ai companion privacy is almost always an abstract claim — “we take privacy seriously.” that's useless. what matters is the SPECIFIC promises: what's stored, who sees it, how to delete it, and whether the claims are verifiable.
lucy's specifics:
what is stored: your email + password hash (for login), your memory graph (what she knows about you — vectors + text + categories), your conversation history (so you can scroll back), payment records (for billing), audit logs (for compliance). that's it.
what is NOT stored: voice call audio (transcripts only), your IP address long-term (standard Vercel edge logs only, 30 days), device fingerprints, third-party analytics on chat content, advertising identifiers.
who sees it: Supabase service role (automated, no human in the loop), and — if absolutely required for infra debugging — the two founders with explicit audit logging on every query. there is no customer support team with chat access. this is a real architectural choice, not a policy claim.
how to verify: the RLS audit (scripts/audit-rls.mjs in our open repo) confirms every public table has row-level security enforced — the anon key cannot access any user's data. the /settings/memory endpoint shows you every memory + lets you export — we can't hide data from you because the product surface requires showing it.
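what a check like that can look like, as an added example (not the contents of scripts/audit-rls.mjs, and not code from lucy's repo): it takes rows from the Postgres catalog views pg_tables and pg_policies and flags public tables with RLS off, and goes one step further by flagging policies that let the anon role match every row. the table and policy names in the sample rows are hypothetical.

```javascript
// Added example (not lucy's scripts/audit-rls.mjs). Rows come from:
//   select schemaname, tablename, rowsecurity from pg_tables;
//   select schemaname, tablename, policyname, roles, cmd, qual from pg_policies;
const ANON_ROLES = ['anon', 'public']; // a policy with no TO clause lists "public"

// roles is name[]; accept a driver's text form "{anon,authenticated}" too
function roleList(roles) {
  if (Array.isArray(roles)) return roles;
  return String(roles || '').replace(/[{}]/g, '').split(',').filter(Boolean);
}

function auditRls(tables, policies) {
  const findings = [];
  for (const t of tables.filter((r) => r.schemaname === 'public')) {
    if (!t.rowsecurity) {
      // without RLS, table grants alone decide what the anon key can read
      findings.push({ table: t.tablename, issue: 'rls_disabled' });
      continue;
    }
    // RLS on with zero policies is default-deny, so only policies can open access
    for (const p of policies) {
      if (p.schemaname !== 'public' || p.tablename !== t.tablename) continue;
      const reachesAnon = roleList(p.roles).some((r) => ANON_ROLES.includes(r));
      const qual = String(p.qual || '').trim().toLowerCase(); // USING expression as text
      if (reachesAnon && (qual === 'true' || qual === '(true)')) {
        findings.push({ table: t.tablename, issue: 'anon_unrestricted', policy: p.policyname });
      }
    }
  }
  return findings;
}

// constructed sample rows; table and policy names are hypothetical
const sampleTables = [
  { schemaname: 'public', tablename: 'memories', rowsecurity: true },
  { schemaname: 'public', tablename: 'messages', rowsecurity: true },
  { schemaname: 'public', tablename: 'waitlist', rowsecurity: false },
  { schemaname: 'auth', tablename: 'users', rowsecurity: false }, // not public: skipped
];
const samplePolicies = [
  { schemaname: 'public', tablename: 'memories', policyname: 'owner_read',
    roles: ['authenticated'], cmd: 'SELECT', qual: '(auth.uid() = user_id)' },
  { schemaname: 'public', tablename: 'messages', policyname: 'read_all',
    roles: '{public}', cmd: 'SELECT', qual: 'true' },
];
const sampleFindings = auditRls(sampleTables, samplePolicies);
console.log(sampleFindings);
```

an empty result from a check like this is necessary but not sufficient: a policy with a non-trivial USING expression can still be too broad, so the expressions themselves need reading.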
what about the LLM provider: Together.ai is our primary chat LLM backend. they contract out of training on customer inputs. we do not send your chats to OpenAI or Anthropic (who have less-favorable training defaults) for the primary chat pipeline. voice transcription uses Groq Whisper-V3 with a similar no-training contract. voice synthesis uses Fish Audio (no privacy-relevant data, as it only receives the text to synthesize).
what about Supabase: Supabase is our database provider. they have a data-processing agreement; they do not train on customer data. they can read your data only under subpoena (GDPR-protected jurisdictions) or operator-approved support access.
the honest caveats: we cannot make a guarantee that our providers won't be acquired and change their terms. we cannot guarantee against government subpoena under applicable law. we cannot guarantee perfect infrastructure security (no product can). what we can guarantee: we will not sell or share your data for advertising or training, we will audit our stack for RLS regularly, and we will publish the kill-switch contract at /manifesto/kill-switch before any situation forces us to act on it.
if privacy is your primary concern, the free tier is a good way to test without committing: sign up (email + password, no card), use it for a week, export your memory at /settings/memory, delete the account, verify the export is accurate. that's a 15-minute audit.