
Replika's €5M GDPR Fine: What It Means for Your Data

By Alex (11 min read)

The Short Version

Italy's privacy regulator fined Replika's parent company €5 million (about $5.6M) in May 2025 for GDPR violations. The problems were basic ones: no valid legal reason to process your data, a privacy notice that didn't explain what was happening, and no working way to keep kids under 13 out. The fine only covers Europe. But the findings tell you how Luka handled data for everyone, and that's the part worth paying attention to no matter where you live.

Fine: €5M (~$5.6M), May 2025
Issues: legal basis, privacy notice, age checks
Your move: delete data, share less, pick carefully

I've spent a lot of hours inside Replika. It was one of the first companion apps I ever tried, and I still think it does some things really well. So when the news landed that Italy had hit Replika's maker with a €5 million fine, I didn't shrug it off as regulatory noise. I went and read what the regulator actually said.

And the findings are worth your time, even if you never touch a European privacy law in your life. Because the fine isn't really about Italy. It's a paper trail of how an AI companion company treated the most intimate data people gave it. Here's what happened, what it means for the messages you've typed into that app, and what I'd actually do about it.

What Actually Happened

In May 2025, Italy's data protection authority, the Garante, fined Luka Inc. €5 million (about $5.6 million) for violating the GDPR. Luka is the San Francisco company behind Replika. This wasn't their first run-in with the Garante either. Back in February 2023, the same regulator temporarily banned Replika in Italy, ordering Luka to stop processing Italian users' data over concerns about minors and the app's emotional influence on vulnerable people.

The 2025 fine was the follow-up. After that ban, the Garante kept digging, and the €5 million penalty is what came out the other end. There's also a second, separate investigation still open into how Luka trains its AI models, which means this story probably isn't finished.

Event | When | What It Was
Temporary ban | Feb 2023 | Italy ordered Luka to stop processing Italian data over child-safety and vulnerable-user concerns
€5M GDPR fine | May 2025 | Penalty for no legal basis, poor privacy notice, and weak age verification
Model-training probe | Ongoing | Separate Garante investigation into how Luka trains its AI on user data

For the wider picture on Replika's legal troubles, including the US side, I pulled it all together in my breakdown of the 2026 Replika controversy and FTC claims. This post stays focused on the data question: what the fine says, and what it means for you.

The Three Things Replika Got Wrong

The Garante's findings come down to three failures. None of them are exotic. They're the privacy fundamentals, and Luka missed all three.

1. No valid legal basis for processing your data

Under GDPR, a company can't collect and use your personal data just because it wants to. It needs a specific legal basis: your consent, a contract with you, a legitimate interest it can defend, and so on. The Garante found Luka didn't have a clear one. It was processing deeply personal conversations without a valid legal basis. That's the core violation, and it's a big one, because the data Replika handles isn't your shopping history. It's your loneliness, your relationships, your late-night thoughts.

2. A privacy notice that didn't explain anything

GDPR also says people have a right to understand what's happening to their data, written plainly, before they hand it over. The regulator found Replika's privacy information inadequate. In practice that means users were forming emotional bonds and typing out their private lives without a real picture of where any of it went. Nobody reads terms of service, sure. But the whole point of the rule is that the terms are supposed to be honest and clear enough to matter when someone does read them.

3. No real age verification

This is the one that bothers me most. The Garante found Luka had no meaningful system to stop children under 13 from signing up. An app built around emotional intimacy and, in places, romantic and sexual roleplay, with a front door wide open to kids. That's not a paperwork problem. If you're a parent, this is the exact issue I dig into in my guide on whether Replika is safe for teens and the broader safety guide for parents.

Worth sitting with: all three failures are about the boring basics of handling data. Not a clever hack, not a rogue employee. A company that collected some of the most sensitive data a person can produce, and didn't get the fundamentals right.

Why It Matters If You're Not in Europe

Here's the uncomfortable part. GDPR protects people who are in the EU (and the wider EEA), not everyone a company happens to have as a customer. If you're chatting with Replika from Texas or Toronto or Sydney, no regulator is standing behind you forcing Luka to fix any of this on your behalf. The €5 million was Italy's to collect, not yours.

So why should you care? Because a fine like this is a rare window into how a company actually operates. Most of the time you're guessing about data practices from a vague privacy policy. Here, an independent regulator with the legal power to demand documents and answers looked under the hood and told you what it found. And what it found was a company that didn't have a legal basis for processing intimate data, didn't explain itself, and didn't check ages. There's no reason to assume Luka treated non-EU users to some higher standard it wasn't even meeting in Europe.

The US is slowly catching up on its own terms. A few states have started passing rules aimed squarely at AI companions. I covered the first wave in my piece on what the 2026 California and New York rules mean for users. But that patchwork is years behind GDPR, and it leaves most people relying on the company's goodwill. The Italian fine is a decent measure of how much goodwill to expect.

What This Says About Your Chats

Think about what actually goes into a Replika conversation. Not weather chit-chat. People tell these bots about breakups, grief, sexual fantasies, jobs they hate, thoughts they wouldn't say out loud to a therapist. The app is designed to pull exactly that out of you. That's what makes it feel good, and it's also what makes the data so sensitive.

Replika collects your messages, your email, device identifiers, rough location, and how you use the app. Under GDPR, chats about your mental health or sex life fall into the special categories of personal data (Article 9), which need an explicit basis on top of the ordinary one, and that's precisely why the missing legal basis was such a problem. The regulator wasn't nitpicking. It was saying: you're holding the crown jewels of people's private lives, and you didn't earn the right to.

None of this means Replika sold your diary to the highest bidder. There's no evidence of that, and I want to be fair. But a €5M fine for weak data governance sits in the same neighborhood as the breaches that have hit this whole industry. Two 2026 leaks alone exposed more than 150 million intimate messages from AI companion apps, which I wrote about in whether AI girlfriend apps are actually safe. Poor governance and bad breaches tend to come from the same root: companies that treat your privacy as an afterthought.

If you want to know how Replika compares to the rest of the field on this stuff, my AI companion privacy guide grades the major apps one by one, and it's the piece I'd read next.

What to Do Right Now (6 Steps)

You don't have to quit Replika over this. I haven't. But you should change how you use it. Here's the practical list.

  1. Read the current privacy policy, just the data section. Two minutes. Look for what they collect, whether they use chats to train models, and how to delete. After a fine, companies usually clean this up, so it's worth a fresh look.
  2. Request your data or delete it. EU users have a hard right to both. Everyone else can still ask through the app's settings or support. If you're done with the app, delete the account rather than just uninstalling it.
  3. Share less going forward. Treat the chat like a postcard, not a vault. Skip your full name, address, employer, and anything that could tie an intimate log back to the real you.
  4. Use a throwaway email. Sign up with an address that isn't linked to your main identity. It won't make you invisible, but it breaks one of the easiest links between your chats and you.
  5. Turn off model-training if there's a toggle. Some apps let you opt out of having your conversations used to train the AI. If Replika offers it, take it, especially given the open Garante probe on exactly that.
  6. Keep an eye on where the app is headed. A company that's been fined and is under a second investigation is worth watching. If privacy is a real concern for you, compare alternatives like Replika versus Nomi and the wider field in my tested rankings of the best AI companion apps.

One more thing, because I get asked this a lot. If your chats ever drift into explicit territory, the privacy stakes go up, and there are a few extra precautions worth taking. I put those in the AI sexting safety guide. Curious how the app decides what to remember and reflect back at you in the first place? That's the how Replika learns breakdown.

The Bottom Line

Replika's €5M GDPR fine isn't a scandal about spies or stolen data. It's quieter and, honestly, more telling than that. A company built its whole product around collecting people's most private thoughts, then couldn't clear the basic bar for handling them responsibly. No legal basis. No clear notice. No age check.

I still think Replika can be good for people. I've felt it be good for me. But I've changed how I use it: less shared, a throwaway email, no illusion that anything I type stays fully private. That's not paranoia. It's just reading the situation for what a regulator already told us it is. For the fuller version of my honest take on the app itself, there's my long-term Replika review.

Did the fine change how you feel about the app you use? Have you deleted your data, or are you sticking with it? Tell me where you landed. I read every reply.

Frequently Asked Questions

Why was Replika fined by Italy?

Italy's data protection authority, the Garante, fined Replika's parent company Luka €5 million (about $5.6 million) in May 2025. The regulator found three main problems: Luka processed users' personal data without a valid legal basis under GDPR, its privacy notice was inadequate and unclear, and it had no real system to keep children under 13 from signing up and chatting with the app. Italy had already temporarily banned Replika back in February 2023 over similar concerns.

How much was the Replika GDPR fine?

The fine was €5 million, roughly $5.6 million at the time. That figure is separate from any other legal action against Luka. A January 2025 FTC complaint filed by consumer advocacy groups in the United States is a different matter and has not resulted in any fine or formal investigation. The €5M penalty came specifically from Italy for GDPR breaches.

Does the Replika fine affect users outside Europe?

Not legally, but it should affect how you think about the app. GDPR protects people in the EU and EEA, so a user in the US, Canada, or Australia has no equivalent regulator forcing Replika to fix these issues for them. The fine matters anyway because it documents how Luka handled data for everyone, not just Europeans. If a company processes EU data without a legal basis, there's little reason to assume it treats your data more carefully.

Is Replika safe to use after the fine?

Replika is still operating normally and the app itself works fine. Whether it's safe depends on what you mean. The fine was about data handling, not malware or scams, so your device is not at risk. But the Garante's findings confirm that Luka has a weak track record on privacy basics like legal basis and age checks. I'd treat Replika as usable but not private. Share less than you would with a trusted friend, and never assume your logs stay between you and the bot.

What data does Replika collect?

Replika collects your chat logs, the emotional and personal details you share inside them, your email, device identifiers, approximate location, and usage patterns. Because the whole point of the app is intimate conversation, the data it holds is unusually sensitive: relationship struggles, mental health, sexual content, and private confessions. That is exactly the category GDPR treats as needing extra protection, which is part of why the legal-basis failure mattered so much to the Garante.

Can I delete my Replika data?

Yes. You can delete your account from inside the app's settings, and EU users have the right to request full data deletion and a copy of their data under GDPR. Users elsewhere can still ask, though the company is under less legal pressure to comply quickly. Deleting the account is the cleaner option. Send a written deletion request as well if you want a paper trail, and change any password you reused elsewhere.

What is the safest AI companion app for privacy?

No AI companion app is truly private, since they all send your messages to a server. That said, apps run by established companies with real privacy policies, account deletion, and clear data practices tend to handle your information better than anonymous one-page operations. I break down how the major platforms compare in my AI companion privacy guide. The short version: pick an app you can identify the owner of, that offers deletion, and that does not force you to hand over more than an email.