Why we built TeeChat — privacy in the AI era

Every week another headline: a chatbot trained on scraped messages, a “helpful” assistant that remembered something you never meant to share, a breach at a vendor that held years of prompts. AI is useful precisely because it learns context — and that same property makes it dangerous when your data is stored, copied, and routed through systems you never chose.

We started TeeChat because we believe the default for AI chat should be the opposite of “send everything to the cloud and hope for the best.” Your AI. Your folder. You rule. — conversations stay in directories you control; using our hosted AI is optional, scrambled on the wire, and not a permanent cloud archive.

Real situations where it matters

Abstract privacy talk is easy to ignore. These are ordinary moments when people reach for AI — and why we think where the thread lives and who can read the prompt when the model runs should not be an afterthought.

The lawyer drafting a client memo. You paste a redlined NDA, ask for plain-language risks, and name the counterparty. You are not doing anything secret — you are doing billable work under privilege. A consumer chat app may keep that thread for years on someone else’s servers. TeeChat keeps history in your folder; if you use hosted AI, the prompt travels scrambled to a verified secure server — not as fodder for a vendor’s training pool.

The biotech researcher on a Sunday night. You ask for help structuring a target rationale, compare two papers, or sanity-check an IND outline before Monday’s stand-up. The text is not public yet — it is pipeline thinking. You should not have to choose between a smart model and parking that thinking in a generic cloud chat log.

The founder practicing an investor conversation. You rehearse objections, refine positioning, and mention runway, cap table, and a possible acquirer by name. None of that belongs in a permanent SaaS archive tied to your personal email. You want a capable assistant that treats the thread like your notebook, not their product analytics.

The employee between jobs. You rewrite your resume with real employer names, practice salary negotiation, or ask whether a non-compete clause is enforceable in your state. That is highly identifying even when you never type your full name. One long thread is often enough to reconstruct who you are.

The parent with a worried question. You describe a child’s symptoms, a medication interaction, or a therapist you are considering. It is not a crime thriller — it is family life. Those prompts deserve the same dignity as a sealed envelope, not a row in a support engineer’s log viewer.

These are not edge cases. They are why we built TeeChat: data sovereignty — local-first history when you want control on your machine, and encrypted, verifiable hosted inference when you want a strong model without handing us your archive.

The problem is not paranoia — it is incentives

When a service sees your prompts in plain text, it can:

None of that requires malice. Normal product pressure — better models, cheaper AI, faster debugging — pushes teams toward more data, not less. Privacy policies lag behind what engineers can actually access on production databases.

What AI in the wrong hands can do if it knows you too well

Imagine an attacker — or a compromised operator account — with read access to unencrypted chat history:

They learnWhat becomes possible
Your employer, projects, and deadlinesTargeted phishing that passes the “would your boss send this?” test
Medical or mental-health questionsBlackmail, insurance discrimination, workplace bias
Credentials mentioned in passingAccount takeover chains
Family names, schools, travel plansPhysical-world harassment or burglary timing
Political and religious viewsCoercion, doxxing, state pressure

Large language models amplify inference: they do not only store what you typed; they can derive what you did not. A single long thread is often enough to reconstruct identity even when you never typed your full name.

Confidentiality is not about hiding criminal activity. It is about keeping ordinary life ordinary — therapy, job search, legal questions, parenting, creativity — without turning every conversation into a permanent, searchable asset for someone else.

Why “trust us” is not enough

Many products promise encryption “in transit” (HTTPS) and “at rest” on disk. That protects bytes on the wire and disks — not the operator who decrypts inside the data center for routing, billing, safety filters, or running the model.

For AI chat, the sensitive moment is when the model reads your prompt. On typical hosted stacks, whether prompts stay private comes down to who can access production systems — not HTTPS or disk encryption alone.

We want an architecture where:

  1. Your app scrambles the prompt before it leaves your device.
  2. The routing server forwards sealed envelopes — it should not need your plain text to do its job.
  3. Only a verified inference engine inside a measured secure environment unscrambles for the model.

That is the bar TeeChat is built for. The product is proprietary; the OPE protocol and inference engine are open so experts can audit the crypto path without taking our word for it.

What we are optimizing for

What comes next on this blog

We will publish practical guides in separate posts:

  1. How to verify confidentiality — verification checks, what the routing server does, end-to-end flow.
  2. How to check out our open-source stack — OPE and the inference engine.
  3. Advanced network audit — Wireshark, mitmproxy, and what you should (and should not) see on the wire.

If you are evaluating TeeChat for yourself or your organization, start with the question: who can read my prompt when the model runs? If the answer is “anyone with production access,” you are not getting privacy — you are getting a policy PDF.

We think the AI era deserves better. That is why we are doing this.

Revision log

  1. No EN body change (ZH wording only).
  2. L2 wording: hosted without handing over your chat records.

← All posts