Papers
Topics
Authors
Recent
Search
2000 character limit reached

MemPrivacy: Privacy-Preserving Personalized Memory Management for Edge-Cloud Agents

Published 10 May 2026 in cs.CR and cs.CL | (2605.09530v2)

Abstract: As LLM-powered agents are increasingly deployed in edge-cloud environments, personalized memory has become a key enabler of long-term adaptation and user-centric interaction. However, cloud-assisted memory management exposes sensitive user information, while existing privacy protection methods typically rely on aggressive masking that removes task-relevant semantics and consequently degrades memory utility and personalization quality. To address this challenge, We propose MemPrivacy, which identifies privacy-sensitive spans on edge devices, replaces them with semantically structured type-aware placeholders for cloud-side memory processing, and restores the original values locally when needed. By decoupling privacy protection from semantic destruction, MemPrivacy minimizes sensitive data exposure while retaining the information required for effective memory formation and retrieval. We also construct MemPrivacy-Bench for systematic evaluation, a dataset covering 200 users and over 52k privacy instances, and introduce a four-level privacy taxonomy for configurable protection policies. Experiments show that MemPrivacy achieves strong performance in privacy information extraction, substantially surpassing strong general-purpose models such as GPT-5.2 and Gemini-3.1-Pro, while also reducing inference latency. Across multiple widely used memory systems, MemPrivacy limits utility loss to within 1.6%, outperforming baseline masking strategies. Overall, MemPrivacy offers an effective balance between privacy protection and personalized memory utility for edge-cloud agents, enabling secure, practical, and user-transparent deployment.

Summary

  • The paper introduces MemPrivacy, a closed-loop framework integrating local privacy extraction with cloud-based semantic processing to secure sensitive user data.
  • It employs a four-level privacy taxonomy and semantic placeholders, achieving 85.97% F1 in privacy extraction while limiting utility loss to ≤1.6%.
  • The framework is validated with MemPrivacy-Bench, demonstrating robust, low-latency performance on edge devices and scalable deployment in sensitive domains.

MemPrivacy: A Framework for Privacy-Preserving Long-Term Memory Management in Edge-Cloud LLM Agents

Introduction and Motivation

The pervasive integration of LLM-powered agents into edge–cloud systems has driven a marked evolution toward personalized, memory-augmented architectures. Personalization, persistence of context, and long-term adaptation now underpin user-centric interaction, yet reliance on cloud-assisted memory modules introduces an expanded and persistent privacy attack surface. Empirical evidence demonstrates that memory systems retain, propagate, and potentially expose sensitive user data far beyond initial collection, and adversarial extraction attacks achieve high success rates by exploiting persistent memory stores.

Conventional privacy defenses in this domain, including coarse-grained masking, differential privacy, standard anonymization, or cryptographic measures, introduce significant semantic distortion or utility loss. As the field contends with the regulatory and social imperatives for privacy, a mechanism is demanded that selectively suppresses only sensitive spans while preserving the semantic context necessary for accurate retrieval, reasoning, and agentic behavior.

MemPrivacy Framework and Architectural Design

MemPrivacy is introduced as a closed-loop privacy-preserving memory management system tailored for edge–cloud LLM agent deployments. Core to the framework is a separation between privacy recognition/desensitization (executed locally on the edge device) and cloud-based semantic processing and memory management. User inputs are analyzed on-device using a lightweight privacy extraction model; sensitive spans are substituted with semantic, type-aware placeholders (e.g., <EMAIL_1>, <DOB_2>), while original–placeholder mappings are securely retained in a local database, enabling seamless local restoration post-inference. The cloud only processes sanitized representations, drastically reducing privacy leakage risk while ensuring the retention of semantic cues essential for high-quality agent performance (Figure 1). Figure 1

Figure 1: Comparison of privacy protection strategies for local-to-cloud agent interaction. MemPrivacy introduces semantic placeholders that preserve utility without direct exposure of private values.

The three-stage lifecycle is as follows: (1) Uplink desensitization: local privacy extraction and placeholder substitution; (2) Cloud processing: memory formation, retrieval, and reasoning on sanitized representations; (3) Downlink restoration: rapid replacement of local placeholders with original content to maintain transparent user experience (Figure 2). Figure 2

Figure 2: Overview of MemPrivacy's closed-loop architecture, highlighting end-to-end privacy preservation and utility maintenance through local restoration.

A fundamental design element is the four-level privacy taxonomy (PL1–PL4), stratifying private content by identifiability, harm potential, and operational exploitability. PL1 covers generic, non-identifying preferences (excluded from masking); PL2–PL4 denote increasing privacy risk, with PL4 (e.g., credentials, tokens) warranting maximal, irreversible protection.

Dataset Construction: MemPrivacy-Bench

MemPrivacy-Bench constitutes a high-density privacy annotation benchmark, synthesizing 200 user profiles and over 52k privacy instances, specifically engineered to assess privacy–utility trade-offs in agent memory. Dialogues span diverse settings, multi-turn interactions, and systematically cover the entire taxonomy spectrum. Annotation is bootstrapped via dual-LLM pipelines (Gemini-3.1-Pro, GPT-5.2), with stringent human post-verification (98%+ accuracy), ensuring robust, fine-grained privacy detection capacity. This resource enables effective training of compact (0.6B–4B) MemPrivacy models intended for edge deployment.

Model Training and Optimization

The MemPrivacy extraction models leverage a two-phase training protocol: supervised fine-tuning (SFT) for initial alignment, followed by RL with Group Relative Policy Optimization (GRPO). SFT imparts baseline extraction performance, while GRPO directly optimizes privacy F1 via relative groupwise reward signals, encouraging robust span detection and type assignment under realistic variation.

Empirical Results

Privacy Extraction Performance

MemPrivacy models produce substantially stronger privacy extraction F1 than both general LLMs and specialized token classifiers (e.g., OpenAI-Privacy-Filter). On MemPrivacy-Bench, MemPrivacy-4B-RL achieves 85.97% F1, a 7.6-point gain over the strongest general model and 50+ points over OpenAI-Privacy-Filter. Notably, even the smallest model (0.6B) outperforms foundation models many times its size, with lower inference latency, supporting practical edge deployment. Performance generalizes robustly to external datasets (e.g., PersonaMem-v2), further validating the approach.

Downstream Memory Utility

The critical metric is utility retention under privacy constraints. Standard defenses (irreversible masking or untyped placeholders) cause utility losses of up to 42 points (e.g., LangMem, Mem0) on privacy-heavy question–answering and memory retrieval tasks. MemPrivacy, by contrast, limits utility loss to ≤1.6% across all tested memory systems and achieves minimal performance degradation even as the density of privacy-sensitive queries approaches 100% (Figure 3). Figure 3

Figure 3: Overall accuracy on three memory systems as the proportion of privacy-related questions varies; MemPrivacy maintains high accuracy and stability.

Comparison across privacy extractors also reveals that the specialized MemPrivacy model crucially outperforms general-purpose large models as a privacy recognizer—even when these models are superior in overall capacity—demonstrating the need for dedicated, domain-aligned privacy span detectors.

Theoretical and Practical Implications

The research decisively separates the problem of privacy protection for agentic memory from traditional one-shot inference or dataset-level anonymization. By introducing placeholder-based, locality-preserving pseudonymization, MemPrivacy avoids semantic erosion, thus aligning privacy with the operational semantics of long-term memory in agents. The proposed taxonomy enables user- and scenario-specific policies, supporting future work in privacy customization and rights management. MemPrivacy-Bench sets a new standard and reference point for benchmarking privacy in agent architectures.

On a systems level, the approach establishes a viable architecture for deploying practical edge–cloud LLMs with strong privacy guarantees and transparent user experiences—critical for regulatory compliance in sensitive domains (e.g., healthcare, finance). The low-latency, edge-executable model design suggests scalable application to resource-constrained devices, while the taxonomy and benchmark offer a foundation for ongoing improvement, adversarial evaluation, and policy research.

Conclusion

MemPrivacy delivers a comprehensive, empirically validated framework for privacy-preserving, utility-maintaining memory management in edge–cloud LLM agents. By decoupling privacy protection from semantic destruction, and leveraging tight integration between local extraction, type-aware placeholders, and rapid post-hoc restoration, the system achieves state-of-the-art performance on both privacy risk and downstream utility. The methodology and resources introduced herein—model, taxonomy, benchmark—directly enable the next generation of personalized, compliant, and transparent agent systems. Future directions include dynamic user-level policy adaptation, integration with privacy regulation regimes, and adversarial adaptation against emerging attack surfaces.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 5 tweets with 6 likes about this paper.