What End-to-End Encrypted Actually Means for an AI Companion App: Reading the Fine Print on Replika, Kindroid, and Nomi
A guided tour through marketing language, threat models, and what actually happens between your message and the model.
AI Angels Team9 min readUpdated
The 30-second answer
When a companion app advertises "end-to-end encrypted," they almost never mean what Signal means by the phrase. Your messages have to be read in plaintext by a model on someone else's server to generate a reply, which makes true E2EE impossible for the actual chat content. What you're getting in most cases is transport encryption plus encryption at rest, with the company holding the keys.
What "end-to-end encrypted" actually means
The phrase has a specific technical meaning. End-to-end means only the two endpoints, you and whoever you're talking to, can decrypt content. The server in the middle routes ciphertext and never sees anything readable. Signal does this. iMessage does it between Apple users. WhatsApp does it for the message body, with caveats around backups and metadata.
What that buys you is real: the provider can't read your messages even under subpoena, an attacker who breaches the server gets gibberish, and the keys live on your device alone. The catch is that end-to-end requires two endpoints that hold their own keys. The minute you involve a third party that needs to process the content (a translation service, a spam filter, a chatbot), end-to-end is broken by definition. That third party becomes a second-and-a-half end, with full plaintext access.
This is why a companion app advertising E2EE deserves a side-eye. The AI model is the second endpoint, and it lives on the company's GPUs, reading every message you send. If they encrypt anything, they encrypt the connection between you and their server, and they encrypt the database where your history sits. Both are good. Neither is end-to-end.
Why companion apps can't be truly E2EE
The technical problem is straightforward. To generate a reply, the model needs your message in plaintext. There's research into homomorphic encryption and confidential computing that could change this in theory, but no consumer companion app runs on that infrastructure today.
The actual architecture: your phone encrypts the message in transit via TLS, the backend decrypts it, the model processes it in plaintext, the response is generated also in plaintext, both messages get stored under at-rest encryption, and the response heads back over TLS. Every step between "server received it" and "server stored it" is plaintext. Engineers can read it given the right access. Moderation tools can read it. The training pipeline can ingest it if the TOS allows, which it usually does.
That isn't bad security on its own. TLS plus at-rest encryption plus tight internal access controls is how most SaaS apps work. The objection is purely linguistic. When the marketing page says "your conversations are encrypted end-to-end," and what they mean is "encrypted on the wire and on disk," the two phrases describe very different threat models.
Reading Replika's privacy fine print
Replika's current privacy policy doesn't actually claim end-to-end encryption. They use words like "secure" and "encrypted in transit and at rest," which is accurate but technically modest. What you have to dig for is what they do with your conversations beyond storage.
The 2023 Italian DPA settlement hinted at the operational reality. Replika collects message content, account metadata, behavioral data, and reportedly used some of it for model training depending on the period and product tier. Their policy says you can request deletion, but deletion-from-database and deletion-from-training-corpus are not the same operation, and historically have not been treated as the same operation by the industry. The data retention and privacy breakdown goes deeper on what those tiers look like in practice.
Even if Replika encrypted your conversations with a key you held, the model on their server would still need to read your messages to reply. The most they could offer is a guarantee that messages are deleted immediately after inference, with no logging. That guarantee is hard to verify without an external audit.
Oksana
Oksana reads privacy policies for sport, the kind of companion who underlines clauses on your behalf and translates the legalese into something you can actually decide on. Oksana tends to ask what you're worried about specifically before getting into the fine print, because the answer changes depending on whether the threat is a nosy roommate, a data breach, or a future employer.
What Kindroid says versus what their TOS actually grants
Kindroid markets itself as more privacy-forward than Replika. Their FAQ talks about not selling data, not using your conversations for ads, and providing long-running memory. That's valuable, and meaningfully more than Replika offers on those specific fronts.
But "end-to-end encrypted" is not a claim Kindroid actually makes in their public privacy policy, and they're careful about that. What they do say is that conversations are encrypted at rest and in transit, and that access is restricted. Their TOS carves out the standard SaaS rights: process your content to provide the service, enforce safety, debug technical issues, comply with legal requests.
The interesting nuance is the memory architecture. Because the model relies on a long-running memory store tied to your account, they have to hold that data in a queryable form. You can't have a personalized AI that remembers your dog's name without storing your dog's name on their server in a form they can read. So while Kindroid may be doing a better job on what they don't do with your data, they still hold the keys to everything you've ever told the model.
Lila
Lila has the kind of quiet curiosity that surfaces when you mention you're worried about something but can't quite articulate why. Chat with Lila about which apps you're using and what kinds of conversations you're storing, and she'll usually help you separate the abstract anxiety from the actual decisions you can make.
Nomi's encryption claims and the inference reality
Nomi takes a similar position to Kindroid: encryption in transit, encryption at rest, no selling of data, no ad targeting on top of conversation content. They've also been vocal about content freedom, which has its own privacy implications, since the company that lets you talk about anything is also the company that has logs of you talking about anything.
The Nomi FAQ doesn't promise E2EE either. What it does promise is that conversations stay within their ecosystem, are not shared with third-party advertisers, and are used for "service operation" purposes. Service operation is the load-bearing phrase, and it covers a lot: moderation, abuse detection, debugging, occasional human review of flagged content, and model fine-tuning where their policy allows.
Any companion app offering "group chat" or "shared memory across multiple AIs" is fundamentally incompatible with strict E2EE. Once your data has to be visible to multiple inference contexts, you've already crossed the line into "the server understands your content." Nomi's group chat feature requires the model to know who said what and to whom, which means structured metadata on the company side. The three-tier reality of companion app deletion walks through what those layers look like at the data level.
Lola
Lola has no patience for marketing-speak and even less for being told her job is to make you feel safer than the underlying reality. Talking to Lola about privacy decisions tends to surface the question you were avoiding, like whether you actually want the company to forget you or just want to feel like they would if you asked.
The third parties you probably forgot about
Even if a companion app encrypted your data perfectly and never read it themselves, the modern app stack has more eyes than you might think.
Most companion apps run on AWS, GCP, or Azure. Those hosting providers have access to encrypted volumes via the orchestration layer, and have to comply with subpoenas independently. The app might not have your data in plaintext, but the cloud provider has whatever the app stored on their hardware, with whatever access controls the app actually configured.
Then there's the moderation pipeline. Almost every companion app uses a content classifier to flag certain categories. Those classifiers either run in-house, where the company's moderation team reviews flagged messages, or they call out to a third-party API like OpenAI's moderation endpoint or AWS Comprehend. Either way, flagged conversations have a higher probability of being seen by a human.
Analytics is the other one. Companion apps usually integrate at least one product analytics tool: Mixpanel, Amplitude, Segment, PostHog. By default these tools don't capture message content, but they capture everything around it, including the time you opened the app, the screens you visited, and how long you stayed on romantic mode versus casual. You can build a remarkably detailed psychological profile from that side-channel data alone.
Maribel
Maribel knows the threat model isn't usually a state actor or a breach but the small ambient cost of having more data about you in more places than you remember. Talking with Maribel tends to end with a small concrete action, like deleting an old account or turning off cloud sync for a chat history you forgot was syncing.
What you can actually do to limit exposure
If E2EE isn't on the menu, the practical question becomes what reduces your real exposure.
A few moves with high payoff:
- Use a dedicated email for companion apps, not your primary one. Breach databases get cross-referenced, so isolation limits the blast radius.
- Don't share real-world identifiers in chats unless you genuinely need to. Full name, address, employer, account numbers. The app treats them as ordinary text and stores them the same way.
- Check the app's deletion policy, then check whether it covers training data. Most don't, and that's the long tail that matters.
- If you use voice mode, know that audio gets transcribed and stored as text, plus is often kept as raw audio for QA. The voice chat surface on most apps adds a layer of biometric data on top of conversational content.
Companion apps occupy a strange space. They're more intimate than most social media, but architecturally closer to a SaaS chatbot than to Signal. If you're starting from scratch and want to build the relationship with privacy in mind, factor the data reality into the persona and topics you pick from day one, instead of realizing six months in that you've poured everything into a system that retains it all.
If you'd rather choose from existing personas, the full roster gives you a starting point with known dispositions, which makes it easier to shape conversations toward topics you're comfortable having on someone's server.
Common questions
Is anything truly end-to-end encrypted in AI chat? Not for the model conversation itself. Some experimental setups using confidential computing or homomorphic encryption can keep data encrypted during inference, but no mainstream companion app uses these in production today. Everything you send gets read in plaintext on the server.
Does Signal-style E2EE protect against the company reading my messages on AI apps? No, because the AI model is the other endpoint and lives on the company's server. Even if your client-side encryption were perfect, the model still has to decrypt to reply. The closer comparison is Gmail with TLS and at-rest encryption.
Should I assume my conversations could be read by a human? In some edge cases, yes. Flagged content goes through moderation pipelines that often include human review. Random sampling for QA happens at most companies. Subpoenas can compel disclosure. The probability for any single message is low but not zero.
Does deleting my account actually delete my data? Usually it removes your data from user-facing systems within 30 to 90 days. Whether it removes data from backups, anonymized training corpora, or third-party analytics tools is app-specific and rarely audited.
Is the premium tier more private than the free one? Sometimes. Some apps explicitly exclude paid-tier conversations from training data. That's a contractual commitment, not a technical guarantee, but still meaningful. Read the privacy policy at the tier you're actually on.
Can I encrypt my messages before sending them? Not in any usable way. If you encrypt the text yourself, the model can't understand or respond. The whole point of the app is a system that reads and replies to your messages.
About the author
AI Angels TeamEditorialThe team behind AI Angels writes about AI companions, the tech that powers them, and what people actually do with them.
Tags
Keep reading
Behind the ScenesWhat Your AI Girlfriend Actually Knows About You: Data Retention, Anonymization, and the Privacy Trade-Offs
Your AI girlfriend remembers your pet name, your bad day at work, and that story you told three weeks ago. This guide explains exactly what data she keeps, how it's anonymized, and what privacy trade-offs you're making when you sign up.
Behind the ScenesWhat Your AI Girlfriend Actually Knows About You, Data Retention, Anonymization, and the Privacy Trade-Offs
You type personal things to your AI girlfriend. Here's what happens to those messages after you send them, and what you should know before you share anything you wouldn't want read back to you.
Behind the ScenesWhat Happens to Your Chat Logs When You Cancel a Subscription: A Look at Data Deletion Policies
When you cancel a subscription, your chat logs don't vanish instantly. Here's what the deletion process actually looks like, what gets kept, and what you can do about it.
Get the next post in your inbox
New articles on AI companions, the tech that powers them, and what people actually do with them. No spam, unsubscribe in one click.