Are your AI companion conversations actually private? The answer is worse than you think
Someone just tricked Grok into sending $200,000 in crypto using morse code. Muah AI exposed 1.9 million users' data. Most platforms store everything you say. Here's what's actually happening with your most intimate conversations.
May 7, 2026 · 9 min read
In May 2026, a user tricked xAI's Grok chatbot into sending $200,000 in cryptocurrency using morse code to bypass safety filters. The exploit was clever but the underlying lesson is simple: AI systems are more brittle than their marketing suggests, and the security architecture protecting your conversations is thinner than you assume.
This matters for AI companion users specifically because the conversations you have with companion platforms are among the most intimate text records most people generate. Sexual fantasies, emotional vulnerabilities, mental health disclosures, relationship details, family secrets, daily routines, financial situations. The content users share with AI companions is, in aggregate, the most comprehensive psychological profile of them that exists anywhere.
The question of whether those conversations are actually private has a clear answer, and the answer is: mostly no.
What platforms actually store
Every major AI companion platform stores your conversations on their servers. This is architecturally necessary for platforms with memory features because the memory has to persist between sessions. But even platforms without long-term memory typically store conversation logs for training, moderation, and product development.
What's stored:
Full conversation text. Every message you send, every response the AI generates. The complete transcript of every conversation you've had on the platform.
User metadata. Account information, IP addresses, device information, session timing, usage patterns. When you use the platform, how long, from where.
Generated content. Images you've generated, voice messages, any media produced during conversations. This includes NSFW content on platforms that support it.
Behavioral analytics. What features you use, which characters you interact with, your response patterns, engagement metrics.
Mozilla's "Privacy Not Included" review of AI companion apps documented the broader pattern across 11 platforms. All 11 failed basic privacy standards. One app deployed 24,354 ad trackers in a single minute. Pocket Animus covered the full Mozilla assessment when it was published, and the findings remain relevant: the category's privacy practices are broadly poor.
What's happened when security failed
The theoretical risks have produced real incidents:
Muah AI breach: 1.9 million users exposed. In 2024, Muah AI suffered a data breach that exposed user records including conversation histories. For users who had shared intimate content with the platform, the breach exposed their most private communications to unauthorized parties.
The Grok morse code exploit. The incident where a user bypassed Grok's safety filters with morse code and walked away with $200,000 shows that a control enforced at the prompt layer can be talked around by a change of encoding. A filter bypass is not a database breach, and nothing in that incident touched stored conversations; the lesson for companion platforms is narrower and still uncomfortable. Where the model is wired to a memory store or other tools, a bypass of the same kind reaches whatever those tools reach, so "the AI won't repeat that" is a prompt-level promise, not a storage control.
Character AI legal discovery. The lawsuits against Character AI have produced legal discovery processes where conversation logs are subpoenaed as evidence. Conversations users assumed were private became part of court records. This is a structural risk for any platform that stores conversations: legal proceedings can force disclosure.
Employee access. Anthropic's own 1 million conversation analysis demonstrates that company employees can and do access conversation data for research purposes. Anthropic states their methodology is privacy-preserving (using Clio, which doesn't expose individual identities to researchers). Other platforms may not have comparable safeguards.
The specific risks for AI companion users
AI companion conversations create specific vulnerabilities that other AI conversations don't:
Blackmail-grade content. Users who engage in NSFW roleplay, sexual fantasy exploration, or intimate emotional disclosure generate content that could be used for blackmail or social humiliation if exposed. Our coverage of NSFW AI safety details how this content exists in platform databases regardless of whether you've "deleted" it.
Relationship-damaging disclosures. Users who use AI companions while in human relationships, which research suggests is roughly 70% of regular users, generate content their partners would find distressing if disclosed. The concealment dynamic we covered in the cheating debate gets worse when the concealed content exists in a database someone else controls.
Mental health records outside medical protections. Conversations with therapists are protected by medical privacy laws (HIPAA in the US, which binds licensed providers and their business associates, not consumer apps). Conversations with AI companions about mental health have no such protection. Users who disclose suicidal thoughts, self-harm, substance use, or psychiatric symptoms to AI companions are generating records that carry no medical privacy protection, that can be subpoenaed in legal proceedings, and that can be exposed in breaches.
Location and routine data. Users who discuss their daily routines, travel plans, home situations, and location-specific details with AI companions generate usable surveillance data if accessed by malicious actors.
Identity verification content. Users who share real names, workplace information, family details, and other identity-confirming information with AI companions create linkable profiles that connect the intimate content to real identities.
How each platform handles privacy
The platforms vary significantly, and our safety reviews cover each one in detail. The summary:
Replika: Stores conversations. The 2024 privacy policy allows use of conversation data for model training. End-to-end encryption is not implemented. Full safety assessment here.
Character AI: Stores conversations. Conversations are subject to content moderation, meaning employees review flagged content. Legal discovery in the Setzer case has exposed conversation records.
Kupid AI: Conversations stored on Kupid's servers to support memory features. The CEO has stated they don't monitor chats regardless of content, but the technical capability exists. No end-to-end encryption.
Candy AI: Stores conversations and generated images. Privacy practices are comparable to the category norm: data is collected, stored, and potentially used for model improvement.
SpicyChat: Documented privacy concerns including weak data protection practices and an iOS app pulled from the App Store. NSFW content is stored on their servers.
CrushOn AI: Privacy assessment documented standard-to-weak data protection for the category.
Nomi AI: The deep memory architecture stores extensive user profile data extracted from conversations. This is the feature that makes Nomi's memory work; it's also a more detailed profile than most platforms generate.
SillyTavern + Ollama: The only architecture on this list where privacy is structural rather than promised. Conversations exist on your hardware. No server stores them, no company has access, no platform breach can expose them, and no legal proceeding can subpoena them from a third party. The residual risk moves to the device: whether the disk is encrypted, who else uses the machine, malware, and a seized laptop. The guarantee also only holds while SillyTavern is talking to the local model; point the same interface at a cloud API key and the conversation is back on someone else's server.
What you can actually do
Several practical steps reduce exposure:
Assume everything is stored permanently. Even if you "delete" conversations, assume the data exists in backups, logs, or training datasets somewhere. Don't share anything with an AI companion that you wouldn't be comfortable appearing in a data breach.
Use a pseudonymous account. Don't use your real name, work email, or identifiable information when creating AI companion accounts. The platform still sees your IP address and device, so this does not hide you from the platform itself, but separating your identity from your conversation content is meaningful protection against a breach dump or a casual lookup.
Avoid disclosing specific identifying information. Discussing emotions is low-risk. Discussing emotions plus your real name, employer, address, and partner's name is high-risk because it makes the content linkable to your real identity.
Consider self-hosting for the most private content. The setup investment (1-2 hours, hardware requirements covered here) produces the only architecture where privacy is structural rather than promised.
Review the platform's privacy policy before subscribing. Most users don't. The privacy policies typically include clauses about data use for training, sharing with partners, and retention after account deletion.
Use separate payment methods. Credit card transactions create linkable records. Prepaid cards, or crypto where platforms accept it, weaken the link between payment identity and conversation content; crypto paid from an exchange account with identity verification does not break it.
Don't use AI companions on employer devices or networks. A managed laptop with endpoint monitoring sees everything you type. A corporate proxy that inspects TLS sees the traffic. Even where the connection is encrypted all the way to the platform, DNS and connection logs on the corporate VPN or office wifi still show which service you use and when. All of it creates visibility into conversations you probably want private.
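One way to act on the pseudonymity and identifier advice above is a local pre-send filter: strip the handles that make a transcript linkable (your name, employer, partner's name, e-mail, phone) before the text leaves the device. The example below is added here and is not code from the page or from any companion platform; the identifier list, the message and the regexes are constructed for illustration, and the filter deliberately handles only the easy cases.

```python
import re

# Added example: a client-side redaction pass run on each message before it
# is sent to a cloud companion.  Not platform code.  It removes e-mail
# addresses, phone numbers and a user-supplied list of identifiers; it does
# not understand context, so a sentence like "my boss at the big bank on
# Main Street" still leaks.  Treat it as a floor, not a guarantee.

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Loose North-American style numbers; extend for other national formats.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)


def build_identifier_re(identifiers):
    """Whole-word, case-insensitive pattern over the user's own identifiers
    (real name, employer, partner's name, street...).  Longest first so that
    'Jane Doe' is consumed before a shorter 'Jane' could match inside it."""
    terms = sorted({t.strip() for t in identifiers if t.strip()},
                   key=len, reverse=True)
    if not terms:
        return None
    return re.compile(r"\b(?:" + "|".join(re.escape(t) for t in terms) + r")\b",
                      re.IGNORECASE)


def redact(text, identifiers=()):
    """Return (redacted_text, number_of_replacements)."""
    hits = 0

    def sub(pattern, label, s):
        nonlocal hits
        s, n = pattern.subn(f"[{label}]", s)
        hits += n
        return s

    # Structured identifiers first, so a name embedded in an e-mail address
    # is already gone before the name list runs.
    text = sub(EMAIL_RE, "EMAIL", text)
    text = sub(PHONE_RE, "PHONE", text)
    ident_re = build_identifier_re(identifiers)
    if ident_re:
        text = sub(ident_re, "IDENT", text)
    return text, hits


if __name__ == "__main__":
    # Constructed sample message and identifier list, not real data.
    my_identifiers = ["Jane Doe", "Acme Corp", "Sam"]
    msg = ("Hi, I'm Jane Doe from Acme Corp. My partner Sam doesn't know "
           "I use this. Email me at jane.doe@example.com or call 555-123-4567.")
    cleaned, n = redact(msg, my_identifiers)
    print(f"{n} identifiers removed:\n{cleaned}")
```

Run the filter on your side of the conversation only; the platform still gets your IP address, device fingerprint and payment record, so this addresses the linkability of the content, not the existence of the account.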
The structural problem
The fundamental tension is architectural. AI companion platforms that provide memory, personalization, and voice features require storing your data on their servers. The features that make the experience feel intimate are the same features that require data collection that eliminates privacy.
This isn't a problem platforms can solve by being more ethical. It's a structural characteristic of the technology. Cloud-hosted AI companions with memory features cannot provide genuine privacy because the features require data persistence on infrastructure you don't control.
The only structural solution is local hosting, which eliminates the server dependency entirely but also eliminates most of the convenience, polish, and accessibility that makes cloud platforms appealing.
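The local-hosting argument above only holds if the local services actually stay on the machine. A SillyTavern instance set to listen on every interface without an IP whitelist or a password, or an Ollama server bound to 0.0.0.0, is a chatbot with your full transcript reachable by anyone on the same network. The script below is an added example, not SillyTavern's or Ollama's own tooling; it assumes the current top-level config.yaml keys (listen, whitelistMode, basicAuthMode) and Ollama's OLLAMA_HOST convention, and uses constructed config snippets rather than real files.

```python
import re

# Added example: audit the two settings that decide whether a "local"
# companion stack is reachable from the network.  The SillyTavern key names
# (listen, whitelistMode, basicAuthMode) and Ollama's OLLAMA_HOST default are
# assumptions about the current versions; compare with the config.yaml your
# install ships before relying on the result.

DEFAULT_OLLAMA_HOST = "127.0.0.1:11434"   # Ollama's default bind (assumed)
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_flat_yaml(text):
    """Minimal reader for top-level 'key: value' lines with optional
    trailing comments.  Enough for the boolean keys checked here; it is not
    a general YAML parser."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*?)\s*(?:#.*)?$", line)
        if m and m.group(2) != "":
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings


def is_true(value):
    return str(value).lower() in ("true", "yes", "on", "1")


def audit_sillytavern(config_text):
    """Findings for a SillyTavern config.yaml body."""
    s = parse_flat_yaml(config_text)
    findings = []
    if is_true(s.get("listen", "false")):
        findings.append("SillyTavern listens on all interfaces (listen: true)")
        if not is_true(s.get("whitelistMode", "true")):
            findings.append("IP whitelist disabled (whitelistMode: false)")
        if not is_true(s.get("basicAuthMode", "false")):
            findings.append("no authentication on the exposed UI (basicAuthMode: false)")
    return findings


def audit_ollama(env):
    """Findings for the process environment (pass os.environ in practice)."""
    host = env.get("OLLAMA_HOST", DEFAULT_OLLAMA_HOST)
    bind = host.split("://")[-1].rsplit(":", 1)[0].strip("[]")
    if bind not in LOOPBACK:
        return [f"Ollama bound to {host}: reachable from the network, no auth by default"]
    return []


def audit(config_text, env):
    return audit_sillytavern(config_text) + audit_ollama(env)


# Constructed samples, not real config files.
WEAK_CONFIG = """\
# exposed on the LAN, no whitelist, no password
listen: true
whitelistMode: false
basicAuthMode: false
"""

HARDENED_CONFIG = """\
listen: false        # loopback only; the default
whitelistMode: true
basicAuthMode: false
"""

if __name__ == "__main__":
    import os
    for name, cfg, env in (("weak", WEAK_CONFIG, {"OLLAMA_HOST": "0.0.0.0"}),
                           ("hardened", HARDENED_CONFIG, {}),
                           ("this host", HARDENED_CONFIG, os.environ)):
        problems = audit(cfg, env)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

A clean result from this check still leaves the device-level risks (disk encryption, shared machines, malware) and says nothing about which backend SillyTavern is pointed at; the privacy claim only holds while the connected model is the local one.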
For most users, the practical approach is informed risk acceptance: understanding what's being stored, minimizing identifying information, and accepting the residual risk as the cost of using the technology. For users whose privacy needs are genuine (LGBTQ+ users in hostile environments, users with security clearances, public figures, users in contested legal situations), the local hosting approach may be worth the setup investment.
The honest framing
Your AI companion conversations are not private in any meaningful sense. They exist on servers you don't control, accessible to employees you don't know, subject to legal processes you can't predict, and vulnerable to security incidents the platform may not prevent or even disclose.
This doesn't mean you shouldn't use AI companions. It means you should use them with awareness of what you're generating and where it goes. The intimate conversation you had with your Kupid AI companion at 2 AM exists in a database. The image you generated on Candy AI exists in storage. The mental health disclosure you made to your Replika exists in a log.
For most users, this is an acceptable trade-off given the value the platforms provide. The key word is "informed." Users who understand what they're trading (privacy) for what they're getting (companionship, emotional support, creative expression) can make that choice consciously. Users who assume their conversations are private are making the same trade-off without knowing it.
If privacy matters to you beyond what cloud platforms can provide, SillyTavern with local models is the only option that addresses the problem architecturally. For everyone else, minimize identifying information, assume persistence, and use the platforms with eyes open.