Privacy in AI Productivity Apps: What Actually Leaves Your Device

Sergey Litau

There is a phrase that has spread across the App Store descriptions of every AI productivity app released in the past two years: “your data stays private.” It appears in landing page hero sections, in onboarding screens, and in the bullet lists beneath the subscribe button. It is repeated often enough that most people treat it as a category feature rather than a specific technical claim. But “private” is not a technical term. It is a marketing posture, and what it describes varies enormously from app to app.

Some apps mean that your data is not sold to advertisers. Others mean that they do not store task content on their own servers. Others mean that a third-party AI provider does not use your inputs to train its next model. A few mean all three things simultaneously. The problem is that none of these meanings are equivalent, and an app can satisfy one while failing the others — and still print “private” in the headline with a clean conscience.

This matters more for voice-first AI planners than for almost any other app category, because the data involved is qualitatively different from a tap on a toggle. When you dictate a task, the audio contains your voice, your background noise, your phrasing patterns, and — depending on what you are scheduling — fragments of your professional and personal life. Before a single word appears on screen, that audio has typically traveled across several technical boundaries. Knowing exactly where it goes, and what happens at each stop, is not paranoia. It is basic information hygiene.


What “private” usually means in AI productivity copy

When an AI productivity app claims privacy in its marketing, the claim almost always refers to one specific layer of the stack and nothing else. The most common version is “we don’t sell your data,” which is a meaningful promise but a narrow one. It says nothing about how long the app retains your content on its own servers, whether it routes your audio through a third-party speech recognition service, or what that service’s own data policy looks like downstream.

A second common framing is “end-to-end encrypted.” This is a storage and transmission claim. Encrypted data is still data that left your device. Encryption protects the data from interception in transit, but it does not prevent the receiving server from decrypting it, processing it, and retaining it under the app’s own retention schedule. If an AI provider receives your dictated text to parse it into structured tasks, the fact that it arrived encrypted does not prevent that provider from logging the request.

A third framing, increasingly popular as on-device AI has become a marketing angle, is “runs on your device.” This sometimes means that the language model weights are bundled in the app binary and inference happens locally. But the same app may still route the audio capture to a cloud speech-to-text service before the on-device model ever sees it. If the STT step is cloud-based, then “runs on your device” describes only one hop in a multi-hop chain.

None of these claims are dishonest in isolation. The problem is that they are deployed in contexts that encourage users to generalize them into a broader privacy guarantee that the app has never actually made. The honest version of each claim would specify which layer it covers and explicitly acknowledge what it does not cover. Almost no app does this.


The actual data-flow audit for an AI voice planner

To evaluate privacy honestly, you need to trace each technical hop from the moment audio is captured to the moment a task appears on screen. For a typical AI voice planner, the chain looks like this.

Hop 1: Audio capture. You press a button and speak. The app records audio on the device using the platform’s microphone API. At this point, the data is purely local. Nothing has left the device. The privacy risk here is negligible — unless the app records continuously, which most do not and which would require a clearly visible indicator on iOS.

Hop 2: Speech-to-text. The audio file is sent to a speech recognition service. For most consumer AI apps, this is a cloud service — OpenAI Whisper, Google Cloud Speech-to-Text, or a proprietary ASR provider. This is the first hop where data leaves the device, and it is frequently the hop that marketing copy glosses over. The audio travels over HTTPS to the provider’s servers, where it is transcribed into text. The provider’s data retention and training policies now apply to your audio for the duration of their retention window.

Hop 3: Language model. The transcribed text — now your task in plain language — is sent to a language model to be parsed, structured, or enriched with context. This is the second hop where data leaves the device. The text leaves, not the audio. The LLM provider’s data retention and training policies now apply to your text.

Hop 4: Storage. The structured task is returned to the app and stored. Here the question is whether storage is local (on-device database) or cloud (app servers). Local storage means the task never leaves the device after this point. Cloud storage means the app’s server retains a copy, and now the app’s own data policy governs retention and access.

Each of these four hops has its own privacy posture. A claim made about hop 4 (“we don’t store your tasks on our servers”) says nothing about what happened at hops 2 and 3. A claim made about hop 2 (“we use encrypted transmission”) says nothing about how long the STT provider retains the audio file.


Where data could leak

The hop-by-hop trace above captures the primary data path. But data can also leave through secondary channels that are even less visible.

Provider data retention. Even when a provider promises not to train on API customer data, it typically retains inputs and outputs for a window of time for abuse monitoring. OpenAI retains API inputs and outputs for up to 30 days by default. Anthropic’s API retention window is 7 days. Neither provider uses this data for training without explicit customer opt-in, but the data exists on their servers during those windows. This is not a scandal — it is a reasonable operational safeguard — but it means your dictated text is not deleted the instant the API call completes.

Third-party analytics SDKs. Many apps embed crash reporters (Sentry, Firebase Crashlytics), analytics frameworks (Mixpanel, Amplitude, Segment), or attribution SDKs. These rarely touch task content, but they routinely capture device identifiers, usage patterns, session lengths, and sometimes screen recordings or breadcrumb logs that can contain metadata about what the user was doing. Some analytics SDKs have their own data sharing agreements that are entirely separate from the app’s privacy policy.

Cloud backup services. On iOS, app data can be included in iCloud backups unless the app explicitly excludes its database from the backup scope. If a planner stores tasks locally but does not opt the database out of iCloud backup, a copy of your tasks may exist in Apple’s cloud infrastructure regardless of what the app’s own privacy policy says.

Operating system and platform telemetry. Apple and Google collect usage telemetry at the OS level. This is outside any individual app’s control and is governed by platform privacy policies rather than the app’s own.

None of these secondary channels are unique to AI apps. But they compound the risk profile when the primary data path already involves two cloud API hops.


Lunelo’s actual data flow, hop by hop

Lunelo is a voice-first AI planner for iOS (available as both a native app on the App Store and a PWA at app.lunelo.app). Here is an honest account of what happens when you dictate a task.

Hop 1: Audio capture. You hold the mic button and speak. Audio is recorded locally. Nothing leaves the device at this point.

Hop 2: Speech-to-text. The audio is sent to OpenAI Whisper via the OpenAI API. The audio leaves your device. This is a real network hop, and there is no version of the current architecture in which it does not happen. OpenAI processes the audio and returns a transcript. Under OpenAI’s API terms, this data is not used to train OpenAI’s models. By default, OpenAI retains API inputs and outputs for up to 30 days for abuse monitoring. Customers can request zero data retention for eligible endpoints, under which the audio is processed in memory and not retained.

Hop 3: Language model. The transcript — text only, not audio — is sent to Anthropic’s Claude API, which infers the intent, extracts task details, and structures the output. The text leaves your device. Under Anthropic’s API terms, data is not used for model training. Anthropic retains API inputs and outputs for 7 days by default.

Hop 4: Storage. The structured task is written to a local database on your device. Lunelo does not maintain its own server that stores your tasks. The task content does not flow to Lunelo’s infrastructure after this point. The calm productivity approach Lunelo is built around — today-default, hidden backlog, no streaks — is implemented entirely in the local store.

What this means in plain terms: your dictation reaches two cloud providers, the audio going to OpenAI and the transcript text to Anthropic, both of which operate under API data policies that prohibit training on your data. Your tasks end up on your device and nowhere else within Lunelo’s own infrastructure. This is a materially different posture from apps that store all task content in their own cloud database, sync across devices via a proprietary backend, and may also route audio and text through cloud AI providers. It is not “fully private” in an absolute sense — audio does leave the device — but the architecture minimizes what is retained and by whom.
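To make the hop-by-hop reasoning above and the Lunelo trace concrete, here is a small added Python model (my own illustration, not Lunelo’s code): each hop records what kind of data it handles, who holds it and for how long, so a marketing claim can be checked against the hops it actually covers. The retention figures are the ones stated in this article; the cloud-sync planner and the iCloud backup hop are constructed contrast cases.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Hop:
    name: str                      # e.g. "speech-to-text"
    data: str                      # what this hop handles: "audio" or "text"
    holder: str                    # "device", or the party that receives the data
    retention_days: Optional[int]  # None: no fixed window (local data, or the app's own policy)


def off_device(pipeline: List[Hop]) -> List[Hop]:
    """Every hop at which data leaves the device."""
    return [h for h in pipeline if h.holder != "device"]


def holders_of(pipeline: List[Hop], data: str) -> List[str]:
    """Which external parties receive a given kind of data (audio vs. text)."""
    return sorted({h.holder for h in pipeline if h.data == data and h.holder != "device"})


def uncovered_by_claim(pipeline: List[Hop], claimed_hop: str) -> List[str]:
    """A claim about one hop ("we don't store tasks on our servers") leaves the other off-device hops unaddressed."""
    return [h.name for h in off_device(pipeline) if h.name != claimed_hop]


def longest_retention(pipeline: List[Hop]) -> Optional[int]:
    """Longest fixed retention window among off-device hops; None if any holder states no window."""
    windows = [h.retention_days for h in off_device(pipeline)]
    return None if any(w is None for w in windows) else (max(windows) if windows else 0)


def with_icloud_backup(pipeline: List[Hop]) -> List[Hop]:
    """Secondary channel: a local store that is not excluded from backup also lands with Apple."""
    return pipeline + [Hop("icloud-backup", "text", "Apple", None)]


# Lunelo's flow as described in the article (retention figures are the article's).
LUNELO = [
    Hop("audio-capture", "audio", "device", None),
    Hop("speech-to-text", "audio", "OpenAI", 30),
    Hop("language-model", "text", "Anthropic", 7),
    Hop("storage", "text", "device", None),
]

# Constructed contrast case: same AI hops, but tasks also sync through the app's own backend.
CLOUD_SYNC_PLANNER = LUNELO[:3] + [Hop("storage", "text", "app-backend", None)]

if __name__ == "__main__":
    for label, p in (("Lunelo", LUNELO), ("cloud-sync planner", CLOUD_SYNC_PLANNER)):
        print(label, "| audio ->", holders_of(p, "audio"), "| text ->", holders_of(p, "text"),
              "| longest window:", longest_retention(p),
              "| 'no server-side tasks' claim leaves uncovered:", uncovered_by_claim(p, "storage"))
```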

For a detailed breakdown of what Lunelo collects and does not collect, read the privacy policy.


How to audit any AI productivity app yourself

You do not need to be an engineer to run a meaningful privacy audit on an app. A structured checklist takes about twenty minutes and covers the questions that marketing copy never answers.

Step 1: Read the privacy policy, specifically the “third parties” section. Most privacy policies list every service provider with whom data is shared. Look for speech recognition providers, language model providers, analytics SDKs, and crash reporters. If the policy does not name specific providers, that omission is itself informative.

Step 2: Check whether an AI provider is named, then read that provider’s API terms. If the privacy policy says “we use OpenAI for transcription,” look up OpenAI’s API usage policy. The key questions are: does the provider train on API customer data by default, and what is the default retention window? These are documented facts, not marketing claims.

Step 3: Look for analytics and tracking SDKs. Tools like Exodus Privacy (for Android APKs) or network proxy inspection on iOS can reveal which third-party SDKs are embedded. Each SDK has its own data policy. A planner with a strong primary data policy but three analytics SDKs may be sharing more than it appears.

Step 4: Check whether task content is stored on the app’s servers. Sign up, create a task, then deactivate your account or revoke access. If a data access or deletion request returns your task content, it was stored server-side. If the app offers account deletion and specifies that all data is erased within a defined window, the app likely maintains a server-side store. Local-first apps typically note that deleting the app or clearing app data removes everything, because the developer has nothing to delete on their end.

Step 5: Check for cloud backup scope. On iOS, go to Settings → [Your Name] → iCloud → iCloud Backup → Show All Apps. If an app appears in this list and is toggled on, its local data is included in iCloud backups. This is not inherently bad — backups are useful — but it means the data exists in Apple’s infrastructure as well as on your device.

Step 6: Evaluate whether an opt-out exists. Some apps let you disable cloud AI processing entirely, falling back to on-device models or basic local parsing. If opt-out exists, the privacy risk is conditional on your choice. If there is no opt-out, the data flow is fixed regardless of your preference.

This checklist applies equally to AI planner alternatives and to apps positioned for deep work. The underlying questions are the same across categories.
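Step 3’s network inspection produces a list of hosts rather than answers; this added Python helper (my own illustration, not a Lunelo tool) triages a simplified proxy export into provider categories and flags uploads large enough to be audio, so the result can be compared with the policy’s third-party list from Step 1. The host-to-vendor suffixes and the sample capture are assumptions I constructed for the example.

```python
from collections import defaultdict

# Hostname suffix -> category. These mappings are assumptions taken from vendor documentation;
# confirm them against the app's privacy policy "third parties" section before drawing conclusions.
KNOWN_HOSTS = {
    "api.openai.com": "AI provider (OpenAI)",
    "api.anthropic.com": "AI provider (Anthropic)",
    "sentry.io": "crash reporter (Sentry)",
    "mixpanel.com": "analytics (Mixpanel)",
    "amplitude.com": "analytics (Amplitude)",
    "segment.io": "analytics (Segment)",
}
AUDIO_UPLOAD_BYTES = 100_000  # heuristic: a multi-second audio clip dwarfs a JSON analytics event


def classify_host(host):
    """Match the host or any subdomain of a known suffix; anything else needs a manual look."""
    for suffix, category in KNOWN_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "unclassified (is it in the app's stated third-party list?)"


def parse_line(line):
    """Lines are 'METHOD host path request_bytes', the shape of a simplified proxy export."""
    method, host, path, size = line.split()
    return {"method": method, "host": host, "path": path, "bytes": int(size)}


def triage(lines):
    """Group outbound requests per host with category, count, bytes sent and an audio-upload flag."""
    report = defaultdict(lambda: {"category": "", "requests": 0, "bytes": 0, "likely_audio": False})
    for raw in lines:
        if not raw.strip():
            continue
        req = parse_line(raw)
        entry = report[req["host"]]
        entry["category"] = classify_host(req["host"])
        entry["requests"] += 1
        entry["bytes"] += req["bytes"]
        if req["method"] == "POST" and req["bytes"] >= AUDIO_UPLOAD_BYTES:
            entry["likely_audio"] = True
    return dict(report)


def third_parties(report):
    """Distinct categories observed; every one should appear in the privacy policy."""
    return sorted({e["category"] for e in report.values()})


# Constructed sample capture of one dictated task on a hypothetical planner (not real traffic).
SAMPLE_CAPTURE = """
POST api.openai.com /v1/audio/transcriptions 412880
POST api.anthropic.com /v1/messages 2310
POST api.mixpanel.com /track 640
POST o12345.ingest.sentry.io /api/1/envelope/ 1880
GET  cdn.example-attribution.net /sdk/config 0
POST api.mixpanel.com /track 702
""".strip().splitlines()

if __name__ == "__main__":
    for host, e in triage(SAMPLE_CAPTURE).items():
        print(f"{host:32} {e['category']:52} {e['requests']:>2} req {e['bytes']:>7} B audio={e['likely_audio']}")
```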


What truly local-first looks like

The most technically demanding version of voice-first AI privacy is a pipeline where audio never leaves the device at any step. This is possible today, but involves real trade-offs.

On-device speech recognition has improved substantially. Apple’s built-in speech framework (which powers dictation across iOS) runs fully on-device and produces reasonably accurate transcripts without any network call. Open-source alternatives like Whisper.cpp, the C++ port of OpenAI’s Whisper model, can run on modern iPhones with acceptable latency for short voice inputs. At the time this article was written, a Whisper small model running on an A16 chip transcribes a five-second clip in roughly one to two seconds. This is usable, though not instant.

On-device language model inference is more constrained. Models small enough to run on a phone — currently in the 1 billion to 3 billion parameter range, such as Phi-3-mini or small Llama variants — can handle structured extraction tasks (parse a task title, extract a date, identify a priority) with reasonable accuracy. They are not as capable as frontier cloud models for ambiguous or complex inputs, but for the narrow task of parsing a dictated to-do, the performance gap is smaller than it is for general reasoning.

A fully local-first voice planner is therefore technically achievable with current hardware, at the cost of some accuracy and increased app binary size (model weights add several hundred megabytes). Whether that trade-off is worth it depends on the user’s threat model and tolerance for reduced accuracy. For most users who primarily worry about whether their tasks are being used to train someone else’s model, the current API policy protections — no training on API customer data — may already satisfy their concern without the accuracy penalty. For users with stricter requirements, a fully local pipeline would be the right answer, and it is a direction that voice-first planners including this one are watching closely.


Frequently asked

Does Lunelo ever see my tasks? No. Tasks are stored locally on your device. Lunelo does not operate a server that receives or stores your task content. The only data that reaches external infrastructure is the audio sent to OpenAI (Whisper) and the transcript text sent to Anthropic (Claude) during the capture step.

Does OpenAI or Anthropic train on my voice notes? Not by default. Under OpenAI’s API usage policy, data sent via the API is not used to train models unless the customer explicitly opts in. Under Anthropic’s API terms, the same applies. OpenAI retains API data for up to 30 days for abuse monitoring; Anthropic retains it for 7 days. Data held during those windows is not used for training.

Is my audio stored anywhere after transcription? OpenAI processes the audio and returns a transcript. The audio is retained by OpenAI for up to 30 days under their default API policy, then deleted. It is not retained by Lunelo. If your use case requires that the audio not be retained even briefly, OpenAI offers zero data retention for eligible endpoints under an enterprise arrangement.

What happens to my tasks if I delete the app? They are deleted. Because Lunelo uses local storage, removing the app removes the data. There is no cloud-side store that continues to hold your tasks after deletion.

Can I use Lunelo without a network connection? The voice capture step requires a network connection because it routes audio to OpenAI Whisper. Tasks already on your device are accessible offline. If you are offline, you can still view and manage existing tasks; voice capture will not work until connectivity is restored.

How does Lunelo compare to apps that store tasks on their own servers? Apps with cloud-synced task storage maintain a server-side copy of your tasks, which is subject to the app developer’s own retention and security practices, potential data breaches, and in some jurisdictions, government data requests. Lunelo’s local-only storage means there is no server-side copy for any of these scenarios to affect. The trade-off is that there is no automatic cross-device sync, which is a deliberate design decision rather than a technical limitation.


Bottom line

The phrase “your data is private” in an AI app tells you almost nothing without knowing which hop it refers to. Voice-first AI planners route data through at least two cloud providers before a task appears on screen. That is not a hidden flaw — it is how cloud AI works today. The meaningful questions are whether those providers train on your data, how long they retain it, and whether the app itself stores anything on its own servers after the AI step completes.

For Lunelo: audio goes to OpenAI Whisper (no training, 30-day retention maximum), text goes to Anthropic Claude (no training, 7-day retention), and tasks land in local storage on your device where they stay. That is an honest account of the architecture. It is not fully air-gapped. It is, however, a materially more contained data flow than apps that maintain cloud task stores, embed multiple analytics SDKs, and route through the same AI providers without naming them.


If you want to read the precise language rather than a summary, the Lunelo privacy policy documents every data category, every third-party service, and every retention period. If you want to try the planner, lunelo.app has the details and the download link.