I went down this rabbit hole because of the OpenAI–Musk case.
If you followed the discovery fight, you'll have seen people's AI chats getting pulled into evidence, which is embarrassing enough. But then I started actually thinking about it and it gets worse. Ask ChatGPT "what the hell is my lawyer on about here" and paste in the email, and there's a real argument you've just broken privilege — that conversation isn't protected any more, and it's discoverable. You took something covered by attorney-client privilege and handed it to a third party. Gone.
Once you see that, you can't unsee it. Who else is quietly walking into this? The clinician typing case notes into an assistant. The journalist working a source on a laptop they'll carry through a border checkpoint where a guard can ask them to unlock it. The activist. The executive who wants to think out loud without every half-formed thought becoming a future exhibit. For all of these people, every mainstream AI tool has the same architecture: it keeps everything. Every prompt, every document, every recording, forever, on someone else's server. For most of us most of the time that's just convenient. For anyone handling genuinely sensitive material it's a liability that never expires and that you have no real control over.
The whole industry runs on "trust us." So I built Burn Box — mostly, if I'm honest, to see if I could — on the opposite principle: you don't have to.
The tagline I landed on says it best: the AI that forgets on command. Here's how it actually works, because the mechanism is the point.
Everything is encrypted on your device. The cloud only ever sees ciphertext. Not "we promise not to look" — we can't look, because we never hold anything readable. Zero-knowledge in the literal sense: the operator has zero knowledge of your content.
Which immediately raises the obvious objection: if the server only ever sees ciphertext, how does the AI read your data to do anything useful? You can't run inference on noise. This is the genuinely hard part, and the answer is sealed-enclave inference. The model runs inside a confidential-computing environment — a TEE — with hardware attestation, so the data is decrypted only inside the enclave, where neither the hosting company nor the model provider can introspect it. I built this on Phala, running the model in the enclave with the working memory locked so it can't even get swapped out to disk where something could scrape it. The chat is encrypted from your device, through the network, into the sealed enclave and back. There is no point in that path where a human at the hosting company can quietly tail your prompts. That's the bit I'm proudest of, because "private AI" usually means "private until it reaches our servers, then trust us" — and this genuinely isn't that.
And then you can burn it — with proof. This is where the spy-movie stuff lives, and yes, I enjoyed building it far too much. Any conversation, document, meeting or recording can be destroyed on command, and you get back a signed receipt anyone can verify. Not "trust me, I deleted it." Cryptographic evidence.
The honest mechanism, for the engineers in the room, is crypto-shredding: your content only ever existed as ciphertext, so to destroy it you destroy the key. No key, and the ciphertext is mathematically indistinguishable from noise — unrecoverable by anyone, including me, including a court order served on me, because there is nothing left to hand over. The burn receipt attests that the key is gone, signed, verifiable. You're not proving you deleted a file; you're proving you destroyed the only thing that ever made it readable.
The fun part is how you can trigger a burn:
- A tap, obviously.
- A TTL — set it to forget on a timer.
- A geofence — burn if the device leaves (or enters) a place.
- A duress burn — a passphrase that looks like it's unlocking but is actually torching everything. For the border-checkpoint scenario, that one's not paranoia, it's the whole use case.
- A voice passphrase.
- And a deadman switch — if you don't check in, it burns. With an optional twist: instead of just destroying, it can send to someone you nominated first. The "if you're reading this, something happened to me" envelope, made real. Like in the movies, except the cryptography is load-bearing.
It's not just a chat box, either. It does conversations, meetings and files, with the same workspace surfaces I lean on everywhere else — chat, cowork, meeting, documents — so it's an actual private workspace, not a privacy toy you'd never do real work in.
Where it's at: early access on macOS, and as of writing I'm wiring up payments before a beta. So this is genuinely "shipped enough to use, rough enough to be honest about" — the usual state of the things I'm most excited by.
But here's why I think it's more than a weekend flex. We're sleepwalking into a world where every AI interaction is logged forever and increasingly discoverable — by courts, by hackers, by border officials, by whoever buys the company that holds your data three acquisitions from now. The defining property of that world is that nothing is ever truly gone. Burn Box is a small argument that it should be able to be. The most private data is the data you never retained. The safest conversation is the one that can prove it no longer exists.
Most AI is built to remember everything. This one is built to forget on command — and to prove it did.
Which, in 2026, might be the more radical feature.