×marble
all posts
Jun 26, 2026·12 min read

Privacy-Preserving Personalization Techniques: On-Device, Federated, Encrypted

On-device personalization, federated learning, and encrypted compute make personalization without raw user data possible. What's production-ready in 2026.

Alex Shrestha·Founder, ×marble

Privacy-Preserving Personalization Techniques: On-Device, Federated, Encrypted

TL;DR.

  • Privacy-preserving personalization techniques split into three families: on-device inference, federated learning, and encrypted compute. Only one of the three is fully production-ready in 2026.
  • On-device personalization is shipping at scale today. Apple's Core ML and Google's Gboard both run personalization models directly on the phone with no raw data ever leaving the device.
  • Federated learning works in narrow domains — keyboard prediction, ASR adaptation, news ranking — but the engineering tax is heavy. Apple reports a 1.98% lift on news article views from federated tuning; Google's Gboard runs production federated training with differential-privacy noise at ε=8.9 per round.
  • Encrypted compute (homomorphic encryption, secure enclaves) is split: trusted execution environments like AWS Nitro Enclaves are production-ready for batch personalization. Fully homomorphic encryption is still research outside niche workloads.
  • The pragmatic 2026 stack: on-device for inference, federated for model updates on sensitive signals, TEEs for any centralized compute that touches user data.

If you're building personalization in 2026 and you've decided you'd rather not store raw behavioural data in a central warehouse, your options are narrower than the marketing pitches suggest. The phrase "privacy-preserving personalization" gets used to mean five different things, only one of which is genuinely shippable at scale. This post walks through the three real families — on-device personalization, federated learning, and encrypted compute — separates what's production from what's still research, and gives you a stack you can actually deploy.

What "privacy-preserving personalization" actually means

The term is overloaded. Three definitions float around:

  1. Data never leaves the user's device. Models run locally; the server never sees raw clicks, watch history, or text input. This is the strictest version.
  2. Data is aggregated before it leaves. The server sees model updates or aggregate statistics, not individual events. Federated learning is the canonical case.
  3. Data leaves the device encrypted and stays encrypted during compute. Servers process the data without ever decrypting it. Homomorphic encryption and trusted execution environments live here.

Most "privacy-preserving" marketing copy means the second or third definition; only the strictest implementations achieve the first. The privacy-preserving personalization techniques that survive contact with production tend to be hybrids — on-device for the hot path, federated or encrypted for the cold-start and aggregate paths.

A small but important point: privacy-preserving personalization is not the same as privacy-compliant personalization. GDPR and CCPA compliance can be achieved with raw data centralization plus consent and retention controls. The techniques in this post go further — they remove the need to ever hold raw behavioural data in the first place. That distinction matters when you're answering a CISO or a security review board.

Family one: on-device personalization (production today)

On-device personalization is the version that's actually shipping at consumer scale right now. Apple's Core ML, introduced in 2017 and extended for on-device training in Core ML 3, powers QuickType keyboard suggestions, Siri voice recognition tuning, and the Found In Apps feature, all by training tiny personalization layers directly on the iPhone. Google's equivalent runs through TensorFlow Lite and the Android Neural Networks API.

The architecture pattern is consistent: ship a general baseline model to every device, then let each device fine-tune a small head — usually the last few layers, sometimes just an embedding lookup table — using local data. The personalized model never leaves the phone. Inference happens locally with latency typically under <30 ms on modern mobile silicon.

Where on-device personalization shines: prediction tasks with a tight user-bound context. Next-word, query autocomplete, on-device ranking of locally cached candidates, voice command adaptation. Where it stops: anything that needs cross-user signal. You cannot do collaborative filtering on a single device. You cannot recommend items the user has never interacted with using only their local history. On-device personalization needs to be paired with one of the other two families if you want full coverage.

Most teams underestimate the engineering surface. You're now shipping models as part of your app binary or model store, you're versioning them across OS upgrades, and you're debugging in an environment where you have no logs from production users. The discipline is closer to embedded systems than to data science. We covered the broader engineering trade-offs in our reference architecture for real-time personalization.

Family two: federated learning (early production)

Federated learning works like this: each device computes a model update from its local data, the updates get aggregated on a central server (usually with cryptographic secure aggregation), and the resulting averaged update is broadcast back to every device. The server sees the aggregate; it never sees any individual user's data. Google introduced the technique in 2017 and has been deploying it in Gboard, the Android keyboard, ever since.

The production track record is real but narrow. Google's recent Gboard federated learning runs use DP-FTRL (Differentially Private Follow-the-Regularized-Leader) with a per-round privacy budget around ε=8.9 to train next-word prediction, query suggestion, and smart-reply models. Apple's federated personalization paper describes a deployed system used for news recommendation and ASR personalization; the team reports a 1.98% increase in daily article views from federated tuning of news ranking parameters. MIT's FTTE work, published in 2026, reduces federated training time by 81% versus prior baselines and trims on-device memory overhead by 80%, which finally puts federated training within reach of mid-range phones.

The honest assessment: federated learning is production-grade for a handful of high-volume, simple-signal tasks. Keyboard prediction works because every user types every day; the gradient signal is dense. Recommendation on a long-tail catalog with sparse signal is much harder. Convergence is slow, debugging is brutal because you have no access to the data the gradients came from, and the communication cost can be punishing if your model is large. Most teams that try to use federated learning for product recommendations end up either falling back to centralized training on aggregated cohort statistics or layering federated personalization on top of a centrally-trained backbone.

If you're considering federated learning, start by asking: do my users have enough on-device data to train a useful local update? Can my model fit and run in <200 ms on a mid-range device? Is the signal I care about dense enough that I'll see convergence within a few rounds? If any answer is "no", the next family is probably better.

Family three: encrypted compute (split production status)

Encrypted compute is the family with the widest spread in production readiness. It contains two very different sub-families.

Trusted execution environments (production-ready)

Trusted execution environments — AWS Nitro Enclaves, Intel TDX, AMD SEV-SNP, Apple's Secure Enclave — are isolated hardware-attested compute regions where code runs without the host operating system being able to inspect memory. Data flows in encrypted, gets decrypted only inside the enclave, gets processed, and flows back out encrypted. The host operator, your DevOps team, and a compromised hypervisor all see ciphertext.

For personalization, the use case is straightforward: run your model server inside an enclave, send the user's encrypted feature vector in, get the encrypted recommendation out. Nitro Enclaves are particularly accessible — if your code runs in Docker, it runs in an enclave with minor modifications. Gartner forecasts that 50% of large organizations will adopt privacy-enhancing computation by 2026, and TEEs are the dominant mechanism.

The catch: Intel deprecated SGX on consumer CPUs and is steering new workloads to TDX. If you're building today, target Nitro Enclaves on AWS or TDX-backed instances in cloud platforms that support them, not desktop SGX. Also: TEEs protect the host operator from seeing your data, but they don't prevent the application running inside the enclave from logging the data. The personalization engine you put inside still has to behave.

Fully homomorphic encryption (research-grade)

Fully homomorphic encryption (FHE) lets you compute on ciphertext without ever decrypting it. The dream is straightforward: a user sends their encrypted profile to your server, your model computes a recommendation against the ciphertext, and the user decrypts the answer locally. The server never holds raw data.

The reality in 2026 is brutal. FHE adds roughly 5x overhead versus traditional encryption for the data path, and orders of magnitude more for arbitrary computation. A 2025 paper proposed an efficient sparse-matrix factorization scheme using FHE that handles sparse user-item rating matrices in encrypted form, which is a real advance — but it's still measured in seconds-per-recommendation, not milliseconds. 64% of enterprises cite performance as the dominant barrier to FHE adoption.

Where FHE is shipping: narrow workloads where the trade-off is acceptable. Healthcare cohort analysis. Banking risk scoring. Sometimes encrypted-set intersection for ad measurement. We have not seen FHE used in mainline production personalization at consumer scale and we don't expect that to change in the next 18 months.

Family four (sort of): differential privacy as a primitive

Differential privacy isn't a separate family — it's a noise-addition primitive that overlays the others. Apple uses it on top of on-device aggregation when uploading telemetry, with a published privacy budget of ε=2 per day for most data types and ε=4 for exploratory collections. Google overlays DP on federated learning via DP-FTRL.

The role of differential privacy in privacy-preserving personalization techniques is to give you a mathematical guarantee on what an adversary can learn from your aggregated outputs. It's not a substitute for on-device or federated computation; it's a hardening pass on top. If you're publishing aggregate stats from a centralized pipeline, DP keeps you defensible. If you're publishing nothing because you're doing on-device inference, you don't need DP.

For most builds, treat DP as a layer you add when you're ready, not a foundational architecture choice.

What a practical 2026 stack looks like

A defensible privacy-preserving personalization stack in 2026 has three tiers:

  • On-device for hot-path inference and last-mile personalization. Ship a base model in your app; let it fine-tune a small head locally. Latency <30 ms, no network. Use this for re-ranking, autocomplete, and any UI surface where staleness is more painful than imperfect signal.
  • Federated learning for cross-user signal on sensitive features. Use it where the signal is dense (text input, voice, daily-usage features) and where centralized collection would create a legal or PR liability. Don't try to use it for cold-start or for sparse long-tail recommendations.
  • TEEs for centralized compute that has to touch user-identifiable data. Profile enrichment, identity stitching, audience segmentation. Run the workload inside Nitro Enclaves or a TDX-backed instance so the cloud operator and your own ops team can't read raw inputs.

Cross-cutting: apply differential privacy noise to any aggregate that leaves an enclave or any update that leaves a federated client. Keep an explicit privacy budget per user and per epoch. Audit it.

The architectural trick is splitting the personalization pipeline into "needs cross-user signal" and "doesn't". The first tier sits in TEEs and federated rounds; the second tier sits on the device. This is the same split logic we discussed in our piece on the cold-start problem and day-zero personalization, but applied through a privacy lens.

Why the knowledge-graph layer matters here

A pattern we keep seeing in privacy reviews: the team has solved the data path (on-device inference, TEEs, federated updates) but their personalization model is still effectively a global recommendation engine that needs every user's full history to work. Privacy-preserving compute on top of a privacy-hostile model design doesn't help.

The fix is to push as much of the personalization logic into structured, low-entropy representations — entities, relationships, traits — and away from raw event streams. A knowledge-graph layer that represents a user as a sparse set of typed edges into a shared entity graph is dramatically easier to handle privately than a model that needs the user's raw click stream. It's also easier to explain, audit, and revoke. This connects to the broader argument in knowledge graphs vs vector embeddings — graph-shaped state isn't just better for explainability, it's better for privacy posture.

How ×marble fits in

We built ×marble so that the structured side of personalization — the knowledge graph, the entity resolution, the trait derivation — runs as a service you don't have to design from scratch. The output is a compact, typed user state vector you can keep on-device, push through a TEE, or distribute via federated rounds. Our Vivo daily briefing is the showcase for what this enables: personalized AI video without retaining a raw event log per user. If you're building a personalization layer where the privacy posture is part of the product story — fintech, health, B2B with strict data controls — talk to us before you commit to a stack. We've seen the failure modes.

FAQ

What is privacy-preserving personalization?

Privacy-preserving personalization is a class of techniques that produce personalized experiences without centrally collecting raw user data. The three production families are on-device personalization (model runs on the user's device), federated learning (only model updates leave devices), and encrypted compute using trusted execution environments. Each one trades off latency, model quality, and engineering complexity differently.

Is on-device personalization production-ready in 2026?

Yes. On-device personalization is the most mature of the three privacy-preserving personalization techniques. Apple's Core ML has shipped on-device training since iOS 13, powering features like QuickType keyboard suggestions, Siri voice tuning, and the Found In Apps feature. Google ships equivalent capabilities through TensorFlow Lite. Inference latency on modern mobile silicon is typically <30 ms. The main constraints are model size and the fact that on-device personalization alone cannot do collaborative filtering across users.

How does federated learning enable personalization without sharing data?

In federated learning, each device computes a model gradient or update from its own local data, the updates are aggregated cryptographically on a central server (so the server sees only the aggregate, never individual updates), and the resulting averaged model is sent back to all devices. Google's Gboard uses this in production with DP-FTRL noise at ε=8.9 per round. Apple uses it for news ranking and ASR personalization, with a published 1.98% lift on news article views. It works best for dense-signal tasks like text or voice and struggles with sparse recommendation problems.

Can homomorphic encryption be used for production recommendation systems?

Not at consumer scale, not yet. Fully homomorphic encryption (FHE) adds roughly 5x overhead versus traditional encryption for the data path, with much larger overhead for general computation. A 2025 sparse-matrix factorization scheme for FHE recommendation is a real advance but still operates in seconds-per-query, not milliseconds. For production today, trusted execution environments like AWS Nitro Enclaves or Intel TDX deliver most of the privacy benefit at a tiny fraction of the performance cost.

What is the difference between on-device personalization and federated learning?

On-device personalization runs inference and sometimes training entirely on the user's device, with no model updates leaving the phone. Federated learning involves devices sending encrypted model updates (not raw data) to a central server for aggregation, and receiving improved models back. On-device is simpler and more private per-user, but cannot incorporate cross-user signal. Federated learning enables cross-user learning at the cost of a much heavier engineering pipeline.

Further reading

the product behind these notes

×marble is the personalization graph.

One API. A living knowledge graph per user. Day-zero ready, explainable by construction. We built it so you don't have to.

See ×marble