
The Privacy Premium: What You Pay When AI Is “Free”

Cloud AI doesn't have a price. It has a cost. The cost is the part you don't see on the invoice — your data, your context, your conversation, your model of yourself, all rendered into training corpus and behavioral profile.

[Figure: two panels. CLOUD MODEL: you, vendor datacenter; prompt + context → logged · profiled · trained on. LOCAL MODEL: you, your hw, cashmere; closed loop · nothing leaves.]

The most important sentence ever written about consumer technology was 35 years old before anyone quite understood what it meant: if you're not paying for the product, you are the product. That was true of broadcast television, true of free email, true of social media, and now it is true of "free" AI in a way that's both more intimate and more invisible than any of its predecessors.

A free chat with a frontier cloud model feels harmless. The privacy implications of one prompt look trivial. But the model of you that gets built up over a thousand prompts is the most detailed behavioral profile any system has ever held about a single human being. It includes things you would not put in a diary.

The shape of the data exhaust

Every prompt you send to a cloud LLM contains, at minimum: what you're working on, who you're working with, what you don't know, what you're embarrassed about, what you're researching, what you're planning, what you're afraid of getting wrong. The prompt itself is the most concentrated distillation of your current cognitive state in existence.

Multiply that by the half-dozen times a day a heavy user prompts a cloud model. Multiply by 365. The resulting corpus is not a usage log. It's an unauthorized biography.

Vendor terms of service vary. Some vendors say they don't train on consumer prompts. Some say they do but offer opt-outs. Some are explicit that enterprise-tier prompts are excluded but "free"-tier prompts aren't. All of them retain the data. All of them can change those terms. None of them can promise that a future acquisition, breach, subpoena, or business pivot won't change the rules retroactively.

What a single prompt usually contains

  • Intent: what you're trying to do, right now
  • Context: paste of code, email, doc, message
  • Identity: role, employer, project, team
  • Relationships: named collaborators, clients, friends
  • Confessions: what you don't know, what you're worried about
  • Plans: what you intend to do next

"They promise not to look"

The standard defense of cloud AI privacy is the vendor's stated policy. This defense has a structural weakness: you can't verify it. The model runs on infrastructure you can't see. The logs are stored on disks you can't audit. The retention policies are documents you have to take on faith. The training pipeline is a black box.

Even if the current employees of the current vendor genuinely intend to honor every commitment, the next M&A event will write new commitments, and the prompts you sent in 2024 will be governed by rules drafted in 2027.

Privacy that depends on someone else's good behavior is not privacy. It's a promise. The only promise that's enforceable at the architecture layer is "the data never leaves my hardware."

  • Outbound (0 bytes): A local model never transmits your prompt to a third party. There is nothing to log.
  • Retention: Your data lives as long as your disk does — and only there.
  • Auditable (100%): Open weights, open code. You can read the bytes.

The model of you is the actual product

The thing the vendors actually want isn't your prompt — it's the aggregated model they can build from a million users' prompts. That model includes patterns of how people think, work, fail, and ask for help. It's the most valuable training corpus that has ever existed.

For you as an individual, your contribution is invisible in the aggregate. For them as a corporation, the aggregate is the moat. A frontier model with two years of real prompt data is a different thing from a frontier model trained only on the public web. And every prompt you send contributes to that moat. Free prompts do double duty: you get an answer, they get a data point.

Local AI changes the contract

Move the model onto your hardware and the contract changes shape entirely.

  • The prompt never leaves the room. There's nothing to intercept, log, or aggregate.
  • The model's behavior is set by weights you can inspect. There's no remote update that quietly changes how it talks to you.
  • The memory of your past conversations lives in a SQLite file on your disk. You can read it. You can delete it. You can copy it to a new machine.
  • The vendor relationship — to whoever publishes the open-weight model — ends at download. You don't pay them. They don't see you.

The privacy story isn't an additive feature. It's a structural property of where the computation happens. You don't have to trust anyone's policy because there's no one to trust.
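The claim that the prompt never leaves the machine can be checked rather than taken on faith. As an added example (not from the original post or from the Cashmere project), this Python code parses the Linux `/proc/net/tcp` table and reports any socket owned by a given process whose peer is not loopback. It assumes Linux, IPv4 and a little-endian host; the function names and the sample table are constructed for illustration.

```python
import ipaddress
import os
import re
import struct

# Constructed sample in /proc/net/tcp layout: a loopback listener, a loopback
# client connection, and one connection to 203.0.113.10:443 (documentation range).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40003 1 0000000000000000 20 4 30 10 -1
"""
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}

def decode_addr(field):
    """'0100007F:1F90' -> (IPv4Address('127.0.0.1'), 8080)."""
    ip_hex, port_hex = field.split(":")
    # The address is printed as a 32-bit hex word in host (little-endian) order.
    packed = struct.pack("<I", int(ip_hex, 16))
    return ipaddress.IPv4Address(packed), int(port_hex, 16)

def socket_inodes(pid):
    """Socket inodes a live process holds open (needs read access to /proc/<pid>/fd)."""
    inodes = set()
    for fd in os.listdir(f"/proc/{pid}/fd"):
        try:
            target = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:  # descriptor closed while we were listing
            continue
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes.add(m.group(1))
    return inodes

def non_loopback_peers(proc_net_tcp, inodes):
    """Return [(remote_ip, port, state)] for the given inodes that talk off-host."""
    hits = []
    for line in proc_net_tcp.strip().splitlines()[1:]:  # skip the header row
        cols = line.split()
        # cols[2] = remote address, cols[3] = state, cols[9] = socket inode
        if len(cols) < 10 or cols[9] not in inodes or cols[3] == "0A":
            continue  # malformed row, another process's socket, or a listener
        ip, port = decode_addr(cols[2])
        if not ip.is_loopback:
            hits.append((str(ip), port, STATES.get(cols[3], cols[3])))
    return hits

if __name__ == "__main__":
    print(non_loopback_peers(SAMPLE, {"40001", "40002", "40003"}))
```

On a live system, pass the contents of `/proc/net/tcp` and `socket_inodes(pid)` for the model process. This is a point-in-time snapshot and does not read `/proc/net/tcp6`, so a host firewall rule or packet capture is what catches short-lived or IPv6 connections.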

"But I have nothing to hide"

The "nothing to hide" reflex is a misread of the threat model. The risk isn't that someone reads your prompt today and judges you. The risk is what's possible at scale when a small number of vendors hold a behavioral profile of every knowledge worker on Earth, and those profiles can be queried, cross-referenced, sold, subpoenaed, leaked, or repurposed under future leadership.

Privacy is not about hiding wrongdoing. Privacy is about not being legible to systems whose interests are not yours. Cloud AI makes you maximally legible.

The most useful possible AI is the one that knows the most about you. Which makes it the worst possible thing to send to anyone else.

The actual cost of "free"

A free cloud subscription is not a gift. It's a barter. You give: every prompt, every context paste, every confession of what you don't know, every plan you sketch out loud. You get: a chat interface.

That's a stupid trade for the user, but it's a brilliant trade for the vendor — which is why the free tier exists in the first place. The free tier is the data-acquisition channel. The paid tier is the revenue channel. Both serve the same business model.

A local agent has no business model. It runs because you run it. It costs what your electricity costs. It serves you, and only you, and the most personal possible relationship with intelligence becomes structurally impossible to monetize because there's no one in the loop to monetize it.

That's the real reason cloud AI is "free" and local AI is, eventually, going to be free too: because once the model fits on your machine, the rent the cloud was charging stops making sense.


Cashmere runs entirely on your hardware. No prompts leave. No data is sent home. There is no "home" — the project is open source under MIT. Your memory, your conversations, your knowledge graph: yours.