In February 2024, the Mozilla Foundation published an assessment of romantic AI chatbots as part of its long-running Privacy Not Included consumer-product guide. The verdict was unusually severe. Every app the team reviewed earned the guide's warning label, and only one of the eleven products evaluated met Mozilla's minimum security standards. The report became the most-cited single piece of independent privacy work on the AI companion category, and it has shaped how journalists and advocates frame the privacy story since.

This piece is a plain-language summary of what Mozilla studied, what they found, what their methodology can and cannot tell us, and what users should do with the findings now that two years have passed and some of the apps have changed.

If you have time for one paragraph: Mozilla evaluated eleven romantic and companionship-oriented AI chatbots against a consistent set of privacy and security criteria. They found that the great majority of the apps shared or sold personal data, made deletion difficult, did not publish clear information about encryption or vulnerability disclosure, and embedded large numbers of advertising and analytics trackers. The methodology is comparative and consumer-facing rather than a formal audit, and the findings are best read as a baseline rather than a final word. The category has had time to respond and some apps have improved on specific points; the underlying structural concerns remain.

What Privacy Not Included is

Privacy Not Included is the consumer-buyer’s guide arm of the Mozilla Foundation. It evaluates connected products against a standardized rubric, assigns each one a status (such as a warning label) based on what the team finds, and publishes the assessment in a way meant to help non-expert buyers compare products before purchase. The project has been running for several years and has covered fitness trackers, smart speakers, mental-health apps, connected cars, and dozens of other categories.

For AI companions specifically, Mozilla framed the review around the privacy posture of romantic and companionship chatbots. The piece was written for a general consumer audience, timed to Valentine's Day 2024, and intended as a wake-up call for users who were treating these apps as benign chat partners.

What they evaluated

The methodology is consistent across Privacy Not Included reports. Researchers read each product’s privacy policy, terms of service, and any published security documentation. They examined the data the app collects, the data it appears to share or sell, what controls users have over their data, and whether the company meets a baseline set of security practices.

The minimum security standards Mozilla applies are simple and not aspirational: encryption in transit, a method to manage security vulnerabilities, strong password requirements, automatic security updates, and a published privacy policy. A product that does not meet all five does not meet the bar.

For the AI companion review, the team also recorded what each company disclosed about the underlying model (where anything was disclosed) and counted the advertising and analytics trackers the apps contacted, as a proxy for how aggressively each product monetises user data. Tracker counts in this kind of report are an indicator rather than a precise measurement: the numbers depend on how a tracker is defined, whether individual contacts or distinct endpoints are counted, and how long the observation window is. Mozilla's published numbers are best read as evidence of the order of magnitude, not as exact figures.

The apps reviewed

The lineup spanned the consumer companion category as it stood in early 2024. Replika was on the list, as was Chai. The adult-leaning side was represented by CrushOn.AI, Anima (which appeared twice, because Mozilla evaluated its two apps separately), Romantic AI, EVA AI, and iGirl. Talkie Soulful AI, Mimico, and Genesia were also reviewed. Several of the products are operated by the same parent companies; the apps were evaluated as separate products, which is how ten product names add up to eleven entries.

The list captures the mainstream and adult mass-market parts of the category. It does not include Kindroid, Nomi, Character.AI, Pi, or some of the other apps that users, operators and this site's editors follow closely. That gap matters: the absence of an app from the report is not an endorsement, and the presence of one is not necessarily evidence that it is uniquely bad relative to apps Mozilla did not include.

The headline findings

A few results from the report drove most of the coverage.

Almost all of the apps reviewed indicated, through their published policies, that user data could be shared with third parties or used for advertising. The exceptions were narrow.

Most of the apps did not provide a clear, working path for users to delete their data. Some allowed account deletion but kept training data; some did not commit to deletion at all in their published policies.

Most of the apps did not publish clear information about how they handle reported security vulnerabilities, and several did not document their encryption practices.

The number of advertising and analytics trackers embedded in the apps was high relative to other consumer-software categories. The report’s headline figure, an average across the apps tested over a brief observation window, ran into the thousands. The single highest tracker count Mozilla reported for any one app in that window was orders of magnitude above the median for other product categories the team had reviewed.

Of the eleven apps Mozilla evaluated, only Genesia AI met the minimum security standards; the other ten failed at least one of the five. Meeting those standards is a separate determination from the warning label, which reflects the broader data-collection and data-sharing findings above. None of the eleven received Mozilla's positive Best Of label.

What the report does not say

A few clarifications worth being explicit about.

The report does not mean that the apps reviewed have all been breached or that user data has all been misused. It is an assessment of the privacy posture as documented and observable, not an incident catalog. The distinction matters: a product can have weak posture without yet having harmed any specific user, and a product with stronger posture can still suffer a breach.

The report does not classify or rate clinical or mental-health risk. It is a privacy and security assessment. The mental-health story sits in a different body of research that we have covered in the Stanford Replika study, the De Freitas harm research, and the broader research backdrop.

The report does not establish that one app’s privacy practices are uniformly worse than another’s. Within the warning category there is significant variance, and Mozilla’s published page for each product captures that variance.

The report does not commit to ongoing real-time monitoring. The findings reflect the state of the products at the time of evaluation. Some apps have changed their policies, deletion flows, and encryption posture since publication; others have not. Verifying against the current product is on the user.

Methodology limits worth understanding

Privacy Not Included is a consumer-facing comparative guide, not a forensic security audit. The team reads what is published and tests what is testable from outside the system; they do not get inside the apps’ infrastructure or audit code. The assessment is therefore strongest as a comparative signal across products and weakest as a definitive statement about any one product’s actual practice.

The tracker counts in particular are sensitive to methodology. Different tracker-detection tools can return different numbers; observation windows of different lengths can produce different totals; and the definition of what counts as a tracker varies across the privacy-research literature. The order of magnitude is the right takeaway; the exact figures should not be quoted as if they were lab measurements.
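To make that caveat concrete, here is an added example (not Mozilla's tooling, and not real traffic from any app) that counts tracker contacts from a constructed list of outbound connections under two hypothetical tracker definitions and several observation windows. Every hostname, blocklist entry and timestamp in it is made up for illustration; the point is that the same traffic yields very different "tracker counts" depending on the choices the analyst makes.

```python
"""Why tracker counts depend on the definition and the window.

Added example, not Mozilla's tooling. All hosts, blocklists and timings
below are constructed for illustration; they are not measurements of any
real app.
"""

# Constructed outbound connections from one app session:
# (seconds since launch, destination host). Ad SDKs are typically
# burstiest right after launch, which the sample reflects.
SAMPLE_FLOWS = [
    (0.2, "api.companion.example"),        # first-party API, never a tracker
    (0.4, "ads.adnet-a.example"),
    (0.5, "metrics.analytics-b.example"),
    (1.0, "ads.adnet-a.example"),
    (2.5, "cdn.companion.example"),        # first-party CDN
    (3.0, "rtb.adnet-a.example"),
    (5.0, "metrics.analytics-b.example"),
    (12.0, "crash.sdk-c.example"),
    (20.0, "ads.adnet-a.example"),
    (31.0, "rtb.adnet-a.example"),
    (45.0, "metrics.analytics-b.example"),
    (58.0, "crash.sdk-c.example"),
    (61.0, "ads.adnet-a.example"),
    (75.0, "metrics.analytics-b.example"),
]

# Two hypothetical tracker definitions. "Narrow" counts only ad networks;
# "broad" also counts product analytics and crash-reporting SDKs, which is
# exactly the kind of choice that moves a headline number a lot.
NARROW_LIST = {"adnet-a.example"}
BROAD_LIST = {"adnet-a.example", "analytics-b.example", "sdk-c.example"}


def is_tracker(host, blocklist):
    """Suffix match, so subdomains of a listed domain count too."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def tracker_contacts(flows, blocklist, window_s):
    """All blocklisted connections that start within the first window_s seconds."""
    return [(t, h) for t, h in flows if t < window_s and is_tracker(h, blocklist)]


def count_contacts(flows, blocklist, window_s):
    """Headline-style number: every connection to a tracker host."""
    return len(tracker_contacts(flows, blocklist, window_s))


def count_distinct_hosts(flows, blocklist, window_s):
    """Alternative number: distinct tracker hosts contacted."""
    return len({h for _, h in tracker_contacts(flows, blocklist, window_s)})


def count_distinct_domains(flows, blocklist, window_s):
    """Another alternative: distinct listed companies (registrable domains)."""
    hit = set()
    for _, h in tracker_contacts(flows, blocklist, window_s):
        for d in blocklist:
            if h == d or h.endswith("." + d):
                hit.add(d)
    return len(hit)


def per_minute_rate(flows, blocklist, window_s):
    """Contacts per minute extrapolated from a window of window_s seconds."""
    return count_contacts(flows, blocklist, window_s) * 60.0 / window_s


def comparison_table(flows):
    """Same traffic, several definitions and windows: a grid of different answers."""
    rows = []
    for name, blocklist in (("narrow", NARROW_LIST), ("broad", BROAD_LIST)):
        for window_s in (30, 60, 90):
            rows.append({
                "definition": name,
                "window_s": window_s,
                "contacts": count_contacts(flows, blocklist, window_s),
                "distinct_hosts": count_distinct_hosts(flows, blocklist, window_s),
                "distinct_domains": count_distinct_domains(flows, blocklist, window_s),
                "per_minute": per_minute_rate(flows, blocklist, window_s),
            })
    return rows


if __name__ == "__main__":
    for row in comparison_table(SAMPLE_FLOWS):
        print(row)
```

On this constructed sample the "tracker count" for one session ranges from 1 (distinct ad companies, narrow list) to 12 (every contact, broad list, full window), and extrapolating from a 30-second window gives 14 contacts per minute against a measured 10 over 60 seconds because the launch burst dominates the short window. That spread is what the order-of-magnitude reading is meant to absorb; quoting any single cell as the number would misrepresent the measurement.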

These methodology limits are normal for the genre. They do not undercut the broad finding (the category as a whole has weak published privacy posture compared with general consumer software), but they do justify hedging on specific app-by-app numerical claims.

What this means for users

A few practical implications for someone deciding whether and how to use an AI companion app.

Treat the privacy posture of any companion app as a meaningful input to the decision, alongside features and price. The category as a whole is worse than mainstream consumer software on this dimension, and there is no current sign that the average product has caught up.

Read the privacy policy and the deletion flow before you start using a product, not after. Most of the friction Mozilla identified in 2024 still appears in the same places in 2026. The deletion flow in particular is the place to verify before you have invested time and emotional history in a companion.

If you are considering an app that was on the Mozilla list, read Mozilla’s specific page for that product. Understand what they found and check whether the operator has documented any changes since. Some have. Most have not.

For users in the European Union, the GDPR provides direct rights to access, deletion, and portability that exist independently of what the app's policy says. We covered the European regulatory context in the EU AI Act piece and the parallel data-protection action against Replika in Replika and the Italian Garante.

For users in California, comparable rights to access and deletion exist under the CCPA as amended by the CPRA, and a growing number of other states have passed similar statutes. The California companion-app legislation we cover in California SB 243 Explained addresses adjacent questions but is focused on disclosure and minor protection rather than data rights specifically.

The broader privacy context

The Mozilla report sits alongside other privacy-relevant work on this category. The Italian Garante's 2023 action against Replika established, in concrete terms, what the European data-protection regime considers unacceptable. The EU AI Act, in force since August 2024 with its obligations phasing in over the following years, layers additional transparency obligations onto operators with European users. The California SB 243 work and the parallel state-level activity in the United States are pulling on similar threads from the disclosure and minor-protection angle.

The picture across these strands is consistent: independent assessors, regulators, and legislators have all reached versions of the same conclusion about the privacy posture of the AI companion category as a whole. Apps that take privacy seriously are doing so against the grain rather than in line with industry practice.

Where to read it

The Privacy Not Included assessment of romantic AI chatbots is published on the Mozilla Foundation site at foundation.mozilla.org. Each individual product Mozilla evaluated has its own page on the site, and the headline findings post is linked from the romantic-AI category. The evaluations have not been updated continuously, so verify any specific finding against the current product if it matters for a consequential decision.

For the policy backdrop, prefer the official Garante decisions for the European data-protection picture, the consolidated AI Act text for the EU regulatory layer, and the official California legislative materials for the US state-level work.

FAQ

Did Mozilla say AI companion apps are unsafe?

The report focused on privacy and security posture, not on emotional or clinical safety. The privacy and security findings were severe; the broader safety question is addressed in a different body of research.

Which app got the best privacy rating?

Genesia AI was the only one of the eleven that met Mozilla’s minimum security standards. Mozilla’s individual product page captures the specifics.

Was Kindroid or Nomi in the report?

No. The report covered eleven products that did not include Kindroid, Nomi, Character.AI, or Pi. The absence of an app from the report is not an endorsement.

Has anything changed since the report came out?

Some operators have updated specific elements of their published policies and deletion flows. The category-level posture has not visibly improved. Verify against the current product before relying on what the 2024 report said.

Does this mean I should not use any AI companion app?

That is not the conclusion the report draws. The right read is that privacy posture is a meaningful input to the choice and that the category is weaker on this dimension than other consumer software. Some users will accept the trade-off; others will choose to avoid the category until it improves.

Where can I see the actual assessment?

The Privacy Not Included pages on foundation.mozilla.org are the primary source. Each app has its own page with the underlying detail.

Related reading

The Stanford Replika Study for the most-cited research on emotional outcomes in this category.

The De Freitas Harm Research for Harvard’s industry-skeptical view of design-level harm patterns.

The EU AI Act and AI Companion Apps for the European regulatory layer.

Replika and the Italian Garante for the cleanest European data-protection action against a companion app.

California SB 243 Explained for the parallel US-state work on disclosure and minor protection.

AI Companions and Mental Health for the broader research backdrop the privacy story sits inside.

If you work on privacy at one of these companies and our summary missed an update, write us at the contact form. Corrections are made quickly; reviews are not.