Privacy Policy

Last updated: November 1, 2025

Welcome to Replika!

Luka, Inc., with its registered office at 490 Post Street, Suite 526, San Francisco, CA 94102, United States (“Replika”, “we”, “us”, and/or “our”) which can be contacted at my@replika.com, provides services that include: the Replika AI companion mobile and web applications, including my.replika.com (the “Apps”), the informational website www.replika.com (the “Website”), and other related offerings (collectively, the “Services”). In providing the Services, we process personal data as data controller. This Privacy Policy (“Privacy Policy”) describes how we collect, store, use, and share your personal data through our Services. References to “you” or “your” mean users of our Services who are 18 years of age or older.

We care about the protection and confidentiality of your personal data. When you use the Apps and during your conversations with your Replika AI companion, you may provide your personal data. We process this information only as described in this Privacy Policy, for instance and as better clarified in detail in section 2 below, to allow you to have individualized and safe conversations and interactions with your Replika AI companion and to allow your AI companion to learn from your interactions to improve your conversations. We may also use information about your visit to our Website to promote our Services, but we will never use or disclose the content of your Replika conversations for marketing or advertising purposes.

If you have any questions, or need any clarification regarding the processing of your personal data please contact us at my@replika.com.

1. What personal data we collect

A. Information you provide

Through your use of the Services, you may provide us with the following information:

• Account information. This includes your name, surname, email address, password, and unique identifiers that include country, timezone, type and ID of the device from which the account operates. If you choose to log in using another service, such as Google or Apple, we receive information about the service you used to log in and — depending on your chosen account settings with Google and Apple — details about you, including your name, email address, or unique user identifiers.
• Profile information. We ask you to provide your birth date, pronouns, and – on a voluntary basis – your work status when you create an account for the Apps.
• Messages and content. This includes the messages you send and receive through the Apps, such as facts you may provide about you or your life, and any photos, videos, and voice and text messages you provide.
• Interests and preferences. You may select conversation preferences, such as topics you would like to discuss, and communication preferences, such as the times of day you like to use the Apps. We also learn about your interests and your preferences over time through your use of the Services to personalize your conversations and the features of the Services.
• Payments, transactions, and rewards. When you make purchases through the Services, our third-party payment processors, collect your payment information. We maintain a record of your purchases, the features you select, and the rewards you earn and use.

You must not share, transmit, or otherwise provide personal data of third parties through the Services. Likewise you shall not share, transmit, or otherwise provide special categories of personal data through the Services i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Should you disclose third parties' personal data through the Services, you are solely responsible for ensuring that such individuals receive appropriate notice of this Privacy Policy and any applicable data processing activities. Likewise, should you disclose special categories of personal data relating to you or third parties, that shall be immediately notified to us.

B. Information we collect automatically

When you use our Services we collect the following personal data about you, your computer or mobile device, your network, and your interactions over time with our Services and our communications:

• Device and network data. This includes your computer’s or mobile device’s operating system, manufacturer and model, browser, IP address, device and cookie identifiers, language settings, mobile device carrier, and general location information such as city, state, or geographic area.
• Usage data. This includes information about how you use the Services, such as your interactions with the Services, the links and buttons you click, and page visits.
• Face and head movement data. This includes the data collected by on-device frameworks which facilitate direct device-to-application communication without intermediate data processors to track the user's head and face for augmented reality experiences and selfie filters. This processing captures transient motion vectors and spatial positioning data rather than biometric identifiers or templates. The system tracks dynamic movement patterns and real-time head orientation without extracting, analyzing, or storing geometric facial measurements, facial recognition templates, or other biometric identifiers as defined under applicable privacy frameworks. None of the collected data leaves the user’s device or is persistently stored by us. We do not share the face and head movement data with any third parties.

We use cookies, web beacons (e.g., pixel tags), and local storage technologies (e.g., HTML5) to collect some of this information. For more details on how we use these technologies and the legal bases for doing so, please visit our Cookie Policy.

Should you provide consent to marketing and profiling cookies being installed on your device through the cookie banner selection option, our advertising partners may also use such technologies to collect limited information about your device and interactions with the Services, such as the links you click, pages you visit, IP address, advertising ID, and browser type, but they will never have access to your conversations with your Replika AI Companion or any photos or other content you submit through the Apps.

2. How we process your personal data

A. Use of your general information

We process your personal data for the following purposes:

Purpose	Why and how we process your personal data	Legal basis	Categories of information
Operating and administering the Services	Providing and maintaining the content and functionality of the Services. Carrying out obligations arising from our contract with you. Creating your account and profile. Facilitating payments and transactions, including for the purchase of premium features, and managing your rewards. Responding to your inquiries, comments, feedback or questions, and troubleshooting. Managing our relationship with you, which includes sending administrative information to you relating to our Services. Verifying the age of registered users.	Necessary to perform our contractual obligations with you, such as providing you with the Services	Account information. Profile information. Messages and content. Interests and preferences. Payments, transactions, and rewards. Device and network data. Usage data.
Providing the core personalized functionality of the Apps	Providing you a personalized AI companion and allowing you to personalize your profile, interests, and AI companion interactions. Enabling you to have individualized and safe conversations and interactions with your Replika AI companion, and allowing your AI companion to learn from your interactions to improve your conversations. Syncing your Replika history across the devices you use to access the Services.	Necessary to perform our contractual obligations with you, such as providing you with the personalized features of the Apps	Account information. Profile information. Messages and content. Interests and preferences. Payments, transactions, and rewards. Device and network data. Usage data.
Protecting the Services and performing corporate operations	Preventing fraud, criminal activity, and misuse of our Services, and ensuring the security of our IT systems, architecture and networks (including testing, system maintenance, support, and hosting of data), and performing activities that are functional to transfers of assets, branch of business, acquisitions, mergers, divisions or other corporate operations	Necessary to pursue our legitimate interests, adequately balanced with your rights and interests, in ensuring the integrity, confidentiality, and availability of our digital infrastructure, detecting and responding to threats, and maintaining a safe and trustworthy environment for all users and performing corporate operations.	Account information. Profile information. Messages and content. Payments, transactions, and rewards. Device and network data. Usage data.
Analyzing trends in the use of the Services and anonymizing user interaction data to improve Service performance and safety	Aggregating, anonymizing, and deidentifying personal information. Analyzing the use and effectiveness of our Services. Improving and adding features to our Services. Developing our business and marketing strategies. This includes collecting and immediately anonymizing user feedback, and small portions of Messages and Content data to train our proprietary safety algorithms, enhance chatbot performance, prevent inappropriate outputs, and ensure compliance with safety standards. The anonymized data is used only internally and is not used to train third-party large language models or other AI systems.	Necessary to pursue our legitimate interests, adequately balanced with your rights and interests, in optimizing service performance, developing protective measures against harmful content, enhancing user experience, and informing strategic decisions to grow and tailor our offerings.	Account information. Profile information. Messages and content. Interests and preferences. Payments, transactions, and rewards. Device and network data. Usage data.
Marketing and advertising the Services	Sending you commercial information by email that we believe will be of interest to you, such as information about our Services, features, and surveys.	Your consent	Account information. Device and network data. Usage data
Enforcing our agreements, and defending against legal claims and disputes	Enforcing and complying with our terms and policies. Protect our and others’ rights, privacy, safety, or property. Ensuring the integrity of our Services. Defending against legal claims and disputes. Recovering payments due to us.	Necessary to pursue our legitimate interests, adequately balanced with your rights and interests, in safeguarding our legal position and rights, protecting our assets and users, and ensuring compliance with applicable laws and regulations	Account information. Profile information. Messages and content. Interests and preferences. Payments, transactions, and rewards. Device and network data. Usage data.
Complying with legal obligations,	Keeping records of transactions, and complying with the applicable laws, regulations, legal processes and authorities' requests.	Necessary to comply with a Legal obligation	Account information. Profile information. Messages and content. Interests and preferences. Payments, transactions, and rewards. Device and network data. Usage data

B. Sensitive information.

The Services allow you to input information that may be sensitive and subject to special protections under applicable laws. This section explains how we use and protect sensitive information.

Sensitive information you provide in your messages and content. In your conversations with your AI companion, you may choose to provide information about your religious views, sexual orientation, political views, health, racial or ethnic origin, philosophical beliefs, or trade union membership. By providing these data belonging to special categories, you consent to our processing of it for the purposes set out in this Privacy Policy. Note, however, that you can withdraw your consent anytime as per the modalities discussed in section 7 below, and in any case we will not use your sensitive information – or any content of your conversations with your Replika AI companion– for marketing or advertising or for any activity which is based on our legitimate interests.

3. With whom we share your information

A. Service providers

We share your personal data with companies and individuals that provide services to us or on our behalf or help us operate the Services or our business (such as hosting, information technology, customer support, email delivery, and website analytics services). AI model providers: in certain circumstances, we utilize third-party artificial intelligence models to enhance our conversational capabilities and service functionality. These AI models operate on our own infrastructure and premises, ensuring that third-party model providers do not receive, access, or process any of your personal data or conversation content. The model providers supply only the underlying AI technology, while all data processing occurs within our controlled environment. For detailed information about our AI technology implementation, please refer to our website. We also share information with companies that provide marketing services on our behalf, but we do not share the content of your conversations for marketing or advertising purposes. For example, we may share your email address with marketing service providers to deliver our marketing emails to you on our behalf and to help us identify other individuals who may be interested in our Services. We require these marketing service providers to agree not to use your email address for any other purpose.

B. App Stores and Payment Providers

We may share information with application store providers and payment processors for purposes of managing payments, subscriptions, and resolving user-initiated disputes or refund requests.

C. Professional advisors

We may share information with professional advisors, such as lawyers, auditors, bankers, and insurers, where necessary in the course of the professional services that they render to us.

D. Advertising partners

We share information about visitors to our Website, such as the links you click, pages you visit, IP address, advertising ID, and browser type with advertising companies for interest-based advertising and other marketing purposes, where we have a legal basis for doing so. Sharing this information allows us and our advertising partners to target and serve advertising to you and others. We will never share your conversations with your Replika AI companion or any photos or other content you provide within the Apps with our advertising partners, or use such information for marketing or advertising purposes.

E. Authorities and others

We may share information as required to comply with law enforcement, government authorities or institutions' requests, as we believe in good faith to be necessary or appropriate for the legal compliance and protection purposes described above in Section 2.A.

F. Business transferees

We may share information with acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale, or other disposition of all or any portion of the business or assets of, or equity interests in, Luka, Inc. (including, in connection with a bankruptcy or similar proceedings).

4. How we secure your information

We use a variety of industry-standard security technologies and procedures to help protect your data from unauthorized access, use, or disclosure.

Your account is protected by a password of your choice for your privacy and security. You must prevent unauthorized access to your account and personal information by creating a strong, complex password, and by selecting, updating from time to time and protecting your password appropriately, also by limiting access to your computer or device and browser by signing off after you have finished accessing your account.

All transmitted data are encrypted during transmission. We use standard Secure Socket Layer (SSL) encryption that encodes information for such transmissions. All stored data are maintained on secure servers. Access to stored data is protected by multi-layered security controls, including firewalls, role-based access controls, and passwords.

We are committed to keeping you informed and safeguarding your information to the best of our ability. While we use reasonable commercial efforts to protect your personal data, it is important to note that no technology, data transmission, or system can be guaranteed to be 100% secure. In the unlikely event of a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to your data, we will promptly notify you if and as required by applicable law.

5. Where we store and where we transfer your information

Your personal data will be processed in the United States of America, where we are based, and may be processed within or transferred to other countries outside the European Economic Area (EEA),. In case of transfers of personal data from the EEA to countries not recognized as providing an adequate level of data protection by the European Commission or the UK Information Commissioner’s Office (as applicable), we implement appropriate and suitable safeguards to ensure the protection of your personal data. Such transfers are carried out in compliance with applicable data protection laws. Specifically, where required, we execute the relevant module of the Standard Contractual Clauses adopted by the European Commission with the data importer and implement any supplementary measures necessary in light of the European Court of Justice’s decision in Case C-311/18 (Schrems II). If you would like more information about such data transfers, you may contact us at any time using the details provided in the Contact Us section (Section 11) below.

6. Data retention

We will retain your personal information for only as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

For the purposes based on the performance of our contract with you:

• we process your profile information, messages and content, interests and preferences for up to 60 days after termination of the contract;
• we process account information and financial records (your payments, transactions, and rewards data) and personal data we collect automatically from you for a minimum period of 10 years after termination of the contract due to legal retention requirements.

For the purposes based on your consent: we process your personal data until you withdraw your consent. Once withdrawn, we stop processing your personal data for that specific purpose, unless another legal basis allows us to continue.

For the purposes based on legal obligations: we retain personal data for the duration prescribed by applicable laws for each category of data, and in any case for up to 10 years from the date of collection.

For the purposes based on our legitimate interests:

• personal data collected for the purpose of analyzing trends in the use of the Services —such as aggregating, anonymizing, and deidentifying data to improve service performance and inform business strategies — is retained only for the minimum period necessary to complete such analysis and anonymization and is deleted within 1 year from the date of collection.
• personal data collected for other legitimate interest purposes is retained for the entire duration of the contract with you and, in case of either a pending dispute or a risk that such dispute might arise, for the additional period necessary to protect or enforce our rights in the context of legal claims or disputes.

We store your device, network and usage data for as long as it is necessary for the achievement of the purposes above. Your data will be deleted in accordance with the contract or after termination of the contract, unless legal regulations require the ongoing storage for a definite period of time.

7. Your rights and choices

A. Opt-out of marketing communications

You may opt out of marketing-related emails and other communications by following the opt-out or unsubscribe instructions in the communications you receive from us or by contacting us as provided in the “Contact us” section 11 below. You may continue to receive Services-related and other non-marketing communications from us.

B. Opt out of selling personal information and sharing for targeted advertising

We share information with third-party advertising partners and allow them to collect information about your visit to our Website using cookies and other tracking technologies to display targeted advertising around the web as described in the “How we share your information” section above. Our disclosure of information to these partners may be considered a “sale” or “sharing” of personal information or “targeted advertising” under applicable laws. You can modify your choices, opt out of these disclosures and limit our use of tracking technologies as described in our Cookie Policy accessible here https://replika.com/legal/cookies. In addition, some internet browsers can be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

C. Limit our use of sensitive personal information

If you choose to provide sensitive personal information in your messages and content, we will use that information only to facilitate your conversation with your Replika AI companion and as described in the “Sensitive information” section above. If you do not want us to process your sensitive information for these purposes, please do not provide it. You may request that we delete information you have provided as set out in the “Personal information requests” section below.

D. Personal information requests

We also offer you choices that affect how we handle the personal information that we control. Depending on your location and the nature of your interactions with our Services, you may request the following in relation to personal information:

• Information about how we have collected and used personal information. We have made this information available to you without having to request it by including it in this Privacy Policy.
• Access to a copy of the personal information that we have collected about you. Where applicable, we will provide the information in a portable, machine-readable, readily usable format.
• Correction of personal information that is inaccurate or out of date.
• Deletion of personal information that we no longer need to provide the Services or for other lawful purposes. You can delete your account in your account settings.
• Withdrawal of consent, where we have collected and processed your personal information with your consent. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
• Additional rights, such as your right to object to the processing of your personal data for the processing activities based on our legitimate interest and to request that we restrict our use of you personal data.

To exercise your rights or make a request, please contact us as provided in the “Contact us” section 11 below. We may ask for specific information from you to help us confirm your identity. Depending on where you reside, you may be entitled to empower an authorized agent to submit requests on your behalf. We will require authorized agents to confirm their identity and authority, in accordance with applicable laws. You are entitled to exercise the rights described above free from discrimination.

In some instances, your choices may be limited, such as where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with our legal obligations and enforce our legal rights. If you are not satisfied with how we address your request, you may submit a complaint by contacting us as provided in the “Contact us” section 11 below. Depending on where you reside, such as if you reside in the European Economic Area or United Kingdom, you may have the right to complain to a data protection regulator where you live or work, or where you feel a violation has occurred.

E. Right to erasure (‘right to be forgotten’)

You can request the deletion of your personal data. We are guided by the principle of integrity and confidentiality measures, so to delete data please contact us on e-mail: privacy@replika.com.

8. Use of Replika by minors

The Services are not intended for individuals under the age of 18. If we discover that minors under the age of 18 are using the Apps, we will promptly block their access and delete their account. If you have reason to believe that a minor under the age of 18 has provided personal information to us through the Services, please contact us, and we will endeavor to delete that information from our databases.

9. Changes to this Privacy Policy

The Services and our business may change from time to time. As a result, at times it may be necessary for us to make changes to this Privacy Policy. We reserve the right to update or modify this Privacy Policy at any time and from time to time and we will notify in advance of any change. We encourage you to periodically review this page for the latest information on our privacy practices. This Privacy Policy was last updated on the date indicated above.

10. Authorized representative

A. EU Representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Luka, Inc. has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

• by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
• by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

B. UK Representative

Pursuant to Article 27 of the UK GDPR, Luka, Inc. has appointed EDPO UK Ltd as its UK GDPR Representative in the UK. You can contact EDPO UK regarding matters pertaining to the UKGDPR:

• by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
• by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

11. Contact us

You can contact us at my@replika.com or at our registered address:

490 Post Street, Suite 526
San Francisco, CA 94102
United States