As the Narendra Modi app faces fire over the furtive nature of its data usage, a five-year-old American startup is facing the heat, too.

On March 23, a French security researcher, who goes by the pseudonym Elliot Alderson, revealed that the Indian prime minister’s app sends user data – name, email, mobile phone number, device information, location, and network carrier, among other things – to California-headquartered CleverTap without their consent.

While the Bharatiya Janata Party has said that it uses CleverTap’s services solely for analytics, and not for re-marketing, there is now heightened concern over what exactly happens with this data.

About CleverTap

Founded in May 2013 by three Indians, Anand Jain, Sunil Thomas, and Suresh Kondamudi, CleverTap is a mobile marketing firm that provides real-time insights to marketers. Among other services, the company offers behavioural targeting. This means that it studies what users do with an app and this, in turn, helps the app creators tailor user experiences accordingly.

Before launching CleverTap, the three co-founders had worked at media conglomerate Network 18. Jain had earlier co-founded restaurant recommendation engine Burrp, while Thomas spent nine years at Seattle internet search firm Infospace (now called Blucora). Kondamudi is an IIT-Madras alumnus with a background in mobile marketing.

So far, CleverTap has raised $9.6 million from marquee investors like Sequoia Capital and Accel Partners, among others.

The firm works with over 4,000 brands across 100 countries, says its website, which lists the likes of Star, Sony, DC Comics, BookMyShow, Zomato, and others as its clients. It has offices in San Francisco, New York, Los Angeles, Mumbai, and Bengaluru.

CleverTap’s role

While the Congress party and Alderson claim that the BJP has been unlawfully sharing its data with CleverTap, cybersecurity experts told Quartz that the company is just one of many such service providers. It’s common for companies to use such third-party data analytics to improve user profiling, said Altaf Halde, global business head at cybersecurity services firm Network Intelligence.

This micro-targeting is often seen in e-commerce apps where customers are given discount codes based on their past transactions. For something like the Narendra Modi app, CleverTap’s services could be used to provide personalised, localised, and relevant updates to users.

However, experts also say that data sharing could be risky business.

“It’s a game of cat and mouse. Organisations have to make their data security and privacy policies in an environment in flux – evolving legislations, evolving security practices and standards, emerging technologies, agile and flexible partnership models, new security risks and an increasingly capable and incentivised set of foes,” Rajesh Kamath, head of solutions & incubation at San Francisco technology services firm Incedo, told Quartz.

The revelation about Modi’s app comes just days after the Cambridge Analytica voter manipulation fiasco came to light. In the Cambridge Analytica scandal, though, the data of 50 million Facebook users were harvested without their knowledge. The BJP has denied any such leak. The data from the Narendra Modi app is reportedly stored in government-owned servers in Mumbai.

Quartz’s e-mails to CleverTap seeking information on its workings and association with Modi’s app went unanswered.

This article first appeared on Quartz.