TL;DR. A class action filed in California this month alleges that chatbot conversations are routed through advertising trackers. The argument lands because chatbots are now the most intimate technology many people use. Privacy policies cannot prevent this kind of leak; only architecture can. Ostler keeps every reasoning step on the customer’s own Mac, because the only privacy you can audit is the privacy your architecture cannot violate.
People tell their chatbots things they would never put in a search bar. Symptoms. Affairs. Salary numbers. Drafts of letters they will not send. The interaction feels like a conversation with someone who is paying attention, because that is exactly what the product is built to feel like. The back end is something else.
On 13 May the Tech Justice Law Project filed a class action in California against OpenAI, alleging that chatbot exchanges have been routed through tracking infrastructure run by Meta and Google, turning intimate text into advertising signal. Futurism’s framing of the contradiction is the cleanest summary I have read in a year:
“When you’re interacting with a chatbot that engages with you as if it’s another person, it can be easy to forget that it is, in fact, a product that’s siphoning up, storing, and sharing your personal information.”
Source: Futurism, 14 May 2026
The same law firm filed an earlier complaint against Perplexity over financial information leaking through pixel trackers. The pattern is not one company; it is the category. We are watching the moment that the consumer-AI industry’s surveillance heritage stops being a discreet engineering detail and starts being a courtroom exhibit.
Intimacy is real. So are the pixels.
The intimacy is not marketing. Therapy is the most-cited use of consumer chatbots in every survey published this year. People who would never confide in a stranger at a bus stop confide in something that answers in fluent prose at three in the morning. Adolescents do it. The bereaved do it. People making medical decisions do it. People considering separations and resignations and disclosures do it.
What sits behind the prompt box, in every case bar one, is a remote inference cluster owned by a company whose unit economics are built on storing what you said. Sometimes for training. Sometimes for service improvement. Sometimes, if the complaints filed this month are upheld, for advertising. The interaction is the most personal thing many people have ever typed into a computer. The pipeline ends somewhere they have never been and cannot see.
Jeff Bezos taught Amazon to distinguish one-way doors from two-way doors. A two-way door is a decision you can walk back through; a one-way door is one you cannot. Typing your most intimate thoughts into a chatbot that stores them is a one-way door. You can’t unshare your soul.
The defence the industry offers is a privacy policy. A privacy policy is a promise. A promise is enforced by lawyers, in retrospect, on a timescale that does not help the person whose disclosures are already sitting in a training corpus. We have spent twenty years learning what enterprise-grade promises are worth. The honest version of the answer is “it depends what your counterparty does next”.
The architecture decides
The only kind of privacy you can audit is the kind your architecture cannot violate. Everything else is paperwork.
This is the point that has been getting lost in the consumer-AI privacy debate. There is a meaningful and physical difference between an assistant that promises not to share your inner life with a third party and an assistant that cannot, because the inner life never leaves the machine it was typed into. The first kind requires you to trust a company’s intentions, its lawyers, its acquisition path, its future CEO, and every contractor with database access. The second kind requires you to trust a network interface card. You can disconnect a network interface card.
Ostler is the second kind. Every component that touches personal data (the reasoning model, the personal memory graph, the channel adapters for iMessage and WhatsApp and email, the ingest pipeline for photos and calendar and browser history) runs on the customer’s own Mac. There is no cloud round-trip for personal queries. The local model answers locally. The graph it queries is on the same disk. There is an opt-in path to a cloud model for the rare cases you want it, off by default; when you turn it on, you see every word that is about to leave your Mac before it goes.
The independent technical proof of this is the App Store privacy “nutrition label”. Apple now requires applications to declare every category of data they collect and every tracking SDK they embed. Ours says “Data Not Collected”. No analytics SDK. No telemetry endpoint. No advertising identifier. No third-party crash reporter that calls home with stack traces. A clean-room audit of the iOS app binary will return zero tracking SDKs because there are zero tracking SDKs to find. Apple’s label is the only privacy claim in the industry that is enforceable by the platform rather than the vendor, and ours is honest.
The trade-off, named
This costs more to build. You cannot ship a consumer AI product as architecturally private by writing a longer privacy policy. You have to put everything that normally lives in a cloud (the reasoning, the retrieval, the embeddings, the graph, the channel adapters) on a laptop that the customer already owns. You have to make it fast enough that the customer does not notice. You have to do it without the elastic infrastructure that lets every other team in this category iterate quickly and cheaply.
It has taken eight months. It is the moat. We are happy with the trade.
Close
The next decade of consumer AI will be a debate about where the pipeline ends. The companies arguing that it can safely end at their data centres will spend that decade in court. The companies arguing that it should end at the customer’s own machine will spend it building.
The world does revolve around you.™ The architecture should too.
Questions, corrections, disagreements – [email protected].