You tell your AI companion the things you would not tell a therapist, a partner, or a best friend. Late-night fears, sexual preferences, your worst day at work, the name of the person you still miss. The app remembers all of it, and that is exactly the point: a companion that forgets feels broken. The uncomfortable verdict is that the same memory making it feel like it knows you is also the richest, most sellable record of your inner life you have ever produced.
Most companion-app coverage benchmarks the wrong thing. The roundups rank which bot remembers your birthday, which stays in character, which sounds most human. They skip the part that actually matters: where that memory is stored, who can read it, and whether it gets sold. The feature everyone reviews and the risk almost nobody prices are the same thing. This is not a scare piece. It is the line item the comparison charts leave blank, filled in with numbers a privacy review already found and incidents that already happened.
Mozilla reviewed 11 romantic AI chatbots and flagged every single one
In its February 2024 *Privacy Not Included review, the Mozilla Foundation examined 11 romantic AI companion apps and gave all 11 its privacy warning label. About 90 percent may share or sell your personal data, and roughly 54 percent will not let you delete that data once it exists. Mozilla also reported that 10 of the 11 apps failed to meet its minimum security standards. This is a 2024 study, not breaking news, and the structural problems it described have not been fixed since.
The researchers were blunt about who these apps serve. They wrote that romantic chatbots specialize in delivering dependency and loneliness while prying as much data as possible out of you. One app, Romantic AI, fired off more than 24,000 ad and analytics trackers within a single minute of use. The product is the conversation; the business is the data the conversation generates.
The feature that makes a companion feel like it knows you is a structured archive of your most intimate disclosures. That archive is also the privacy exposure.
This is not a niche habit. Tens of millions of people are doing it
AI companion apps are no longer a curiosity. Across the App Store and Google Play they passed roughly 220 million cumulative downloads by mid-2025, and Appfigures data cited by TechCrunch put the category on track for more than 120 million dollars in consumer spending for the year. Individual platforms count their users in the tens of millions. The volume of intimate data flowing into these memory stores is enormous, and most of the people sharing it have never read how it gets retained.
Why the memory feature and the privacy risk are the same thing
Memory is the whole illusion. A companion app feels intimate because it keeps a structured profile of you: facts you stated, moods you expressed, topics you return to, the persona you respond to best. Behind the warm reply sits a database row, indexed and queryable. Strip away the romance and you are looking at a customer-data system that happens to flirt. That is genuinely useful. It is also a dossier.
Here is the part the comparison articles skip. A normal product collects what you click. A companion collects what you confess. The store is not browsing history; it is your insecurities, your relationships, your sexual identity, your mental-health state, written in your own words and timestamped. When a privacy policy reserves the right to share or sell that, you are not handing over ad-targeting crumbs. You are handing over the most sensitive profile a marketer, a data broker, or a future acquirer could want.
Three exposures most people never read about
- Sale and sharing: a policy that permits selling or sharing personal data means your disclosures can leave the company entirely, repackaged for advertisers or data brokers you never chose.
- No deletion: when an app will not let you delete your data, ending the relationship does not end the record. The dossier outlives the conversation.
- Acquisition and breach: stored intimate data is an asset. It can transfer in an acquisition, be exposed in a breach, or be turned over under legal demand, all without your involvement.
Before you get attached to a companion app, read two clauses only: the data-sharing or data-sale section, and the deletion section. If selling is permitted and deletion is not guaranteed, assume everything you say is permanent and resellable.
These are not hypothetical risks. They already happened
Most reviews stop at the abstract warning and never mention that the worst-case scenarios have receipts. Here is what those roundups leave out. In September 2024, the AI girlfriend service Muah.AI was breached and roughly 1.9 million email addresses leaked alongside the users' image-generation prompts, many of them explicitly sexual. Have I Been Pwned added the breach to its index, and reporters traced exposed addresses back to real, named people. The intimate log was not an abstraction. It was a spreadsheet someone could open.
Regulators have started pricing the harm too. On 19 May 2025, Italy's data protection authority, the Garante, fined Luka Inc., the maker of Replika, 5 million euros for processing personal data without a valid legal basis and for having no real age verification. A companion app feeling personal does not mean its data handling is lawful, and the gap between the warm interface and the back-end practice is exactly where the fines land.
Companion data is more sensitive than almost anything else you generate
Think about the categories regulators treat as special: health, sexual orientation, religious belief, mental-health status. A companion conversation touches all of them in a single session, voluntarily, in detail. Search history hints at what you want. A companion log states it plainly, in full sentences, attached to your account.
That density is what makes the data valuable downstream. A broker can infer mood, relationship status, loneliness, and vulnerability from companion logs more cleanly than from any clickstream. Vulnerability is precisely what predatory advertising targets. So the worry is not only that the data leaks. It is that intimate disclosures, accurately profiled, are useful to people whose interests run opposite to yours, and the apps with permissive policies have already reserved the right to pass them along.
What "may share or sell" actually enables
- Profiling: your stated fears and desires become attributes a marketer can target, not guesses but declarations.
- Brokering: data brokers aggregate and resell behavioral profiles; intimate data raises the price, not lowers it.
- Permanence: with no deletion right, a profile built from your worst week persists long after you have moved on.
- Transfer of control: in an acquisition or shutdown, the dataset is an asset that can change hands under new terms you never agreed to.
Where the memory lives is the entire question
The risk is not that AI has memory. Memory is what makes any assistant useful, companion or otherwise. The risk is the default arrangement: your memory lives inside someone else's product, governed by their privacy policy, monetized on their terms, deletable only if they allow it. You get the feature, they get the asset.
The default for nearly every consumer AI product is the same. The assistant remembers you, and the company keeps the memory. That is convenient on day one and costly on the day you want to leave, change apps, or scrub a chapter of your life out of a machine that never agreed to forget it. You rent the recall; they own the record.
The table below separates the two questions the roundups blur together. Recall quality is about how good the experience feels. Memory ownership is about who controls the record afterward. A bot can score high on the first and catastrophically on the second.
| Dimension | Typical companion app | An ownership-first memory layer |
|---|---|---|
| Where memory is stored | Inside the app vendor's systems | Isolated per user, you control the layer |
| Who can read or sell it | Often shareable or sellable per policy | Not sold, not used for training |
| Can you delete it | Frequently no full deletion | You can remove what you choose |
| Encryption at rest | Varies, often unstated | Encryption at rest by design |
| Portability | Locked to one app | Works across assistants you use |
What you can check before you trust a companion with your secrets
You do not need a law degree to assess the risk. The privacy policy answers most of it if you read the right two sections. Skip the marketing copy on the homepage; the binding promises live in the legal text, and the gap between the two is often the whole story.
- Search the policy for "sell" and "share." If it permits selling or sharing personal data with third parties or affiliates, assume your disclosures can leave the company.
- Search for "delete" and "retention." Look for a clear, full deletion right and a stated retention limit. Vague language usually means the data stays.
- Look for "train" or "improve our models." If your conversations feed model training, your private words become part of a system you cannot audit.
- Check for encryption at rest and access controls. Silence on storage security is itself an answer.
- Find out what happens on acquisition or shutdown. If the policy lets data transfer to a buyer, your secrets are part of the deal.
Run that check and most popular companion apps fail at least one line. That is not a reason to never use an AI that remembers you. It is a reason to be deliberate about where the memory of you is allowed to live. None of this is legal advice, and reading a policy carefully does not make any app safe; it just tells you what the app has reserved the right to do.
The fix is not to want less memory. It is to own where it lives
Giving up memory to protect your privacy is a bad trade, because the memory is the value. The better move is to separate the memory from the app consuming it. If the record of who you are sits in a layer you control rather than inside a vendor whose business model is data, the feature stops doubling as the exposure.
That is the gap MemX is built to close. MemX is a private memory layer for your AI assistants, not a companion app and not a relationship product. It is private by architecture: per-user isolation so your memory is segregated from everyone else's, encryption at rest, and a hard line that your memory is never used to train models. It is portable, so the same context can follow you across the assistants you actually use rather than being trapped inside one app you can never fully leave. MemX does not make any app you connect to it compliant or lawful on its own; it changes where your memory lives and who controls it.
The distinction matters for this exact problem. A companion app wants your memory because the memory is its retention hook and, for some, its revenue. A memory layer you own has no incentive to monetize your disclosures, because you are the customer rather than the product. The feature you actually want, an AI that remembers you, gets decoupled from the business model that turns that memory against you. You keep the recall. You stop handing over the record.
Frequently asked questions
01Do AI companion apps sell your data?
Many can. Mozilla's February 2024 Privacy Not Included review of 11 romantic AI chatbots found about 90 percent may share or sell personal data, and all 11 received its privacy warning label. Check each app's data-sharing clause; permission to sell is common.
02Can I delete my data from an AI companion app?
Not always. In Mozilla's 2024 review, roughly 54 percent of the apps did not let users delete their personal data. Ending the relationship does not guarantee the stored record of your conversations goes away. Read the deletion clause before you start.
03Why does an AI companion feel like it knows me?
Because it keeps a structured memory store: facts you shared, moods, recurring topics, and the persona you respond to. That archive drives the intimacy. It is also the most sensitive personal profile the app holds, which is why where it lives matters.
04Are AI companion apps safe to use?
The experience can be engaging, but Mozilla found 10 of 11 reviewed apps failed minimum security standards in 2024, and Muah.AI suffered a real breach in 2024. Treat anything you tell a companion as potentially stored, shareable, and hard to delete unless the app proves otherwise.
05How is MemX different from a companion app?
MemX is not a companion. It is a private memory layer for your AI assistants: private by architecture, with per-user isolation, encryption at rest, and memory that is never used for training. It is portable across assistants, so you own the record rather than renting it from one app.
The takeaway
Your AI companion remembers everything because remembering is the product. Mozilla's 2024 review showed where that leaves you: most romantic chatbots may sell or share what you tell them, many will not let you delete it, and every app it checked earned a privacy warning. The breaches and fines since then show the abstract risk is not abstract. The answer is not to stop wanting memory. It is to put the memory somewhere you own, isolated and not for sale, so the thing that makes AI feel close stops being the thing that leaves you exposed.
