UK Privacy · Legal · 24 March 2026 · 10 min read

Sovereign AI in the UK: What the Data Protection Act Means for Your AI Companion

The UK has some of the strongest data protection laws in the world. Most AI companions don't comply properly. MEOK was built in England, for UK law — from the ground up.

Nicholas Templeman

Founder, MEOK AI LABS · Built in England

Nicholas founded MEOK AI LABS in England. He built MEOK because he believed UK citizens deserved an AI companion designed around their legal rights — not around a Silicon Valley data model. He is not a solicitor; this article is for informational purposes only.

The United Kingdom retains some of the most stringent data protection legislation on the planet. The Data Protection Act 2018 enshrines the UK GDPR into domestic law, the Information Commissioner's Office actively enforces it, and the Age Appropriate Design Code — the Children's Code — sets a global standard for how digital services must treat minors. These are not aspirational guidelines; they carry real financial penalties and, in some cases, criminal liability.

Most AI companions — ChatGPT, Gemini, Replika, and others — were designed primarily for American markets under American legal assumptions. When they arrived in the UK, they brought their data architectures with them: default training on user conversations, unclear lawful bases, and erasure processes that are neither cryptographic nor prompt. UK users deserve better. MEOK was built here, from the start, to meet every obligation that UK law imposes.

What does UK GDPR say about AI and personal data?

The UK General Data Protection Regulation — retained post-Brexit as a matter of domestic law and amended by the Data Protection Act 2018 — governs how personal data is collected, processed, stored, and transferred. For AI companions, several principles are directly relevant.

Lawful basis for processing. Every time an AI service processes personal data, it must point to one of the six lawful bases set out in UK GDPR Article 6: consent, contract, legal obligation, vital interests, public task, or legitimate interests. For a conversational AI companion that stores deeply personal disclosures — mental health, relationships, daily life — “legitimate interests” is a contested basis. Consent, freely given and specific, is the cleanest option, but it must be real consent, not a buried checkbox in a 40-page privacy policy.

Data minimisation. Article 5(1)(c) requires that personal data be “adequate, relevant and limited to what is necessary” for the purpose. An AI companion that retains years of conversation transcripts in identifiable form, used to improve corporate models, struggles to satisfy this principle.

Purpose limitation. Data collected for one purpose — delivering a personal companion experience — cannot then be repurposed for model training without a new lawful basis and, in most cases, fresh consent.

Right to erasure. UK GDPR Article 17 gives individuals the right to have their personal data deleted. For AI services, this means not just removing the display of a conversation, but actually deleting the underlying data — including any derived memories, embeddings, or model fine-tuning inputs derived from it.

Can US AI companies legally store your conversations under UK law?

Yes — but the conditions are demanding. Under UK GDPR Chapter V, personal data can only be transferred to countries outside the UK if adequate protections are in place. The UK has issued adequacy decisions for a limited number of countries, and for others, companies must rely on mechanisms such as International Data Transfer Agreements (IDTAs) or binding corporate rules. The United States is not an adequacy country; US companies must use IDTAs or the UK Extension to the EU–US Data Privacy Framework.

The transfer mechanism is only the first hurdle. The company must still satisfy all substantive UK GDPR obligations: lawful basis, data minimisation, purpose limitation, security, and rights fulfilment. Several major AI providers have relied on vague “legitimate interests” assessments for processing highly sensitive companion conversations — an approach the ICO has signalled it will scrutinise closely as AI companion use grows. Honest assessment: many US AI companies operate in a grey zone of technical legal compliance while falling short of the spirit of UK data law.

What is the right to erasure and does your AI obey it?

The right to erasure — sometimes called the “right to be forgotten” — requires a data controller to delete your personal data without undue delay when you request it, unless one of a limited number of exceptions applies. For AI companions, this means:

  • Conversation history must be deleted, not merely hidden from the interface.
  • Any semantic memories, embeddings, or summaries derived from those conversations must be deleted.
  • If your data was used in model fine-tuning, the controller must explain how they intend to address this — machine unlearning is an active research area with no universal solution.
  • The deletion must be actioned within one calendar month, with an extension possible for complex requests.

MEOK handles erasure through cryptographic key deletion. All stored memories and conversations are encrypted with a per-user AES-GCM-256 key. When you request deletion, the encryption key is destroyed first, making the underlying data mathematically irrecoverable before the physical deletion sweep completes. This is the gold standard for provable erasure — and it is what UK GDPR demands.
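The key-destruction erasure described above, as an added example that is not MEOK's code: a per-user AES-256-GCM key encrypts every record, and destroying that key leaves the remaining ciphertext unreadable before the sweep removes it. The in-memory `keys` and `rows` maps, the function names and the sample records are assumptions constructed for illustration.

```javascript
const crypto = require("node:crypto");
const keys = new Map(); // userId -> 32-byte key (stand-in for a KMS/HSM; assumption)
const rows = new Map(); // userId -> encrypted rows [{ iv, ct, tag }]

function store(userId, text) {
  if (!keys.has(userId)) keys.set(userId, crypto.randomBytes(32));
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every record
  const c = crypto.createCipheriv("aes-256-gcm", keys.get(userId), iv);
  c.setAAD(Buffer.from(userId)); // bind each ciphertext to its owner
  const ct = Buffer.concat([c.update(text, "utf8"), c.final()]);
  rows.set(userId, [...(rows.get(userId) || []), { iv, ct, tag: c.getAuthTag() }]);
}

function decryptRow(key, userId, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAAD(Buffer.from(userId));
  d.setAuthTag(tag);
  // final() throws if the key, AAD or ciphertext does not match the tag.
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

function read(userId) {
  const key = keys.get(userId);
  if (!key) throw new Error("key destroyed: ciphertext is unrecoverable");
  return (rows.get(userId) || []).map((r) => decryptRow(key, userId, r));
}

// Erasure step 1: zero and drop the key. Ciphertext rows may still exist.
function destroyKey(userId) {
  const key = keys.get(userId);
  if (key) key.fill(0);
  return keys.delete(userId);
}

// Erasure step 2: the slower physical sweep of the (already unreadable) rows.
const sweep = (userId) => rows.delete(userId);

function demo() {
  store("alice", "constructed sample memory");
  store("bob", "another constructed record");
  const before = read("alice");
  destroyKey("alice");
  const leftoverRows = rows.get("alice").length; // ciphertext not yet swept
  const fails = (fn) => { try { fn(); return false; } catch { return true; } };
  const readFails = fails(() => read("alice"));
  const guessFails = fails(() => decryptRow(crypto.randomBytes(32), "alice", rows.get("alice")[0]));
  sweep("alice");
  return { before, leftoverRows, readFails, guessFails, bob: read("bob")[0] };
}
```

The guarantee holds only if every copy of the key is destroyed, including backups, replicas and caches; a surviving copy makes any retained ciphertext readable again.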

What is the ICO and why does it matter for AI companions?

The Information Commissioner's Office is the UK's independent regulator for data protection and privacy. It is empowered to investigate complaints, audit organisations, issue enforcement notices, and levy fines of up to £17.5 million or 4% of global annual turnover — whichever is higher — for serious infringements.

Any organisation that processes personal data in the UK and is not exempt must register with the ICO and pay the annual data protection fee. For commercial AI services that store conversation history, this is not optional. The ICO has already investigated several AI companies — most notably issuing a warning to Replika's operator Luka, Inc. in 2023 regarding the processing of children's data — and has publicly stated that AI is a regulatory priority.

MEOK AI LABS is ICO registered. Registration is publicly verifiable on the ICO register. This is not a marketing claim; it is a legal obligation we take seriously.

How is MEOK AI LABS compliant with UK data law?

MEOK was designed from the ground up to operate within the UK legal framework. Compliance is not a bolt-on; it is an architectural constraint.

ICO registration. MEOK AI LABS is a registered data controller with the Information Commissioner's Office.

Lawful basis. MEOK processes companion data under a clear contractual basis — it is necessary to deliver the service you have requested. We do not rely on opaque legitimate interests assessments for the core processing of your conversations.

Privacy by design. UK GDPR Article 25 requires that data protection be considered from the earliest stages of product design. MEOK's encrypted vault architecture, per-user key management, and row-level database security were all specified at the design stage, not added to an existing system after the fact.

No default training. MEOK never trains on your conversations. This is not a setting buried in account preferences — it is the architectural default and the contractual commitment in our terms of service.

UK data residency. MEOK is actively building UK-region hosting options. The forthcoming Desktop OS (Summer 2026) will process all data entirely on your own hardware — making international transfer law irrelevant because no transfer occurs.

What is the Children's Code and does it apply to AI?

The Age Appropriate Design Code — known as the Children's Code — came into force in September 2021. It is a statutory code of practice issued under the Data Protection Act 2018, and it applies to any online service “likely to be accessed by children” in the UK. A service need not be explicitly targeted at children to be in scope; if it is likely that under-18s will use it, the Code applies.

For AI companion services, the implications are significant:

  • Privacy settings must be high by default — no dark patterns nudging children towards sharing more data.
  • Data minimisation — only collect data strictly necessary for the service a child is using.
  • No profiling — unless you can demonstrate a compelling reason and appropriate safeguards.
  • Geolocation off by default for users under 18.
  • Nudge techniques are prohibited — you cannot use design tricks to encourage children to share more personal data or extend their usage time.
  • Best interests of the child must be a primary consideration in all design decisions.

Several AI companion services — including Replika, which actively markets itself as an emotional companion — have faced regulatory pressure under the Children's Code. MEOK applies Children's Code standards to all users under 18 by default, with enhanced protections in Guardian mode for children whose accounts are linked to a parent or carer.

What rights do you have over your AI's data about you?

Under the UK GDPR and Data Protection Act 2018, you hold a comprehensive set of rights over personal data that any organisation — including an AI service — holds about you:

  • Right of access (SAR). You can request a copy of all personal data held about you — a Subject Access Request. The controller must respond within one calendar month.
  • Right to rectification. You can require inaccurate personal data to be corrected or incomplete data to be completed.
  • Right to erasure. You can request deletion of your personal data, subject to limited exceptions (legal obligations, freedom of expression, etc.).
  • Right to restriction. You can ask for processing to be suspended — for example, while a correction request is being considered.
  • Right to data portability. Where processing is based on consent or contract and carried out by automated means, you can receive your data in a structured, commonly used, machine-readable format, and transmit it to another controller.
  • Right to object. You can object to processing based on legitimate interests, including any profiling based on those grounds.
  • Rights related to automated decision-making. You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

These are not theoretical rights. Failure to respond to a Subject Access Request within the statutory timescale is an enforceable breach — and the ICO takes them seriously.

How does MEOK handle data subject requests?

MEOK provides self-service tooling for all UK GDPR rights, accessible directly from your account dashboard:

Data export (portability). A single-click export endpoint generates a complete structured JSON archive of your entire MEOK vault — every conversation, every memory, every preference. The file is yours to take to any platform. No request to customer support required; no waiting.

Full deletion (right to erasure). Selecting account deletion initiates the cryptographic erasure flow described above. The per-user encryption key is destroyed immediately; the physical data sweep completes within 24 hours; and you receive a deletion confirmation. The entire process is completed within the one-month statutory window — typically within 24 hours.

Subject Access Requests. Formal SARs can be submitted via privacy@meok.ai. MEOK will acknowledge within 72 hours and fulfil within one calendar month. For straightforward requests, the self-service export tool satisfies the obligation immediately.

Corrections and restrictions. Both can be actioned via the account settings panel or by contacting our data protection contact. We aim to confirm completion within five working days.

UK compliance comparison: MEOK vs ChatGPT, Gemini, Replika

Based on publicly available privacy policies, ICO register records, and regulatory findings as at March 2026. Partial indicates incomplete, unclear, or opt-out-only compliance.

| Compliance Dimension | ChatGPT | Gemini | Replika | MEOK | Notes |
|---|---|---|---|---|---|
| ICO Registered | ✓ | ✓ | ✓ | ✓ | OpenAI and Google operate under separate EU/UK transfer mechanisms; Replika is US-only registered. |
| UK GDPR Lawful Basis (Companion Data) | ✓ | ✓ | ✓ | ✓ | Legitimate interest is commonly claimed but contested for deeply personal companion conversations. |
| Children's Code Compliance | ✓ | ✓ | ✓ | ✓ | ChatGPT and Replika have faced criticism from the ICO for inadequate child protections. |
| Right to Erasure (Cryptographic) | ✓ | ✓ | ✓ | ✓ | MEOK uses cryptographic key deletion to make data provably irrecoverable on erasure. |
| Data Portability (Full Export) | ✓ | ✓ | ✓ | ✓ | MEOK provides a full structured JSON export endpoint including all memories and conversations. |
| No Training on User Data (Default) | ✓ | ✓ | ✓ | ✓ | MEOK never trains on user conversations. ChatGPT and Gemini train by default unless opted out. |
| UK Data Residency Option | ✓ | ✓ | ✓ | ✓ | MEOK is building UK-region hosting. Desktop OS (Summer 2026) will be fully local. |
| Designated Data Protection Officer | ✓ | ✓ | ✓ | ✓ | Replika has no publicly listed DPO contact for UK users. |

✓ Compliant · ⚠️ Partial / opt-out only · ✗ Non-compliant / unclear

UK data protection law was not written with Silicon Valley business models in mind. It was written to protect people — specifically, to ensure that intimately personal data cannot be harvested, profiled, and monetised without meaningful consent. An AI companion, by definition, processes some of the most personal data that exists: your thoughts, your anxieties, your relationships, your daily rhythms. The UK law is clear that this data demands the highest standard of care.

MEOK AI LABS was founded in England precisely because Nicholas Templeman believed that a UK company should build a UK-law-native AI companion — not adapt an American product to UK law as an afterthought. Sovereign AI and UK data rights are the same argument from different directions: your data belongs to you, the law agrees, and the technology should enforce it.

Built in England · ICO Registered · Free Forever

Your AI companion should obey UK law by default.

MEOK is the only AI OS built from the ground up for UK data rights. ICO registered. UK GDPR compliant. Cryptographic erasure. No training on your conversations. Your data is genuinely yours — protected by law and by architecture.
