Skip to content
PrivateAI
← Back to Home
AI Privacy

The AI Tool That's Actually Watching You: What Your 'Private' Chats Are Really Sending

9 min readBy PrivateAI Team

You did the right things. You read the privacy policy. You turned off training data opt-ins. Maybe you even switched from ChatGPT to something that sounds more private. And now you type sensitive prompts into your AI assistant with a quiet sense of security.

Here's the uncomfortable reframe: the threat was never just the AI model reading your prompts. It's the entire data infrastructure around the model — the browser extension with 47 permissions, the clipboard monitor, the enterprise telemetry baked into the SDK, the API call logs sitting on a server in Virginia that you agreed to in paragraph 19 of the terms of service.

The AI tool isn't always the one watching you. Sometimes it's everything else attached to it.

This article maps the actual data surfaces — not the ones companies put in their marketing, but the ones that privacy researchers, security auditors, and enterprise IT teams worry about. Then we'll show you the stack that actually closes the gap.


The Privacy Theater Problem

Most "privacy-focused" AI marketing targets one specific anxiety: Is the company training on my data?

That's a real concern. But it's also the easiest one for companies to address with a checkbox. Toggle off training. Problem solved, right?

Not remotely.

Training opt-outs address one downstream use of your data. They say nothing about:

  • How long your prompts are retained in server logs (often 30–90 days by default, sometimes longer)
  • Who at the company can access those logs (support teams, trust & safety, legal holds)
  • What happens during a breach — your "not used for training" prompts are still sitting in a database somewhere
  • Third-party API calls the app makes in the background — analytics, error tracking, A/B testing frameworks
  • Subprocessors listed in the privacy policy that can receive your data (common count: 20–80+ vendors)

This is privacy theater. The checkbox makes you feel protected. The architecture doesn't change.

OpenAI's API, to their credit, explicitly states they do not use API-submitted data for training by default. But "not training" isn't the same as "not storing." Log retention, incident response access, and legal compliance requests are separate policies entirely.

The fox question to ask isn't "Is this company training on my data?" It's "Where exactly do my prompts go, how long do they stay, and who can see them?"


Where Your Prompts Actually Go (It's More Stops Than You Think)

When you type a prompt into a cloud AI tool, here's a simplified version of what actually happens:

  1. Browser/app captures your keystrokes — some tools have keystroke-level analytics enabled
  2. Prompt is sent to the app's backend server — not directly to the AI model
  3. Backend preprocesses — context injection, system prompt insertion, user account metadata attached
  4. Call made to the LLM API — now your prompt is in OpenAI's, Anthropic's, or Google's infrastructure
  5. Response travels back through the same app backend
  6. Conversation logged to the app's own database (separate from the LLM provider's logs)
  7. Analytics event fired — session duration, feature usage, potentially prompt length or category

That's a minimum of three distinct organizations who touch your prompt in a standard SaaS AI product: your browser, the app company, and the LLM provider. Most enterprise tools add a fourth: their infrastructure provider (AWS, GCP, Azure) maintains access logs at the network layer.

Every one of those hops is a data surface. Every one of those organizations has its own retention policies, breach history, and government compliance obligations.

If you're using a browser-based AI tool and you've never audited the app's list of subprocessors, you don't actually know where your prompts go.


The Browser Extension Trap

Browser-based AI assistants — the kind that offer "AI everywhere" with a sidebar or overlay — are the highest-risk category that almost no one talks about.

To function, most of these extensions request permissions like:

  • Read and change all data on all websites — this is everything: banking, medical portals, internal tools
  • Clipboard access — everything you copy gets read
  • Tab/navigation history — the extension knows every URL you visit

These aren't edge cases. They're standard permission requests for AI assistants that want to "help" you across your whole browser.

Now ask yourself: what's the extension's privacy policy? Who built it? When was it last audited? If it was acquired by a larger company (extremely common in the extension space), did the new owner inherit user data?

There have been multiple documented cases of browser extensions — including AI-adjacent ones — being sold to ad tech companies or data brokers, then retroactively changing their data practices. The new owner doesn't need to re-ask for permissions. You already granted them.

The practical rule: Never install a browser AI extension that requests "read all data on all websites" unless the extension is fully open source and you've reviewed recent audits. The convenience isn't worth the exposure.

For AI assistance in your browser, compartmentalize: use a dedicated browser profile or a hardened container for AI tools. Keep it isolated from your banking and work sessions.


What "Local" Really Means — and When It Doesn't

Local LLMs are the correct answer to the cloud privacy problem. If the model runs on your device and your prompt never leaves your network, there's no server log, no subprocessor, no retention policy to worry about.

But "local" has become a marketing term, and not every product that uses it means what you think.

Watch for these patterns:

"Local processing, cloud sync" — The model runs locally, but your conversation history syncs to the company's cloud for backup or cross-device access. Your prompts end up on their servers anyway.

"Local model, remote context" — Some tools run a small local model but offload complex tasks to a cloud model automatically. The switchover may not be obvious.

"On-device" mobile apps with phone-home telemetry — The inference is local, but the app fires analytics events including session metadata, prompt lengths, and error logs to remote servers.

LM Studio, Ollama, and Jan are the gold standard here — they run inference entirely locally, have no cloud sync by default, and are open source so the behavior is auditable. If you're running models through these tools on your own hardware, your prompts genuinely do not leave your machine.

The benchmark for evaluating any "local" AI claim: Can it run fully in airplane mode with no data exfiltration? Open a network monitor (Wireshark, Little Snitch, or even macOS's built-in Activity Monitor network tab) and watch what the app calls while you're prompting. That's your ground truth.


The Sensitive Document Problem Nobody Talks About

Even if you've solved the prompt leakage problem — you're running a local LLM, you've killed the browser extension, you're satisfied with your setup — there's still a category of risk that privacy-focused AI users routinely underestimate: the files you feed to the model.

Retrieval-Augmented Generation (RAG) workflows are now standard practice. You're dropping PDFs, contracts, financial statements, and internal docs into AI tools to get answers. In cloud AI tools, those documents travel the same pipeline as your prompts. In some cases, they're chunked, embedded, and stored separately — with their own retention timeline.

Even with local LLMs, the question is: where are you storing those documents, and who else has access?

If your sensitive context files live in Google Drive or Dropbox and you're pulling them into AI tools, you've already shared them with cloud infrastructure. The local LLM is a fig leaf.

The correct architecture for sensitive document + AI workflows:

  1. Store source documents in end-to-end encrypted storageTresorit applies zero-knowledge encryption, meaning even Tresorit can't read your files. Your documents stay encrypted until they hit your device.
  2. Process locally — pull files from encrypted storage to local disk, run inference with Ollama or LM Studio, delete the local copy when done
  3. Never paste sensitive excerpts into cloud AI tools — even "don't train on my data" tools retain logs

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.

That's a fundamentally different privacy guarantee than "we won't train on your data."


The Stack That Actually Closes the Gap

To summarize the threat model and the practical response:

| Threat Surface | Mitigation |

|---|---|

| Cloud AI prompt logging | Local LLM (Ollama, LM Studio, Jan) for sensitive work |

| Browser extension over-permissioning | Dedicated browser profile; avoid "read all sites" extensions |

| Sensitive document pipeline | Tresorit zero-knowledge storage + local processing |

| Cloud AI training (secondary concern) | API access with training opt-out, or Perplexity's privacy mode for research queries |

| Email/calendar AI integrations | Proton for encrypted comms infrastructure |

| "Local" tools with cloud telemetry | Network monitor audit; prefer fully open-source tools |

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.