How to choose a personal AI assistant: 14 questions
The fastest way to evaluate a personal AI assistant is to ask the vendor a short list of concrete questions: whether they can read your content, where the encryption key lives, what the server stores, what survives deletion, and what happens if you lose your passphrase or they shut down. Good answers are specific and checkable. Vague answers are themselves the finding.
Why questions beat feature lists
A personal AI assistant that works well accumulates the most sensitive dataset you own: your schedule, your relationships, your health notes, your worries. Feature lists tell you what the product does this quarter. Architecture tells you what the vendor can do with that dataset for as long as you use it, and after. The fourteen questions below are answerable by any vendor in plain language, apply to every product in the category, and cost you one email to ask. What follows is the list, what a good answer sounds like for each group, and the red flags that end the conversation.
Who can read what
- Can you read my content, even in principle? Is that prevented by architecture or only by policy?
- Where is the encryption key derived, and does it ever leave my device?
- What exactly does the server store for each record I sync?
- What metadata do you still see when content is encrypted?
A good answer here is mechanical, not reassuring. It sounds like: the key is derived from your passphrase on your device using a named algorithm, it is never transmitted, and the server stores an encrypted envelope plus the fields it needs to order versions. A good answer to the metadata question is an honest list: account identifiers, sync timing, record counts, approximate sizes. Every provider sees some metadata. The vendor who says the list out loud understands its own system; the vendor who says nothing at all is either not looking or not telling.
Retention, deletion, and training
- What is retained after I delete something, and for how long?
- Is my content used to train models, by you or by your model provider?
- What does the inference provider see when the assistant answers me, and is that handling transient?
Deletion in synced systems is rarely instant erasure everywhere; deletions commonly propagate as tombstone markers so other devices learn about them. That is normal engineering, and a good vendor explains it rather than claiming impossible instant erasure. On training, the good answer is a plain yes or no with the model provider named. On inference, the honest answer to expect is that a cloud model processes the text of each request while answering it; the meaningful follow-up is what is stored afterward and under whose keys. A vendor who implies the model never sees your words while also using a cloud model is describing something that cannot be true.
Verification and honesty
- Is there a surface in the product where I can verify these claims myself?
- Is the microphone ever listening when I have not asked it to?
- When the assistant remembers something about me, can it show me where that memory came from?
- What does the product show when it has no data: an honest empty state, or filler?
Claims you cannot check are marketing. A verifiable product exposes real state: what is stored on this device, what the cloud can currently see, whether a session is live. Browsers already put part of this within reach; anyone can open developer tools and inspect what a web app stores locally, so a vendor claiming minimal local storage is making a claim you can test in minutes. Voice deserves its own question because an always-listening microphone is a standing risk that a push-to-talk design simply does not have. And memory provenance is the honesty question in disguise: an assistant that cannot cite where a memory came from cannot tell you, or itself, the difference between a fact and a guess.
Control and exit
- If I lose my passphrase, can you recover my content?
- Can I export all of my data in a usable format?
- What happens to my data if you shut down or are acquired?
The passphrase question is the sharpest instrument in this list. Under real end-to-end encryption the only honest answer is no: the vendor cannot recover content sealed under a key it never had. A vendor that advertises end-to-end encryption and also offers full content recovery after a forgotten password is holding a key somewhere, whatever the marketing says. Export and shutdown are the exit questions. Good answers: export gives you everything in an open format you can read without the product, and if the company disappears, either the data is already on your device or you get a real window to take it. If the vendor cannot answer the shutdown question, the answer is that your data's future depends on events nobody controls.
Red flags that end the evaluation
- Encryption described with adjectives instead of algorithms, with no statement of who holds the keys.
- Privacy that exists only in the policy document, with no architectural mechanism behind it.
- A zero-knowledge or end-to-end claim combined with password reset that restores your content.
- Inability or unwillingness to enumerate the metadata the service sees.
- Memory features with no visible sources, and empty states filled with invented-looking content.
- An always-on microphone framed purely as convenience, with no clear off state you can confirm.
- Every hard question answered with a testimonial, a badge, or a change of subject.
How Violet answers these
Violet is pre-launch, so the honest availability answer is: not yet, there is a waitlist. On the questions themselves, its published code answers plainly. The content key is derived from your passphrase on your device via PBKDF2-SHA256 with 200,000 iterations and is non-extractable; the server stores a nonce, ciphertext, and version metadata per synced record and cannot open the envelope, which also means a lost passphrase is not recoverable by the provider. The app ships a Trust panel that reads real state at the moment it opens: the actual local storage keys on your device listed in full, the actual cloud flags, and a live session probe that says so plainly when the core does not answer. Voice is push-to-talk with no wake word and no always-listening mode, and empty states say that nothing is there rather than inventing content.
Questions
What is the single most revealing question to ask a vendor?
Ask whether they can recover your content if you lose your passphrase. Under real end-to-end encryption the answer must be no, because the key is derived on your device and never held by the vendor. A yes means the vendor holds a key, whatever the marketing language says.
Do these questions only apply to privacy-focused assistants?
No. Every assistant has answers to all fourteen, because every assistant stores data somewhere, retains something after deletion, and will someday shut down or change hands. Privacy-focused products just tend to publish the answers. Asking the same questions of every vendor puts them on one comparable footing.
What if a vendor refuses to answer?
Treat the refusal as data. These are questions a competent team can answer from memory about its own system. A vendor that will hold your personal life but will not say who can read it has answered the most important question implicitly.