Feature explainer · April 2026

Privacy filter

Remove personal info from your screen data before it reaches any AI model — inside an enclave you can verify didn't store, log, or leak anything.

What it does

When the Privacy toggle in chat is on (the shield icon next to the send button), every piece of text Screenpipe pulls from your screen — OCR of what you're reading, audio transcripts, accessibility text, memory notes — is run through a privacy filter before it's shown to the AI you're chatting with.

The filter replaces personal info with placeholders:

Before:  "email louis.beaumont@gmail.com about the Stripe invoice for 555-1234"
After:   "email [EMAIL] about the Stripe invoice for [PHONE]"

Currently detected:

• [PERSON] — names
• [EMAIL] — email addresses
• [PHONE] — phone numbers
• [ADDRESS] — physical addresses
• [ACCOUNT] — account numbers, SSNs, card numbers
• [URL] — URLs that look personal
• [DATE] — dates that look personal
• [SECRET] — API keys, tokens

Why it's different from a regex

Most "PII scrubbers" are pattern matches — find anything that looks like @ + domain, replace it. That catches obvious stuff and misses everything else. Names without context, addresses without zip codes, account numbers formatted oddly — all slip through.

Our filter uses a 1.5B-parameter token-classification model (openai/privacy-filter) fine-tuned specifically to find private info in free text. It reads the whole sentence and decides, token by token, what is and isn't personal.

The confidential part

We run this filter in a confidential-compute enclave hosted by Tinfoil. A confidential enclave is a virtual machine whose memory is encrypted by the CPU (AMD SEV-SNP / Intel TDX) — even the cloud provider running the hardware can't read what's inside.

The practical guarantees:

• Attested code. The enclave publishes a signed measurement of the exact container image it's running. Anyone can fetch the measurement and check it against the open-source code. If the measurement doesn't match, the enclave is compromised and your client will refuse to talk to it.
• No disk. The enclave has no persistent storage. Nothing written during a request survives past the request — by design, not policy.
• No logs. The server code doesn't log request bodies. Anyone can audit it.
• Encrypted transport. HTTPS from your machine to the enclave. Tinfoil's load balancer terminates TLS inside the attested boundary, so the decrypted text only exists in enclave memory.

What Screenpipe sees

Your screenpipe-server (running locally on your computer) calls the enclave directly. The text leaves your device, gets redacted inside the enclave, and comes back with names/emails/etc. replaced. Screenpipe's own cloud is not in the path — we can't see the raw text even if we wanted to.

The enclave caches recent redactions by content hash (SHA-256) for 1 hour so repeated screen content (the same email thread, the same IDE file) doesn't re-pay the round trip. Nothing else persists.

Where it's applied

• Chat: toggle the shield icon above the send button. The app adds filter_pii=1 to every search the AI performs on your screen data.
• Pipes: set privacy_filter: true in a pipe's front-matter to have every search the agent runs pre-redacted.
• Direct API: append ?filter_pii=1 to any /search request against your local screenpipe-server.

Limits

• Latency. Adds ~1–2 seconds per search. We cache aggressively so repeated data is nearly free, but the first hit on new text pays a round-trip.
• Model imperfection. The model is very good (>99% on common categories in our tests) but not perfect. Don't rely on it as your only line of defense for secrets you must not leak — combine with the "ignored windows" filter and don't record password managers.
• Not raw frames. Screenshots are binary images; the filter works on the text already extracted from them. If raw-image upload is ever added, that's a separate feature with its own consent.
• Pro tier. The toggle is enabled for Pro subscribers — the compute isn't free. Non-pro users see the shield icon with an upgrade link.

Open source

All of this is auditable:

• Filter service + Dockerfile + Tinfoil deploy config: https://github.com/screenpipe/privacy-filter
• Client-side integration in Screenpipe: crates/screenpipe-engine/src/privacy_filter.rs
• Tinfoil's attestation SDK for verifying the running enclave: docs.tinfoil.sh

Questions or suggestions? louis@screenpi.pe.