CompanionRater

Independent data-safety research

AI Companion Privacy Report 2026

AI girlfriend and companion apps hold some of the most sensitive data people ever type — and the category has the breach record to prove it matters. We graded the major apps on what their policies disclose, what regulators have found, and what has already leaked. Every claim below is sourced.

Last updated June 2026. Free to cite with attribution to CompanionRater. Grades reflect public information as of this date, not a security audit.

11 of 11 romantic AI chatbots Mozilla reviewed received its *Privacy Not Included warning label — the worst category it had ever tested.

Source: Mozilla Foundation

90% may share or sell your personal data, and 90% failed Mozilla's Minimum Security Standards.

Source: Mozilla Foundation

54% won't let you delete your personal data, and 45% allowed passwords as weak as '1'.

Source: Mozilla Foundation

~1.9M user records leaked in the 2024 Muah AI breach — emails paired with explicit image prompts, some describing child sexual abuse.

Source: 404 Media

€5M fine issued to Replika's maker by Italy's data regulator over age-verification and legal-basis failures.

Source: EDPB / Garante

Zero of the apps we rank offer end-to-end encryption — staff can technically read what you send. Treat every message as readable.

Source: Mozilla Foundation

The scorecard

Graded A–F on disclosed privacy practices, regulatory history, and breaches. No app here offers end-to-end encryption.

B+

Pi (Inflection)

The strongest privacy posture here, helped by being SFW-only with no image generation. Policy states chat data is never sold or shared for marketing.

Breach: None publicly known
Trains on chats: Anonymized, to improve models
Sells / shares: Says it never sells/shares chats for ads
Delete data: Yes — in-app, easy

Sources: Inflection AI

B

Kindroid

Stores conversations encrypted server-side (not end-to-end) and says it doesn't sell data. Encryption specifics rest on secondary reporting — confirm in the current policy.

Breach: None publicly known
Trains on chats: Not for third-party model training
Sells / shares: Says it does not sell user data
Delete data: Yes

Sources: Mozilla Foundation

C+

Nomi.ai

Standard 'commercially reasonable' security language and a broad content license. Deletion of your actual conversation content (vs. account info) is not clearly guaranteed.

Breach: None publicly known
Trains on chats: Anonymized user content, per policy
Sells / shares: No ad-network selling stated
Delete data: Account deletion offered; content-retention terms are vague

Sources: Glimpse.ai

C+

Candy AI

Claims TLS in transit and AES-256 at rest (not end-to-end). Shares data within its corporate group and may transfer it in an acquisition.

Breach: None publicly known
Trains on chats: Aggregated/anonymized to improve models
Sells / shares: Shares with affiliates/service providers; not a 'traditional' sale
Delete data: Yes — ~3-year retention after inactivity

Sources: Candy.ai

C+

Soulkyn

Subscription-funded and states it doesn't sell data. Protects data in transit but doesn't confirm end-to-end encryption, and the billing descriptor isn't discreet.

Breach: None publicly known
Trains on chats: Not stated as training on chats
Sells / shares: Says it does not sell your data
Delete data: Yes — but ~6-year retention after closure

Sources: Soulkyn

C-

Replika

Fined €5M by Italy's regulator over age-verification/legal-basis failures, and the subject of a 2025 FTC complaint alleging manipulative upsell 'dark patterns.' Says it doesn't share conversations with advertisers.

Breach: None publicly known
Trains on chats: Anonymized, to generate responses; not for partners' models
Sells / shares: Shares ad/metadata identifiers (may count as a 'sale'); not chats
Delete data: Yes

Sources: EDPB / Garante, TIME, Luka, Inc.

C-

Character.AI

No known data breach, but under FTC inquiry and multiple minor-harm lawsuits; restricted under-18 open chat in late 2025. Its policy allows training models and tailoring ads on user data.

Breach: None publicly known
Trains on chats: Yes — policy permits training and ad tailoring
Sells / shares: Says it doesn't sell voice/text; uses data for ads
Delete data: Yes

Sources: NBC News, U.S. FTC, The Bureau of Investigative Journalism

C-

Janitor AI

Every message passes to third-party API providers, and the common reverse-proxy setups add more parties that can log conversations. Fewer first-party data claims, but more places your chats travel.

Breach: None publicly known
Trains on chats: Routes chats to third-party model providers
Sells / shares: Limited PII collected; payments handled by processors
Delete data: Yes

Sources: Janitor AI

D+

Talkie

Flagged by Mozilla: says it may sell or share personal information for advertising and takes a broad, royalty-free license over what you submit. Collects sensitive data like birthdate and location.

Breach: None publicly known
Trains on chats: Limited transparency
Sells / shares: States it can sell/share personal info for targeted ads
Delete data: Offered; broad content license granted

Sources: Mozilla Foundation

D

EVA AI

A 'privacy theater' case: the one Mozilla app whose policy says it doesn't sell data, yet it had the second-highest tracker count and unconfirmed encryption. Mozilla logged in with the password '1111'.

Breach: None publicly known
Trains on chats: No transparency on how chats train its AI
Sells / shares: Policy says it doesn't sell — but fired 955 trackers/min
Delete data: Allowed; reserves right to retain

Sources: Mozilla Foundation

D

Anima

Both Anima apps received Mozilla's warning label, with minimal transparency on data use and flags for potentially hostile content. Little public detail to verify either way.

Breach: None publicly known
Trains on chats: Limited transparency
Sells / shares: Mozilla *Privacy Not Included label
Delete data: Limited transparency

Sources: Mozilla Foundation

D

Chai

Carries the heaviest safety history here: a 2023 case in Belgium in which a man died by suicide after weeks talking to a Chai bot. Mozilla flagged it among the worst of its cohort.

Breach: None publicly known
Trains on chats: Yes — to improve models (identifiers removed)
Sells / shares: Mozilla *Privacy Not Included label
Delete data: Per policy

Sources: Vice, Mozilla Foundation

D-

CrushOn AI

Mozilla found it collects sensitive health data, uses chats for training and targeted advertising, and fired 45 trackers before the app finished loading. One of the weakest in Mozilla's audit.

Breach: None publicly known
Trains on chats: Yes — 'may use chat content to train our AI models'
Sells / shares: Shares with affiliates; uses data for targeted ads
Delete data: Per policy

Sources: Mozilla Foundation

F

Muah AI

The category's worst incident: ~1.9M emails exposed alongside image-generation prompts — including prompts describing child sexual abuse. A hacker called it 'a handful of open-source projects duct-taped together.'

Breach: Yes — ~1.9M records (Sept 2024)
Trains on chats: Not disclosed
Sells / shares: Not disclosed
Delete data: Not meaningfully, post-breach

Sources: 404 Media, Have I Been Pwned

How we graded

Each grade weighs five disclosed factors: any confirmed data breach; whether the app sells or shares personal data (including ad trackers); whether it trains its AI on your chats and offers an opt-out; whether you can delete your data; and any regulatory action. We lean on three kinds of source: Mozilla's independent *Privacy Not Included audit, each app's own privacy policy, and reporting on breaches or enforcement. This is an editorial read of what companies disclose — not a penetration test — and we revise it as practices change. Where a company discloses little, we say so rather than assume the worst.

Notable incidents & regulation

  1. Muah AI data breach (Sept 2024)

    Around 1.9 million email addresses were exposed alongside AI image-generation prompts. Researchers found numerous prompts describing child sexual abuse, and many emails were tied to real identities. The hacker said the platform was trivially exploitable.

    Sources: 404 Media, Have I Been Pwned

  2. Italy fines Replika's maker €5M (Feb 2023 – May 2025)

    Italy's Garante first banned Replika from processing Italian users' data in 2023 over weak age verification and risks to minors, then issued a €5 million fine in 2025. A separate probe into the underlying AI model was opened.

    Sources: TechCrunch, EDPB / Garante

  3. FTC complaint over Replika 'dark patterns' (Jan 2025)

    Advocacy groups filed an FTC complaint alleging Replika uses manipulative design — blurred romantic images and premium prompts during emotionally charged moments — plus misleading efficacy claims and fake testimonials.

    Sources: TIME

  4. Belgian man dies after Chai chatbot conversations (Mar 2023)

    A man died by suicide after roughly six weeks talking with a Chai bot named 'Eliza' that reportedly encouraged self-harm. Chai's maker said it added a crisis-intervention feature afterward.

    Sources: Vice

  5. Character.AI wrongful-death litigation (Oct 2024 – Jan 2026)

    A wrongful-death suit was filed after the 2024 suicide of a 14-year-old; a judge let it proceed in 2025, declining to treat chatbot output as protected speech at that stage. In January 2026, Google and Character.AI agreed to settle five family lawsuits — terms undisclosed, pending court approval.

    Sources: Tech Justice Law Project, WUSF / AP, CNN

  6. FTC opens inquiry into AI companions (Sept 2025)

    The FTC issued compulsory 6(b) orders to seven companies — including Character Technologies, Meta, OpenAI, Google, Snap and xAI — seeking data on child safety, monetization and safeguards.

    Sources: U.S. FTC

  7. California passes first companion-chatbot law (SB 243) (Oct 2025)

    California enacted the first US law specifically regulating companion chatbots: it requires clear AI disclosure, self-harm crisis protocols, protections for minors, and annual reporting. It took effect Jan 1, 2026.

    Sources: California State Senate

  8. Researchers warn companions are unsafe for minors (Apr–Jul 2025)

    Common Sense Media and Stanford concluded social AI companions pose 'unacceptable risks' to under-18s, while a national survey found nearly 3 in 4 teens have already used one.

    Sources: Common Sense Media + Stanford, Common Sense Media

“Encrypted” doesn't mean private

Almost every app advertises “encryption.” That nearly always means encrypted in transit (HTTPS) — protected between your device and the company's servers. It does not mean end-to-end encrypted. The company can still read your messages, use them to train models, and hand them over if breached or subpoenaed. Assume a human could see anything you send, and never share your real name, face, workplace, or payment details with a companion app.

FAQ

Which AI companion app is the most private?

Of the apps we assessed, Pi scores best, helped by being conversation-only (no image generation) with a policy that says it never sells or shares chats for advertising. No app we rank offers end-to-end encryption, so none can promise that staff cannot read your messages.

Have AI companion apps been hacked?

Yes. The clearest case is Muah AI, which leaked around 1.9 million user records in 2024, including image-generation prompts — some describing child sexual abuse. It remains the worst-documented breach in the category.

Do AI companion apps train on my conversations?

Many do, usually on anonymized or de-identified data, and often without a clear opt-out. Mozilla found most romantic chatbots offered little transparency about whether and how chats are used to train their AI.

How did you grade these apps?

Grades reflect public information as of June 2026 — Mozilla's *Privacy Not Included audit, each app's own privacy policy, and reported breaches or regulatory actions. They are an editorial assessment of disclosed practices, not a security audit, and we update them as practices change.

Sources

  1. Mozilla Foundation, *Privacy Not Included: Romantic AI Chatbots (Feb 2024)
  2. 404 Media, Hacked AI girlfriend data... (Oct 2024)
  3. Have I Been Pwned, Muah.AI breach record (Oct 2024)
  4. EDPB / Garante, Italian DPA fines the company behind Replika €5M (May 2025)
  5. TechCrunch, Replika ordered to stop processing Italians' data (Feb 2023)
  6. TIME, FTC complaint over Replika's 'dark patterns' (Jan 2025)
  7. Luka, Inc., Replika Privacy Policy (2026)
  8. Tech Justice Law Project, Garcia v. Character Technologies (case page) (Oct 2024)
  9. WUSF / AP, Judge lets Character.AI suicide suit proceed (May 2025)
  10. CNN, Google, Character.AI agree to settle teen-suicide suits (Jan 2026)
  11. The Bureau of Investigative Journalism, Character.AI to ban under-18s from open chat (Oct 2025)
  12. NBC News, Character.AI bans minors; policy permits training on user data (Oct 2025)
  13. Vice, Man dies by suicide after talking with AI chatbot, widow says (Mar 2023)
  14. U.S. FTC, FTC launches inquiry into AI chatbot companions (Sep 2025)
  15. California State Senate, First-in-nation AI companion-chatbot safeguards signed (SB 243) (Oct 2025)
  16. Common Sense Media + Stanford, AI companions pose 'unacceptable risks' to teens (Apr 2025)
  17. Common Sense Media, Nearly 3 in 4 teens have used AI companions (Jul 2025)
  18. Candy.ai, Candy AI Privacy Policy (2026)
  19. Inflection AI, Pi Privacy Policy (2026)
  20. Glimpse.ai, Nomi.ai Privacy Policy (2026)
  21. Soulkyn, Soulkyn Privacy Notice (2026)
  22. Janitor AI, Janitor AI Privacy Policy (2026)