Adding AI to a Privacy-First Tool Site Without Breaking the Privacy Promise — the Architecture Decisions

I run a utility-tools site that has always claimed "everything runs in your browser, nothing leaves your device". For two years that claim was true across every feature - the PDF tools, image processing, word counter, QR generator, all of it. Then I wanted to add AI. AI features genuinely cannot run client-side. The model weights are tens of gigabytes; you cannot ship them to a browser. The moment AI is involved, some user data has to leave the device. The question is what data, when, and how clearly you disclose it to the user.