China’s internet regulator requested multiple changes to the mapping function of ride-hailing group Didi’s app before its US listing, fearing it could reveal sensitive government locations, according to two people familiar with the company.

The Cyberspace Administration of China frequently communicated with Didi, making more than 20 requests for changes to the app which Didi implemented, said one of the people familiar with the matter.

The CAC did not link the mobile app changes to any requests to delay the initial public offering, the people said. The CAC has issued many rectification notices to companies without taking their apps down.

But the regulator caught investors by surprise when it abruptly announced on Sunday that Didi’s ride-hailing app had “problems of seriously violating laws on collecting and using personal information” and ordered it to be removed from mobile app stores.

The announcement, which came less than a week after the company raised $4.4bn in the biggest Chinese initial public offering in the US since 2014, caused Didi’s stock to plunge and has led to investor lawsuits over the company’s disclosure of regulatory risks.

The case reveals how national security and data security have become interlinked priorities for Beijing, which is increasingly worried about the power that large tech platforms wield through their command of hundreds of millions of users’ data. It also highlights the difficulties facing companies trying to comply with often opaque enforcement decisions.

Over the past year, the CAC has waged a mobile app rectification campaign and has issued public warnings to hundreds of apps deemed to have misused personal information or collected more than they ought to have.

“Usually there is no clear legal basis when the CAC asks a company to make changes to its app. The CAC never feels like they need to follow a formal administrative law process but companies take them extremely seriously. Communication is often casual and over the phone,” said one of the people familiar with the matter.

Rectification requests were usually dealt with at an operational level rather than a high level within the company, the person added. It was also unclear whether the regulators made the requests to Didi formally.

China is still in the process of finalising its personal information protection law, which will allow the CAC to formalise its app auditing process.

Before its IPO, the CAC had not publicly admonished Didi’s ride-hailing app.

“The CAC has frequently made various requests of Chinese app companies, from content censorship to personal data collection, and this is usually not a big deal — you make the changes and it blows over,” said a venture capital investor in a recently US-listed Chinese app company.

In its requests to Didi, the CAC wanted changes to the way its app collects and displays mapping information, said the people familiar with the company. When a user opens the app, it suggests common pick-up points nearby based on passenger demand.

The CAC was concerned this could inadvertently reveal locations where sensitive government personnel worked, said the people familiar with the company.

Didi did not immediately respond to a request for comment.

Didi already stops users from searching for sensitive political locations, such as Zhongnanhai, the compound where Beijing’s leadership live.

Separately to these requests for mobile app rectification, the CAC had also advised Didi to delay its IPO until it had conducted a cyber security review, said two people familiar with the situation. The CAC has no legal power to delay IPOs, and the company denies that it knew before its IPO that regulators were poised to intervene.

The CAC published in April a draft regulation for public comment on mobile apps’ protection of personal data, which would give it the power to remove apps from app stores for 40 business days.