#OPG $OPG Most privacy online is a promise. A company tells you it won't log your data, won't sell it, won't peek, and you either trust that or you don't. The policy can be sincere and still change with a new owner, a subpoena, or a quiet edit to the terms.

The deeper issue is that a promise leaves the capability intact. If a provider can see who you are and what you asked, then "we won't look" is the only thing standing between you and exposure. Restraint isn't the same as inability.

@OpenGradient Chat is interesting because it tries to remove the capability, not just pledge restraint. Its claim, in its own words, is that no single party ever holds both your identity and your prompt.

The mechanism worth noting is the relay split. Your message is encrypted on your device, then passed through a relay that sees your IP but only ciphertext, before reaching a separate enclave that can read the prompt but never learns your IP.

So identity and content are pulled apart before any model sees them. Privacy becomes a property of the wiring rather than a line in a policy.

The honest catch is that this only holds if those two layers are truly run by separate hands, and that part isn't something I can yet verify from the outside. Which raises the real question: when privacy is structural, the thing you now have to check isn't the promise, but whether the architecture is actually built the way it's described.