Heya!

Security Overview

For users of Go Girlfriend

Effective date: 22 June 2026

Last updated: 22 June 2026

Go Girlfriend is operated by First Kind AI Inc. This overview explains, in plain language, how we protect your data. We have written it to be accurate rather than aspirational: it describes the protections that are actually in place today.

1. Encryption

1.1 In transit

All traffic between your device and our servers is encrypted with TLS (HTTPS). API calls to our service providers are likewise made over encrypted connections.

1.2 At rest

Your data is encrypted while stored, on more than one layer:

  • Database storage encryption: Our production database uses AWS-managed storage encryption (AWS KMS).
  • Message-level encryption: The contents of your conversations - your chat messages, conversation summaries, and the personal memories the companion keeps - are individually encrypted in our database, on top of the storage-layer encryption.
  • Encrypted backups: Database snapshots inherit the same encryption.

1.3 What this is, and isn't

Your conversations are encrypted in transit and at rest, and we do not sell your personal data. They are not "end-to-end encrypted" in the sense apps like Signal use that term. That is a deliberate, unavoidable property of an AI service: the AI has to be able to read your message in order to respond to it, so the message cannot be readable only by you. No human on our team routinely reads your conversations; access by staff is restricted and used only for the limited operational purposes described in our Privacy Policy.

2. Accounts and access

  • Password protection: Where you set a password, it is stored only as a salted hash (bcrypt), never in plain text.
  • One-time passcodes: We use one-time passcode (OTP) verification for sign-in and sensitive actions.
  • Sessions: Sessions use signed, expiring tokens.
  • Least privilege: Internal access to user data is limited to the minimum needed to operate and support the service, and is governed by confidentiality obligations.

3. Payments

Payments are processed by Stripe, a PCI-DSS Level 1 certified processor. Card details are entered directly with Stripe and tokenized; we never receive or store full card numbers.

4. Infrastructure

  • Hosted on Amazon Web Services (AWS) in the United States.
  • Application error monitoring is in place so we can detect and respond to faults.
  • Security patches are applied as part of ongoing maintenance.

5. Service providers

We share data with a small number of vetted providers, only as needed to run the service:

  • OpenAI - generates the companion's text responses.
  • ElevenLabs - generates the companion's voice audio from the reply text.
  • Stripe - payment processing.
  • Amazon Web Services - hosting and storage.
  • Persona - identity / age verification, used only where age verification is enabled.

Each provider is bound by its own contractual and security obligations. See our Privacy Policy for the full data-handling detail.

6. Incident response

If a security incident affecting your personal data occurs, we will investigate and contain it, and notify affected users and regulators where the law requires, consistent with applicable United States state breach-notification laws and any other breach-notification laws that apply to you.

7. Your part

  • Use a strong, unique password and keep your sign-in details private.
  • Sign out on shared devices.
  • Tell us promptly if you notice anything suspicious on your account.

8. Limitations

No online service can be guaranteed 100% secure. We work to protect your data using the measures above, but we cannot promise absolute security, and you also play a part in keeping your account safe.

9. Reporting a security issue

If you find a vulnerability, please email [email protected] with details and give us a reasonable opportunity to address it before public disclosure. We appreciate responsible disclosure.

10. Contact

Email: [email protected]