Ride-hailing apps like Rapido run on a simple promise, you share your data and in return, you stay in control. Your phone number, your routes, your location, all of it sits behind permissions like “only while using the app.” That’s the deal. But what if that control isn’t as solid as it seems? A recent report by Digit raises exactly that question and the findings are definitely a bit unsettling.
Our folks at Digit noticed something strange during daily commutes. Even without actively using the app or keeping it running in the background, Rapido appeared to know their exact location. Not vaguely. Not occasionally. Precisely. Every single time the reporter from the Digit team passed through Kashmere Gate Metro Station, a notification would pop up, right on cue. Same place, different times of the day, same result. At first, it seemed like coincidence. Then it became a pattern. And patterns are hard to ignore.
Limited Permissions, Unlimited Awareness?
The app was installed from the official App Store, and location access was restricted to “only while using the app.” Under normal circumstances, that should limit any background tracking. Yet, the notifications kept coming. What makes this more puzzling is that the team observed this behaviour only on an iOS device. An Android device running the same app, same account, same routine, showed none of these location-triggered alerts. Just regular promotional notifications.
Not An Isolated Case
As highlighted in Digit’s report, this isn’t a one-off experience. Similar concerns have surfaced on platforms like Reddit and LinkedIn. One LinkedIn post, dating back over a year, described nearly identical behaviour. That suggests this isn’t a recent glitch. It may have been quietly happening for a while.
Rapido’s Response
In response to their queries, Rapido clarified that it does not track users in real time when the app isn’t active. Instead, the company pointed toward Apple’s system-level features. According to Rapido, iOS may trigger notifications based on “areas of interest” or past usage patterns. In simpler terms, your phone might be predicting your routine and nudging you accordingly, without sharing live location data with the app.
Why This Raises Bigger Questions
Even if that explanation holds, it still leaves a slightly uneasy feeling. If an app can trigger location-based alerts without being actively used, where exactly does control lie? As Digit’s report points out, this isn’t just about one app. It’s about how digital privacy works in practice. Your location isn’t just data, it’s a timeline of your life. And when that starts feeling predictable to someone else, even a system, it stops being convenient and starts feeling invasive.
To better understand whether these points point to a privacy breach or simply a misunderstood system behaviour, Times Now Tech reached out to industry experts for clarity.
Speaking to Times Now Tech, Abhilash Gupta said the incident does not necessarily prove that Rapido was secretly tracking users in real time.
“My technical view is that this is not automatically proof of secret live tracking,” said Gupta, who serves as a Research Analyst at Counterpoint Research. “On iOS, location-linked notification behaviour can still happen under narrower permission settings such as ‘When In Use,’ and an app can also appear highly context-aware by combining permitted triggers with previously collected location history, saved places, time-of-day usage patterns and server-side behavioural inference.”
According to Gupta, the bigger issue may not be a direct permissions bypass, but a lack of transparency around how apps use predictive targeting.
He pointed out that Apple itself allows certain location-based triggers under limited permissions. “Apple publicly documents that UNLocationNotificationTrigger can be used after the app has Core Location authorisation and ‘When In Use’ permission,” Gupta said. He further referenced Apple’s WWDC 2019 Core Location session, where the company noted that region monitoring, which previously required “Always” permission, can also work with “When In Use” access on iOS 13 and later.
“So, a location-specific notification on iPhone does not automatically prove that an app had full background ‘Always’ access,” he added.
On the question of loopholes, Gupta advised caution before jumping to conclusions. “I would be careful calling this a loophole without technical evidence. A more likely explanation is a mix of permitted location triggers, earlier location history, and behavioural inference, which can make an app seem more aware than users expect,” he noted.
For users concerned about privacy, Gupta recommends reviewing permissions and limiting unnecessary access. “Users should go to Settings > Privacy & Security > Location Services and review the app’s access level. If the app does not need exact location, they should turn off Precise Location,” he said.
He also suggested checking Apple’s App Privacy Report to understand how apps use permissions and network activity, while disabling “Significant Locations & Routes” for extra privacy.
Gupta further highlighted that this issue may not be limited to Apple devices. “On Android, background location is handled differently, but similar outcomes can be achieved through a mix of permissions, geofencing, foreground services, background tasks, SDKs, and prior behavioural data,” he explained.
His comments suggest that the Rapido case may be less about “breaking Apple’s security code” and more about how predictive technology, permissions and user expectations collide in modern mobile ecosystems.
