Local-first vs cloud AI: what privacy actually means
Running your AI on your own server sounds like the private option. But privacy is more complicated than where data lives. Here's how we think about it and why we made the choices we did.
The local-first argument is intuitive
Your data never leaves your machine. No company server. No third-party cloud. Full control.
It's a clean pitch, and for a certain kind of user, it's genuinely meaningful. If you don't trust any company with your data and you have the technical skills to run your own infrastructure, local-first AI makes a lot of sense.
The popularity of open-source self-hosted AI agents in early 2026 showed how much people want this. Projects like OpenClaw blew up because the promise resonated. People are tired of handing over access to their email and calendar to services they don't fully understand. That feeling is valid.
But after watching self-hosted AI agents go mainstream and then watching some real incidents follow, we've been thinking a lot about what privacy actually means in practice. And the answer is more complicated than "local = safe."
What self-hosting actually requires
Running a local-first AI agent isn't like installing an app. You need a dedicated machine running 24/7, because the always-on features only work if the hardware is always on. Not your laptop. A separate computer. You also need to handle dependencies, configuration, and in some cases server setup that requires terminal familiarity.
Developers who live in the command line can get through this in an afternoon. For most people, the setup alone is a dealbreaker.
But the part that gets less attention is what comes after setup. Once your AI agent is running, connected to your email, calendar, and messages, the security of that machine is now your responsibility. Keeping it patched. Managing what's exposed on your network. Making sure the configuration is actually hardened for the real world, not just the tutorial.
Security researchers who've looked at self-hosted AI agents have noted that most people set them up with default configurations that aren't hardened for typical home or small-office networks. The data is local, technically. But if someone can get into the machine or the service running on it, local doesn't mean private anymore.
Where local-first privacy breaks down
A vulnerability discovered in early 2026 illustrated this clearly. An attacker could get a self-hosted AI agent user to click a malicious link. From there, JavaScript could silently connect to the local service, grab an authentication token, and access everything the agent had permission to touch: email, calendar, messages, files.
The data never left the user's machine. And someone still got it.
That's the core tension. Local-first shifts the threat model; it doesn't eliminate it. Instead of a company's servers being a potential target, your machine becomes one. And defending your own machine against that kind of attack is genuinely hard, especially when the AI agent has root-level access to your accounts.
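To make the defensive side concrete, here is an added example (not code from any agent project) of the request check a loopback service can run before answering a browser, so that a page from another site cannot talk to it the way described above. The port, the allowed origins and the sample header sets are assumed values constructed for illustration. A client that sends no browser headers, such as a local CLI, passes this gate and still has to present its token.

```javascript
// Added example, not any project's code. Port and origins are assumed values.
const TRUSTED = {
  hosts: new Set(["127.0.0.1:8731", "localhost:8731"]),
  origins: new Set(["http://127.0.0.1:8731", "http://localhost:8731"]),
};

// Decide whether a request to the loopback service may proceed.
function checkLocalRequest(headers, trusted = TRUSTED) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).trim();
  }

  // 1. Host must name the service itself. A request that arrives through a
  //    rebound DNS name carries that foreign hostname here.
  const host = (h["host"] || "").toLowerCase();
  if (!trusted.hosts.has(host)) {
    return { allowed: false, reason: "host-not-allowed" };
  }

  // 2. Browsers attach Origin to WebSocket handshakes and CORS requests.
  //    Compare by exact match; prefix or substring tests can be bypassed.
  if ("origin" in h && !trusted.origins.has(h["origin"].toLowerCase())) {
    return { allowed: false, reason: "origin-not-allowed" };
  }

  // 3. Fetch Metadata: if the browser reports another site as the initiator
  //    (including same-site, i.e. another local port), refuse.
  const site = (h["sec-fetch-site"] || "").toLowerCase();
  if (site && site !== "same-origin" && site !== "none") {
    return { allowed: false, reason: "cross-site-fetch" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests (header sets only).
const SAMPLES = {
  ownUi: { Host: "127.0.0.1:8731", Origin: "http://127.0.0.1:8731", "Sec-Fetch-Site": "same-origin" },
  foreignPageWebSocket: { Host: "127.0.0.1:8731", Origin: "https://other-site.example", Upgrade: "websocket" },
  reboundHostname: { Host: "rebind.other-site.example:8731", Origin: "http://rebind.other-site.example:8731" },
  crossSiteGet: { Host: "localhost:8731", "Sec-Fetch-Site": "cross-site" },
  localCli: { Host: "localhost:8731" },
};

function runSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = checkLocalRequest(headers).reason;
  return out;
}
console.log(runSamples());
```

The check belongs in front of every endpoint, including the WebSocket upgrade handler and whatever route returns or issues the token.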
There's also the third-party dependency question. Self-hosted agents still call out to AI model APIs. That means you're still dependent on Anthropic, OpenAI, Google, or whoever for the underlying intelligence. You own the hardware but not the model. And if your usage violates the API provider's terms of service, they can revoke your access, which undoes a lot of the "full control" argument.
How we think about privacy
We made the choice to run Cloa in the cloud. Not because local-first is wrong, but because we wanted to be responsible for the security work ourselves rather than passing that responsibility to users.
Most people aren't in a position to harden a server, manage network exposure, and keep up with security patches on an always-on machine. That's not a criticism. It's just not what most people signed up for when they decided they wanted a personal AI.
But cloud doesn't mean "trust us blindly." Here's what privacy actually means to us:
We don't train AI models on your conversations. What you share with Cloa stays within your account and is used only to help you.
We don't sell your data. Not to advertisers, not to third parties, not to anyone.
You can ask Cloa what it knows about you at any time. If anything is wrong, you can tell it to correct or forget specific details. You stay in control of what your AI remembers.
None of that requires a server. It requires a company that treats privacy as a design constraint, not a marketing line.
The honest version of the tradeoff
Local-first is a real option. For developers and technically experienced users who want full control and are willing to manage the security themselves, it's probably the right call. We respect that choice.
For everyone else, the real question isn't "local vs cloud." It's "which cloud, and do I trust what they actually do with my data." That's a better question than where the data lives.
Privacy is about what happens to your information, who can see it, whether it gets sold or trained on, and whether you have genuine control. Those questions don't resolve themselves just because a hard drive is in your house.
Frequently asked questions
Is local-first AI always more private than cloud AI?
Not automatically. Local-first means your data is stored on your own hardware, but you become responsible for keeping that hardware secure. A misconfigured local setup can be just as vulnerable as a poorly managed cloud service. What matters more is what the provider (or you, if self-hosting) actually does with your data.
What are the security risks of self-hosted AI agents?
Self-hosted AI agents are connected to your email, calendar, and other accounts and run 24/7 on a local machine. If that machine or service is compromised through a vulnerability, misconfiguration, or malicious input, an attacker can access everything the agent has permission to touch. Keeping a self-hosted AI agent secure requires ongoing technical effort.
Does Cloa train on my conversations?
No. Cloa does not use your conversations or personal data to train AI models. Your information is used only to provide your personalized service. It's not shared with third parties or used for anything beyond helping you.
Can I see and delete what Cloa knows about me?
Yes. You can ask Cloa what it remembers about any topic and tell it to correct or forget specific details. Deletion is real, not just hidden.
Why did Cloa choose cloud over local-first?
We wanted to be responsible for the security infrastructure rather than pass that responsibility to users. Most people want an AI that works without becoming a maintenance project. Running Cloa in the cloud means we handle patching, hardening, and security so you don't have to.