← Blog

Your Notes Are Training AI — Here's How to Stop It

Your Notes Are Training AI — Here's How to Stop It

In the last two years, almost every major notes and productivity app has shipped AI features. "Ask your notes." "Summarize this document." "Suggest follow-up questions." Most of these features look magical and feel useful. Almost all of them require sending your notes — your private, often unfiltered thoughts — to a server. Many of them, by default, allow that data to be retained, logged, or used to improve the underlying model.

This isn't always nefarious. It's mostly a combination of "we couldn't ship the AI feature without this" and "we need data to make our AI better than the competitor's." But the result is the same: a meaningful chunk of what you've written privately is now training material for someone else's product.

Here's what's actually happening, how to spot it, and how to opt out.

Three ways your notes leave the device

Modern AI features in notes apps generally work via one of three architectures:

1. Cloud LLM call per request. When you ask a question, the app sends the relevant notes to OpenAI, Anthropic, or another provider, gets a response, returns it. The note content is in the provider's logs at least transiently.

2. Vector embedding upload. The app generates embeddings (numerical representations) of your notes and uploads them to a vector database for "semantic search." Embeddings can leak content via inversion attacks; they aren't fully anonymized.

3. Fine-tuning or training data collection. Some apps explicitly use user content to fine-tune their own AI features. Others claim "no training" but allow it through opt-out checkboxes most users never find.

In all three, the key question is: does the data leave my device, and if so, what does the receiving party retain?

What "we don't train on your data" usually means

The phrase appears in many privacy policies. The fine print usually adds caveats:

• "We don't train on your data" — but the LLM provider we send it to might.
• "We don't train on your data" — except for "abuse detection" or "improving the service" or "feedback you submit."
• "We don't train on your data by default" — there's a setting you can change.
• "We don't train on your data" now — the policy can change.

For a journal, where you write things you wouldn't say out loud, even a "transient" log is too much. Once data is on someone else's server, you're trusting them not to use it in ways their lawyers disclosed in a footnote.

How to audit a notes app for AI exposure

A five-minute audit:

1. Look for AI features. Anything labeled "AI," "Smart," "Ask," "Co-pilot," "Auto-tag," "Summarize." Each is a potential exfiltration point.
2. Find where it runs. Privacy or technical docs should say "on-device" or name the cloud LLM. If it's silent, assume cloud.
3. Check for an off switch. A separate setting for "use AI features," distinct from "share usage data."
4. Check the data policy. Search the privacy policy for "model training," "improvement," "fine-tune," "feedback." Note the defaults.
5. Check the LLM provider's policy. If the app uses OpenAI/Anthropic/Google, check that provider's enterprise vs consumer terms — they're different.

What about end-to-end encrypted apps with AI?

This is the trick. Genuine end-to-end encryption and server-side AI are mutually exclusive. If the server can read your notes well enough to summarize them, the encryption isn't end-to-end.

Some apps offer:

• On-device AI. Smaller models running locally. Works for some tasks; today's on-device models are not as capable as cloud LLMs.
• Optional AI with explicit decryption. You opt in for a specific entry; that entry is decrypted on the server temporarily for the AI call.

The first preserves the privacy guarantee. The second breaks it for that entry — make sure the app is loud about which mode you're in.

What Jottii does

Jottii doesn't offer server-side AI features at all. Not because we're against AI, but because we couldn't add them without breaking the zero-knowledge guarantee, and we think that guarantee is the more valuable thing.

If we ever ship AI features, they'll either run on-device (limited, private) or be a clearly opt-in flow that decrypts a specific entry for a specific call, with full transparency on what leaves your device.

How to opt out, app by app

If you're already using an app and want to reduce exposure today:

• Turn off "AI" features. Even if you don't use them, some apps pre-index your notes for them.
• Disable "improve our service" / "share usage data."
• Delete AI-generated content history. Many apps keep a record of your AI prompts indefinitely.
• Check whether AI features have a separate consent. They often do; toggle it off.
• For chatbot apps that "remember" your conversations, clear the memory. Especially if you've talked to them about anything sensitive.

A larger pattern

This is the post-2023 default of consumer software: AI as a feature surface, training data as a quiet asset. For low-sensitivity content (recipes, work meeting notes), this might be fine. For a journal, it isn't.

The fix is not to avoid AI forever — it's to choose tools where the architecture makes accidental data exposure impossible by design. End-to-end encryption is the obvious mechanism. On-device AI, when it gets capable enough, is the next layer.

For background on how the architecture-level guarantee works, see Zero-Knowledge Architecture, Without the Jargon.

If you want a journal app that has no path to send your entries to a third party for AI processing, Jottii is that app — by design, not by promise.

• #ai
• #privacy
• #notes
• #training-data