- The paper introduces MemPrivacy, a closed-loop framework integrating local privacy extraction with cloud-based semantic processing to secure sensitive user data.
- It employs a four-level privacy taxonomy and semantic placeholders, achieving 85.97% F1 in privacy extraction while limiting utility loss to ≤1.6%.
- The framework is validated with MemPrivacy-Bench, demonstrating robust, low-latency performance on edge devices and scalable deployment in sensitive domains.
MemPrivacy: A Framework for Privacy-Preserving Long-Term Memory Management in Edge-Cloud LLM Agents
Introduction and Motivation
The pervasive integration of LLM-powered agents into edge–cloud systems has driven a marked evolution toward personalized, memory-augmented architectures. Personalization, persistence of context, and long-term adaptation now underpin user-centric interaction, yet reliance on cloud-assisted memory modules introduces an expanded and persistent privacy attack surface. Empirical evidence demonstrates that memory systems retain, propagate, and potentially expose sensitive user data far beyond initial collection, and adversarial extraction attacks achieve high success rates by exploiting persistent memory stores.
Conventional privacy defenses in this domain, including coarse-grained masking, differential privacy, standard anonymization, or cryptographic measures, introduce significant semantic distortion or utility loss. As the field contends with the regulatory and social imperatives for privacy, a mechanism is demanded that selectively suppresses only sensitive spans while preserving the semantic context necessary for accurate retrieval, reasoning, and agentic behavior.
MemPrivacy Framework and Architectural Design
MemPrivacy is introduced as a closed-loop privacy-preserving memory management system tailored for edge–cloud LLM agent deployments. Core to the framework is a separation between privacy recognition/desensitization (executed locally on the edge device) and cloud-based semantic processing and memory management. User inputs are analyzed on-device using a lightweight privacy extraction model; sensitive spans are substituted with semantic, type-aware placeholders (e.g., <EMAIL_1>, <DOB_2>), while original–placeholder mappings are securely retained in a local database, enabling seamless local restoration post-inference. The cloud only processes sanitized representations, drastically reducing privacy leakage risk while ensuring the retention of semantic cues essential for high-quality agent performance (Figure 1).
Figure 1: Comparison of privacy protection strategies for local-to-cloud agent interaction. MemPrivacy introduces semantic placeholders that preserve utility without direct exposure of private values.
The three-stage lifecycle is as follows: (1) Uplink desensitization: local privacy extraction and placeholder substitution; (2) Cloud processing: memory formation, retrieval, and reasoning on sanitized representations; (3) Downlink restoration: rapid replacement of local placeholders with original content to maintain transparent user experience (Figure 2).
Figure 2: Overview of MemPrivacy's closed-loop architecture, highlighting end-to-end privacy preservation and utility maintenance through local restoration.
A fundamental design element is the four-level privacy taxonomy (PL1–PL4), stratifying private content by identifiability, harm potential, and operational exploitability. PL1 covers generic, non-identifying preferences (excluded from masking); PL2–PL4 denote increasing privacy risk, with PL4 (e.g., credentials, tokens) warranting maximal, irreversible protection.
Dataset Construction: MemPrivacy-Bench
MemPrivacy-Bench constitutes a high-density privacy annotation benchmark, synthesizing 200 user profiles and over 52k privacy instances, specifically engineered to assess privacy–utility trade-offs in agent memory. Dialogues span diverse settings, multi-turn interactions, and systematically cover the entire taxonomy spectrum. Annotation is bootstrapped via dual-LLM pipelines (Gemini-3.1-Pro, GPT-5.2), with stringent human post-verification (98%+ accuracy), ensuring robust, fine-grained privacy detection capacity. This resource enables effective training of compact (0.6B–4B) MemPrivacy models intended for edge deployment.
Model Training and Optimization
The MemPrivacy extraction models leverage a two-phase training protocol: supervised fine-tuning (SFT) for initial alignment, followed by RL with Group Relative Policy Optimization (GRPO). SFT imparts baseline extraction performance, while GRPO directly optimizes privacy F1 via relative groupwise reward signals, encouraging robust span detection and type assignment under realistic variation.
Empirical Results
MemPrivacy models produce substantially stronger privacy extraction F1 than both general LLMs and specialized token classifiers (e.g., OpenAI-Privacy-Filter). On MemPrivacy-Bench, MemPrivacy-4B-RL achieves 85.97% F1, a 7.6-point gain over the strongest general model and 50+ points over OpenAI-Privacy-Filter. Notably, even the smallest model (0.6B) outperforms foundation models many times its size, with lower inference latency, supporting practical edge deployment. Performance generalizes robustly to external datasets (e.g., PersonaMem-v2), further validating the approach.
Downstream Memory Utility
The critical metric is utility retention under privacy constraints. Standard defenses (irreversible masking or untyped placeholders) cause utility losses of up to 42 points (e.g., LangMem, Mem0) on privacy-heavy question–answering and memory retrieval tasks. MemPrivacy, by contrast, limits utility loss to ≤1.6% across all tested memory systems and achieves minimal performance degradation even as the density of privacy-sensitive queries approaches 100% (Figure 3).
Figure 3: Overall accuracy on three memory systems as the proportion of privacy-related questions varies; MemPrivacy maintains high accuracy and stability.
Comparison across privacy extractors also reveals that the specialized MemPrivacy model crucially outperforms general-purpose large models as a privacy recognizer—even when these models are superior in overall capacity—demonstrating the need for dedicated, domain-aligned privacy span detectors.
Theoretical and Practical Implications
The research decisively separates the problem of privacy protection for agentic memory from traditional one-shot inference or dataset-level anonymization. By introducing placeholder-based, locality-preserving pseudonymization, MemPrivacy avoids semantic erosion, thus aligning privacy with the operational semantics of long-term memory in agents. The proposed taxonomy enables user- and scenario-specific policies, supporting future work in privacy customization and rights management. MemPrivacy-Bench sets a new standard and reference point for benchmarking privacy in agent architectures.
On a systems level, the approach establishes a viable architecture for deploying practical edge–cloud LLMs with strong privacy guarantees and transparent user experiences—critical for regulatory compliance in sensitive domains (e.g., healthcare, finance). The low-latency, edge-executable model design suggests scalable application to resource-constrained devices, while the taxonomy and benchmark offer a foundation for ongoing improvement, adversarial evaluation, and policy research.
Conclusion
MemPrivacy delivers a comprehensive, empirically validated framework for privacy-preserving, utility-maintaining memory management in edge–cloud LLM agents. By decoupling privacy protection from semantic destruction, and leveraging tight integration between local extraction, type-aware placeholders, and rapid post-hoc restoration, the system achieves state-of-the-art performance on both privacy risk and downstream utility. The methodology and resources introduced herein—model, taxonomy, benchmark—directly enable the next generation of personalized, compliant, and transparent agent systems. Future directions include dynamic user-level policy adaptation, integration with privacy regulation regimes, and adversarial adaptation against emerging attack surfaces.