Talk to the model. Without handing it your customers.

Burner is a native Mac app for private AI chats. Names, clients, codenames, API keys, OAuth tokens, private endpoints, and acquisition targets are detected on-device and replaced with tokens before any text leaves this machine. The model reads structure. Your secrets stay on the disk.

Burner, while you type. Names, API keys and acquisition targets are caught and tokenized before the prompt ever leaves the disk — the model still gets a useful question to answer.

    Three things we won't break.

    Not feature checklists. Constraints we'll defend when the easier thing is to compromise them. They limit what Burner can do — by design — so the things it can do, it does well.

    1. Your conversations stay sealed on this Mac.
       Chat history is sealed with a hardware-backed key derived from your account. Lose the Mac, lose the keys. There is no cloud copy because there is no cloud.
    2. Nothing phones home.
       No analytics, no crash beacons, no "helpful" usage pings. The only outbound traffic is the prompt you chose to send, to the model you chose to route it to.
    3. Local first. Remote on demand.
       Apple Foundation Models and LM Studio handle anything local. Remote inference is opt-in, per message, with redaction on by default. The keypress to stay on-device is one keystroke shorter than the keypress to reach out.

    What you typed

    Draft an incident note. The Project Halon API key sk_live_8a3df2c941b0 was exposed in the public repo last night. Affected accounts include Maria Chen at Northwind and Theo Vance at Bluefin. Sentinel's security lead (jamie@sentinel.co) wants a written summary by EOD.

    Composer · local buffer 14:02:11

    What left this Mac

    Draft an incident note. The <Pr·1> API key <K·1> was exposed in the public repo last night. Affected accounts include <P·1> at <O·1> and <P·2> at <O·2>. <O·3>'s security lead (<E·1>) wants a written summary by EOD.

    Outbound · TLS · 8 entities redacted 14:02:11.214
    One prompt · two messages · only one is on the internet now

    Entities out. Types in.

    Burner's PII scanner runs on every keystroke. People, organizations, project codenames, emails, and credentials — API keys, OAuth tokens, cloud secrets, private keys — become type-preserving tokens. The remote model sees the shape of the problem; Burner reverses the tokens locally, so the conversation reads naturally — to you, and only to you.

    Maria Chen → <P·1>
    Theo Vance → <P·2>
    Northwind → <O·1>
    Bluefin → <O·2>
    Sentinel → <O·3>
    Project Halon → <Pr·1>
    sk_live_8a3df2c941b0 → <K·1>
    jamie@sentinel.co → <E·1>
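
The substitution described above, as an added Python example that is not Burner's own code: a local vault issues type-preserving tokens, keeps the mapping on the machine, and reverses tokens in the reply. The `KNOWN` list, both regexes and the `Vault` class are assumptions; the page does not say how detection works.

```python
import re

# Constructed stand-ins for on-device detection (assumptions, not Burner's):
# known people/orgs/codenames (P/O/Pr) and patterns for emails (E), keys (K).
KNOWN = {"P": ["Maria Chen", "Theo Vance"],
         "O": ["Northwind", "Bluefin", "Sentinel"], "Pr": ["Project Halon"]}
PATTERNS = {"E": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
            "K": re.compile(r"\bsk_live_[0-9a-f]{12,}\b")}
TOKEN = re.compile(r"<(?:P|O|Pr|E|K)·\d+>")

class Vault:
    """Mapping between real values and tokens; it never leaves the machine."""
    def __init__(self):
        self.by_value, self.by_token, self.counts = {}, {}, {}

    def token_for(self, kind, value):
        if value not in self.by_value:  # a repeated value reuses its token
            self.counts[kind] = self.counts.get(kind, 0) + 1
            token = f"<{kind}·{self.counts[kind]}>"
            self.by_value[value], self.by_token[token] = token, value
        return self.by_value[value]

    def redact(self, text):
        spans = [(m.start(), m.end(), kind)
                 for kind, rx in PATTERNS.items() for m in rx.finditer(text)]
        for kind, names in KNOWN.items():
            for name in names:
                rx = re.compile(rf"\b{re.escape(name)}\b")
                spans += [(m.start(), m.end(), kind) for m in rx.finditer(text)]
        # Earliest span first, longest first on ties; skip overlapping spans.
        spans.sort(key=lambda s: (s[0], s[0] - s[1]))
        out, pos = [], 0
        for start, end, kind in spans:
            if start >= pos:
                out += [text[pos:start], self.token_for(kind, text[start:end])]
                pos = end
        return "".join(out) + text[pos:]

    def restore(self, text):
        # Tokens the vault never issued (e.g. invented by the model) stay as-is.
        return TOKEN.sub(lambda m: self.by_token.get(m.group(0), m.group(0)), text)

    def leaks(self, outbound):  # known real values still present verbatim
        return [v for v in self.by_value if v in outbound]

if __name__ == "__main__":
    vault = Vault()  # constructed sample built from the page's demo values
    sent = vault.redact("Maria Chen at Northwind leaked key sk_live_8a3df2c941b0.")
    print(sent, vault.leaks(sent), vault.restore("Rotate <K·1> and tell <P·1>."))
```

`leaks` is a substring check, so it flags a vaulted value that the word-boundary detector missed (for example a name glued to other text) before the message is sent.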

    Same discovery. Different conversation.

    Six months from now, a discovery request lands — for a deal that went sideways, a leak you didn't cause, a regulator on a fishing trip. The question becomes simple: what's discoverable about your customers in someone else's server logs? With Burner, the answer is on this page.

    Without Burner · Exhibit B-01

    Every name, every key, the M&A target.

    Produced in full. Verbatim. Maria, Theo, Sentinel, Project Halon, jamie@sentinel.co, sk_live_8a3df2c941b0 — searchable, time-stamped, attached to your user ID. Privilege already gone. The cheap reply was expensive after all.

    PRODUCED ROWS
    Maria Chen  Northwind  Theo Vance  Bluefin  Project Halon  Sentinel  sk_live_8a3df2c941b0  jamie@sentinel.co  …

    With Burner · Exhibit B-02

    Type-preserving tokens. Nothing identifying.

    Produced in full. Verbatim. Type-preserving placeholders for every person, org, credential, project, and email. The names, the API key, and the acquisition target never left this Mac. Discovery still happens. It just produces less.

    PRODUCED ROWS
    <P·1>  <O·1>  <P·2>  <O·2>  <Pr·1>  <O·3>  <K·1>  <E·1>  …

    Pick the model. Or let the prompt pick.

    Burner is model-agnostic. Short replies and edits go to Apple Foundation. Open-weight runs go through LM Studio or Ollama. The heavyweight reasoning lives on a remote — with the filter in front of it. The route is always visible, always reversible.

    • On-device
      Apple Foundation Models
      Native on-Mac inference for short replies, summaries, and edits. Nothing leaves the device. Cold-start is sub-second.
    • On-device
      LM Studio
      A polished UI for open-weight models — Llama, Mistral, Qwen. Pick a quant, pick a runtime. Burner routes through it.
    • On-device
      Ollama
      A friendlier CLI for the same. Pull a model once, run it forever. Burner sees the local endpoint and treats it like the rest.
    • Remote
      Leading frontier models
      When the task wants the heavyweight, route there explicitly — with the privacy filter on by default. Provider names appear only where strictly necessary.