Ordering food, reading the news, checking reviews — the mobile browser version of these services works fine and cannot access your contacts, files, or phone sensors the way a native app does.

There is also the bigger question of regulation. India passed the Digital Personal Data Protection Act in 2023, and it contains provisions for consent requirements, data minimisation, and penalties for misuse. But the enforcement rules are still being drafted. The Data Protection Board, which is supposed to hear complaints and impose fines, is not yet fully operational in any meaningful way. Compare that to the European Union, where the GDPR has been issuing massive fines for years, and it becomes clear that Indian users are still waiting for the legal side to catch up with the technical reality.

I keep waiting for someone — a regulator, a court, a consumer body — to say this arrangement is not fair. Maybe the DPDP Act will change things. Maybe it will not. For now, you are paying for free apps with something more valuable than money, and most people have not even read the receipt.

Hand downloading a free app with invisible data collection streams flowing out