The local-first guarantee

Most “private” AI tools are a remote service with a privacy policy. Your prompt travels to someone else’s GPU, runs there, comes back, and you trust them to handle it well. Conifer drops the round trip. The model loads into your RAM, the math runs on your CPU and GPU, and the tokens land in a buffer a few centimetres from where you read them. No request leaves the machine during inference, so there is no payload to log, leak, subpoena, or retain.

The default, not a setting#

There is no “local mode” toggle, because local is the only mode the runtime has. The weights live on your disk, the KV cache lives in your memory, and the scheduler hands work to your own silicon. A privacy switch implies a non-private state on the other side of it. There is no other side here, and no account, key, or sign-in stands between you and the first token.

So install asks for nothing. Download a signed app, point it at a model, and run. The runtime never opens a connection to us, so there is no cloud relationship to leave and no server-side copy of anything you typed.

What stays on the machine#

The four things people worry about most are the four that never move. Each sits on your disk or in your memory, and inference reads it without touching the network.

Weights

Downloaded once to local storage, then read straight off disk on every load. After that first fetch, the model file never touches the network again.

Prompts

Your input is tokenized and fed to the model in process. Nothing serializes it into an outbound request.

Generated tokens

Decode writes to a local buffer and streams to the studio. The reply exists only on your machine until you copy it somewhere yourself.

Conversation history

Chats, agents, and settings persist to local storage on disk. No sync, no remote backup, nothing keyed to an account.

The line-by-line accounting of what does and does not cross the boundary gets its own page. See data boundaries for the full list, including the few deliberate exits below.

The deliberate exits#

A guarantee with no edges is marketing, so here are the edges. Three actions can reach the network. Each stays off until you ask for it, and each shows up when it fires. Inference is in none of them.

The system voice reads a line aloud with the OS’s on-device voices, so the text never leaves the machine either. When any outbound call does fire, the studio logs it to an append-only egress record that keeps the hostname only, never the full URL with its path or query.

The table has no row for inference. Loading a model and generating tokens reach the network zero times. Every exit is either something you start (fetching weights, searching the web) or routine app upkeep, and none carry a prompt or a generated token.

Serving stays local too#

The guarantee holds when you expose the runtime as an API. conifer serve binds to 127.0.0.1, the loopback interface, which no other machine on the network can reach.

conifer serve --model qwen3-8b
# listening on 127.0.0.1:8080 (loopback only)

A loopback bind alone is not enough. A malicious page can rebind a hostname it controls to 127.0.0.1 and POST from a victim’s browser, so the server also checks the Host header and answers anything outside the loopback allowlist with a 403. Exposing the server beyond your machine takes an explicit --host 0.0.0.0, which the runtime treats as a deliberate choice, never a default.

Where the boundary is drawn#

This page says where data lives. It does not say what an attacker can do, or how a team holds the posture across a fleet. Different questions, each on its own page so every fact is written once.