arxiv:2605.09530

MemPrivacy: Privacy-Preserving Personalized Memory Management for Edge-Cloud Agents

Published on May 10 · Submitted by Ding Chen on May 13 · #2 Paper of the day

Abstract

MemPrivacy enables privacy-preserving personalized memory in edge-cloud environments by using type-aware placeholders to protect sensitive data while maintaining semantic integrity for effective memory operations.

AI-generated summary

As LLM-powered agents are increasingly deployed in edge-cloud environments, personalized memory has become a key enabler of long-term adaptation and user-centric interaction. However, cloud-assisted memory management exposes sensitive user information, while existing privacy protection methods typically rely on aggressive masking that removes task-relevant semantics and consequently degrades memory utility and personalization quality. To address this challenge, we propose MemPrivacy, which identifies privacy-sensitive spans on edge devices, replaces them with semantically structured type-aware placeholders for cloud-side memory processing, and restores the original values locally when needed. By decoupling privacy protection from semantic destruction, MemPrivacy minimizes sensitive data exposure while retaining the information required for effective memory formation and retrieval. We also construct MemPrivacy-Bench for systematic evaluation, a dataset covering 200 users and over 52k privacy instances, and introduce a four-level privacy taxonomy for configurable protection policies. Experiments show that MemPrivacy achieves strong performance in privacy information extraction, substantially surpassing strong general-purpose models such as GPT-5.2 and Gemini-3.1-Pro, while also reducing inference latency. Across multiple widely used memory systems, MemPrivacy limits utility loss to within 1.6%, outperforming baseline masking strategies. Overall, MemPrivacy offers an effective balance between privacy protection and personalized memory utility for edge-cloud agents, enabling secure, practical, and user-transparent deployment.

Community


MemPrivacy: Privacy-Preserving Personalized Memory for Edge-Cloud Agents

Authors: Yining Chen, Jihao Zhao, Bo Tang, Haofen Wang, Yue Zhang, Fei Huang, Feiyu Xiong, Zhiyu Li
ArXiv: 2605.09530
GitHub: MemTensor/MemPrivacy
Hugging Face Models: IAAR-Shanghai/memprivacy


🧠 Motivation

As LLM-powered agents become widespread in edge-cloud settings, personalized memory is crucial for long-term adaptation and user-centric interaction. However, cloud-based memory risks exposing sensitive user information, while naive privacy solutions (like *** masking) destroy task semantics, harming memory utility and personalization.

Goal: Protect sensitive data without sacrificing semantic utility.


Why MemPrivacy?

Cloud agents typically send user messages to remote LLMs and store conversation traces in memory systems (e.g., Mem0, LangMem, Memobase) for long-term personalization. This creates a large privacy attack surface:

  • plaintext prompts and logs may contain PII, medical/financial data, credentials
  • cloud memory stores can leak via retrieval, prompt injection, inversion, or misconfiguration
  • naïve mitigation (e.g., *** masking) destroys task semantics, harming retrieval and personalization

Goal: reduce privacy leakage without sacrificing utility.


Core Idea

MemPrivacy implements local reversible pseudonymization:

  1. On-device privacy detection (local)
    Detect privacy spans in user input and classify them by:

    • privacy level (PL1–PL4)
    • privacy type (e.g., Email, Real Name, Medical Health, Recovery Code)
  2. Typed placeholder replacement (local → cloud)
    Replace protected spans with semantically meaningful typed placeholders, e.g.:

    • 160/110 (blood pressure) → <Health_Info_1>
    • recovery code RC-7291 → <Recovery_Code_1>
  3. Local secure mapping (persistent across sessions)
    Store the mapping placeholder ↔ original value in a local SQLite DB.

  4. Cloud reasoning and memory operations (cloud)
    The cloud agent/memory only sees placeholders—preserving semantic roles while hiding raw values.

  5. Downlink restoration (local)
    Restore placeholders in the cloud response back to the original values for a fluent user experience.

This yields architecture-level isolation: cloud components never see/store raw sensitive values.


Key Contributions & Advantages

1) Privacy–Utility Balance (vs. masking)

  • Irreversible masking (***) protects privacy but loses meaning and breaks memory retrieval.
  • Untyped placeholders (<Mask_1>) keep structure but lose semantic roles.
  • MemPrivacy (typed placeholders) preserves the semantic role and hides raw values, minimizing utility loss.

2) Configurable Protection via a 4-Level Privacy Taxonomy

MemPrivacy introduces PL1–PL4 to support user-configurable policies:

| Level | Meaning | Examples | Typical Default Policy |
|---|---|---|---|
| PL1 | low sensitivity / preferences | “I like sci-fi”, tone, generic habits | can be kept for personalization |
| PL2 | identifiable PII | real name, phone, email, detailed address, account IDs | disallowed by default in long-term memory |
| PL3 | highly sensitive PII | health records, financial records, precise location, religion/ethnicity | not permitted in general memory |
| PL4 | critical secrets (immediately exploitable) | passwords, OTPs, recovery codes, API keys | zero retention; must be blocked/redacted |

3) Benchmark & Evaluation for Memory Systems

This repo builds MemPrivacy-Bench and evaluates privacy protection strategies across real memory systems:

  • MemPrivacy-Bench: 200 synthetic users, bilingual (Chinese/English), multi-turn dialogues with dense privacy exposure, plus memory QA tasks.
  • Evaluations on MemPrivacy-Bench (in-distribution) and PersonaMem-v2 (out-of-distribution, annotated here).

4) Lightweight & Practical

The framework is designed for edge deployment:

  • local detection + placeholder substitution + SQLite lookup are low-latency operations
  • works as a drop-in privacy layer for existing cloud agents / memory systems

5) Open-Source MemPrivacy Models

We release a family of MemPrivacy models trained via Supervised Fine-Tuning (SFT) and Reinforcement Learning (RL) across different parameter sizes. You can access the full model collection here.

| Model Name | Parameters | Method | HuggingFace Link |
|---|---|---|---|
| 🤗 MemPrivacy-4B-RL | 4B | RL | IAAR-Shanghai/MemPrivacy-4B-RL |
| 🤗 MemPrivacy-4B-SFT | 4B | SFT | IAAR-Shanghai/MemPrivacy-4B-SFT |
| 🤗 MemPrivacy-1.7B-RL | 1.7B | RL | IAAR-Shanghai/MemPrivacy-1.7B-RL |
| 🤗 MemPrivacy-1.7B-SFT | 1.7B | SFT | IAAR-Shanghai/MemPrivacy-1.7B-SFT |

Evaluation Results

1. Privacy Extraction Performance

Key Takeaways:

  • Superior Accuracy: MemPrivacy consistently outperforms 11 general LLMs and OpenAI-Privacy-Filter. The best model (MemPrivacy-4B-RL) achieves F1 scores of 85.97% and 94.48%, significantly surpassing the top general models (78.41% and 92.18%). Even our smallest 0.6B model beats most general models.
  • Robustness on Complex Data: While lightweight filters like OpenAI-Privacy-Filter are fast, they struggle with implicit and linguistically diverse privacy expressions (only 35.50% F1 on MemPrivacy-Bench). MemPrivacy accurately handles fine-grained, heterogeneous conversational scenarios.
  • High Efficiency: Despite its accuracy, MemPrivacy remains highly efficient. Processing latency per message is consistently below one second on PersonaMem-v2, making it well-suited for seamless on-device deployment without noticeable delays.

2. Memory System Performance under Different Protection Methods

Key Takeaways:

  • Optimal Privacy-Utility Trade-off: Compared to traditional masking (***) or untyped placeholders (<Mask_1>), MemPrivacy preserves the utility of downstream systems (LangMem, Mem0, Memobase) significantly better by retaining critical semantic roles.
  • Minimal Degradation: When applying stringent protection (PL2–PL4), system accuracy drops by merely 0.71%–1.60%. If protecting only critical secrets (PL4), the drop is below 0.89%.
  • Extractor Dependency: The effectiveness of the entire framework heavily depends on accurate privacy extraction. Replacing the MemPrivacy model with general LLMs (e.g., DeepSeek-V3.2-Think, GPT-5.2) causes substantial accuracy degradation, validating the necessity of our specialized fine-tuning.

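The five-step flow under "Core Idea", with the PL threshold from the taxonomy, as an added Python example (not code from the MemPrivacy repository or the paper). Regex detectors stand in for the on-device MemPrivacy model, and `LocalVault`, the `placeholder_map` table and `min_level` are hypothetical names; the sample values are the ones quoted in the comment plus a constructed e-mail address.

```python
import re
import sqlite3

# Stand-in detectors (assumption): the page uses a fine-tuned on-device model;
# these regexes cover only the constructed sample. (type, privacy level, pattern)
DETECTORS = [
    ("Recovery_Code", 4, re.compile(r"\bRC-\d{4}\b")),
    ("Health_Info", 3, re.compile(r"\b\d{2,3}/\d{2,3}\b")),
    ("Email", 2, re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
]
PLACEHOLDER = re.compile(r"<[A-Za-z_]+_\d+>")

class LocalVault:
    """Placeholder <-> value mapping kept on the device (hypothetical schema)."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS placeholder_map (placeholder TEXT PRIMARY KEY,"
            " ptype TEXT NOT NULL, value TEXT NOT NULL, UNIQUE (ptype, value))")

    def placeholder_for(self, ptype, value):
        # Reuse the placeholder for a repeated value so cloud memory can link mentions.
        row = self.db.execute(
            "SELECT placeholder FROM placeholder_map WHERE ptype=? AND value=?",
            (ptype, value)).fetchone()
        if row:
            return row[0]
        count = self.db.execute(
            "SELECT COUNT(*) FROM placeholder_map WHERE ptype=?", (ptype,)).fetchone()[0]
        ph = f"<{ptype}_{count + 1}>"
        with self.db:  # commit the new mapping
            self.db.execute("INSERT INTO placeholder_map VALUES (?,?,?)", (ph, ptype, value))
        return ph

    def protect(self, text, min_level=2):
        """Uplink: replace spans at or above min_level (PL) before sending."""
        for ptype, level, pattern in DETECTORS:
            if level >= min_level:
                text = pattern.sub(
                    lambda m, t=ptype: self.placeholder_for(t, m.group()), text)
        return text

    def restore(self, text):
        """Downlink: put values back; unknown placeholders are left as-is."""
        def lookup(m):
            row = self.db.execute("SELECT value FROM placeholder_map WHERE placeholder=?",
                                  (m.group(),)).fetchone()
            return row[0] if row else m.group()
        return PLACEHOLDER.sub(lookup, text)
```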

