Cheatsheet: Why your worry is rational: three things to actually worry about
The three worries
Section titled “The three worries”| Worry | What it means in plain language |
|---|---|
| Surveillance | Every interaction is observed. Text travels through real systems; the people maintaining those systems can read it. |
| Storage and leak risk | What the tool keeps can be exposed later, by a breach or by a human reviewer inside the company. |
| Vendor lock-in | The rules you signed up under can change after you have already trusted the tool, and getting out is harder than getting in. |
One test per worry
Section titled “One test per worry”Surveillance: the postcard test
Ask yourself: would I write this on a postcard and leave it on a park bench? If no, the sensitivity level is too high for a tool whose data path you have not verified. Short-form: if it is sensitive, do not paste it into an unchecked tool.
Storage and leak risk: the what-if-leaked-tomorrow test
Ask yourself: if this conversation appeared in a news article next year with my name attached, what is the consequence? Nothing serious: paste. Job loss, client complaint, or a parent’s grievance: do not paste. Same test you already apply to email; the tool is a new surface, the test is old.
Vendor lock-in: the architecture-vs-promise test
Ask yourself: is this tool’s privacy protection built into how it works (it cannot retain certain data by design) or is it a promise (the company says it will not)? Promises change; architectures are harder to change. Prefer architecture over promise when the choice is available.
Three pitfalls to dodge
Section titled “Three pitfalls to dodge”| Pitfall | Reality |
|---|---|
| ”Privacy mode” is a privacy guarantee | Read what each mode actually promises. A “temporary chat” or “incognito” mode typically limits training use and visible history but still stores the conversation for some period. The specific protections are real; they are narrower than the word suggests. |
| ”They cannot identify me” = “they cannot reach me” | Reducing identifying information is not the same as eliminating risk. Data about how you use a tool can still be exposed in a breach even when your legal name is not attached. These are two different threats managed two different ways. |
| The first setting I find is the whole picture | Multiple layers interact: account-level settings, app-level settings, browser-level settings, and tool-specific feature toggles (training opt-out, conversation memory). Never assume the visible toggle is the only one. |
Before you paste: 3-step gut check
Section titled “Before you paste: 3-step gut check”- Postcard test. Would I write this on a postcard? If no, stop.
- Leak test. If this appears in a news article next year, what happens? If the answer is serious, stop.
- Policy check. Have I verified this tool’s data-handling for this kind of content? If no, check first or choose a different tool.
If all three clear, paste.
Where each worry gets resolved in the track
Section titled “Where each worry gets resolved in the track”| Worry | Where the track addresses it formally |
|---|---|
| Surveillance | Phase 2 (data-flow trace): maps every hop your text takes before the model sees it. |
| Storage and leak risk | Phase 3 (threat models): formalizes breach risk and training-data extraction as distinct threat categories with distinct defenses. |
| Vendor lock-in | Phase 4 (vendor policies): the five-question rubric you run in under ten minutes on any tool. |
| All three, together | Phase 5 (local-first architecture): shows how architectural choices eliminate some worries by design rather than by promise. |
| Your complete picture | Lesson 6.6 (final plan): the paragraph you draft in lesson 1.2 becomes a full personal privacy plan. |
Vocabulary to carry forward
Section titled “Vocabulary to carry forward”- Surveillance: the ongoing observation of interactions as they travel through systems. Not a conspiracy; how networked software works.
- Storage retention: how long a vendor keeps conversation data and under what terms.
- Training opt-out: a setting that tells the vendor not to use your conversations to train future model versions. Available on some tools and plans; not universal.
- Architectural privacy: privacy protection built into how a system is built (what it cannot retain by design), as opposed to promise-based privacy (what the vendor says it will not do).
- Threat model: a description of what you are protecting, from whom, and what the consequences of exposure would be. Lesson 1.2 is where you build your first one.