Read the privacy policy of any major AI app on your iPhone. Not the summary page — the actual policy. You will find, in careful legal language, that your conversations may be stored for extended periods, reviewed by human contractors for safety and quality purposes, used to improve model performance, and retained in ways you cannot easily control or delete.
This is not a conspiracy. It is a business model. AI companies need data to improve their models. User conversations are data. The incentive to collect and retain them is strong, and the legal language in privacy policies reflects that incentive honestly, if not prominently.
Satcove's position is different. Privacy Shield is not a policy choice that a future leadership team can reverse. It is an architectural commitment: the system is designed not to store your queries in identifiable form, because data that is never collected cannot be misused.
What ChatGPT's Privacy Policy Actually Says
OpenAI's privacy policy states that it collects the content of conversations you have with ChatGPT. This content is used to train and improve their models, unless you have specifically opted out in settings (a setting that does not exist for API integrations, and that many users never discover). Your conversation history is linked to your account. OpenAI employs contractors who may review conversation content for safety purposes.
This is not a critique of OpenAI. ChatGPT's privacy practices are broadly consistent with the rest of the AI industry, and OpenAI provides more transparency than many of its competitors. But the practical consequence is clear: when you ask ChatGPT about a medical symptom, a legal problem, or a financial difficulty, that query is stored, potentially reviewed, potentially used in training, and associated with your identity.
The same is true, in varying degrees, for Claude, Gemini, and Perplexity's own consumer apps.
Satcove's Architecture Is Different
Satcove sits between you and the AI providers. When you submit a query through Satcove, it is anonymized before being transmitted to Claude, GPT-4o, Gemini, Mistral, and Perplexity. The query that reaches each AI provider carries no information that identifies you. Not your account. Not your IP address. Not any persistent identifier.
The AI providers see an anonymous query. They generate a response. That response is returned to Satcove, synthesized, and delivered to you. No persistent record is maintained linking your identity to the content of your question.
This is what Privacy Shield means in practice. It is not a toggle you switch on in hopes that a policy will be honored. It is how the system works, at the infrastructure level.
What This Means for Health Questions on iPhone
Your iPhone is the device you have with you when health questions arise. A pain that started this morning. A medication interaction you need to check before taking a second dose. A symptom that appeared yesterday that you have been pushing to the back of your mind. A mental health concern you have not mentioned to anyone.
These are exactly the questions where AI assistance is most useful — and exactly the questions where most AI apps' data practices are most problematic.
Ask a mental health question through the ChatGPT app, and you have added a data point to OpenAI's longitudinal record of your AI interactions. That record is stored, potentially linked to your account indefinitely, and governed by a privacy policy that can change.
Ask the same question through Satcove on iPhone with Privacy Shield active, and there is no data point to store. The query was anonymized before it left your device's network context. Satcove does not know what you asked. The AI providers received an anonymous query they cannot trace to you. The answer was returned and displayed. Nothing persisted.
GDPR, Data Rights, and Why Architecture Beats Policy
GDPR gives European users the right to access, correct, and delete their data held by services they use. This is an important right. It is also a right that is only as useful as the data it can be applied to.
A company that stores your conversation history can, in response to a GDPR access request, provide you with everything it holds about you. That is a meaningful exercise of transparency. But it also reveals that the data existed in the first place.
Satcove's approach to GDPR compliance is simpler: the anonymized query processing means that identifiable personal data from your conversations is not held. The right to deletion becomes trivial when there is nothing to delete. The right to access is simple when your queries are not stored against your identity.
Data minimization — collecting only what is strictly necessary — is a GDPR principle. Satcove takes it further: the system is designed so that the sensitive content of your queries is not retained at all.
Privacy Shield on All Plans: A Principle, Not a Premium
In 2026, many AI products gate privacy features behind their most expensive subscription tiers. Privacy mode, anonymous queries, reduced data retention — these are presented as premium features that users pay extra for.
Satcove's view is that this is backwards. Privacy is most important for the users who can least afford to ignore it — which is not necessarily the same as the users who can afford the highest subscription tier. Charging for privacy creates an implicit tiering of data protection by income, which is not a principle Satcove accepts.
Privacy Shield is active on the free plan. It is active on Starter. It is active on Pro. Every user who sends a query through Satcove on iPhone gets the same anonymous query processing regardless of their subscription level.
Face ID and On-Device Security
Beyond the server-side Privacy Shield, the Satcove iOS app respects iOS's native security model. The app operates within the iOS sandbox. Access to the app itself can be protected with Face ID or Touch ID through iOS's built-in app protection features.
The combination of on-device biometric security and server-side anonymous query processing creates a layered privacy architecture. Physical access to your phone requires biometric authentication. If someone does access your phone and your Satcove history, the conversation content is present — but the queries were never transmitted in a way that links them to your broader identity in Satcove's systems.
The Honest Limitation
Privacy Shield addresses the data retention problem. It does not make AI infallible. The five models that Satcove queries still have the limitations of their training — knowledge cutoffs, potential hallucinations, domain gaps. Privacy Shield ensures your sensitive questions are processed anonymously. The consensus engine ensures the answers are more reliable than any single model could provide. Together, they address the two biggest concerns about using AI for sensitive questions: reliability and privacy.
For health, legal, financial, and other sensitive questions, the combination of multi-AI consensus and Privacy Shield is qualitatively different from anything else available on iPhone today.
Download Satcove on the App Store. Ask your sensitive questions the private way.