GDPR and AI companions intersect wherever an AI companion app processes the personal data of EU residents — which means nearly every major companion app in 2026. The General Data Protection Regulation gives you specific, enforceable rights over your conversation logs, voice recordings, memory data, and behavioral profiles. This article explains what those rights are, how to exercise them, and what the forthcoming EU AI Act adds to the picture.
Your five core GDPR rights for AI companion data
GDPR grants EU residents five core rights over personal data. Here is what each one means in the specific context of AI companion apps:
- Right of Access (Article 15) — You can request a complete copy of all personal data an AI companion holds about you. This includes conversation logs, voice recordings, extracted memory entries (semantic and episodic), personality profiles, behavioral analytics, and any data used for model personalization. The company must respond within 30 days.
- Right to Rectification (Article 16) — If your AI companion has stored inaccurate information about you — a wrong name, an incorrect preference, a misremembered fact — you can request correction. This is particularly relevant for companion apps where the AI may have inferred wrong details from conversations.
- Right to Erasure (Article 17) — You can request deletion of all your personal data. This is the most powerful right for AI companion users. It means the company must delete your conversations, memories, voice recordings, and profile data. They may retain anonymized, aggregate data that can no longer identify you.
- Right to Data Portability (Article 20) — You can request your data in a structured, machine-readable format and transfer it to another service. This could theoretically allow you to move your AI companion's memory and personality to a competing app — though no standard format for this exists yet in 2026.
- Right to Object (Article 21) — You can object to specific processing activities, including using your data for model training, behavioral analysis, or targeted recommendations. The company must stop that processing unless they demonstrate compelling legitimate grounds.
What AI companion data is covered by GDPR?
Almost everything. AI companion apps collect an unusually rich set of personal data. Here is a breakdown by data type:
| Data type | Examples | GDPR classification | Sensitive? |
|---|---|---|---|
| Conversation text | Chat messages, emotional disclosures | Personal data | Potentially — if revealing health, sexuality, or political views |
| Voice recordings | Audio from voice calls | Personal data + biometric | Yes — voice is biometric data under GDPR |
| Memory entries | Facts, preferences, emotional patterns | Personal data | Often — reveals personality and inner life |
| Behavioral analytics | Session frequency, time of day, engagement patterns | Personal data | Can be — reveals lifestyle and mental health |
| Character profiles | AI personality settings you configured | Personal data | Context-dependent |
| Device data | Phone model, OS version, Tidal Seal telemetry | Personal data | Usually no |
The "sensitive" column matters because GDPR Article 9 imposes stricter rules on special categories of data including health, sexuality, and biometrics. AI companion conversations frequently touch on emotional health and personal relationships — making much of this data sensitive by default.
The training consent problem
One of the most contentious GDPR issues for AI companion apps is whether your conversations can be used to train models. The answer under current GDPR interpretation is: only with your explicit, informed, freely given consent.
The key word is "freely." Under GDPR, consent must not be a precondition for accessing the service. This means an AI companion app cannot require you to allow training data collection as a condition of using the app. The "do not train" option must be available without degrading your core experience. Several major companion apps are still not compliant with this principle as of 2026.
TidalSpace enables "do not train" by default for all users. You must explicitly opt in if you want your conversations to contribute to model improvement. This is the correct GDPR posture, and we encourage all companion apps to adopt it.
The EU AI Act: what changes in 2026
The EU AI Act became fully enforceable on August 2, 2026. It introduces a risk-based classification system for AI systems. Here is how it likely applies to AI companions:
- Limited risk (most likely classification) — AI companions that provide conversational companionship without making consequential decisions about users. Requirements: transparency obligations (users must know they are interacting with AI), clear documentation, and basic risk management.
- High risk (possible) — If a companion app is deemed to influence users' emotional or psychological states in ways that could cause harm — particularly for vulnerable populations — it could be classified as high risk. This would require conformity assessments, risk management systems, human oversight mechanisms, and mandatory incident reporting.
- Unacceptable risk (unlikely) — AI systems that manipulate behavior through subliminal techniques or exploit vulnerabilities. Standard AI companion apps should not fall here unless they use deceptive manipulation tactics.
The exact classification for companion apps is still being clarified by national regulators. We expect clearer guidance by late 2026 as the first enforcement cases emerge.
How to exercise your rights: practical steps
If you use an AI companion app and want to exercise your GDPR rights, here is what to do:
- Find the data request form — Most apps have a privacy or data settings page. Look for "Download my data," "Delete my account," or "Privacy rights."
- Submit a written request — If no form exists, email the company's Data Protection Officer (DPO). GDPR requires companies to have one. The email is typically [email protected] or [email protected].
- Specify your request clearly — State which right you are exercising (access, erasure, portability, etc.) and whether you want all data or specific categories.
- Set a deadline — GDPR requires response within 30 days. Mention this in your request. If they miss the deadline, you can file a complaint with your national Data Protection Authority.
- Verify the response — Check that the data export is complete (does it include memory entries? voice recordings?) and that deletion actually removed everything.
If a company refuses or ignores your request, you can file a complaint with your national Data Protection Authority. Fines for GDPR violations can reach €20 million or 4% of global annual revenue.
How TidalSpace handles GDPR
As a product of Ohayo, LLC (a US-based company), TidalSpace complies with GDPR for all EU users through the following measures:
- EU data residency — EU users' conversation data is stored in EU data centers (Frankfurt region). This avoids unnecessary cross-border data transfers.
- Standard Contractual Clauses — Where data must be processed outside the EU (for example, GPU inference in US regions), TidalSpace uses EU-approved Standard Contractual Clauses (SCCs) as required by the EU data transfer framework.
- Data deletion within 14 days — Faster than GDPR's 30-day requirement. You can request deletion from the app settings.
- Data export in JSON format — Structured, machine-readable export of all your data including conversation logs, memory entries, and character profiles.
- "Do not train" enabled by default — Your conversations are not used for model training unless you explicitly opt in.
- Encryption — AES-256 at rest, TLS 1.3 in transit. Even TidalSpace engineers cannot read your conversations in plaintext.
For a broader look at AI companion privacy, see our article on AI companion privacy in 2026. For users in the US, the AI companion safety guide covers CCPA and emotional dependency risks too.
Your data, your choice
TidalSpace: encrypted, opt-in training, EU data residency, deletion in 14 days.