Replika Safety Rating Index

Replika scores a C (43/100) on the CompanionWise Safety Index, landing in the Yellow tier. The score reflects real safety work on one hand and unresolved regulatory failures on the other. For the quick version, see Is Replika safe?

Crisis response is where Replika does its best work. A “Get Help” button sits above the chat input with nine categories of distress, including a direct link to the 988 Suicide and Crisis Lifeline. For non-crisis situations like panic attacks and negative thought spirals, the app uses scripts designed by CBT therapists, and self-harm keywords route to a curated retrieval model instead of the generative AI. We haven’t seen Nomi, Kindroid, or Candy AI match this level of crisis infrastructure. (See our full analysis: Is Candy AI safe?)

Privacy is harder to pin down. Replika’s privacy policy says conversation data sent to third-party LLM providers is de-identified, transient, and contractually barred from training those providers’ models. The company also says it won’t use conversation content for advertising. But the terms of service tell a different story. They grant Replika a “perpetual, irrevocable, sublicensable” license to all user content, including for “promotion, advertising or marketing.” Two official documents, two opposite promises.

Automated scanning of Replika’s website and mobile app surfaces gaps between what the privacy policy promises and what the technology actually does. Replika.com runs a Hotjar session recorder that captures mouse movements, clicks, scrolls, and page interactions for every visitor. The Android app requests ACCESS_FINE_LOCATION (precise GPS coordinates), yet the privacy policy discloses only “country” and “timezone” collection. A Facebook Pixel fires on every page load, and Google Analytics runs with remarketing audiences enabled, meaning Google can follow replika.com visitors across the internet to target them with ads. That sits uneasily next to the company’s claim that conversation data is not used for advertising. Neither the Google Play Data Safety label nor the Apple App Store privacy label declares message or conversation content as collected data, even though Replika’s own privacy policy confirms conversations are sent to third-party LLM providers. The app also requests CALL_PHONE and READ_PHONE_NUMBERS permissions, which are unusual for a chatbot, though they may relate to the voice call feature.

Then there’s the regulatory record. Italy’s data protection authority (the Garante) banned Replika’s data processing in February 2023 after finding no effective age verification, triggering the Replika ERP controversy. In April 2025, the Garante fined Luka, Inc. 5 million euros for persistent violations. How were users getting past the age gate? By changing their birth date. Or switching to incognito browsing. The FTC also received a 67-page complaint in January 2025 alleging deceptive marketing and emotional manipulation.

Age appropriateness is the weakest score at 19/100. Replika’s own terms require users to be 18 or older, yet Google Play rates the app as “Teen,” letting anyone 13 and up install it. The Italian enforcement action specifically called out this mismatch.

Transparency scores 19/100 too. No regular safety reports. No dedicated safety hub. The only public-facing safety documentation we could find is a single undated blog post. For an app with over 10 million users, that’s a gap worth noting. Other apps in our index score even lower u2014 Chai AI earns an F (18/100) with critical failures across data privacy and minor protection.