Is Apple Intelligence Worth It for People Who Handle Sensitive Data?
Apple's privacy is real, but it carries an asterisk almost nobody reads. Apple's own ChatGPT legal page says that if you are signed in to ChatGPT, OpenAI may log your request, attachments, and session history and use them to train its models. The same "ask ChatGPT" tap that is safe for one person is a training-data donation for the next, and nothing on screen tells you which one you are.
Quick answer
- On-device and Private Cloud Compute are excellent. Apple says that data is processed, returned, and not retained, and that even Apple cannot read it.
- The exposure is the ChatGPT extension. Apple's legal page says a signed-in handoff can be logged and used to train OpenAI's models, while a not-signed-in one cannot.
- The privacy depends on a setting you chose weeks ago. Apple Intelligence does not resurface it at the moment you tap "allow."
- There is no business associate agreement for health data, and the activity report logs that a request left but, in Apple's words, not its content.
- For confidential work on a Mac, Elephas keeps documents on your device and strips sensitive details before any cloud model sees them. It has a free plan and starts at $19/month.
Where your data actually goes, in Apple's words
Forget the marketing and read the legal pages. A request can travel to one of three places, and the privacy is completely different at each. The first two are genuinely strong. The third is the one a professional has to watch.
On your device
Most tasks. Apple's model decides if it can finish locally. Nothing leaves.
Private Cloud Compute
Heavier tasks. Encrypted, not retained, not readable by Apple.
ChatGPT (OpenAI)
Optional extension. Request, attachments, and general location leave Apple.
Two doors stay inside Apple. The third hands your text to a different company.
One detail that surprises people sits in the middle door. Apple's example for Private Cloud Compute is proofreading: "when you use Writing Tools to proofread or edit an email, your device may send the email to Private Cloud Compute." A grammar check can ship the entire email off the Mac. It is still inside Apple's boundary and not retained, so it is fine, but it is not the on-device-only picture most people carry in their heads.
The third door is different in kind, not degree. Apple says the ChatGPT extension sends "your request and attachments like documents, photos, or contents of the document," along with your general location. That is a different company, under different rules, and which rules apply comes down to one switch.
The asterisk: signed in or not
Here is the line that should change how a lawyer or clinician treats this feature. Apple describes two completely different outcomes for the exact same handoff.
Not signed in: OpenAI "must process your information solely for the purpose of fulfilling your request and not store your information or any responses it provides," and "must not use your information to improve or train its models."
Signed in to ChatGPT: "your ChatGPT account settings and OpenAI's data privacy policies will apply," which means OpenAI "may log your request, attachments, and session history, and use this data to train or improve their models."
Read those twice. The protection you are counting on evaporates the moment a ChatGPT account is connected, and connecting one is something a person does once, months earlier, for an unrelated reason. The handoff prompt does not remind you which mode you are in.
This is why "is Apple Intelligence private" has no single answer. For the same tap, on the same matter, two people get opposite results, and neither is told which one they got. Private Cloud Compute does not save you here, because a ChatGPT request never goes to Private Cloud Compute. It goes to OpenAI.
None of this is hypothetical
The risks above are not a thought experiment. In its first year, the same feature set produced a string of documented failures, and the pattern is exactly the one a professional should fear: confident output, real data, and a privacy story with holes in it.
It invented the news, and Apple pulled the feature
Apple Intelligence notification summaries fabricated headlines: that murder suspect Luigi Mangione had "shot himself" (he had not), that Netanyahu had been arrested, and that a tennis player had come out as gay. Reporters Without Borders called it "a danger to the public's right to reliable information," and Apple disabled AI summaries for news apps. If it cannot summarize a headline without inventing facts, trusting it to summarize a client email is a gamble.
A flaw exposed Apple Intelligence's private cache
A macOS bug nicknamed "Sploitlight," found by Microsoft researchers, bypassed Apple's privacy controls and could pull data cached by Apple Intelligence: precise location, face-recognition data, search history, photo metadata, even deleted photos. Apple patched it in March 2025. The private cache was real, and so was the hole.
Researchers say dictation leaves the device, outside Private Cloud Compute
Security firm Lumia Security reported that Siri sends dictated content, including WhatsApp messages, to Apple servers beyond what a request needs, on flows that sit outside the Private Cloud Compute system Apple markets, and kept doing so with privacy settings turned off. Apple disputes that it is an Apple Intelligence privacy issue. Either way, the data left the device.
Apple paid $95 million over Siri recordings
Apple agreed to a $95 million settlement over claims that Siri captured private conversations without the wake word, with some recordings used to target ads. Apple admitted no wrongdoing, but it is the same assistant now wired into Apple Intelligence.
Four separate events, four separate causes, one theme. The marketing describes a system. The track record describes what happens when that system meets the real world.
What the careful people already say
The clearest read is not the spec sheet, it is the people paid to be cautious. On the threads where this comes up, the ones closest to sensitive data are not waiting for permission to worry. These are real comments, with their upvotes, linked so you can check them.
"Unless your IT team have specifically said you can use it, and the purpose for what it's to be used, don't use it."
Top reply, 25 upvotes, r/OpenAI thread
"Don't ever put sensitive personal information into it unless your business has the enterprise version that is tailored to your clinic, hospital, or practice's security needs."
A clinician's reply in the same r/OpenAI thread
"The only private LLM is a self hosted one."
Top reply, 168 upvotes, r/degoogle thread
The doubt is not only about privacy. In an r/ios thread on who has turned it off, the most common reason is that it does not earn its place: "Apple Intelligence doesn't do anything well, and until I hear it does, it will stay off."
The analysts who actually traced the handoff land in the same place as the redditors.
A security firm
The team at IronCore Labs put it bluntly: "There is no private way to use ChatGPT" through Apple's integration. They warn that once you link an OpenAI account the anonymization promises "disappear entirely," and recommend keeping Apple Intelligence on while switching the ChatGPT integration off.
A legal publication
A cautiously positive review at Lawyerist praised the engine, noting not even Apple has backdoor access, yet still told lawyers to "read the terms of service, and only give access to data they have vetted."
Users, a security firm, and a legal publication, none of whom planned to agree, split the verdict the same way. The on-device engine earns praise. The third-party handoff earns a warning.
Why the activity report is not a defense
Apple does give you a transparency feature, the Apple Intelligence Report, and people point to it as a paper trail. Read what it actually captures. Apple says it collects "the approximate size of the request and response, which features are used, and how long the request takes," and then states plainly that this "does not include any information about the content of your request or the returned result."
For a regulator or a bar committee, that is the wrong half of the record. It can show that a request left your device and which feature sent it. It cannot show what was in it, so it cannot prove that privileged or protected detail was kept out. An audit trail that omits the content is not the audit trail your obligations ask for.
What the rules say, with the actual numbers
None of these obligations are written about encryption. They are written about consent, agreements, and proof, and that is exactly the layer the asterisk above breaks.
Lawyers
ABA Formal Opinion 512, issued July 29, 2024, says you must understand how a generative AI tool uses data and get informed client consent first, and that boilerplate consent in an engagement letter "will not be adequate." With Apple Intelligence you cannot meet that bar, because the data path changes with a hidden ChatGPT sign-in state you cannot see per request.
Clinicians and therapists
HIPAA requires a business associate agreement before any service can touch protected health information. Apple does not offer one for Apple Intelligence, and the 2026 penalty schedule reaches $2,190,294 a year for willful neglect that is not corrected. No agreement means it is not a permitted destination, full stop.
Financial advisors and accountants
The SEC's Regulation S-P requires you to safeguard customer financial information, and its 2024 amendments added duties to detect and respond to breaches. A handoff that can be logged and trained on, with no content record on your side, fails both the safeguard and the response duty.
Notice the pattern. Strong encryption does not satisfy any of these, because each one asks for control and a record, and the third door gives a professional neither.
The setup that removes the asterisk
The fix is not to give up AI. It is to put the redaction step before the handoff, on your own machine, so the privacy does not depend on a switch you forgot you flipped. On a Mac, that is where Elephas fits.
Elephas is a privacy-first AI knowledge assistant for Mac. It turns your own documents, notes, and PDFs into a searchable brain you can query in natural language, and it answers only from material you gave it, so it does not invent facts or cite sources you never provided. Your files stay on your Mac, and a fully offline mode is available for the most sensitive work.
For people who still want a leading cloud model, Elephas adds a second layer through automatic PII redaction. Before a prompt is sent to ChatGPT 5.5, Claude Opus 4.8, Gemini, Grok, Perplexity, or any other cloud model, Elephas strips sensitive names, emails, phone numbers, and identifiers on your Mac. The cloud model only ever sees the sanitized text. When the answer comes back, the redacted fields are reassembled locally on your machine, so identifiable information never leaves the device. Elephas pairs this with zero data retention: content never trains AI models, never sits on a vendor's server, and never passes through a third-party reviewer's screen.
The difference is the order. Apple sends first and trusts the destination. Elephas removes the names first, so even on a signed-in cloud account the model never receives the part you were obligated to protect.
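The redact-first, restore-locally order described above, as an added Python sketch (not Elephas's code and not from the original article). It assumes emails and phone numbers can be matched by pattern and that names come from a caller-supplied list; the function names and the sample prompt are constructed for illustration.

```python
import re

# Added illustration, not any vendor's implementation.
# Names cannot be found by regex, so the caller supplies them (assumption).
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")


def redact(text, known_names=()):
    """Return (sanitized_text, vault). The vault maps placeholder -> original
    and stays on the local machine; only sanitized_text is sent out."""
    vault, seen = {}, {}

    def swap(kind):
        def _sub(match):
            value = match.group(0)
            if value not in seen:  # same value -> same token, keeps context coherent
                token = f"[{kind}_{len(vault) + 1}]"
                seen[value] = token
                vault[token] = value
            return seen[value]
        return _sub

    text = EMAIL.sub(swap("EMAIL"), text)
    text = PHONE.sub(swap("PHONE"), text)
    # Longest names first so "Dana Whitfield" is replaced before "Dana".
    for name in sorted(known_names, key=len, reverse=True):
        text = re.sub(rf"\b{re.escape(name)}\b", swap("NAME"), text)
    return text, vault


def restore(text, vault):
    """Put originals back into the model's reply; unknown tokens are left as-is."""
    return re.sub(r"\[(?:EMAIL|PHONE|NAME)_\d+\]",
                  lambda m: vault.get(m.group(0), m.group(0)), text)


def leaked(sanitized, vault):
    """Fail-closed check: list any original value still present in outbound text."""
    return [v for v in vault.values() if v in sanitized]


# Constructed sample input, not real client data.
PROMPT = ("Draft a reply to Dana Whitfield (dana.whitfield@example.com, "
          "+1 415 555 0137). Dana asked about the settlement.")
SANITIZED, VAULT = redact(PROMPT, known_names=["Dana Whitfield", "Dana"])
REPLY = restore("Dear [NAME_3], we will call you at [PHONE_2].", VAULT)
```

A sender should refuse to transmit when `leaked()` returns anything. Pattern matching misses identifiers it has no rule for (case numbers, addresses, unlisted names), so this covers only the categories shown.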
Sensitive data is automatically detected and redacted before anything reaches a cloud AI model, your content is never used to train AI models, and nothing passes through a third-party reviewer's screen.
Smart Redaction is on every plan, including the free tier. Elephas has a free plan and starts at $19/month, so you can try Elephas for free before you trust anything with a client file.
So, is it worth it?
For your own life, yes. Apple Intelligence is one of the safest consumer AI systems you can run, and the first two doors are excellent.
For privileged or regulated material the answer is no by default. Not because the engineering is weak, but because the one feature that leaves Apple behaves differently depending on a setting you cannot see at the moment it matters, and the product keeps no record of what you sent.
So split the work. Let Apple Intelligence handle the rest of your day, and keep the confidential part on Elephas, where your files stay on your Mac and sensitive names are redacted before any cloud model ever sees them. There is no hidden switch to forget, and nothing leaves by accident.
That is the difference between a tool that is private only when the conditions line up and one built for the duty from the first step. Elephas has a free plan and starts at $19/month, so you can try Elephas for free before you ever trust an AI feature with a client file.
Related questions
Does Apple Intelligence send my data to OpenAI?
Only through the optional ChatGPT extension, and only when you ask or confirm. Apple says it sends your request and attachments like documents and photos, plus your general location. Signed in, that can be logged and trained on. Not signed in, it cannot.
Can you use Apple Intelligence and stay HIPAA compliant?
Not for protected health information on its own. There is no business associate agreement, so it is not a permitted destination, and 2026 willful-neglect penalties reach $2,190,294 a year.
What is the safest setup for confidential AI work on a Mac?
Keep documents on the device, turn the ChatGPT extension off, and use a tool that redacts sensitive details before any cloud request. A local-first assistant like Elephas is built for exactly that pattern.
Sources
- Apple Legal: ChatGPT extension and privacy
- Apple Legal: Apple Intelligence & Privacy
- Apple Security Research: Private Cloud Compute
- ABA Formal Opinion 512 (July 29, 2024)
- HIPAA violation penalty tiers, 2026 update
- IronCore Labs: Apple Intelligence ChatGPT privacy
- Lawyerist: Apple Intelligence and Private Cloud Compute for lawyers
- The Register: Apple urged to pull false AI headline summaries
- BleepingComputer: macOS Sploitlight flaw leaks Apple Intelligence data (CVE-2025-31199)
- CyberScoop: Lumia Security on Apple Intelligence data handling
- NPR: Apple to pay $95 million to settle Siri privacy lawsuit


