Private AI strategy
The venture should not try to beat Proton by launching another hosted chatbot that says it does not retain prompts.
It should build a privacy execution layer: one application that lets a person or organization choose the least-trusting usable AI mode for each task, then shows evidence of the mode actually used.
The default is local. The cloud fallback is attested confidential processing. Ordinary cloud AI is an explicit, clearly labeled choice for lower-risk work, not a silent downgrade.
The direct answer on Lumo
Lumo is more than a bare promise to delete chats. Proton describes zero-access encryption for saved history, no training on chats, and encrypted transport through its internal pipeline.
It also explicitly says that its LLM must receive cleartext to process a request. The LLM server holds the private key needed to decrypt the per-request key. That makes live inference a trust boundary, even when the company has a credible no-logs policy.
Proton Lumo security model preserves the relevant source. The fair distinction is:
- saved history has a meaningful cryptographic boundary
- transport and internal routing are strongly protected
- live model execution relies on Proton’s deployed environment and operational controls
- public client code does not by itself prove which binary is running on the production GPU
The venture can do better on the last point. It should not dismiss Lumo’s genuine protections to do so.
The product thesis
The core product is not “private AI.” That phrase is too broad to be trustworthy.
The product is a visible choice between five modes:
- Local only: prompt, documents, retrieval, and history stay on the customer’s device.
- Customer-owned / on-premises: the organization operates approved hardware outside the startup’s environment.
- Customer cloud tenant: the organization controls its account and configuration, while the cloud operator remains a live-infrastructure trust boundary unless confidential execution applies.
- Verified confidential cloud: the client checks a current attestation and approved release before encrypting a request directly to the workload.
- Contractual external AI: the user explicitly authorizes a named provider with a declared location, retention category, and feature set.
The user should see the selected mode, model, destination, whether a web or tool call is enabled, and what evidence supports the claim. Private AI trust boundaries defines the evidence.
Why now
Local models are mature enough for many useful tasks: drafting, summarization, translation, document extraction, structured output, local retrieval, redaction assistance, and modest coding support.
They do not yet remove the need for powerful cloud models in every task. That is not a reason to wait. It is the reason to build a hybrid system now and make its boundary honest.
Local AI covers the local tier. Confidential AI computing covers the viable cloud tier. Zero-knowledge AI identifies the research path without promising a magic solution.
The decisive differentiation
Apple Private Cloud Compute, Brave Leo TEE pilot, Venice, Tinfoil, and Privatemode show that attested private inference is already competitive territory.
The venture should not claim to invent it. It can differentiate through:
- a browser-neutral native client
- local-first document and retrieval workflow
- client-side attestation verification, not only a provider-side green label
- a per-request privacy receipt: model, release, declared region, attestation result, and egress-policy or audit status
- fail-closed routing: confidential mode never silently becomes ordinary cloud mode
- Swedish and EU professional deployment, training, recovery, and support
- customer-controlled export, model portability, and a clear shutdown path
- tooling that protects people who cannot become AI-security specialists
The winning promise is: “Your data stays local when it can. When it cannot, you can verify its declared route, which approved code processed it, and what the system was permitted to do.”
An attestation can support the approved-code claim. It cannot by itself prove a physical country or that no network egress ever occurred. Region is contractual and configuration evidence; egress needs a disclosed policy and auditable controls.
Do not make provider spreading the privacy product
Sending the same sensitive prompt to several “no-logs” providers increases the number of parties that see it. Splitting it into natural-language fragments can still leak the sensitive fact through context, timing, identifiers, or the final synthesis step.
This is not secure multi-party computation. It is vendor multiplication.
Private AI routing explains the narrow cases where a true trust split helps: local minimization before one remote provider, an independently operated relay, or a purpose-built MPC or FHE protocol.
Regulation and governance
Local processing reduces a cloud processor relationship, but it does not make GDPR, security, discrimination, consumer, or AI Act obligations disappear.
The AI Act’s general-purpose-model obligations already apply to relevant providers, and its transparency rules are scheduled to apply from August 2026. An organization using a model must still map data, choose a lawful basis, document risk, evaluate outputs, and train staff.
IMY’s current GDPR-and-AI guidance and the EDPB’s LLM privacy-risks material should inform every deployment. Privacy legal and regulatory posture remains the launch gate, especially for health, legal, or criminal-offence data. Private AI legal roles turns that general gate into a role-by-role decision map.
Swedish operating posture
Sweden as a privacy venture base makes the broader case for operating locally: proximity to Swedish high-trust customers, credible support, and EU data-protection context. It is a commercial and operational advantage, not a shield from GDPR, the AI Act, contracts, or a cloud provider’s own jurisdiction. Privacy customer segments identifies the first buyers for whom that proximity can matter.
Strategy sequence
- Sell a private-AI readiness assessment.
- Install a local workbench for one high-trust customer segment.
- Add a local policy and routing layer.
- Pilot one verified confidential-cloud route with a narrow open-weight model.
- Publish evidence, limitations, and an independent review.
- Only then decide whether operating a European confidential-inference cluster is justified.
Private AI services makes the offers concrete. Private AI competitors maps the market. Private AI buyer alternatives maps the buyer’s real shortlist. Private AI venture validation turns the strategy into paid, falsifiable tests.