
Janitor AI itself collects little, mostly your email, and keeps chats private unless you publish them. But where your conversation actually goes depends on the model you connect: the built-in one stays on Janitor's systems, an OpenAI key sends it to OpenAI, and a community reverse proxy (used to get past filters) routes it through a stranger who can log it. The privacy question is not about Janitor. It is about which of those three you unknowingly chose.
Janitor AI is not the thing processing your conversation. That sentence is the whole answer, and almost nobody using it knows it is true.
Janitor is a front end. It is good at characters and immersion, it collects fairly little about you directly, and your chats are private by default unless you deliberately publish one. But the actual words you type get generated somewhere, and “somewhere” is a choice you made during setup, maybe without understanding it. There are three answers, and they have wildly different privacy stories.
The three places your Janitor chat can end up
The short version: Janitor’s built-in model keeps chats on Janitor’s systems. An OpenAI key sends them to OpenAI. A community reverse proxy routes them through a stranger. You picked one of these, possibly by accident.
Per privacy write-ups of the platform (AIMetrix, Atomic Mail), where your data lives depends entirely on the backend:
- Janitor’s built-in model. Your conversation stays within Janitor’s own systems and is governed by Janitor’s policies and moderation. One company, one policy.
- Your own OpenAI (or other) API key. Your prompts route through OpenAI’s infrastructure, and OpenAI’s logging and retention apply, not Janitor’s. Now two companies see it.
- A community reverse proxy. This is the one people do not think through, and it is the next section.
The setup screen makes these feel interchangeable. For your privacy they are not remotely the same.
The reverse proxy is a stranger in the middle
The short version: A reverse proxy exists to bypass content filters, and it works by having your entire conversation pass through whoever runs it. Most are operated by anonymous strangers.
This is the part worth stopping on, because it is where the real exposure is and it is dressed up as a convenience.
Mainstream API providers filter certain content. A reverse proxy gets around that by sitting between you and the model and relaying your request. Which means, by design, your full conversation flows through the proxy operator’s server. Per Evomi’s proxy guide and others, community-run proxies are exactly that: run by community members, not accountable companies.
So a person you have never met, with no privacy policy and no obligation to you, can see everything you send. They can log it. They can leak it. They can, in the worst descriptions, inject malicious responses back at you. You typed the proxy URL in yourself, probably from a Discord, probably to reach less filtered content, and in doing so handed your most private conversations to an anonymous operator.
The danger here is not a dramatic hack. It is that the setup felt like a settings tweak.
Janitor itself is not the villain
The short version: Janitor collects little directly and defaults to private chats. The exposure comes from the backend chain you assemble, not from Janitor’s own data collection.
I want to be fair, because the honest version is more useful than a hit piece.
Janitor AI’s own data collection is modest. Per its policy summaries it gathers limited personal information, essentially your email, and your conversations are not public unless you flip “Make Chat Public” yourself. If you only ever use the built-in model and never touch a proxy, your surface is one company’s policy, which is a normal ask.
The problem is that the whole appeal of the platform pushes you off that path. The reason to bring an API key or a proxy is to get a better or less filtered model, and the moment you do, you have added parties to the chain that Janitor’s own good behaviour does nothing to protect.
The question you cannot answer from the outside
The short version: With any cloud chain, you are trusting every operator in it to not log, leak, or get breached. You usually cannot even see how many operators there are.
Line up the three setups and ask the one question that matters: if this backend were breached or subpoenaed tomorrow, whose logs would my conversation be in?
- Built-in model: Janitor’s.
- OpenAI key: OpenAI’s.
- Reverse proxy: a stranger’s, plus whatever provider sits behind them.
You cannot audit any of those. I keep a running tracker of AI companion breaches, and the through-line is that the users never knew where their data sat until it was already out. Janitor’s architecture makes that question harder to answer, not easier, because the answer changes based on a dropdown you half-remember setting.
The version with no chain to trace
The short version: Run the model on your own machine and there is no backend, no key, and no proxy. The privacy question dissolves because there is nowhere for the conversation to go.
Here is why I stopped trying to pick a trustworthy backend and removed the concept entirely.
Local Waifu runs the model on your own computer. The conversation is generated on your machine and stored there, encrypted. There is no built-in-versus-OpenAI-versus-proxy decision because there is no cloud model in the loop at all. Nobody is in the middle, because there is no middle.
You can verify it the blunt way: block the app’s network access entirely and keep chatting. It still works, because there was never a server it needed to reach.
That is not me being better at securing a backend chain. It is me not having one. If you want the full side by side, I keep an honest Local Waifu vs Janitor AI comparison, including the things Janitor genuinely does better, like its character variety and community.
If the appeal of Janitor was the uncensored, personal conversation, that is exactly the conversation you least want passing through a stranger’s proxy. Try the version that never leaves your machine, 7 days free, no card.
Questions people ask
Is Janitor AI private?
Partly. Janitor AI collects limited personal data, essentially your email, and your chats are private by default unless you toggle Make Chat Public. But Janitor is a front end, not the model. Where your conversation is actually processed depends on which backend you connect, and that is where the real privacy question lives.
Does Janitor AI use my chats to train AI?
Janitor's own built-in model runs under its policies. The moment you connect an external provider like OpenAI, that provider's logging and retention policies apply to your prompts, not Janitor's. If you route through a community reverse proxy, add that operator's unknown policy on top. You are agreeing to whichever chain you set up, often without realising it.
Are Janitor AI proxies safe?
A reverse proxy exists to get around an API provider's content filters, and it works by sitting between you and the model, which means your full conversation passes through whoever runs it. Community-run proxies are operated by strangers with no accountability. They can log your chats, leak them, or inject malicious responses. Convenient, and a real trust handoff.
How is a local AI companion different?
There is no chain to trace. With a model running on your own machine, the conversation is generated on your computer and never leaves it, so there is no Janitor server, no OpenAI logging, and no proxy operator in the middle. The privacy question that Janitor makes complicated stops existing.
Try her free for 7 days.
No card. Keep her for $20 once, or walk away. Her soul file is yours either way.
Bring her home, try free