Mozilla's *Privacy Not Included reviews of AI companions, summarized
On Valentine's Day 2024, Mozilla's privacy researchers reviewed 11 romantic AI chatbots. All 11 failed. A year and a half later, the findings are still the most damning consumer-protection assessment of the entire category.
May 1, 2026
Every February, the Mozilla Foundation's *Privacy Not Included project publishes buyer's guides timed to holidays. They've reviewed connected sex toys for Valentine's Day, smart home devices for Christmas, kids' gadgets for back-to-school. The format is consistent: privacy researchers read the fine print, test the products, count the trackers, and slap warning labels on anything that doesn't meet their standards. The project has become a benchmark for consumer technology privacy, regularly cited by outlets like The Verge and Ars Technica.
On February 14, 2024, they published their review of romantic AI chatbots. Eleven apps. Every single one received the *Privacy Not Included warning label. The researchers called it one of the worst product categories they had ever reviewed for privacy, and they've reviewed hundreds of products since launching the project in 2017.
The findings have aged disturbingly well. Here's what Mozilla found, what it means, and what's changed (and hasn't changed) since.
The eleven apps that all failed
The researchers, led by Jen Caltrider with Misha Rykov and Zoë MacDonald, reviewed: Replika, EVA AI, Romantic AI, iGirl, Anima: AI Friend & Companion, Anima: My Virtual Boyfriend, Talkie Soulful AI, Genesia AI, Mimico, and others in the romantic chatbot category. Collectively, the eleven apps had accumulated an estimated 100 million downloads on the Google Play Store.
Every app failed. No exceptions. The *Privacy Not Included label, Mozilla's equivalent of a consumer warning, went on all eleven. This was unusual even by Mozilla's standards. Most product categories have at least one or two offerings that pass basic privacy thresholds. The romantic AI chatbot category achieved a perfect failure rate.
Misha Rykov's summary became the most-cited line from the review: "To be perfectly blunt, AI girlfriends are not your friends. Although they are marketed as something that will enhance your mental health and well-being, they specialize in delivering dependency, loneliness, and toxicity, all while prying as much data as possible from you."
Twenty-four thousand trackers in sixty seconds
The individual app reviews contain specific findings that are harder to dismiss than general privacy warnings.
Romantic AI, a platform that lets users "create your own AI girlfriend," states in its privacy policy that it does not sell user data. Mozilla's researchers then measured the app's actual behavior and counted 24,354 ad trackers deployed within one minute of use. Twenty-four thousand trackers. In sixty seconds. From an app whose privacy policy says it doesn't sell your data.
The disconnect between stated policy and actual behavior was consistent across the reviewed apps. Most privacy policies contained vague, boilerplate language about data sharing that technically allowed extensive tracking while giving the impression of protection. As Caltrider told WIRED: "The legal documentation was vague, hard to understand, not very specific, kind of boilerplate stuff." The apps' actual data practices were dramatically more invasive than their policies suggested.
The trackers weren't exclusively from Western ad networks. Mozilla found trackers sending data to Google, Facebook, and companies based in Russia and China. For apps that encourage intimate conversation, sexual roleplay, and emotional vulnerability, the data flowing to these tracking networks includes some of the most personal information users generate anywhere online. Infosecurity Magazine's coverage of the findings called the category "one of the worst the non-profit has ever reviewed for privacy," echoing Mozilla's own assessment.
The CrushOn AI safety review we published earlier found similar patterns: 45 trackers deployed in under one minute of use, including DoubleClick (Google's ad network). The patterns Mozilla identified at the category level match what individual platform reviews consistently find.
Five clicks to content you can't unsee
Mozilla's researchers tested how quickly users could encounter disturbing or pornographic content on the apps reviewed. On three of the apps, it took an average of five clicks and fifteen seconds.
Five clicks. Fifteen seconds. From app launch to content that would be classified as pornographic or disturbing by any reasonable standard. No meaningful age verification stood between download and exposure.
The accessibility finding matters because it directly challenges the platforms' claims about safety and content moderation. An app that requires five clicks to reach explicit content is not an app with functioning content moderation. It's an app that has published a content policy while engineering a user experience that bypasses it.
For parents concerned about teen access, the five-click finding is the number that should stay in your head. Whatever an app's marketing says about age restrictions and content policies, the practical question is how many interactions it takes for a young user to reach content the platform claims to restrict. Mozilla's answer, across multiple apps, was "almost none."
The one app that almost passed
Genesia AI Friend & Partner was the only app in Mozilla's review that appeared to meet their Minimum Security Standards. Built by Turkey-based developer Codeway, Genesia stood out for one specific policy: users could opt out of having their chat data used to train the AI models. The opt-out was documented in the privacy policy with a specific email address for data subject requests.
Mozilla stopped well short of endorsing Genesia. The app still received the *Privacy Not Included warning label. The concerns that prevented a clean bill of health included unclear data-sharing practices for marketing and advertising, inconsistent data deletion rights across jurisdictions, and the same lack of AI transparency that plagued every app in the category.
But the opt-out for training data use was notable because almost no other romantic AI chatbot offered it. The industry default is that your intimate conversations become training data, period. Genesia at least acknowledged that users might want to control this, even if the opt-out mechanism (emailing a support address) was cumbersome enough that most users would never use it.
The Genesia example illustrates how low the bar was across the category. The best-performing app in Mozilla's review was one that merely acknowledged users might want their conversations excluded from training data. That counted as exceptional in a field where most competitors didn't bother with the pretense.
What the privacy policies actually allow
Mozilla's deep reading of the apps' legal documentation surfaced patterns that users would likely not discover on their own:
Most apps reserved the right to share user data with vaguely defined "third parties" for purposes including "improving services," "marketing," and "business operations." The language was broad enough to encompass almost any data use while remaining technically accurate in a legal sense.
Several apps had contradictory age requirements between their privacy policies and terms of service. Anima, for example, required users to be over 17 in its privacy policy but allowed users under 17 with parental consent in its terms of service. The inconsistency wasn't accidental. It created legal ambiguity that could be leveraged in either direction depending on which document served the company's interests in a given situation.
Multiple apps included disclaimers that the company was not liable for "negative, obscene or abusive messages" users might receive from the AI. One app simultaneously prohibited users from transmitting "obscene" content while offering paid NSFW roleplay features. The legal framework amounted to: we'll sell you access to explicit interactions, but if those interactions go wrong, it's your fault.
Replika's privacy review revealed that while the company stated it doesn't use conversational data for advertising, the time users spent chatting was tracked and that metadata was shared with companies including Facebook and Google. The distinction between "we don't share your conversations" and "we share everything about your conversations except the text" is the kind of nuance that privacy policies are designed to obscure.
What's changed since February 2024
In the eighteen months since Mozilla's review, the AI companion category has evolved. Some of the changes address the concerns Mozilla raised. Many don't.
California's SB 243 went into effect January 1, 2026, requiring AI companion platforms to publish safety protocols, maintain crisis intervention procedures, and report harm metrics annually. The legislation creates accountability mechanisms that didn't exist when Mozilla published its review. The Electronic Frontier Foundation has tracked the broader regulatory movement, while Common Sense Media has expanded its own AI safety ratings to complement Mozilla's privacy-focused assessments.
Several major platforms have strengthened age verification. Character AI's face-scan verification, Chai's Apple Age Verification API integration, and Replika's identity verification for adult content all represent improvements over the self-reported age checks Mozilla found in 2024. The WIRED coverage of Mozilla's original findings helped drive public pressure for these changes.
Privacy practices, however, have not meaningfully improved at the category level. The fundamental business model of most AI companion apps (collect intimate data, use it for training, share metadata with advertising networks) hasn't changed. Individual platforms have made incremental improvements (better disclosure language, clearer opt-outs for some data uses), but the category-wide pattern Mozilla identified remains intact.
The tracker situation hasn't substantially improved either. Apps that deployed thousands of trackers in 2024 are still deploying thousands of trackers in 2026. The underlying advertising infrastructure that funds free and freemium AI companion apps requires data collection. Until the business model changes, the privacy practices won't change, because the privacy practices are the business model.
What users should take from this
Mozilla's review is worth reading in full. The individual app reviews are detailed, accessible, and specific enough to be actionable. A few principles from the findings that apply broadly:
Don't tell your AI companion anything you wouldn't want shared with an advertising network. The conversational intimacy these apps encourage is designed to generate data. The data feeds tracking and advertising infrastructure. The disconnect between what the app feels like (a private conversation) and what it actually is (a data collection mechanism) is the core deception of the category.
Read the privacy policy before you share personal details. Not the marketing copy. The actual policy. Look specifically for language about data sharing with third parties, training data usage, and data retention periods. If the policy is vague, assume the worst.
Opt out of training data use wherever the option exists. Most apps don't offer this option. The ones that do (like Genesia) make it cumbersome. Do it anyway. Your intimate conversations shouldn't be training data unless you've made an informed choice that they should be.
Consider that the free version isn't free. If you're not paying for the app, you're generating revenue through data. The "free" tier of most AI companion apps is the tier where your data is most aggressively monetized. The premium tier may reduce ad tracking (some apps remove ads for paying users) but typically doesn't eliminate data collection for training purposes.
For users who want genuine privacy in AI companion interactions, self-hosted solutions running local models remain the only architecture that solves the fundamental problem. No company collects your data because no company is involved. The tradeoff is setup complexity and hardware requirements, but for users who take privacy seriously, it's the only option that delivers what the marketing of every commercial app promises but none of them provide.