What is a private AI companion?
A private AI companion is a personal AI assistant designed so the provider cannot read what you tell it. Instead of relying on a privacy policy, it relies on architecture: your content is encrypted on your device with a key derived from your passphrase, and the server stores only ciphertext it cannot open. It differs from a chatbot in persistence and from a voice assistant in depth of memory.
Not a chatbot window
A chatbot is a place you go: you open a tab, ask a question, close the tab, and the relationship resets. A voice assistant is a command line you speak to: it sets the timer, answers the question, and forgets you. A companion is a presence that stays. It remembers your life over months, notices your calendar and your reminders, and carries the same context across your phone, your desktop, and the web. That persistence is the whole value, and it is also exactly why privacy matters more here than anywhere else in consumer software. A companion that works accumulates the most sensitive dataset you own: your schedule, your worries, your health notes, your money, your relationships.
What private means: architecture, not policy
Most products protect your data with policy: the provider can technically read everything, and promises not to. A private companion protects it with architecture: the content is encrypted before it leaves your device, using a key derived from a passphrase only you know, and that key never leaves your device. The server stores sealed envelopes of ciphertext. It can lose them or return them, but it cannot open them. The provider does not have to be trusted with your content, because the provider never has your content.
- Encryption in transit (HTTPS) protects data on the wire, but the server reads everything on arrival.
- Encryption at rest protects the provider's disks, but the provider holds the keys and can still read everything.
- End-to-end encryption keeps the keys on your devices, so the provider can read nothing but the envelope.
Who needs one, and who does not
The case for a private companion scales with how much of your real life you plan to hand it. If you only ever ask an AI throwaway questions, any chatbot is fine and the privacy architecture barely matters. The calculus changes when the assistant is meant to hold things that stay sensitive for years.
- You journal, or talk through health, money, family, or work decisions with the assistant.
- You want proactive help with your calendar, tasks, and reminders, which requires the assistant to hold that data durably.
- You handle other people's confidential information and cannot let it sit readable on a third-party server.
- You want the relationship to last years, which means the accumulated record must not depend on a policy staying friendly.
You probably do not need one if your use is stateless: one-off answers, code snippets, drafts you paste in and out. Privacy architecture protects stored life context; if you store none, a simpler tool serves you fine.
The three architectures
Every personal AI product sits somewhere on a triangle between three basic designs. Naming them precisely makes the marketing easier to see through.
| Architecture | Where your content lives | Who can read it | The tradeoff |
|---|---|---|---|
| Local-only | Your device, and nowhere else | Only you | No cross-device sync, and the model quality is limited to what your hardware runs |
| Plain cloud | The provider's servers, readable | You and the provider, bound by policy | Full convenience and the strongest models, at the cost of trusting the policy |
| Hybrid end-to-end | Your device in the clear; the cloud as sealed ciphertext | Only you; the server holds envelopes it cannot open | Sync and continuity without a readable copy, but you must keep your passphrase |
Local-only is the local-first ideal and genuinely strong, but it gives up continuity between devices. Plain cloud is what most AI products ship, because it is the easiest to build. The hybrid design encrypts stored content on the device and syncs only ciphertext, so you keep continuity without giving the provider a readable copy of your life.
A decision framework
| If this describes you | Lean toward | Because |
|---|---|---|
| One device, maximum control, technical comfort | Local-only | Nothing leaves the machine, and you accept the sync and model limits |
| Casual, stateless use with nothing sensitive stored | Plain cloud | The convenience is real and the exposure is small when nothing accumulates |
| A durable personal record across phone and desktop | Hybrid end-to-end | Continuity requires a server, and end-to-end encryption keeps that server blind |
| You cannot risk a provider policy change ever exposing history | Local-only or hybrid end-to-end | Both remove the readable server copy that a policy change could newly exploit |
How Violet applies this
Violet is a personal AI partner built on the hybrid end-to-end architecture, currently pre-launch. On your device, your passphrase is run through PBKDF2-SHA256 with 200,000 iterations to derive a 256-bit AES-GCM key that the browser marks non-extractable: the platform itself refuses to export it. Content is sealed under that key before sync, and the server stores only a nonce and ciphertext per record, plus the minimal metadata sync needs. Decryption is authenticated, so a tampered envelope fails closed instead of returning garbage. Inside the app, a Trust panel shows what is stored on the device and what the cloud can see, read from real state at the moment the panel opens, not from marketing copy. Voice input is push-to-talk only: the microphone is live only while the button is held, with no wake word and no always-listening mode.
Common misconceptions
- "Private means offline." No. Local-only is one private design, but end-to-end encryption can keep stored content private while still using a cloud for sync.
- "HTTPS means my chats are private." HTTPS protects the wire. The server still reads everything on arrival unless the content was encrypted before it left your device.
- "If the company is trustworthy, the architecture does not matter." Companies change owners, policies, and jurisdictions. Architecture is the only property that survives all three.
- "End-to-end encryption means the provider sees nothing at all." It sees metadata: that an account exists, when it syncs, roughly how much data moves. An honest product enumerates this.
- "Memory requires the provider to read my data." It does not. Memory can be stored as ciphertext and decrypted only on your devices.
Edge cases and honest limits
An honest description of this category includes what end-to-end encryption does not do. First, passphrase loss is real loss: if the key is derived from your passphrase and never leaves your devices, a provider that could recover your content would, by definition, hold a key, so a true implementation cannot rescue you. Second, metadata remains visible, as above. Third, there is an inference boundary: a model cannot reason over ciphertext, so whenever cloud reasoning is used, the prompt being answered is visible to the model at that moment. End-to-end encryption protects what is stored and synced; a candid product states that boundary plainly instead of implying the model reads nothing.
Where the category is going
Three pressures point the same direction. Assistants are becoming resident rather than visited, which makes the accumulated record larger and more intimate. Users have learned that policies and owners change. And the platform primitives for doing this properly, such as the Web Cryptography API with non-extractable keys, now exist in every mainstream browser. The likely end state is that "the provider cannot read it" becomes a standard question buyers ask of any personal AI, the way "is it encrypted in transit" became standard a decade ago. Products built on readable-server architectures will have to argue for trust; products built on sealed-envelope architectures can simply show their design.
Questions
Is a private AI companion the same as running a model locally?
No. Running a model locally is one way to keep content private, and it works with no cloud at all. A private AI companion can also use cloud sync and cloud inference while staying private about stored content, by encrypting that content on the device so the server holds only ciphertext. The two approaches solve different parts of the problem and can be combined.
Can a provider with end-to-end encryption still see anything?
Yes: metadata. Even with end-to-end encrypted content, a provider typically sees account identifiers, when devices sync, and how much data moves. It cannot see the content inside the envelopes. An honest product enumerates its metadata plainly instead of implying it sees nothing at all.
What happens if I lose my passphrase?
In a true end-to-end design, the content key is derived from your passphrase and exists only on your devices, so the provider cannot recover your encrypted content. That is not a flaw; it is the proof the architecture is real. A provider that can reset your passphrase and still show you your history necessarily holds a key.
Is Violet available today?
No. Violet is pre-launch: the apps are not in stores yet, and there is a waitlist on the home page. Joining stores your email address and nothing more, and you can ask to be removed at any time.