If you’ve ever paused mid-conversation and wondered whether a stranger at a tech company could be reading your roleplay, your venting, or your late-night confessions to a chatbot — that instinct is healthy, and the honest answer is more nuanced than either “they read everything” or “your chats are totally private.” This page lays out exactly what Character.AI, Replika, and Janitor AI can technically access, what their own published policies say, and — if that’s a dealbreaker — what you can run instead so the question never comes up again.
The short version: any cloud companion app stores your messages on its servers in a form the company can access. That’s not a scandal, it’s just how cloud software works. The real questions are who can read them, under what conditions, and what else gets done with the data. Let’s go app by app.
Does Character.AI read your chats? The honest answer
Per Character.AI’s published privacy policy, the company collects the content you provide — including your conversations — and may disclose it to employees, contractors, and vendors who need access to operate, secure, and improve the service. That’s the technically accurate, slightly uncomfortable baseline: a human at the company can access your chats.
But “can” is not “does.” In practice, there is no live feed of your roleplay scrolling across an employee’s monitor. Access is event-driven and exception-based, typically triggered by:
- An automated safety classifier flagging a conversation
- A user report or abuse complaint
- A legal or law-enforcement request
- Debugging a specific account problem you raised
So for the average user on an average day, no human reads your chats. The accurate framing is the one cloud email providers use: staff can access content when operationally or legally required, not for routine reading. The catch is that your messages are retained server-side, they’re used to train and tune models unless you’re on a path that excludes that, and “we don’t usually read them” depends entirely on the company’s current policy — which can change, as Character.AI’s has. You’re trusting a policy, not a guarantee enforced by physics.
Is Replika safe? What it stores and who sees it
Replika is where the picture gets less flattering. In Mozilla’s February 2024 Privacy Not Included review of 11 AI companion apps, every single app failed — and Replika specifically failed across data use, data control, track record, security, and privacy-policy clarity.
The substantive concern isn’t a secret breach; it’s what the policy permits by design. Per reporting on Replika’s own privacy terms, the app shares behavioral data with third-party advertising partners and allows tracking technologies that may legally constitute a “sale” or “sharing” of personal information. Replika’s stated position is that advertising partners do not get access to your actual conversation content or photos — an important distinction — but the metadata and behavioral signals around how you use an intimate companion app are themselves sensitive.
On top of that, in January 2025 a coalition of tech-ethics groups filed an FTC complaint against Replika alleging deceptive marketing and manipulative engagement design — including, per the complaint, prompting upgrades during emotionally or sexually charged moments. The FTC complaint is an allegation, not a proven finding, and Replika is entitled to contest it. But the combination — failed privacy review, ad-partner data sharing, and a regulatory complaint — is exactly why a lot of people start looking for the exit. Our AI companion privacy guide breaks down what “safe” should actually mean for this category.
Janitor AI: the cloud-proxy logging trap
Janitor AI deserves its own section because its architecture surprises people. Janitor AI is a bring-your-own-model platform: you chat with community character cards, but the actual intelligence usually comes from an external model you connect via an API key and a proxy URL.
Here’s the trap. When you route Janitor through a third-party reverse proxy to reach a model, your messages pass through that proxy operator’s server in plaintext. A proxy is just “a password (your API key) and an address (the URL)” — and whoever runs that address can, in principle, log every prompt and reply that flows through it. You’re not just trusting Janitor AI; you’re trusting an often-anonymous middleman with the most sensitive text you write.
And if you connect a mainstream provider directly (OpenAI, Anthropic via their APIs), you inherit their content policies — meaning your spicier characters can get your API access flagged or revoked, and your prompts are subject to the provider’s own retention and abuse-monitoring rules. Janitor AI feels “uncensored” because of the character cards, but the model behind the curtain is somebody else’s cloud. This is the same dynamic we cover in why cloud AI censors you: the filter and the logging live with whoever owns the GPU.
The Character.AI exodus: what migrants actually want
Watch any “leaving Character.AI” thread and the same three demands surface again and again. People aren’t being difficult — they want things cloud companions structurally can’t fully deliver:
| What migrants want | Why cloud apps fall short |
|---|---|
| Real memory | Server-side memory is shallow, capped, and resets with policy/model changes |
| No filter | Safety classifiers are mandatory on hosted platforms; “uncensored” cloud apps still log |
| Actual privacy | Messages are retained server-side and can be accessed, trained on, or subpoenaed |
| No rug-pulls | The company can change personality, filter, pricing, or terms overnight |
The honest summary: memory, freedom, and privacy are the three things you can only fully own by owning the model. Everything else is renting someone else’s promise.
Local alternatives: Ember and SillyTavern + your own model
If privacy is the dealbreaker, the only architecture that structurally solves it is running the model on your own machine. When the AI runs locally, your chats never leave your computer — there is no server, no staff, no policy to trust, because there’s no one on the other end. The loopback API lives at 127.0.0.1:11434 and nothing it touches goes to the internet.
Two main paths:
-
SillyTavern + your own model (the tinkerer’s route). SillyTavern is the power-user frontend the Janitor/CAI crowd migrates to. Point it at a local backend (Ollama, KoboldCpp) running an uncensored open-weight model and you get deep memory, character cards, and zero logging. Our SillyTavern + Ollama setup guide walks the whole thing, and the best uncensored local AI models page covers which weights actually behave like a companion. Install Ollama with one line:
curl -fsSL https://ollama.com/install.sh | shthen pull a model and chat with
ollama run <model>. Look for Q4_K_M quantizations to fit comfortably in consumer VRAM. -
Ember (the no-tinkering route). If you want the privacy of local without assembling a frontend, model, and backend yourself, Ember is a packaged, uncensored companion that runs 100% on your own machine via Ollama — bought once, no subscription, no cloud account. Same privacy guarantee, far less setup.
New to all of this? Start with how to run AI locally for the lay of the land — VRAM, models, and what your hardware can handle.
The private-hosted alternative: Freya
Local is the gold standard for privacy, but it needs a capable GPU and a little patience. If you don’t have the hardware — or you want it working in the next two minutes — the next-best move is a hosted companion built privacy-first from the start, rather than an ad-driven app retrofitting privacy after the fact. That’s the niche Freya fills: zero setup, no GPU required, no install — for the reader who wants it now and is fine with hosted, as long as the product isn’t quietly selling behavioral data to advertisers. It won’t beat true on-device privacy (nothing hosted can), but it’s a categorically different proposition than an ad-supported app under FTC scrutiny.
Pointing a frontend at your own local backend
The mechanic that makes the local route click: frontend and model are separate. SillyTavern (or Open WebUI, or any OpenAI-compatible client) is just a UI. The model runs in Ollama or KoboldCpp on 127.0.0.1. In your frontend’s connection settings you choose a local/OpenAI-compatible API type and point it at the loopback address and port — for Ollama, http://127.0.0.1:11434. That’s it: the pretty interface you like, talking to a brain that lives on your own SSD. Because the traffic never leaves localhost, there’s literally no proxy operator, no company, and no staff in the loop to read anything.
How to migrate your characters
The good news for anyone leaving: your characters are portable. The community has standardized on the character card format (PNG cards with embedded JSON, or .json definitions) that both Character.AI exporters and Janitor AI cards largely conform to. Migration looks like:
- Export or rebuild the persona — copy the character’s name, description, personality, scenario, and example dialogue into a card. (CAI doesn’t offer a clean one-click export, so most people reconstruct from the character’s definition; Janitor cards download directly.)
- Import into SillyTavern — drag the card into the character panel. Done.
- Recreate the memory — paste your favorite remembered facts into the character’s persistent memory / author’s note so continuity survives the move.
- Pick a model that matches your VRAM and vibe, and start chatting locally.
You lose the platform; you keep the character — and this time the model is yours, the memory is yours, and the only person who can read the conversation is you.
Whether you want the full ownership of running a companion on your own machine, or a hosted companion that was private by design instead of an afterthought, there’s a clean exit from the “can staff read my chats?” question — and it doesn’t involve trusting another policy that can quietly change next quarter.