// Trust & Security Report

    Character.AI Inc. logo

    Character.AI Inc.

    Character.AI - conversational AI chatbot platform where users can chat with and create AI characters. Primary offering is the freemium Character.AI with a paid Character.AI Plus subscription tier.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Compliance
    HELD

    Character.AI complies with applicable regional laws such as the GDPR (EU/EEA), CCPA/CPRA (California), and others.

    Verify on character.ai
    CCPA/CPRA Compliance
    HELD

    Character.AI complies with applicable regional laws such as the GDPR (EU/EEA), CCPA/CPRA (California), and others.

    Verify on character.ai
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence of SOC 2 certification found across vendor domain or official documentation.

    source: character.ai
    SOC 2 Type I
    NOT CONFIRMED

    No public evidence of SOC 2 certification found across vendor domain or official documentation.

    source: character.ai
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found across vendor domain or official documentation.

    source: character.ai
    ISO 27017
    NOT CONFIRMED

    No public evidence; not mentioned in privacy or safety documentation.

    source: character.ai
    ISO 27018
    NOT CONFIRMED

    No public evidence; not mentioned in privacy or safety documentation.

    source: character.ai
    HIPAA
    NOT CONFIRMED

    No public evidence; HIPAA not applicable for consumer chatbot platform without healthcare focus.

    source: character.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence; not mentioned in vendor documentation.

    source: character.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence; not applicable for consumer platform.

    source: character.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Not disclosed. Specific data processing locations and residency commitments not documented in public privacy materials.

    Character.AI trains AI models on user-generated content and conversations by default. Users in the European Economic Area and United Kingdom can opt-out via Settings > Data & Privacy > uncheck 'Improve the Model for Everyone.' However, even after opting out, the vendor states: 'we still may use your data to improve other aspects of our services like search, recommendations, and safety classifiers.' Global users outside EEA/UK have no public opt-out mechanism.

    // Security controls

    Encryption in Transit

    SSL/TLS encryption implemented. End-to-end encryption NOT available. Platform explicitly retains staff access to user conversations for moderation and safety review.

    character.ai

    Content Moderation

    Proprietary safety tools combined with human review. Trust & Safety team operates continuously including internal personnel and contracted moderators. Quarterly transparency reports published with false positive rates, review latency, and enforcement volume.

    character.ai

    Age Verification

    Mandatory age verification introduced April 2026 (face-based verification). Users under 13 globally and under 16 in EEA/UK not authorized to use service per Terms of Service.

    beta.character.ai

    Data Retention

    Chats retained for the lifetime of user account plus an unspecified 'retention period' after account deletion. Exact retention duration not disclosed in public documentation.

    character.ai

    User Content License

    User content (conversations, character creations, uploads, feedback) licensed to Character.AI on a perpetual, irrevocable, worldwide, royalty-free, sublicensable basis.

    character.ai

    // Products & data scope

    Character.AIConversational AI / Chatbot

    data: User conversations, uploads, feedback, character creations, usage patterns

    Core free/freemium platform. Mandatory login. Users can create and chat with custom AI characters or interact with creator-made characters. No end-to-end encryption. Staff can access conversations.

    Character.AI PlusPremium AI Chatbot Subscription

    data: Same data scope as base platform; same data handling policies apply

    Paid subscription tier offering faster responses and extended usage limits. No difference in security or data handling vs. free tier.

    // What to watch

    • No SOC 2, ISO 27001, or other enterprise security certifications publicly available. Company is growth-stage/consumer-focused, not certified for regulated or enterprise use.
    • No DPA (Data Processing Agreement) publicly available despite GDPR compliance claims. Enterprise customers requiring GDPR DPAs cannot be adequately supported.
    • Default AI training on user conversations globally (opt-out only available for EEA/UK users). Significant privacy concern for non-EEA users and privacy-conscious customers.
    • No end-to-end encryption. Platform explicitly enables staff access to all user conversations for moderation. Users cannot have truly private conversations.
    • User content licensed to vendor on perpetual, irrevocable, worldwide, sublicensable basis. Overly broad license grant allows vendor to sublicense user-generated content indefinitely.
    • Data retention policy vague: unspecified length beyond 'necessary for purposes.' No clear timeline for data deletion.
    • Company valuation declined from USD 2.5B (2024) to USD 1B (2026). Company exploring strategic options including potential sale or new funding (August 2025). Financial stability/strategic direction uncertain.
    • Mandatory age verification requirement implemented April 2026 suggests previous regulatory/legal issues regarding minor access to potentially harmful content.
    • No transparent security audit, penetration test results, or third-party security assessments published.
    • No DPA or Standard Contractual Clauses (SCCs) documentation visible for international data transfers.

    // At a glance

    Pricing model

    Freemium: free tier with ads and limited responses; paid Character.AI Plus subscription

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Character.AI Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    character.ai

    > Browse all vendor trust reports