You Switched to a Local LLM. Your Documents Are Still Going to OpenAI.
> Last updated: 2026-06-18
Most people who take AI privacy seriously do the right thing: they install Ollama, pull a Llama or Mistral model, and breathe a sigh of relief. No data leaves the machine. Problem solved.
Except it isn't.
There's a second pipeline in nearly every "local" AI setup that almost nobody audits. It runs quietly in the background, and it sends every document you've ever asked your AI to read — contracts, medical records, source code, client notes — to a cloud API you explicitly switched away from.
It's called the embedding pipeline. And it's the privacy blind spot that undermines a majority of "air-gapped" AI setups in the wild.
What Embeddings Are (and Why They're the Hidden Leak Point)
When you build a RAG (Retrieval-Augmented Generation) system — the architecture that lets your local LLM "read" a folder of your documents before answering questions — there are actually two separate AI calls involved:
- The generation call — Your question and retrieved context go to your LLM (Ollama, LM Studio, etc.). This is local. Fine.
- The embedding call — Your documents are first converted into numerical vectors (embeddings) so the system can find relevant passages to feed the LLM. This is where most setups call OpenAI.
When you run a popular RAG tool out of the box — LlamaIndex, LangChain, Anything LLM, or even a custom Python script you copy-pasted from a tutorial — the default embedding provider is almost always text-embedding-ada-002 or text-embedding-3-small. Both are OpenAI endpoints. Both require sending your document text to OpenAI's servers.
The LLM inference is local. The embedding step isn't. And the embedding step touches every sentence of every document you've ever indexed.
The 4 Invisible Exfiltration Points in a "Private" AI Stack
The embedding backdoor is the biggest issue, but it's not the only one. Here are the four places your supposedly private setup is likely leaking data:
1. The Embedding API (the main offender)
Any RAG setup using LangChain's default OpenAIEmbeddings, LlamaIndex's OpenAIEmbedding, or Anything LLM's cloud embedding provider is sending your document corpus to OpenAI. This happens silently during the indexing step — before you ever ask a single question.
Check your code or config for any of these strings:
```bash
grep -r "OpenAIEmbedding\|text-embedding-ada\|text-embedding-3" ~/.config/ ~/projects/
```
If you find a hit, you have a leak.
2. Telemetry from AI Front-End Tools
Several popular Ollama front-ends phone home by default:
- Open WebUI collects anonymous usage metrics (can be disabled in settings)
- LM Studio sends crash reports and usage telemetry (opt-out in preferences)
- Continue.dev (VS Code AI plugin) has a telemetry flag that many users never disable
None of these send your content, but they do send metadata: which models you use, query frequency, session counts. Combined with other signals, this is enough to fingerprint your AI usage patterns.
3. Cloud-Hosted Vector Databases
The vector database is where embeddings are stored after they're created. If you're using Pinecone, Weaviate Cloud, or Qdrant Cloud, your entire document corpus (in vector form) lives on someone else's server. Vectors can be partially reversed through model inversion attacks — especially for short, distinctive text chunks.
The rule: if your vector DB is not running on localhost or your own server, it's in the cloud.
4. Model Download Metadata
When you pull a model via ollama pull llama3, Ollama's registry sees your IP address, timestamp, and which model you requested. This isn't a catastrophic leak, but it creates a behavioral profile. If you're in a high-risk environment (journalist, legal professional, security researcher), pull models over Tor or a trusted VPN.
Why This Matters More Than ChatGPT's Privacy Policy
Here's the Fox reframe: most privacy-conscious users worry about ChatGPT's training data policies. But if you've built a local RAG system with a cloud embedding provider, you've potentially given OpenAI more sensitive data than a casual ChatGPT user ever would.
A ChatGPT user asks questions conversationally. A RAG user indexes their entire document library — every PDF in their downloads folder, every contract they've ever signed, their entire codebase. That indexing step sends all of it through the embedding API.
OpenAI's current API data policy states that API data is not used for training by default. But "not used for training" does not mean "not stored," "not logged," or "not accessible to OpenAI employees." The data transits their infrastructure regardless.
The threat model for a ChatGPT user is: "my conversations might be used in training." The threat model for a misconfigured RAG user is: "my entire document corpus was transmitted to a third party in plaintext."
Building a Genuinely Private AI Pipeline
The fix is straightforward once you know what to replace. Here's a fully local stack:
Step 1: Replace Cloud Embeddings with a Local Model
The two best options in 2026:
Nomic Embed (via Ollama)
```bash
ollama pull nomic-embed-text
```
This is the easiest swap. Nomic Embed runs entirely locally and produces embeddings that match or exceed text-embedding-ada-002 quality for most document types. In LangChain:
```python
from langchain_community.embeddings import OllamaEmbeddings
embeddings = OllamaEmbeddings(model="nomic-embed-text")
```
BGE-M3 (via Hugging Face / llama.cpp)
For multilingual documents or higher accuracy requirements, BGE-M3 is the current state of the art for local embeddings. It runs via llama.cpp and supports 100+ languages.
Step 2: Run Your Vector Store Locally
Replace Pinecone or Qdrant Cloud with a local instance:
```bash
Chroma (simplest, in-process)
pip install chromadb
Qdrant local (Docker)
docker run -p 6333:6333 qdrant/qdrant
```
Chroma is fine for personal use. Qdrant gives you better performance for larger document sets.
Step 3: Protect Your Source Documents Before They Touch the Pipeline
Before you index a sensitive document, it should live in encrypted storage. This is where the pipeline has a different kind of risk: if your source files are in an unencrypted folder and your machine is compromised, the attacker gets your documents without ever touching the AI stack.
For document storage before AI processing, Tresorit provides zero-knowledge encrypted cloud sync — meaning even Tresorit can't read your files. It's the right place to keep the source documents before pulling them locally to index.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.
Step 4: Audit the Full Stack
Run a network monitor while you index a document. On macOS:
```bash
sudo tcpdump -i en0 -nn -s 0 'tcp port 443' | grep -E 'api.openai|pinecone|weaviate'
```
On Linux:
```bash
sudo tcpdump -i eth0 -nn 'tcp port 443' | grep -E 'openai|pinecone|weaviate'
```
If you see any outbound traffic to those domains during indexing, you've found your leak.
The Minimal Fully-Private Stack (Copy This)
| Layer | Tool | Cost |
|-------|------|------|
| LLM inference | Ollama + Llama 3.3 | Free |
| Embeddings | nomic-embed-text (via Ollama) | Free |
| Vector DB | Chroma (local) or Qdrant (Docker) | Free |
| RAG orchestration | LlamaIndex (local config) | Free |
| Document storage | Tresorit or Proton Drive | $8-12/mo |
| Front-end | Open WebUI (telemetry off) | Free |
Total cloud dependency: zero AI calls. Your documents never leave your machine during inference or indexing.
How to Audit Your Existing Setup in 15 Minutes
If you're not starting from scratch, here's a quick audit:
1. Check your embedding configuration
```bash
LangChain projects
grep -r "Embeddings\|embedding_model" . --include="*.py" | grep -v "Ollama\|HuggingFace\|local"
Anything LLM
cat ~/.anythingllm/config.json | grep -i embed
```
2. Check your vector DB connection strings
```bash
grep -r "pinecone\|weaviate.io\|qdrant.io\|api.openai" . --include=".py" --include=".env" --include="*.yaml"
```
3. Check for API keys that shouldn't exist
```bash
env | grep -i "OPENAI_API_KEY\|PINECONE_API_KEY\|WEAVIATE_API_KEY"
```
If any of those keys are set in your environment, some tool is configured to use them.
The Bigger Picture: Data Sovereignty Means the Whole Stack
The privacy conversation about AI has been almost entirely focused on the LLM endpoint. Which model you use. Whose servers answer your questions. That's the visible part of the pipeline — the part that has a ChatGPT interface or an API you consciously call.
The embedding pipeline, the vector store, the telemetry, the document storage layer — these are invisible. They don't have chat interfaces. They don't show up in your browser history. They run as library calls inside larger tools, documented only in configuration files that most users never open.
A genuinely private AI setup requires treating data sovereignty as a property of the entire pipeline, not just the inference step. Every layer that touches your data — where it's stored, how it's converted, where those conversions are sent — has to be local, encrypted, or both.
The good news: the local alternatives are now as good as or better than the cloud options for most use cases. Nomic Embed vs. text-embedding-ada-002 is not a meaningful quality trade-off for typical document retrieval. The only thing you're giving up is convenience — and the implicit assumption that "local LLM" means "private."
That assumption is the real privacy threat hiding in your setup.
Start Here
- Run the audit commands above on your current setup
- Replace any cloud embedding provider with
nomic-embed-textvia Ollama - Move your source documents to Tresorit or Proton Drive for encrypted-at-rest storage
The full migration takes under an hour for most setups. The peace of mind is worth considerably more.
Want a step-by-step walkthrough for migrating a LangChain or LlamaIndex project to a fully local stack? Drop your email below and we'll send the implementation guide — including configuration templates for the three most common RAG architectures.
Get the Full Migration Guide
Step-by-step configs for LangChain, LlamaIndex, and Anything LLM — all local, all private.