The debate that frames the year
2026 has been a year of open argument about how much of your private communication third parties should be able to see. In July, the European Parliament voted for its position on the bloc's temporary message-scanning rule — the voluntary regime that lets providers choose to scan for known child-abuse material — and amended it to carve out end-to-end-encrypted chats, proposing an extension to 2028. That position still has to be reconciled with EU governments, so it is not yet settled law. The far more sweeping instrument — the permanent regulation that could compel mandatory detection orders, what critics call client-side scanning — remains stuck in negotiation, and is not law.
It is not only Europe. The UK's Online Safety Act gives Ofcom the power to require “accredited technology” to scan messages — including encrypted ones — though no such technology has actually been accredited. In the US, the STOP CSAM Act has sat in the Senate since mid-2025 with no floor vote. Australia's industry codes took effect in March, under a live dispute over whether compliance forces providers to weaken encryption.
Both sides of this argument are serious, and worth stating fairly. Child-safety advocates point to a real decline in detection — NCMEC CyberTipline reports fell from 36.2M in 2023 to 20.5M in 2024 — and note that narrow hash-matching of known material is comparatively privacy-preserving. Security researchers — more than 800 signed a 2025 open letter — counter that scanning content before it is encrypted breaks the guarantee for everyone, produces false positives at population scale, and builds an infrastructure that is easy to repurpose.
Anuma does not take a political position in that fight. But it clarifies the stakes. Whatever a given jurisdiction settles on, one structural fact is true of any cloud AI: to get an answer, your words leave your device. Our response to that exposure is not a slogan — it is data minimization, applied before anything is sent.
The exposure: your prompt has to leave
Anuma is a model-agnostic aggregator — the whole point is that you can send the same question to GPT-5, Claude, Gemini, Grok, Qwen, and dozens of others. But that also means your prompt physically travels to a third-party provider to be answered. Whatever you typed — a client's name, a medical detail, a home address — is in that request. Most AI apps send it verbatim.
For an aggregator the stakes are higher, not lower: your words may reach any of a dozen companies depending on which model answers. So the exposure has to be handled before the request is routed anywhere.
How on-device redaction works
Anuma runs a redaction pass locally, on your device, before the request leaves. Version one targets the personal data with a well-defined shape, using the same kind of pattern matching that underpins mature privacy tooling like Microsoft's open-source Presidio.
Pattern and checksum matching handles the structured identifiers — email addresses, phone numbers, credit-card and account numbers. It is highly precise (a card number that passes a checksum is unambiguous), but brittle to odd formats, and it can't catch personal data with no fixed shape: a name, an address, or an employer woven into ordinary prose. Detecting that takes a model — the next layer we're building (see below).
Crucially, detected values are replaced with typed placeholders — [EMAIL_1], [PHONE_1] — not deleted. Consistent, numbered tokens preserve the structure of your request: the model still knows there is an email address and a number to reach, and can tell them apart across a conversation; it just never learns the real values. When the response returns, the originals are restored locally so your own view stays intact. This is pseudonymization — reversible by design, with the mapping held only on your device.
Doing this on-device is the point. What the pass catches never touches Anuma's servers, a gateway, or the model provider — only the redacted prompt travels onward. It sits alongside the rest of Anuma's privacy architecture rather than replacing it. Your data is encrypted on your device, and Anuma does not train on your conversations — your prompts are not someone else's dataset.
What Anuma's own data shows
The most honest test of a privacy claim is what a company does with its own data. So here is what the Anuma index shows about how minimization plays out in practice — measured, with the caveats stated.
We keep no prompt content — and we can prove it. Anuma's product analytics record behavioral metadata only: which model answered, token counts, latency, cost. They store no prompt or response text at all. Across every model generation we logged in a recent week, the fields that could hold conversation content were empty — zero characters — and the event schema has no place to put it.
Users already reach for models they can control. Roughly one in four deliberate model picks in the past week went to open-weight, self-hostable models — the Kimi, GLM, MiniMax, Qwen and peer families that can run without a single large-lab API in the loop. One honest note: a recent 30-day reading of ~38% was inflated by a single model, Qwen-3.6-Max, that has since been retired. Stripped of that spike, the open-weight share is a durable ~quarter of deliberate choices — and it has held as that model left, carried by the rest of the field. Demand for controllable models is real, not a one-model artifact.
Privacy is built in at the account layer, too. Anuma accounts are wallet-based — you can use the product without ever handing over an email address, which is itself a piece of PII most apps collect by default. Fully private, temporary chats — which retain nothing — are so far used by a small, deliberate minority; we'd rather report that plainly than dress up a thin number.
Limits, and what we don't claim
Redaction is best-effort, and the honest framing matters more than the pitch. Detection forces a tradeoff between catching everything (which over-redacts and strips the context the model needs) and catching only what it's sure of (which lets some data through). Personal data in unusual formats, or woven into free-form prose, can slip past — and coverage is weaker outside English, where entity models degrade sharply.
Two deeper limits deserve to be named. First, removing direct identifiers is not anonymity: 87% of Americans are uniquely identifiable from ZIP code, birth date, and gender alone — none of which a per-item redactor necessarily strips. Re-identification exploits combinations, not single fields. Second, redacting theinput does not stop a model from inferring or memorizing on its own side. So this is a strong reduction of exposure — not a guarantee of zero exposure, and we won't call it one.
Version one — and where it goes next
What ships today is version one: pattern-based detection of structured PII with reversible, typed placeholders. It is deliberately a floor, not a ceiling. The directions we consider most credible for advancing it:
A local small-model detector — a compact, on-device model to catch the contextual PII that patterns miss (names and addresses woven into prose), keeping raw data off our servers entirely. A richer, versioned taxonomy that keeps up with how personal data actually evolves — crypto wallet addresses, device identifiers, new national-ID formats. Multilingual parity, given how sharply English-only detection falls off. User-tunable aggressiveness, with a visible confidence signal per redaction instead of a silent yes/no. And for the content that genuinely must reach a large cloud model, confidential-computing enclaves — GPU trusted execution environments now run inference at under ~7% overhead, so even the provider's host never sees plaintext. The research frontier beyond that is query-aware redaction: stripping only the personal data that isn't needed to answer, and keeping what is.
Redaction is one layer, not the whole story. It works together with on-device encryption, a no-training policy, and the option to run open models with zero retention for the most sensitive work. The goal isn't a slogan — it's to make the private path the default one.
This piece describes Anuma's on-device PII-redaction approach at a conceptual level; the hero example is illustrative, and the exact detected categories and behavior evolve as the feature ships. Legislative status is summarized as of July 2026 and is actively changing — the EU's July vote was Parliament's position on the voluntary regime, not final law, and the mandatory detection-order regulation remains unresolved. Usage figures are drawn from Anuma's own Consumer Model Index; open-weight and private-chat shares are directional and, where small, are reported as such.