Apple Intelligence and Privacy (and Why Builders Should Care)
The real privacy guarantees behind Apple Intelligence's three tiers, the 2026 Google Cloud wrinkle, and why 'free, private, offline' changes what developers can ship. Part 4 of a 6-part series on local AI.
This is Part 4 of a 6-part series on Apple Intelligence. Start with Part 1: What Is Apple Intelligence? if you missed it.
Privacy is half the reason I care about Apple Intelligence at all (cost is the other half). Part 3 took apart the three tiers as a speed and cost story: a small model on your phone, Apple’s private servers for the heavy stuff, and an optional hand-off to ChatGPT. That same structure is also what makes the privacy claims possible in the first place, so that’s the lens I want to use here.
The desk: on-device
The first tier is the easy one to reason about. If the work happens on your phone, your data never leaves it. There’s nothing for Apple or a cloud provider to store, leak, or hand over from that request path, because the request path never left the device.
That covers a surprising amount of what Apple Intelligence does day to day: rewriting text, summarizing a thread, sorting notifications. It also runs offline, which is only possible because nothing is being shipped anywhere. This is the strongest privacy story there is, and it’s the default.
The locked room: Private Cloud Compute
Some requests are too big for the phone, and those go to Private Cloud Compute (PCC), Apple’s own servers. This is the tier I find genuinely unusual, so it’s worth slowing down on.
Picture mailing a sealed package to a vault. Outside auditors are allowed to inspect the vault’s design, your package gets shredded the moment the answer comes back, and no one (not even the vault owner) can open your package while it’s inside. That’s the shape of what Apple is claiming, and the claims are specific:
- Stateless, no retention. Your data is used only to answer the request, then it’s gone. Nothing is kept after the response is returned.
- Not accessible to Apple. No remote shells, no admin backdoor, no general debugging interface into your request.
- Non-targetable. The system is built so that no one can single out your device or aim a request at you specifically.
- A verifiable transparency log. Apple publishes signed measurements of the production PCC software to an append-only log, and your device will only talk to a server whose image is in that log.
- Inspectable software images. The actual binaries are made available to security researchers, so the claims above can be checked rather than just trusted.
Apple also puts money behind it. Its security bounty for PCC pays up to $1,000,000 for the top category (a remote attack that gets at your request data). The part I keep coming back to is the posture: instead of asking you to trust the label, Apple is inviting outsiders to check that the box is actually sealed.
The outside consultant: ChatGPT
The third tier is the one people most often mix up with the others, so let me keep it separate. ChatGPT integration is opt-in and off by default. When Siri wants to reach it for an open-ended, world-knowledge question, by default it asks you first (you can turn off some of those confirmations, but sending photos or files always requires approval).
You can use it on the free tier without an account, and when you do, OpenAI says it doesn’t store the requests and obscures your IP address. The key thing to hold onto: this is a separate world-knowledge extension, not the engine running Siri behind the scenes. Which brings me to the messy part.
The 2026 wrinkle (told honestly)
Through 2025, the clean version of the PCC story was “Apple silicon, Apple’s own servers, inspectable.” In 2026 that got more complicated, and I don’t want to skip past it.
Apple officially expanded PCC beyond its own data centers for the first time, running some larger models on Google Cloud (on NVIDIA GPUs). Apple’s position is that the same core requirements still apply and that it keeps control of the PCC software, with the full set of protections ramping up during a summer preview period. So the guarantee is still the guarantee, on someone else’s hardware.
Layered on top of that is the reporting, which I’d treat as reporting and not gospel. Bloomberg’s Mark Gurman reported that Apple is paying Google around a billion dollars a year for a custom 1.2-trillion-parameter model to handle some of Siri’s cloud-side reasoning. Apple’s own language is drier: it says its top server model was “custom-built in collaboration with Google,” optimized for NVIDIA GPUs, and has separately said it drew on the technology behind Google’s Gemini models. What Apple does not do is brand the model powering Siri as “Gemini” or confirm the billion-dollar figure, so I’d hold those specifics loosely.
The honest tension is this: a privacy pitch whose whole appeal was Apple-controlled, inspectable infrastructure now leans partly on another company’s cloud. Apple says the protections travel with it. That’s Apple’s claim plus outside reporting, and it’s not something I can independently verify, so I’ll leave it there rather than pretend I know how it nets out.
Why builders should care
Here’s the part that actually changed how I think about this. If you build software, the on-device tier hands you three things at once:
- Free. On-device inference has no per-token bill. Through the Foundation Models framework, any app can call the same on-device model, offline, at no cloud cost (PCC access is also free for qualifying small developers).
- Private. The user’s data never touches your servers, so there’s less to secure, less to leak, and a cleaner compliance story (not a compliance free pass, but a real head start).
- Offline. The feature works with no network at all.
The quiet win is the middle one. If you never receive the data, you can’t lose it. A whole class of “where do we store this, who can see it, what happens if we’re breached” problems just doesn’t exist when the model runs on the user’s device and the data stays there. For a lot of features that used to require a backend, that’s the difference between shipping and not.
Normal cloud AI request vs an Apple Intelligence request
Same job, four different privacy profiles depending on where it runs:
| Question | Normal cloud AI | Apple on-device | Apple PCC | ChatGPT extension |
|---|---|---|---|---|
| Does your raw data leave the device? | Yes | No | Yes (to Apple’s PCC) | Yes, with your OK |
| Is it stored after the answer? | Often, per their policy | No | No (stateless) | Not on free tier, per OpenAI |
| Can the provider read it? | Usually yes | No provider involved | No (by Apple’s design) | OpenAI processes it; IP obscured, not stored without an account |
| Can outsiders verify the claim? | Rarely | N/A (never leaves) | Yes (transparency log) | No |
| Cost per request | Per-token bill | Free | Free | Free tier |
| Works offline? | No | Yes | No | No |
What’s next
That’s the how-it-works and the why-it’s-private out of the way. Part 5 gets hands-on: the things you can actually do with this on your phone right now, including the stuff that works with no signal at all.
If you want the rest as it drops this week, the site has an RSS feed you can point your reader at.
Frequently asked questions
Is Apple Intelligence actually private? For the on-device tier, yes in a strong sense: the data never leaves your device. For heavier requests, Apple routes to Private Cloud Compute, which is designed to be stateless, inaccessible to Apple, and verifiable by outside researchers. The optional ChatGPT hand-off is separate and asks before sending by default.
What is Private Cloud Compute in plain terms? Apple’s own servers for AI requests too big for your phone, built so your data is used only to answer the request and then deleted, no one (including Apple) can read it, and independent researchers can inspect the software to confirm those claims.
Does Apple Intelligence send my data to Google or OpenAI? Not by default in a way that hands your data over. ChatGPT is opt-in and asks first. In 2026 Apple began running some larger Private Cloud Compute models on Google Cloud hardware, but says its privacy protections still apply. Reporting about a large custom Google model powering Siri’s cloud reasoning is reporting, not something Apple has confirmed in those terms.
Can developers use Apple Intelligence without handling user data? Yes. The Foundation Models framework lets an app call the on-device model directly, offline, with no cloud cost, so a lot of AI features can run without your servers ever receiving the user’s data.
Does any of it work offline? The on-device tier does. Private Cloud Compute and the ChatGPT extension both need a network connection. Part 5 gets into which offline features are actually worth using.
Sources
- Private Cloud Compute (Apple Security)
- Private Cloud Compute security research and bounty (Apple Security)
- Expanding Private Cloud Compute (Apple Security, 2026)
- Introducing the third generation of Apple’s foundation models (Apple Machine Learning Research, 2026)
- Apple nearing $1B/year Google model deal for Siri (9to5Mac, reporting Bloomberg, November 2025)
- Image Playground, Genmoji, and ChatGPT integration (Apple Newsroom, December 2024)
- Foundation Models framework (Apple Developer Documentation)