The Privacy Threat That Isn't Hackers
Most people think their data is at risk from breaches. The more likely risk is the company itself: bankruptcy, acquisition, or a policy change you didn't notice.
When 23andMe filed for Chapter 11 bankruptcy in March 2025, the genetic data of roughly 15 million people became a line item in a liquidation proceeding. Not because someone hacked the servers. Because the company ran out of money.
The privacy policy customers had agreed to — when they spit in a tube, mailed it off, and learned they were 23% Norwegian — included a clause about data transfer in bankruptcy. The court-appointed Consumer Privacy Ombudsman later found that it was "highly unlikely that a typical 23andMe customer knew or understood what they were agreeing to" in that policy. Twenty-eight states tried to block the sale. About 1.9 million people deleted their data before proceedings closed.
The rest became an asset.
The threat model most people have wrong
When people worry about data privacy, they picture a hacker. Someone with stolen credentials, a cloud database exfiltrated overnight. That threat is real. The Change Healthcare breach in early 2024 exposed health data for roughly 190 million Americans, making it the largest healthcare breach on record.
But the hacker scenario is one of the less likely ways your personal data ends up somewhere you didn't intend. More common are the quieter transfers: a company is acquired and its data goes with the deal, bundled in like any other asset. A startup pivots to B2B and liquidates its consumer user base. A note-taking app updates its privacy policy to allow AI training on user content. A productivity tool is bought by a private equity firm that monetizes differently than the founders did.
Evernote was acquired by Bending Spoons in late 2022. Within months, nearly all of Evernote's original staff were laid off, prices went up significantly, and the product's direction changed entirely. The notes you'd added for years were now under the stewardship of a company that didn't build what you used. The data didn't go anywhere, but the relationship you'd implicitly agreed to did.
None of that required a hacker.
What local-first actually protects against
The privacy argument for local-first software is specific and modest. It doesn't solve everything. But it eliminates a particular class of risk: the risk of your data becoming an asset on someone else's balance sheet.
If your notes live on your own machine — in a folder of Markdown files, backed by a SQLite database, synced by software you run yourself — there is no company to go bankrupt with them. No acquisition where they're included in the deal. No privacy policy update that changes how they can be used.
Martin Kleppmann, Adam Wiggins, and colleagues at Ink & Switch wrote the original local-first essay in 2019, and privacy was one of their seven core ideals: local-first apps should store data on your device first, with servers as a secondary sync layer rather than the single source of truth. The privacy benefit isn't only about encryption. It's about where authority over your data actually resides.
There's also a practical security argument. When data lives in a central cloud database shared across millions of users, that database is a high-value target. A compromise exposes everyone. Local storage has a smaller attack surface by design: your data is only worth attacking if someone is after you specifically, which makes it dramatically less interesting to most threat actors.
What it doesn't protect against
Honesty requires naming the real costs.
Local-first software is harder to build. Sync is genuinely difficult to get right: conflict resolution, multi-device state, offline edits merging without losing data. Most teams that have tried to build local-first sync have found it's one of the hardest problems in product engineering. And local data isn't immune to risk. If your laptop is stolen, your data goes with it unless you've managed encryption correctly. Files can be deleted. Backup discipline matters. You can still be phished.
Local-first also doesn't help with the services you have to use. Your email lives on Google's servers. Your calendar is on Apple's. A large portion of your life's context is already in cloud systems you don't control, and a local notes app doesn't change that.
So the honest pitch is narrow: for the specific knowledge you care most about — notes, plans, decisions, the people and projects that matter — keeping it in local, portable formats removes one meaningful category of risk. Not all of them.
The architecture is the policy
There's something worth naming about what local-first design signals, beyond the practical tradeoffs.
When a product stores your data in an open format you can read with a text editor, it's making a promise that doesn't depend on the company staying solvent. When a company lets you self-host their software, it's acknowledging that your data should survive their business decisions. The architecture isn't just a technical choice. It's a statement about whose interests the product actually serves.
The 23andMe situation was extreme. Genetic data is not notes about meetings. But the underlying dynamic — company holds your data, situation changes, interests diverge — applies to nearly any cloud product you've relied on for more than a year.
Your threat model probably doesn't require defenses against nation-state actors. But thinking about what happens to your data if the company behind it stops existing seems, at this point, like ordinary prudence.
Asgeir Albretsen is the founder of Harbor.