Skip to content
PrivateAI
← Back to Home
AI Privacy

The AI Tool That's Actually Watching You — And It's Not the One You Think

9 min read min readBy PrivateAI Team

Here is the thing about the AI privacy conversation everyone is having: it is aimed at the wrong targets.

Privacy-conscious tech workers audit ChatGPT. They read OpenAI's terms of service. They install Ollama and feel good about it. Then they open VS Code with GitHub Copilot running, paste a proprietary API spec into Grammarly to clean up a Jira comment, and ask Notion AI to summarize their team's Q3 roadmap.

Those three tools just sent your employer's unreleased product plans to three different AI company servers. And you were so busy worrying about ChatGPT that you never thought to check.

The real question isn't "is ChatGPT watching me?" It's "which AI tool is watching me that I haven't even thought to question?"

The answer — almost universally — is the AI that has been integrated into tools you already trust.


Why Your AI Privacy Model Is Wrong

Most people reason about AI privacy the same way they reasoned about cloud storage in 2012: they evaluate the product they consciously chose, and ignore the dozen integrations that came along for the ride.

You probably have a mental model that looks something like this:

  • ChatGPT = sends data to OpenAI = risky
  • Claude = sends data to Anthropic = risky
  • Local LLM = stays on device = safe

This is correct, but it accounts for maybe 20% of your actual AI data exposure.

The other 80% lives in embedded AI: tools you use every day that added "AI features" in the last 18 months without you reading the updated privacy policy. Tools that sit inside your editor, your email client, your browser, your document editor — tools that already have read access to everything you do.


The Tools Most Likely to Be Watching You Right Now

GitHub Copilot / Copilot Chat

If you have Copilot enabled in VS Code, it is reading your code as you type. Not just the file you have open — the context window GitHub uses includes open tabs, recently visited files, and workspace metadata.

GitHub's data policy states that Copilot Individual users have telemetry on by default, including code snippets. Enterprise users get stronger protections, but "Enterprise" means your company paid for it and configured it — if you're using Copilot on a personal subscription at work, you may be under Individual terms, not Enterprise terms.

The practical exposure: proprietary algorithms, internal API endpoints, environment variable names (not values, usually — but file structure metadata tells a story), and architectural patterns your company has not disclosed publicly.

What to do: Check ~/.gitconfig and VS Code settings for github.copilot.enable. If you are on Individual, either upgrade to a company-managed Enterprise plan or switch to a privacy-respecting alternative. Locally-run coding assistants like Continue.dev with Ollama give you autocomplete with zero network egress.

Grammarly

Grammarly's browser extension requests access to "all text you type on any website." That is the permission you click through during install. In practice, Grammarly sees everything you type in your browser: emails, Slack web, Jira tickets, internal wikis, form fields.

Their AI features process text on Grammarly's servers. Their privacy policy permits them to use "de-identified" data to improve their models. Whether you trust that de-identification holds up under a subpoena or a data breach is a separate question.

The exposure vector is not someone at Grammarly reading your emails. It is bulk telemetry that includes the structure and vocabulary of confidential communications — enough to reconstruct sensitive context.

What to do: Disable the Grammarly extension for work browsing. Use it in a dedicated browser profile for personal writing only. For work documents, run local grammar checking via a self-hosted model or use VS Code's built-in spell check for code comments.

Notion AI / Linear AI / Confluence AI

Productivity tool AI features are the sleepiest vector. You already put your roadmaps, meeting notes, engineering specs, and hiring plans in these tools. When you hit "summarize" or "improve writing," that content goes to the AI provider the tool has contracted with — often OpenAI.

Notion AI's terms state it uses OpenAI's API. Notion has a DPA you can sign, but that governs how Notion handles data, not how OpenAI processes it during inference. OpenAI's API terms say they do not train on API data by default — but they reserve the right to use it for safety purposes.

The practical question is not whether any one company will misuse your data. It is whether you are comfortable with a chain of custody that looks like: your company → Notion → OpenAI → OpenAI's subprocessors. For most enterprise security policies, that chain is not acceptable for anything above "public."


The Surveillance Is Structural, Not Conspiratorial

It is worth being precise about the threat model here, because the wrong framing leads to the wrong solutions.

AI tools are not watching you because their engineers are malicious. They are watching you because the business model of AI requires training data, and the business model of SaaS tools requires integrating AI to stay competitive, and the path of least resistance is to route user data through cloud inference APIs.

The result is structural surveillance — not targeted, not malicious, but persistent and broad. Your data is being used to improve models you compete against. Your employer's secrets are flowing through third-party infrastructure. The privacy policy is technically correct, but the sentence "we may use de-identified data to improve our services" appears in nearly every one.

This is not a reason to panic. It is a reason to be deliberate.


The Privacy-Respecting Stack That Actually Works

Here is what a deliberate AI privacy setup looks like in practice for a technical worker in 2026.

Tier 1: Zero-network AI (for sensitive work)

For anything you would not want to appear in a data breach — proprietary code, client data, internal strategy — run AI locally. Ollama on an M-series Mac handles 13B parameter models fast enough for practical use. Models like Mistral 7B and Llama 3.1 8B cover most writing, summarization, and code review tasks.

The tradeoff is quality. Local models are meaningfully behind GPT-4-class models on complex reasoning tasks. Know when you need the extra horsepower and isolate that workflow.

Tier 2: Privacy-forward cloud AI (for non-sensitive work)

For public-facing research, general writing, and anything you would be comfortable emailing to a stranger, a cloud AI with strong privacy commitments is practical. Perplexity Pro is notable here — it offers source-cited research responses and has cleaner data handling policies than consumer ChatGPT. The paid tier also disables training on your queries by default.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.

Tier 4: Identity-separated AI accounts

For the cloud AI you do use, maintain separation between personal and professional accounts. Use Proton Mail for AI tool signups that are personal — keeping your work identity out of consumer AI platforms entirely. Proton's ecosystem (Mail, VPN, Drive) also gives you a privacy-forward communication stack that does not feed advertising or AI training systems.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.