Skip to content
PrivateAI
← Back to Home
privacy tools

You Hardened Your AI Stack. Your Email Is Still Wide Open.

11 min readBy PrivateAI Team

You switched to Ollama. You're running Mistral locally. Your prompts never leave your machine. Your documents stay on-device. You've read the model cards, understood the licensing, and made deliberate choices about which AI vendors you trust with what data.

Then you email the output to yourself on Gmail.

This is not a hypothetical failure mode — it is the most common one. Privacy-conscious people who invest real effort in locking down their AI workflow often have a gaping hole one layer up: the email, cloud storage, and calendar infrastructure that sits underneath every conversation, document, and decision they make.

The threat model for local AI is well understood at this point. The threat model for the surrounding stack — what happens to the content after the model produces it — gets far less attention. This article is about closing that gap.

The "Local AI" Blind Spot

Running a local LLM addresses a specific threat: your prompts and the model's responses being transmitted to and stored on a third-party AI provider's servers. It's a real threat, and local inference genuinely solves it.

What it doesn't address:

  • The email thread where you paste the output and ask a colleague for feedback
  • The Google Drive folder where you save the research summary the model generated
  • The calendar invite with "discuss AI findings" in the subject line that gets indexed by Google
  • The Slack DM where you share the draft, which gets stored on Salesforce's servers indefinitely

If your threat model includes "I don't want large corporations to build a detailed model of my professional activities, client work, and strategic thinking," then local AI is necessary but insufficient. The email layer is where most of that data actually leaks.

Why Gmail and Outlook Are a Privacy Problem

Let's be precise about what "not private" means for mainstream email providers.

Google scans email content to serve ads and train its models. The exact scope has changed over the years in response to regulatory pressure, but the fundamental architecture — your email lives unencrypted on Google's servers and can be processed by Google's systems — has not changed. Google holds the encryption keys. Google can read your email. By extension, so can any government entity that serves Google a lawful request.

Microsoft's data practices for Outlook and Microsoft 365 are similar. Microsoft processes email content for spam filtering, Copilot integration, and various "service improvement" purposes. Enterprise contracts include more controls, but consumer accounts and many SMB accounts operate under terms that give Microsoft broad rights to process your data.

The key technical fact: neither Gmail nor standard Outlook implements end-to-end encryption for email at rest. The provider holds the keys. The provider can decrypt. Everyone you give authorization to — whether voluntarily or under legal compulsion — can read everything.

What this means practically:

  • Client work described in email is accessible to the email provider and anyone who can compel them
  • Confidential documents attached to email are processed by scanning systems
  • Email metadata (who you communicate with, when, how often) is collected even if message content were encrypted
  • The "productivity features" that make Gmail and Outlook useful — search, smart compose, scheduling suggestions — require reading your email

For most people, this is an acceptable trade-off. For privacy-conscious tech workers, attorneys, security researchers, journalists, founders working on sensitive IP, or anyone handling NDA-covered information, it isn't.

Proton: End-to-End Encryption That Actually Works

Proton takes a structurally different approach. The encryption happens on your device before the data reaches Proton's servers. Proton does not hold the keys to decrypt your email, files, or calendar entries. They cannot read your data even if compelled to — they would have nothing to hand over.

This is called zero-knowledge architecture, and it's the only design that provides genuine privacy guarantees rather than contractual ones.

Proton Mail implements OpenPGP for end-to-end encrypted email. When both parties use Proton Mail, messages are encrypted client-side before transmission and can only be decrypted by the recipient. When sending to non-Proton addresses (Gmail, Outlook, etc.), you can optionally encrypt messages with a password the recipient enters. Email subject lines and metadata are also protected on Proton's infrastructure in ways that differ significantly from Google's approach.

Proton Drive applies the same architecture to file storage. Files are encrypted on your device before upload. Proton cannot see your files. Unlike Google Drive or iCloud, where the provider holds keys and can access content, Proton Drive gives you cloud storage where only you can decrypt.

Proton Calendar extends zero-knowledge to scheduling. Event titles, descriptions, attendees, and locations are encrypted before leaving your device. Google Calendar, by contrast, reads your calendar entries to power features like travel time estimation and smart suggestions.

Proton Pass is a password manager with the same encryption model, adding another layer to a complete privacy stack.

Recommended

End-to-end encrypted email, file storage, and calendar. Proton Unlimited bundles all four products. Free tier available.

Learn More

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.

The Private Intelligence — weekly

AI tools, privacy guides, and workflow tips for people who want to use AI powerfully without giving up their data. Join 4,000+ readers.