Proton Unveils Lumo: The Privacy-First AI Assistant with Zero-Access Encryption & No Data Logging
Privacy in the age of ubiquitous AI assistants is becoming an increasingly nebulous concept. Many neural network-powered services collect, store, and analyze user queries, transforming personal conversations into fuel for algorithmic training. Against this backdrop, Swiss company Proton has unveiled its latest innovation — Lumo, an AI assistant boldly positioned as a fully transparent solution that does not compromise digital privacy.
Renowned for its commitment to digital security through offerings such as Proton Mail, Proton VPN, and Proton Drive, the company officially transitioned to a nonprofit model in 2024, underscoring its prioritization of data protection over profit. Lumo is a natural extension of this philosophy — an AI tool designed to assist without harvesting any user data.
Unlike most mainstream models that operate as closed systems and transmit all interactions to external servers, Lumo is built on open-source language models. Its most distinctive feature is the absence of server-side query histories: no fragments of conversations are stored, and any user-selected data is encrypted such that only the user’s own device can access it. Technically, server-side content retrieval is rendered impossible by design.
Lumo leverages Proton’s open cryptographic framework, and its entire codebase is publicly accessible. This ensures that anyone — from developers to privacy advocates — can inspect how the system operates, not just in theory but line by line in practice.
By default, the assistant refrains from fetching external data and purges all chat history upon session termination. Users may interact with Lumo without a Proton account, although functionality is limited in guest mode: one may pose only a restricted number of questions and will lack access to chat history.
Registered Proton users benefit from enhanced features, such as the ability to upload files and preserve conversations with basic protection. The highest level of access is unlocked through a premium subscription, which lifts all limitations, enables the processing of large documents, allows full chat history navigation, and supports the creation of curated chat collections. Seamless integration with Proton Drive further allows users to securely upload files directly from their encrypted cloud storage.
Lumo’s interface follows the familiar structure of modern AI platforms — a message input window, conversation history, a send button, and file attachment support. All document uploads are automatically encrypted, offering users peace of mind that their files remain protected from unauthorized access.
The entire infrastructure is hosted within the European Union, operating under the jurisdiction of the General Data Protection Regulation (GDPR). This ensures that personal data cannot be transferred to territories with weaker privacy safeguards.
At launch, Lumo is available in English, French, German, Spanish, and Italian. Additional language support is anticipated in the future, though no definitive timeline has been provided.
Proton emphasizes that most AI companies retain chat logs on their servers — not merely as a technical convenience, but as a fundamental component of their business model. In the event of data breaches or external coercion, such information could be compromised. Lumo, by contrast, is designed with a diametrically opposed architecture: one that eliminates even the hypothetical possibility of retrospective dialogue analysis.
Though this design choice complicates model training, it aligns perfectly with Proton’s ethos: the user should never be forced to choose between convenience and privacy. Whether this vision proves effective in real-world usage remains to be seen, but because the code is public, the open-source community can now review, refine, and validate every aspect of its implementation.