“Selling your data” is the question everyone asks, but it’s almost never the right one. The honest answer for most AI companion apps is: an outright cash sale of your name attached to your sext logs is rare and legally risky. What actually happens is messier and, for your privacy, worse — behavioral data piped to ad networks in real time, chats fed into model training, message logs routed through third-party LLM providers, and “we may share for business purposes” clauses broad enough to drive a truck through. The distinction matters because companies hide behind the narrow definition (“we don’t sell your data”) while doing nearly everything a sale would accomplish.
This is the page that names names, cites the receipts, and tells you the one architecture that makes the whole question moot.
What “selling data” really means: three very different things
When people worry about an AI girlfriend app selling data, they’re usually blurring three separate practices. Pulling them apart is the whole game.
- Direct sale. A literal transaction: a company hands a data broker a file of users and gets paid. Under laws like California’s CCPA, “sale” is defined broadly enough that even some ad-targeting sharing counts — which is exactly why so many policies now say “we do not sell your data” while a tracker is phoning home as you read it.
- Ad trackers / “sharing.” SDKs from Meta, Google, AppsFlyer and others embedded in the app that transmit events — you opened the app, you stayed 40 minutes, you upgraded to the NSFW tier — to ad networks for targeting and attribution. No cash changes hands for “your data” specifically, but your behavior is now an asset on someone else’s books. This is the most common practice by far.
- “Business purposes” and model training. The catch-all. Policies grant the company rights to use your content to “improve our services,” to “facilitate your experience,” or to train its AI models. Your most intimate messages become training data or get processed by third-party LLM vendors. Technically not a “sale.” Practically, your chats have left your control forever.
Keep these three buckets in mind. Almost every company’s denial is true for bucket one and silent on buckets two and three.
The Replika case study: 210 trackers, ad partners, no E2E, an Italian ban
Replika is the most-studied example, so the facts are unusually concrete. In Mozilla’s Privacy Not Included review, researchers reported finding 210 trackers within five minutes of use, with data going to companies including Facebook (Meta) and AppsFlyer, a mobile marketing-attribution platform. Mozilla’s read: while the intimate content of chats probably isn’t shared wholesale, behavioral data “is definitely being shared and possibly sold to advertisers,” and the company records “any photos, videos, and voice and text messages” you share.
On the “does Replika sell your data” question specifically, the defensible statement is the careful one: Mozilla flagged Replika with warning dings across all three of its categories — Privacy, Security, and AI — and concluded the app did not meet its Minimum Security Standards (it accepted passwords as weak as “11111111”). There’s no public proof of a cash sale of message contents — but there’s documented, heavy ad-partner sharing of behavioral data, and a company that admits it cannot offer end-to-end encryption because, in Mozilla’s own quote of Replika, your “plain text messages must be available to train your personal AI on the server-side.” In other words, your conversations are read in the clear on Replika’s servers — and used to train.
Then there’s the regulatory record. In February 2023, Italy’s data protection authority (the Garante) ordered Replika to stop processing Italian users’ data, citing risks to minors and vulnerable people and GDPR transparency failures — there was no working age verification, and the app would serve sexual content even after a user stated they were a minor. That February 2023 processing ban escalated to a final €5 million fine in May 2025. That’s not a tabloid accusation; it’s a published regulatory decision. (We go deeper in our dedicated Replika data analysis and in “is Character.AI or Replika reading your chats.”)
CrushOn and the worst offenders: health data and training on your chats
Replika is mainstream and at least visible to regulators. The uncensored-roleplay tier is where the policies get genuinely alarming. Mozilla’s review of CrushOn.AI noted the phrase “health data” appears 23 times in its privacy policy, and the policy’s own enumerated examples include “individual health conditions, treatment, diseases, or diagnosis,” “use of prescribed medication,” “gender-affirming care information,” and “reproductive or sexual health information.”
Per that same policy, CrushOn states it may use this information “to facilitate your chat experience, monitor your chat for safety… and for our Business Purposes,” and — the line that should stop you cold — “we may use User Content from character chats to train our AI models.” It also reserves the right to share categories of consumer health data with third parties and affiliates.
Read that in plain English: on a platform built for explicit roleplay, the things you say in character can be classified as sensitive health data, used to train the model, and shared onward. This is the “AI companion data brokers” pattern in its purest form — not necessarily a bulk sale, but a permission structure that lets your most private inputs travel almost anywhere the company finds useful. For the broader pattern across explicit apps, see “are AI girlfriend apps safe for privacy.”
Cross-app evidence table
A fair comparison — based on each company’s published policy, Mozilla’s Privacy Not Included findings, and verifiable public regulatory action. Where a fact isn’t publicly documented, it’s marked unclear rather than guessed.
| Pattern | Cloud companion apps (general) | Replika (documented) | CrushOn.AI (per its policy) | Local AI (Ember / self-hosted) |
|---|---|---|---|---|
| Embedded ad trackers | Common | Yes — ~210 in 5 min (Mozilla) | Present | None — no network calls |
| Behavioral data to ad partners | Common | Yes (Facebook, AppsFlyer) | Yes | None |
| Trains on your chats | Often, via “improve services” | Yes — Mozilla quotes Replika saying plain-text messages “must be available to train your personal AI on the server-side” | Yes — states it may train on chats | No — runs on your hardware |
| Routes chats to a third-party LLM | Frequently (OpenAI/others) | Unclear publicly | Uses external models | No — model is on your disk |
| End-to-end encryption of chats | Rare | No — ruled out so messages can be read for training | No | N/A — never transmitted |
| Account deletion purges everything | Rarely guaranteed | Unclear / partial | Unclear | Yes — you delete the files |
| Regulatory action on record | Varies | Italy €5M fine (2025) | None public | N/A |
The single clean column is the last one — and the reason why is structural, not promotional. We unpack the full methodology in our AI companion privacy guide.
Why account deletion often doesn’t purge third-party or external-LLM logs
Here’s the trap that catches even careful users. You decide to leave, hit “delete account,” and assume your conversations are gone. In a cloud architecture, deletion usually only touches the primary database the app controls. It typically does not reach:
- Backups and logs, which most policies say are retained for some period after deletion.
- Third-party LLM providers. If the app routes your messages to an external model API (very common), that vendor has its own retention and abuse-monitoring windows — your text may persist on infrastructure the companion app doesn’t even own.
- Ad-network and analytics data. Behavioral events already sent to Meta or an attribution SDK aren’t recalled by your deletion request; that data left the building when it was sent.
- Already-trained models. If your chats were folded into a training run, deleting your account does nothing — the weights have already learned from your words, and you can’t un-bake a cake.
So “we deleted your account” and “your data is gone” are not the same sentence. The first is usually true. The second is usually unverifiable.
The only guarantee against a sale: no transmission, or a no-sell instance
Everything above shares one root cause: your words leave your device. Once data is transmitted, you’re trusting a policy, an SDK vendor, a backup rotation, and a future acquirer to all behave — forever. Policies change. Companies get bought. Trackers get added in the next app update.
There are exactly two ways to escape the trust treadmill:
- No transmission at all — run the AI locally. If the model runs on your own machine, the conversation never crosses the network. There’s no server log, no ad SDK, no training pipeline, no third-party LLM, nothing to subpoena or sell. The question “do they sell my data?” becomes unanswerable because there is no “they” and no transmitted data. This is the strongest possible guarantee, and it’s been ordinary-laptop-achievable for a while now — see “how to run AI locally” and “why cloud AI censors you” for the bigger picture.
- A hosted instance with a contractual no-sell, no-train posture. If you genuinely can’t self-host, the next-best is a cloud service that is explicit in writing that it does not sell data, does not train on your conversations, and minimizes third-party routing. It’s still a trust model rather than a math model — but it’s a categorically different promise than an ad-funded free app.
How to check any app’s policy yourself in five minutes
You don’t need a lawyer. Open the privacy policy and Ctrl+F for these terms:
- “sell” / “share” — Note the difference. “We don’t sell” while saying nothing about “share” is a tell, because under CCPA “share” (for ad targeting) is the loophole.
- “third part” (matches third-party / third parties) — Who are they? Ad networks? Analytics? Other LLM vendors?
- “train” — Do they reserve the right to train on your content? On a companion app, that means training on your most intimate messages.
- “retain” / “deletion” — How long after you delete? Do backups and logs survive?
- “affiliate” — A common vehicle for moving data inside a corporate family without it counting as a “sale.”
- “health” — On companion/roleplay apps, watch for sexual or mental-health data being classified as collectible, as in the CrushOn example.
Then run the smell test: a free app with no obvious revenue almost certainly monetizes attention and data. Trackers are how. If the business model isn’t subscriptions, it’s you.
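The same five-minute check as a script, added here as an example (it is not code from any app or review discussed on this page). It searches a policy for the checklist stems and reports the "denies selling, silent on sharing" tell; the sample policy text and the denial pattern are constructed assumptions.

```python
import re

# Checklist stems from the section above, matched case-insensitively at a
# word start. Hyphens become spaces so "third part" also hits "third-party",
# and the word-start rule keeps "train" from matching "constraints".
STEMS = ["sell", "share", "third part", "train", "retain", "deletion",
         "affiliate", "health"]

# Assumed wording of a "we don't sell" denial; real policies vary.
SELL_DENIAL = re.compile(r"\b(?:do not|don't|never|will not|won't)\s+sell\b", re.I)


def flatten(text):
    """Collapse whitespace and straighten curly apostrophes."""
    return " ".join(text.replace("\u2019", "'").split())


def scan_policy(text):
    """Map each stem to the policy sentences that contain it."""
    hits = {stem: [] for stem in STEMS}
    for sent in re.split(r"(?<=[.!?])\s+", flatten(text)):
        norm = sent.lower().replace("-", " ")
        for stem in STEMS:
            if re.search(r"\b" + re.escape(stem), norm):
                hits[stem].append(sent)
    return hits


def sell_without_share(text):
    """The tell from the checklist: selling denied, sharing never addressed."""
    return bool(SELL_DENIAL.search(flatten(text))) and not scan_policy(text)["share"]


# Constructed sample policy, not taken from any real app.
SAMPLE_POLICY = """
We do not sell your personal information. We may disclose usage data to
third-party analytics and advertising partners and to our affiliates.
We may use User Content to train our models. Backups are retained for a
period after account deletion. There are no constraints on export.
"""

if __name__ == "__main__":
    for stem, found in scan_policy(SAMPLE_POLICY).items():
        print(f"{stem!r}: {len(found)} hit(s)")
        for sent in found:
            print("   ", sent)
    print("denies selling, silent on sharing:", sell_without_share(SAMPLE_POLICY))
```

A hit is only a pointer to the sentence you need to read: “train” appearing in a policy can just as easily be a promise not to train on your content.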
What to switch to, and why
If your priority is the airtight guarantee, self-hosting is the answer — and it’s far easier than it sounds. Install Ollama (`curl -fsSL https://ollama.com/install.sh | sh`), pull an uncensored model with `ollama run <model>`, and your companion talks to a local API at `127.0.0.1:11434` that never touches the internet. Pair it with a chat front-end and you have a private companion with zero trackers, zero training, and a delete key that actually deletes. Start with “how to run an AI girlfriend locally” or “the best uncensored local AI models.” If you’re unsure your machine is up to it, “do I need a GPU for an AI companion” sizes it honestly.
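A check worth running after setup, added here as an example (not Ollama's or this page's own code): the local-only property depends on the server listening on a loopback address, so this parses `ss -ltn` output and lists any listener on port 11434 bound elsewhere. The sample output is constructed; Ollama takes its bind address from the OLLAMA_HOST setting.

```python
import ipaddress

OLLAMA_PORT = 11434  # port named in the section above


def local_endpoints(ss_output, port=OLLAMA_PORT):
    """Yield the bind host of every LISTEN socket on `port` in `ss -ltn` output."""
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or unrelated line
        host, _, port_str = cols[3].rpartition(":")
        if port_str == str(port):
            yield host


def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; wildcards and LAN addresses are not."""
    host = host.split("%")[0].strip("[]")  # drop %iface suffix and IPv6 brackets
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "*" or anything unparsable counts as exposed


def exposed_listeners(ss_output, port=OLLAMA_PORT):
    """Return bind hosts on `port` reachable from beyond this machine."""
    return [h for h in local_endpoints(ss_output, port) if not is_loopback(h)]


# Constructed `ss -ltn` output, not captured from a real host.
LOCAL_ONLY = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096       127.0.0.1:11434      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
"""
EXPOSED = """\
LISTEN 0      4096               *:11434            *:*
LISTEN 0      4096            [::]:11434         [::]:*
"""

if __name__ == "__main__":
    for name, sample in (("local only", LOCAL_ONLY), ("exposed", EXPOSED)):
        print(name, "->", exposed_listeners(sample) or "loopback only")
```

On Linux, pass it the text printed by `ss -ltn`; an empty list means only this machine can reach the API.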
The bottom line: most companion apps don’t need to literally sell your data to expose it — trackers, training clauses, and third-party routing do the damage quietly, and “delete account” rarely reverses it. The only way to make a data sale impossible is to make sure the data never leaves your hands.
If you want the version where the math guarantees it — a companion that runs 100% on your own machine, no cloud, no trackers, no training on your words — Ember is built exactly for that. And if you’d rather skip the setup but still pick a service on a clear no-sell, no-train footing, a privacy-first hosted option like Freya is the saner cloud choice.
