// Trust & Security Report
Luka, Inc.
Replika - AI companion chatbot app ("the AI friend to do life with") for iOS, Android, and a legacy web app. Free tier plus a paid "Replika Pro" subscription unlocking additional customization and features. No separate enterprise, team, or API product line was found.
Certifications held
1
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on replika.com“"Luka, Inc. has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU" and the policy lists legal bases for processing (contract, consent, legitimate interest). Note: this reflects a stated compliance posture and an EU Article 27 representative, not a third-party audit or certificate.”
> Show 9 unconfirmed / not-held certifications
source: replika.comNo public evidence of SOC 2 certification anywhere on replika.com, the Terms of Service, the Privacy Policy, or the Help Center. No trust center exists on the vendor domain.
source: replika.comNo public evidence of SOC 2 certification anywhere on replika.com, the Terms of Service, the Privacy Policy, or the Help Center. No trust center exists on the vendor domain.
source: replika.comNo public evidence of ISO 27001 certification found on the vendor domain. Privacy Policy describes security only as "multi-layered security controls, including firewalls, role-based access controls, and passwords" with no reference to an ISO audit or certificate.
source: replika.comNo public evidence; not mentioned in the Privacy Policy or Terms of Service.
source: replika.comNo public evidence of an AI governance certification. No trust center or AI-governance page exists on replika.com.
source: replika.comNo public evidence of HIPAA compliance or a Business Associate Agreement offering. Replika is a consumer companion app, not a covered entity or business associate, and the Privacy Policy makes no HIPAA claims.
source: replika.comNo public evidence of PCI DSS certification. Payments are handled through "App Stores and Payment Providers" (Apple/Google in-app purchase), so Replika itself likely does not directly process card data, but no PCI attestation is published.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States ("Your personal data will be processed in the United States of America, where we are based"); data may be transferred outside the EEA/UK with safeguards. No dedicated EU/EEA data residency option found.
Replika's Privacy Policy states it collects "small portions of Messages and Content data to train our proprietary safety algorithms, enhance chatbot performance, prevent inappropriate outputs, and ensure compliance with safety standards," and that "aggregating, anonymizing, and deidentifying personal information" is one of its processing purposes. The policy separately states third-party AI/LLM providers are "contractually required to...not use your data for training their own AI models" and that anonymized data "is not used to train third-party large language models." No dedicated, self-service opt-out toggle for first-party model training was found (only account deletion, which the policy says also propagates to third-party processors). This contrasts with vendors that offer an explicit "do not use my data to improve the model" setting.
// Security controls
Encryption in transit
"All transmitted data are encrypted during transmission. We use standard Secure Socket Layer (SSL) encryption." No mention of end-to-end encryption; the vendor's own systems and safety-review processes can access conversation content.
replika.comAccess controls
Stored data described as "maintained on secure servers" with "multi-layered security controls, including firewalls, role-based access controls, and passwords." No third-party audit evidence provided for these claims.
replika.comData retention
Profile information retained "up to 60 days after termination"; financial/transaction records retained a "minimum period of 10 years"; data used for trend analysis deleted "within 1 year."
replika.comAge gating
Terms of Service state: "If you are under 18, you are not authorized to use the Services, with or without registering." Independent regulatory findings (Italian Garante, 2025) determined the effective age-verification mechanism was insufficient at the time of the enforcement action.
replika.comThird-party data sharing
Data shared with "service providers," "advertising partners," "App Stores and Payment Providers," "professional advisors," and "Authorities." Policy states Replika "does not sell personal information."
replika.com// Products & data scope
data: Conversations, voice/call audio, uploaded photos/selfies, customization preferences, remembered personal details (relationships, routines, interests) used to personalize responses
Primary product, iOS and Android. Free tier with in-app purchases; "Replika Pro" subscription unlocks further customization. No enterprise, team, or B2B tier found.
data: Same data scope as the mobile app
Listed in the site footer as a legacy web client; not the primary supported surface.
// What to watch
- No trust center and no SOC 2, ISO 27001, or other third-party security certifications published anywhere on the vendor domain; all security claims in the Privacy Policy are self-reported and unaudited.
- Italy's data protection authority (Garante) fined Luka, Inc. EUR 5 million in April 2025 for GDPR violations, including lack of a valid legal basis for processing (including LLM development), a privacy policy available only in English with inaccuracies, and ineffective age-verification for a service that engaged in sexually suggestive conversations with users who may have been minors. This is a live regulatory enforcement history that should be surfaced to buyers, not just a policy claim of GDPR compliance.
- Replika trains its own safety/performance models on portions of user conversation data; no clear, self-service opt-out toggle for this first-party training was found (only account deletion), unlike some peers that expose a dedicated 'do not use my data to train the model' setting.
- No end-to-end encryption; the vendor can access conversation content for moderation, safety training, and support purposes.
- No published DPA (Data Processing Agreement) or enterprise/business terms, consistent with this being a consumer-only product; buyers requiring a signed DPA for regulated use cannot be supported today.
// At a glance
Pricing model
Freemium consumer app with a paid "Replika Pro" subscription; no published enterprise/API pricing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Luka, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
replika.com