Does Local AI Really Stay Local? A Local AI Privacy Audit of Ollama, LM Studio, Open WebUI, and Foundry Local
Local AI privacy sounds simple: install a model, run it on your computer, and keep your prompts away from the cloud. In practice, that is only part of the story. A local model can still sit inside a workflow that uses the internet for model downloads, update checks, cloud-hosted models, web search, document processing, remote embeddings, analytics, tool calls, plugins, sync folders, or a local server exposed to your network.
The right question is not just “does the model run locally?” The better question is: does the whole workflow stay local?
As of June 2026, the answer is mixed. Ollama, LM Studio, Open WebUI, and Microsoft Foundry Local can all be part of a privacy-conscious local AI setup. None of them should be treated as a magic privacy shield without checking the surrounding configuration.
Bottom line: local inference is not the same as local privacy
A workflow is meaningfully local only if all of these stay on your device, or on infrastructure you deliberately control:
- the model inference;
- your prompts;
- the model responses;
- uploaded documents;
- document chunks;
- embeddings;
- vector stores;
- chat history;
- logs;
- local server access;
- provider API calls;
- web search;
- tools, plugins, and MCP servers;
- sync or cloud storage; and
- telemetry, diagnostics, and crash-reporting paths.
Here is the practical summary.
| Product | Best privacy description | Good for sensitive work? | Main thing to check |
|---|---|---|---|
| LM Studio | Local by default, offline-capable, but network-capable | Yes, if configured conservatively | Offline operation, local server bind address, LM Link, plugins, MCP, and stored chats |
| Ollama | Strong local inference runtime, now cloud-capable | Yes, for local models | Disable Ollama cloud features if needed, keep the API on localhost, audit any front end |
| Open WebUI | Self-hosted and local-capable, but highly extensible | Yes, but only after configuration review | Providers, embeddings, storage, web search, tools, OpenTelemetry, Docker port exposure |
| Foundry Local | Microsoft on-device runtime for local inference | Yes, for local inference | First-time downloads, optional diagnostics, local endpoint, cache location |
Beginner recommendation: if you want the simplest private document-chat setup, start with LM Studio, download a local model, confirm offline mode works, and avoid LM Link, plugins, remote MCP servers, web search, and LAN serving.
Developer recommendation: if you want a narrow local inference layer, use Ollama or Foundry Local, keep the API bound to localhost, and audit any UI, RAG layer, or agent framework you connect to it.
Self-hosted UI recommendation: use Open WebUI only if you are willing to review provider URLs, embedding settings, storage settings, tool permissions, web search, telemetry, and Docker networking. Open WebUI can be private, but it is not private just because it is self-hosted.
What “local” should mean in local AI privacy
For local AI privacy, “local” should mean more than “the model file is on my computer.”
A local model means the model weights are stored and run on your machine. That is useful, but not complete.
A local workflow means the entire data path stays local. That includes prompts, documents, embeddings, generated answers, chat history, logs, local databases, API calls, and tools.
A local server means an app exposes an API from your computer. That can still be safe when it binds only to 127.0.0.1, which means your own machine only. It becomes riskier when it binds to 0.0.0.0, publishes a Docker port to all interfaces, or is placed behind a tunnel or remote-access service.
A RAG workflow means retrieval-augmented generation. In plain English, the app breaks your documents into chunks, turns those chunks into mathematical fingerprints called embeddings, stores them in a searchable index called a vector store, retrieves relevant chunks, and gives those chunks to the model. If the model is local but the embeddings or vector store are remote, the workflow is not fully local.
An MCP server is a Model Context Protocol server. It gives a model access to tools, such as a browser, file system, database, API, or external service. MCP is powerful, but it can also turn a local chat into a networked or tool-using workflow.
A practical privacy taxonomy for local AI
Use this taxonomy when evaluating any local AI app, not just the four products in this article.
| Category | What it means | Example |
|---|---|---|
| Fully local | Model inference, documents, embeddings, vector store, logs, tools, storage, and server access all stay local. | LM Studio with downloaded models, offline operation, no LM Link, no plugins, no LAN server. |
| Local inference only | The model runs locally, but the rest of the workflow is not necessarily local. | Ollama serving a model to a separate RAG app whose embedding provider is unknown. |
| Local by default but cloud-capable | The app starts from a local posture, but optional cloud, remote, or network features exist. | LM Studio with LM Link or plugins; Ollama with cloud features enabled. |
| Local front end with remote providers | The UI runs on your machine or server, but the actual model call may go to OpenAI, Anthropic, Azure, OpenRouter, or another provider. | Open WebUI connected to OpenAI-compatible APIs. |
| Not local | Prompts, files, embeddings, or tool calls are sent to third-party services for processing. | Cloud model APIs, external embedding APIs, web search providers, cloud file connectors, remote MCP tools. |
This distinction is the core of the article. Local inference is a component. Local privacy is an architecture.
What stays local by product?
| Product | Prompts and responses | Document chat | Embeddings | Chat history and logs | Models |
|---|---|---|---|---|---|
| Ollama | Local for local models. Cloud-hosted models process prompts and responses to provide the cloud service. | Not a complete first-party document-chat product by itself. Depends on the app connected to Ollama. | Can support local embedding workflows when clients use local Ollama endpoints, but privacy depends on the client. | Ollama documents local logs. Core Ollama is not a full chat-history workspace in the same way LM Studio or Open WebUI is. | Stored under platform-specific local model directories, such as ~/.ollama/models on macOS. |
| LM Studio | Local by default for downloaded models. The privacy policy says messages, histories, and documents are saved locally by default. | Local by default according to LM Studio’s offline docs. | Local by default for built-in document/RAG use. | Conversations are stored locally as JSON under .lmstudio/conversations. Debug logs can expose exact model I/O locally. | Stored under LM Studio’s local model directory by default. |
| Open WebUI | Depends entirely on the configured backend. It supports both local and cloud-based models. | Can be local, but depends on storage, loaders, provider settings, and document integrations. | Defaults can be local, but OpenAI and Azure OpenAI embeddings are configurable. | Chats are stored in Open WebUI’s database, typically webui.db by default. | Depends on the backend: Ollama, OpenAI-compatible server, cloud provider, or other model source. |
| Foundry Local | Microsoft says prompts and outputs are processed locally when using a Foundry Local endpoint. | Not primarily a first-party document-chat workspace. Depends on the app you build around it. | Not a full default RAG workspace in the same way LM Studio or Open WebUI is. | Models are cached locally. Status endpoints can report model directory paths. Optional diagnostics may involve log sharing. | Cached locally, with CLI commands to inspect and change the cache location. |
What can still use the network?
| Product | Network paths to know about | Default, optional, or workflow-dependent? | Safer setting for sensitive work |
|---|---|---|---|
| Ollama | Model pulls, automatic app updates, Ollama cloud models, web search, proxy use, browser origins, LAN exposure, tunnels. | Model downloads are normal. Cloud features and exposure are optional. | Disable cloud features with disable_ollama_cloud or OLLAMA_NO_CLOUD=1; keep OLLAMA_HOST on 127.0.0.1; do not tunnel the API. |
| LM Studio | Model search and downloads, update checks, local-network serving, LM Link, plugins, MCP servers, remote generator plugins. | Downloads and update checks are normal. LM Link, LAN serving, plugins, and MCP are optional. | Use offline operation after setup; keep server on 127.0.0.1; avoid LM Link and remote plugins for confidential work. |
| Open WebUI | Provider APIs, web search, external embeddings, cloud storage, OneDrive/SharePoint, MCP/OpenAPI tools, Open Terminal, OpenTelemetry, Docker port publishing. | Highly configuration-dependent. | Use only local providers and local embeddings; disable search, external tools, cloud storage, and OpenTelemetry; bind to loopback or protect behind a properly configured reverse proxy. |
| Foundry Local | First-time model downloads, execution-provider/component downloads, optional diagnostics, local web server for development. | Downloads are expected on first use. Diagnostics are optional. | Pre-download models before going offline; verify service status and local cache; avoid sharing logs unless necessary. |
The practical lesson is simple: offline-capable does not mean never-networked.
Product audit: Ollama
Ollama remains one of the best ways to run local LLMs from the terminal or from a local API. For local models, its current privacy language is strong. The Ollama Privacy Policy says Ollama does not collect, store, transmit, or access prompts, responses, model interactions, or other content processed locally.
But Ollama is no longer best described as “local only by definition.” Its own FAQ distinguishes local use from cloud-hosted models. The FAQ says that when cloud-hosted models are used, prompts and responses are processed to provide the service. It also documents a way to disable Ollama cloud features.
For privacy-sensitive users, that matters. If you want Ollama to be local-only, set one of these controls and restart Ollama:
{
"disable_ollama_cloud": true
}or set:
OLLAMA_NO_CLOUD=1Ollama’s FAQ says disabling cloud features removes access to Ollama cloud models and web search. That is the right tradeoff for confidential work.
Ollama’s local server is also a privacy boundary. By default, Ollama binds to 127.0.0.1:11434, which means only the local machine should be able to connect. The same FAQ explains that you can expose Ollama on a network by changing OLLAMA_HOST, and it gives examples for proxying and tunneling with tools like ngrok and Cloudflare Tunnel.
That does not make Ollama unsafe. It means you should not casually turn a localhost AI server into a LAN or internet-accessible AI server.
Ollama settings to check
| Setting or behavior | Why it matters |
|---|---|
disable_ollama_cloud or OLLAMA_NO_CLOUD=1 | Disables cloud models and web search for a local-only posture. |
OLLAMA_HOST | Controls whether the API stays on localhost or listens on a network interface. |
OLLAMA_ORIGINS | Controls which browser origins or extensions may access Ollama. |
| Model storage path | Confirms where downloaded models live on disk. |
| Logs | Local logs may matter for debugging and retention even if Ollama does not send prompts to the vendor during local use. |
| Connected front end | Open WebUI, browser extensions, IDE tools, RAG apps, and agents can change the privacy story. |
Choose Ollama if
You want a simple local inference runtime, a terminal-first workflow, or a local API that other tools can call. Use it for sensitive work only with local models, cloud features disabled if necessary, and the server kept on localhost.
Product audit: LM Studio
LM Studio is the clearest beginner-friendly privacy story among the four tools in this audit.
The LM Studio Desktop App Privacy Policy says that none of your messages, chat histories, and documents are transmitted from your system, and that everything is saved locally on your device by default. It also says the app receives usage information only when you search for or download models, when the app checks for updates, or when you email LM Studio directly. The same policy says the app does not include telemetry or user-specific tracking.
LM Studio’s Offline Operation page is similarly direct. It says LM Studio can operate entirely offline after you have model files. It also says that chatting with models, chatting with documents, and running a local server do not require internet access. For document chat, it says the document stays on your machine, document processing is local, and nothing uploaded into LM Studio leaves the application.
That makes LM Studio a strong default choice for beginners who want to chat with documents locally.
The caveats are not contradictions. They are feature boundaries.
LM Studio can search for and download models from online repositories. It can check for updates. It can run a local API server. Its server docs say the server binds to 127.0.0.1 by default, but can bind to 0.0.0.0 to listen on all IPv4 interfaces. The docs warn that any bind other than 127.0.0.1 exposes the server beyond localhost and recommend authentication.
LM Studio also now has LM Link. The LM Link page describes using local models remotely, including models loaded on remote devices, local devices, LLM rigs, or cloud VMs. It says chats remain local while the heavy processing happens on devices you own. That may be private enough for many personal users, but it is not the same as single-device local inference.
Finally, LM Studio has a plugin and MCP ecosystem. Its plugin docs say plugins can access external APIs, and generator plugins can replace the local model, which is useful for online adapters. Its MCP docs show models using external tool servers, including remote MCP endpoints and custom headers.
For sensitive documents, LM Studio is excellent only when you stay inside the local lane.
LM Studio settings to check
| Setting or behavior | Why it matters |
|---|---|
| Offline operation | Confirms the workflow works without internet after models are downloaded. |
| Conversation storage | Chats are stored locally as JSON under .lmstudio/conversations. |
| Server bind address | Keep it on 127.0.0.1 unless you deliberately need LAN access. |
| Server authentication | Important if you expose the server beyond localhost. |
| LM Link | Remote-device processing is not the same as single-machine local processing. |
| Plugins | Plugins can transform prompts, add tools, or call external services. |
| MCP settings | MCP can let a model call external tools or services. |
Choose LM Studio if
You are a beginner, teacher, writer, lawyer, consultant, or small-business user who wants a desktop app for local chat and local document chat with the fewest moving parts. For confidential work, download models first, confirm offline mode works, keep the server on localhost, and avoid LM Link, remote plugins, and MCP tools.
Product audit: Open WebUI
Open WebUI is powerful, but it requires the most careful privacy explanation.
The Open WebUI documentation describes it as a self-hosted AI platform designed to operate entirely offline. In the same sentence, it says Open WebUI supports Ollama and OpenAI-compatible APIs and works with both local and cloud-based models. Both statements can be true. That is exactly why Open WebUI needs configuration review.
Open WebUI is not just a local chat app. It is a front end, a routing layer, a document system, a knowledge base, a tool platform, and often a team workspace. That power is useful, but it means the privacy posture depends on the deployment.
Open WebUI’s environment configuration shows why. Its default database URL is sqlite:///${DATA_DIR}/webui.db, which means chats and app data can live in a local SQLite database by default. Its RAG settings include RAG_EMBEDDING_ENGINE, with options for default local SentenceTransformers, Ollama, OpenAI, and Azure OpenAI. Its storage settings include STORAGE_PROVIDER, with local storage by default but support for S3, Google Cloud Storage, and Azure storage. It also has documented integrations for OneDrive and SharePoint.
That means Open WebUI can be local. It also means Open WebUI can become non-local with a few admin settings.
The tool surface is even more important. Open WebUI’s tools documentation warns that Workspace Tools and Functions execute arbitrary Python code on the server. Open WebUI also supports MCP, OpenAPI tool servers, web search, and Open Terminal. If those tools call the internet, read files, hit APIs, or execute shell commands, then your local model is now part of a tool-using system.
OpenTelemetry is another audit item. The OpenTelemetry docs describe variables such as ENABLE_OTEL, ENABLE_OTEL_TRACES, ENABLE_OTEL_METRICS, ENABLE_OTEL_LOGS, and OTLP exporter endpoints. Observability is not bad in a production deployment, but for confidential local use, telemetry and log export settings must be reviewed.
Docker networking is the other common trap. Open WebUI’s quick start uses -p 3000:8080. Docker’s port publishing documentation says that when ports are mapped without a specific host address, Docker publishes ports to all host addresses by default. For a private local setup, bind explicitly to loopback or use a protected deployment.
Open WebUI settings to check
| Setting or behavior | Why it matters |
|---|---|
| Model provider URLs | Determines whether prompts go to local Ollama, local OpenAI-compatible servers, or remote providers. |
| API keys | Any provider key usually means the workflow can call a third-party model or service. |
RAG_EMBEDDING_ENGINE | Determines whether embeddings are local or remote. |
DATABASE_URL | Determines where chat and app data are stored. |
DATA_DIR | Controls where uploads, cache, and local data live. |
STORAGE_PROVIDER | Can move files from local disk to S3, GCS, or Azure. |
| Web search | Search queries and page fetching are network features. |
| MCP and OpenAPI tools | Tools may call external servers or execute actions outside the chat app. |
| Open Terminal | Can provide shell and file-system access. |
| OpenTelemetry | Can export traces, metrics, and logs. |
| Docker bind address | -p 3000:8080 can expose the app beyond localhost depending on the host/network. |
CUSTOM_NAME | Open WebUI docs say it polls api.openwebui.com for metadata. Use WEBUI_NAME if you want to avoid that behavior. |
Choose Open WebUI if
You want a self-hosted web UI, multi-user access, admin controls, tool use, RAG, and provider flexibility. Do not choose it as the “easy private” option unless you are willing to audit its providers, embeddings, storage, web search, tools, telemetry, database, and Docker networking.
Product audit: Microsoft Foundry Local
Foundry Local is Microsoft’s on-device AI runtime for shipping applications that run on user devices. The current Foundry Local overview says user data never leaves the device, responses start with zero network latency, and apps can work offline. It also says Foundry Local supports Windows, macOS on Apple silicon, and Linux.
That is a strong local inference statement, but the same Microsoft page gives the important nuance. It says Foundry Local can still use the network for model and component downloads, including execution providers for the user’s hardware, and for optional diagnostics if a user chooses to share logs.
Foundry Local is also not meant to be a general multi-user inference server. Microsoft’s docs describe it as optimized for hardware-constrained devices where a single user accesses the model at a time. If you need server-style batching, concurrent request queuing, or multi-user GPU sharing, Microsoft points users toward server inference stacks instead.
The Foundry Local CLI docs say first-time model and execution-provider downloads require internet access. They also document commands for downloading models in advance, listing cached models, checking the cache location, and changing the cache directory. The REST API reference shows local endpoints such as http://localhost:<PORT> and an /openai/status response that includes endpoint and ModelDirPath information.
That makes Foundry Local a good fit for developers building local AI into apps. It is not the same product category as LM Studio’s desktop document chat or Open WebUI’s self-hosted interface.
Foundry Local settings to check
| Setting or behavior | Why it matters |
|---|---|
| First-time model downloads | The initial setup is networked. |
| Execution-provider downloads | Hardware-specific components may download on first run. |
foundry model download | Lets you pre-download models before offline use. |
foundry cache location | Confirms where model files are stored. |
foundry service status | Confirms the local endpoint. |
/openai/status | Can report local endpoints and model directory path. |
| Optional diagnostics | Sharing logs with support is a data disclosure decision. |
Choose Foundry Local if
You are building or testing an app that needs Microsoft-supported on-device inference, OpenAI-compatible local endpoints, and model lifecycle management. For ordinary beginner document chat, LM Studio is simpler.
Risk by workflow
| Workflow | Risk level | Why |
|---|---|---|
| Chatting with a downloaded model in LM Studio while offline | Low | LM Studio documents local chat and offline operation. |
| Chatting with local documents in LM Studio while offline | Low | LM Studio documents local document processing for its built-in RAG flow. |
| Prompting a local Ollama model through the local API | Low | Local model inference is local, assuming no cloud model, web search, or remote wrapper. |
| Using Foundry Local after pre-downloading the model | Low | Inference is local, but first-time downloads and optional diagnostics are still network paths. |
| Running Open WebUI with local Ollama, local embeddings, local storage, no tools, and loopback-only access | Medium-low | It can be local, but there are more settings to verify. |
| Exposing Ollama, LM Studio, or Open WebUI on a LAN | Medium | The service is no longer limited to your own machine. |
| Turning on web search | High | Search queries and page retrieval use the network. |
| Using OpenAI, Anthropic, Azure OpenAI, OpenRouter, or another cloud provider | High | Prompts and often documents are sent to a remote provider. |
| Using remote embeddings | High | Your document chunks or search text may leave the device. |
| Using MCP, OpenAPI tools, plugins, or Open Terminal | Medium to high | Tools can call remote APIs, read files, execute code, or perform actions. |
| Syncing the data directory through Dropbox, iCloud, OneDrive, Google Drive, or enterprise sync | Medium to high | Local files can become cloud-synced files. |
| Using a browser extension against a local model server | Medium | The extension becomes part of the privacy boundary. |
Safer local-only configurations
Safest beginner setup
Use LM Studio with a downloaded model, offline operation, no LM Link, no plugins, no MCP, no LAN server, and no cloud sync for the conversation folder.
This is the easiest recommendation for most readers who want a private local AI app without becoming a system administrator.
Safest developer setup
Use Ollama or Foundry Local as the runtime, pre-download models, keep the service bound to localhost, and use a minimal client that you control. Avoid browser extensions, remote RAG services, web search, and external tools unless you have audited them.
This is the cleanest pattern if you want a small local API surface.
Safest self-hosted web UI setup
Use Open WebUI only with local provider URLs, local embeddings, local storage, web search off, cloud storage off, OneDrive and SharePoint integrations off, OpenTelemetry off, Open Terminal off, and no external MCP or OpenAPI tool servers. Bind the service to loopback unless you deliberately need a network deployment, and then use authentication, firewall rules, and a trusted reverse proxy.
This is powerful, but it is not the easiest beginner privacy setup.
Safest professional setup for confidential documents
For lawyers, consultants, HR teams, finance teams, and enterprise users handling confidential material, use a dedicated machine or profile, enable full-disk encryption, keep models and chats out of cloud-sync folders, disable web search, disable remote tools, and test the workflow with the network disconnected.
Do not rely on the phrase “local AI.” Document the actual data path.
Checklist for privacy-sensitive users
Before using local AI with sensitive documents, answer these questions.
| Question | Safe answer |
|---|---|
| Does the model run locally? | Yes, a downloaded local model is selected. |
| Are cloud models disabled or avoided? | Yes, no cloud-hosted model is selected. |
| Does document chat stay local? | Yes, documents are processed locally. |
| Are embeddings local? | Yes, the embedding engine is local. |
| Is the vector store local? | Yes, the vector database is stored locally. |
| Is web search off? | Yes, unless the query is not sensitive. |
| Are provider API keys configured? | No, or only for non-sensitive workflows. |
Is the server bound to 127.0.0.1? | Yes, unless LAN access is deliberately required. |
| Is Docker publishing the app to all interfaces? | No, or it is firewalled and authenticated. |
| Are plugins, MCP servers, and OpenAPI tools disabled? | Yes, unless individually reviewed. |
| Are chats and logs stored locally? | Yes, and the storage location is known. |
| Is the storage folder synced to a cloud drive? | No, not for confidential work. |
| Does the workflow still work offline? | Yes, after model download. |
Checklist for lawyers, consultants, and enterprise users
Professionals should apply a stricter standard than hobby users. A local LLM setup for client-confidential or regulated material should have a written privacy posture.
| Control | Recommendation |
|---|---|
| Matter confidentiality | Do not use cloud models, remote embeddings, web search, or remote tools unless approved. |
| Privileged documents | Keep documents in a local encrypted folder outside cloud sync. |
| Logs and chat history | Know where they are stored, who can access them, and how they are retained. |
| API server | Keep on localhost. If network access is required, use authentication and firewall controls. |
| RAG | Confirm local embeddings and local vector storage. |
| Tool use | Disable arbitrary tools, MCP servers, OpenAPI tools, and shell access unless specifically approved. |
| Updates and downloads | Pre-download models and document when the system needs internet access. |
| Vendor claims | Treat privacy policies as useful but incomplete. Architecture settings still matter. |
| Team access | Use role-based controls, endpoint management, and logging policies if multiple users share the system. |
| Audit evidence | Keep screenshots or notes showing provider URLs, embedding engine, storage location, and disabled remote features. |
Safe wording for privacy claims
If you publish or explain a local AI setup, use careful wording.
| Avoid saying | Safer wording |
|---|---|
| “Local AI is fully private.” | “Local AI can improve privacy when the full workflow is local or remote features are disabled.” |
| “Ollama never sends data anywhere.” | “Ollama local model inference runs locally, but Ollama also supports cloud-hosted models and web search unless cloud features are disabled.” |
| “LM Studio is always offline.” | “LM Studio can operate offline after models are downloaded, but model search, downloads, updates, LM Link, plugins, and MCP can use the network.” |
| “Open WebUI is private because it is self-hosted.” | “Open WebUI can be configured for local use, but providers, embeddings, storage, tools, search, telemetry, and Docker networking must be reviewed.” |
| “Foundry Local sends nothing to Microsoft.” | “Foundry Local processes prompts and outputs locally during inference, but model/component downloads and optional diagnostics can still use the network.” |
| “A local model means local document chat.” | “Document chat is local only if document parsing, embeddings, vector storage, prompts, and logs are also local.” |
Claims to avoid
Do not say “fully private” unless you have verified the full workflow.
Do not say “air-gapped” unless the machine is actually isolated from networks and the workflow works without connectivity.
Do not assume that local inference means local embeddings.
Do not assume that a desktop app is offline.
Do not assume that a self-hosted web UI is safe if Docker publishes it on your network.
Do not assume that a local server is safe if it is exposed to the LAN without authentication.
Do not treat vendor privacy claims as complete architecture documentation.
Do not treat a remote device accessed through a private link as the same thing as single-device local inference.
Suggested screenshots for this article
These screenshots would make the article more useful:
| Screenshot | Why it helps |
|---|---|
Ollama FAQ showing disable_ollama_cloud and OLLAMA_NO_CLOUD=1 | Makes the cloud-disable setting concrete. |
Ollama FAQ showing 127.0.0.1:11434 and OLLAMA_HOST | Shows the local-server boundary. |
| LM Studio Offline Operation page | Shows the official offline and document-chat language. |
| LM Studio server bind warning | Shows why localhost versus LAN matters. |
| LM Studio conversation storage path | Shows where local chats live. |
| Open WebUI provider settings | Shows that the UI can call local or remote providers. |
Open WebUI RAG_EMBEDDING_ENGINE setting | Shows why embeddings need separate verification. |
Open WebUI DATABASE_URL and STORAGE_PROVIDER settings | Shows where data may be stored. |
| Open WebUI tools warning | Shows the risk of arbitrary tool execution. |
| Docker port publishing docs | Shows why -p 3000:8080 can expose a service beyond localhost. |
Foundry Local service status or /openai/status | Shows local endpoint and model directory information. |
So, does local AI really stay local?
Local AI can stay local, but only if you verify more than the model.
For most beginners, LM Studio is the safest first choice for local AI privacy because its desktop app privacy policy and offline docs are direct, its document chat is built in, and its default workflow has fewer moving parts. Use it offline after downloading models, and avoid LM Link, plugins, MCP, LAN serving, and cloud sync for confidential work.
For developers, Ollama is an excellent local inference layer, but you should disable cloud features if you want local-only behavior and keep OLLAMA_HOST on localhost. Remember that any front end or RAG app connected to Ollama becomes part of the privacy audit.
For self-hosters, Open WebUI is powerful but configuration-sensitive. It can be local, but it can also connect to cloud models, remote embeddings, web search, cloud storage, telemetry exporters, and external tools. Treat it as private after configuration, not private by default.
For app builders, Foundry Local is a strong Microsoft-backed on-device runtime. It processes prompts and outputs locally during inference, but setup and support flows may still involve downloads and optional diagnostics.
The final recommendation is cautious but useful: local AI privacy is real, but it is earned by configuration. A local model is the start. A verified local workflow is the goal.
FAQ
Does Ollama send my prompts to Ollama?
For local models, Ollama’s privacy policy says prompts, responses, model interactions, and other locally processed content stay on your machine. However, Ollama also documents cloud-hosted models, where prompts and responses are processed to provide the cloud service. If you want local-only behavior, disable Ollama cloud features.
Is LM Studio private for document chat?
LM Studio’s offline documentation says that when you drag and drop a document into LM Studio for document chat or RAG, the document stays on your machine, document processing is local, and nothing uploaded into LM Studio leaves the application. That assumes you are using the built-in local workflow and not adding remote plugins, MCP servers, or LM Link.
Is Open WebUI private by default?
Open WebUI can be run locally, but it should not be described as automatically private. It supports local and cloud providers, configurable embedding engines, cloud storage, web search, external tools, OpenTelemetry, and integrations such as OneDrive and SharePoint. You must review the configuration.
Does Foundry Local send anything to Microsoft?
Microsoft says Foundry Local processes prompts and model outputs locally during inference. Microsoft also says Foundry Local can use the network for model/component downloads and optional diagnostics if a user chooses to share logs.
Are local embeddings important for privacy?
Yes. Embeddings are numerical representations of text. If your document chunks are sent to a remote embedding API, your document workflow is not fully local, even if the chat model runs locally. Always check the embedding provider in RAG workflows.
Is a localhost AI server safe?
A localhost server is safer than a LAN or internet-exposed server because it listens only on your own machine. It can still create local logs and local attack surface. If you bind it to 0.0.0.0, publish Docker ports broadly, or put it behind a tunnel, it is no longer localhost-only.
What is the safest local AI setup for confidential documents?
For most non-engineers, use LM Studio with downloaded models, confirm it works offline, keep the local server off or bound to localhost, avoid plugins and MCP, and store chats outside cloud-sync folders. For developers, use Ollama or Foundry Local with a minimal local client and no remote tools or providers.
3. Source-Backed Claims
| Factual claim | Supporting source link | Source type | Caveat |
|---|---|---|---|
| Ollama says local prompts, responses, model interactions, and locally processed content are not collected, stored, transmitted, or accessed by Ollama. | Ollama Privacy Policy | Primary | Applies to local processing, not necessarily cloud-hosted models or third-party tools connected to Ollama. |
| Ollama says cloud-hosted models process prompts and responses transiently to provide the service. | Ollama Privacy Policy | Primary | Vendor privacy statement. Does not remove the need to avoid cloud models for sensitive local-only workflows. |
Ollama documents disable_ollama_cloud and OLLAMA_NO_CLOUD=1 as ways to disable cloud features. | Ollama FAQ | Primary | Configuration must be applied and Ollama restarted. |
| Ollama says disabling cloud features removes access to cloud models and web search. | Ollama FAQ | Primary | This is a product-specific setting and may change with future releases. |
Ollama binds to 127.0.0.1:11434 by default and can be exposed by changing OLLAMA_HOST. | Ollama FAQ | Primary | Localhost behavior can be changed by the user or deployment environment. |
Ollama documents model storage paths including ~/.ollama/models on macOS and platform-specific locations for Linux and Windows. | Ollama FAQ | Primary | Users can change model location with OLLAMA_MODELS. |
| LM Studio says messages, chat histories, and documents are not transmitted from the system and are saved locally by default. | LM Studio Privacy Policy | Primary | Applies to the desktop app default behavior, not every plugin, LM Link, MCP, or remote-provider workflow. |
| LM Studio says the app does not include telemetry or user-specific tracking. | LM Studio Privacy Policy | Primary | The policy still identifies update checks and model search/downloads as network events. |
| LM Studio says it can operate entirely offline after model files are present. | LM Studio Offline Operation | Primary | Model search, model downloads, and update checks still require network access. |
| LM Studio says document chat/RAG documents stay on the machine and document processing is local. | LM Studio Offline Operation | Primary | Applies to LM Studio’s built-in document workflow, not necessarily third-party plugins or external tools. |
LM Studio stores conversations locally in JSON under .lmstudio/conversations. | LM Studio Manage Chats | Primary | Local storage still requires device security, backups, and retention controls. |
LM Studio’s local server binds to 127.0.0.1 by default and warns that other bind addresses expose the server beyond localhost. | LM Studio local server docs | Primary | LAN exposure can be deliberate and may be safe with authentication and firewall rules. |
| LM Link lets users load models on remote machines and use them as if they were local. | LM Link | Primary | End-to-end encrypted remote use is not the same as single-device local inference. |
| LM Studio plugin docs say generator plugins can replace the local model and are suitable for online model adapters. | LM Studio Plugins | Primary | Plugins must be audited individually. |
| LM Studio MCP docs show MCP servers can be remote and may use custom headers. | LM Studio MCP docs | Primary | MCP is powerful but changes the data path. |
| Open WebUI describes itself as self-hosted and offline-capable while supporting Ollama and OpenAI-compatible APIs for local and cloud-based models. | Open WebUI docs | Primary | The phrase “offline-capable” depends on actual configuration. |
Open WebUI’s default DATABASE_URL is sqlite:///${DATA_DIR}/webui.db. | Open WebUI environment variables | Primary | Admins can change the database to other backends. |
| Open WebUI’s RAG embedding engine can use local SentenceTransformers, Ollama, OpenAI, or Azure OpenAI. | Open WebUI environment variables | Primary | The privacy posture depends on which embedding engine is configured. |
Open WebUI supports cloud storage providers such as S3, GCS, and Azure through STORAGE_PROVIDER. | Open WebUI environment variables | Primary | Default is local, but cloud storage changes the data path. |
| Open WebUI documents OneDrive and SharePoint integration for file access from Microsoft accounts. | Open WebUI OneDrive and SharePoint integration | Primary | Optional integration. Relevant only if enabled. |
| Open WebUI tools can execute arbitrary Python code on the server. | Open WebUI tools docs | Primary | Tool safety depends on installed tools, permissions, and server isolation. |
| Open WebUI documents OpenTelemetry variables for exporting traces, metrics, and logs. | Open WebUI OpenTelemetry docs | Primary | OpenTelemetry is useful for operations but must be reviewed for sensitive deployments. |
| Docker publishes mapped ports to all host addresses by default when no host address is specified. | Docker port publishing docs | Primary | Docker version and host firewall still matter. Bind explicitly to loopback for local-only use. |
| Microsoft says Foundry Local runs AI applications on the user’s device and user data never leaves the device. | Foundry Local overview | Primary | Vendor claim for Foundry Local local inference; surrounding app behavior still matters. |
| Microsoft says Foundry Local processes prompts and model outputs locally when sent to a Foundry Local endpoint. | Foundry Local overview | Primary | Does not mean setup never uses the network. |
| Microsoft says Foundry Local can still use the network for model/component downloads and optional diagnostics. | Foundry Local overview | Primary | This is the key caveat to “local inference.” |
| Foundry Local supports Windows, macOS on Apple silicon, and Linux. | Foundry Local overview | Primary | Platform support may evolve as the product develops. |
| Foundry Local CLI docs say first-time model and execution-provider downloads require internet access and that users can pre-download models for offline use. | Foundry Local CLI docs | Primary | Offline readiness requires downloading models and components first. |
Foundry Local REST status can report local endpoints and ModelDirPath. | Foundry Local REST API reference | Primary | Useful for verification, not a complete privacy audit by itself. |
4. Publication Blockers
No publication blockers identified.
5. Editorial QA Checklist
| Checklist item | Status |
|---|---|
| It does not overstate model performance. | Confirmed. The article is about privacy behavior and configuration, not performance rankings. |
| It distinguishes “can run” from “pleasant to use.” | Confirmed where relevant. Foundry Local and Open WebUI are distinguished by workflow fit, not just capability. |
| It distinguishes open source, open weight, locally runnable, and private. | Confirmed. The article repeatedly distinguishes local inference from local end-to-end privacy. |
| It does not claim privacy unless the whole workflow is local. | Confirmed. The article avoids “fully private” claims except as a conditional configuration category. |
| It identifies license or commercial-use caveats. | Not materially applicable. The article does not make model-license or commercial-use claims. |
| It identifies quantization, context-window, RAM, VRAM, or runtime assumptions where relevant. | Not materially applicable. Hardware and quantization are not central to this privacy article. |
| It distinguishes model capability from runtime support. | Confirmed. Ollama and Foundry Local are treated as runtimes, while LM Studio and Open WebUI are treated as broader apps/platforms. |
| It distinguishes total parameters from active parameters for MoE models where relevant. | Not applicable. The article does not compare MoE model specifications. |
| It avoids unsupported benchmark claims. | Confirmed. No benchmark claims are made. |
| It avoids vendor hype. | Confirmed. Vendor statements are treated as source claims with caveats. |
| It is ready to paste into a CMS. | Confirmed. The article is complete, uses clean Markdown, includes tables, source-backed claims, publication blockers, and an editorial QA checklist. |