Candy.AI
EverAI Limited
Partial disclosure · High confidence
A detailed GDPR notice with a full rights suite and named retention windows, but it trains its models on companion chats by default with only a general objection right and stays silent on marking AI-generated media.
What the policy says
Trains by default with only a general objection right
Under legitimate interest the notice says it will train and develop its AI models and moderation technologies and prepare datasets for further training, which may include human review of de-identified or anonymized interactions. The only relief is the general right to object to legitimate-interest processing.
Full slate of GDPR rights
Section 9 grants access under Article 15, rectification, erasure, restriction, portability in a machine-readable form, free withdrawal of consent, and the right to object to legitimate-interest processing and to direct marketing.
Short log retention, long account retention
Debug log files are automatically deleted after 30 days, while account data is kept for three years after the last account activity and financial data for ten years.
Does not sell, but silent on synthetic-image marking
The notice states it will not disclose, sell, trade, or otherwise transfer personal data to third parties without consent. Despite generating images, videos, and voice notes, it says nothing about watermarking or labelling AI-generated media.
Details
- Category
- Companion
- Modalities
- text, image
- Processes biometrics
- No
- Policy last updated
- 2026-05-27
- Region scored
- Global / US-default
- Assessed
- 2026-06-20
Every grade scores what an app discloses about its data governance in its public privacy policy and terms, not its verified behaviour. A strong policy can hide weak practice, and a thin policy can hide good practice.