How does Duck.ai anonymize and proxy prompts to external models in technical detail?

1. How Duck.ai’s proxying architecture routes prompts

When a user submits a prompt, Duck.ai routes that request through DuckDuckGo’s servers, which then make the outbound call to the chosen underlying model provider on behalf of the user; DuckDuckGo acts as the network originator so the model provider sees DuckDuckGo’s IP and not the end user’s ^{[4] [6]}. This proxying approach mirrors the company’s earlier “AI‑assisted answers” architecture where DuckDuckGo “uses our own IP address instead” to call third‑party models, and Duck.ai “anonymizes by us” in the help pages ^{[4] [1]}.

2. What metadata is removed and how anonymization is described

Duck.ai’s public documentation and help pages state that all metadata containing personal information—explicitly calling out IP addresses—is removed before sending prompts to model providers, and that the service redacts obvious personal identifiers from prompts as part of its guardrails ^{[3] [7] [2]}. Third‑party summaries and product pages reiterate that Duck.ai “strips personal identifiers like your IP address” and claims chat history is saved locally, not on DuckDuckGo servers ^{[6] [8]}.

3. Request rewriting, rotation and “anonymizing proxy” heuristics

Some coverage and third‑party summaries describe additional measures beyond IP removal—phrases like “rotates request details” or “forwards prompts without personal metadata” suggest Duck.ai may normalize or randomize certain headers and ancillary network details before forwarding, although DuckDuckGo’s own documentation focuses primarily on IP removal and proxying rather than publishing a full header‑normalization spec ^{[7] [4]}. Independent analyses of proxy patterns in similar systems advise that rotation and header stripping are typical hardening steps, but specific implementation details for Duck.ai are not published in the sources provided ^{[7] [5]}.

4. Local storage, generated content, and provenance signals

Duck.ai emphasizes that recent chats are stored locally on the user’s device rather than on DuckDuckGo servers and that generated images can be kept in‑browser; the company also embeds C2PA‑compatible metadata in images to indicate AI provenance, underscoring a design choice to minimize server‑side retention of content ^{[9] [1]}. Product notes and help pages explain local history can be cleared by users and that no account sign‑in is required, which aligns with the privacy posture of minimal centralized logs ^{[6] [8]}.

5. Contracts, retention windows, and non‑training assurances

Duck.ai says it has agreements with model providers that prohibit using Prompts and Outputs to train models and require deletion of information once no longer necessary—DuckDuckGo’s documentation cites deletion “at most within 30 days” with limited exceptions for safety and legal compliance ^{[3] [2]}. Multiple outlets repeat the claim that anonymized prompts and outputs are not used for model training, portraying contractual limits as a key non‑technical control layered onto the proxy ^{[10] [11]}.

6. Limitations, threat models, and single‑party trust

Academic work on proxy approaches warns that relying on a single trusted intermediary makes the user’s anonymity contingent on that party’s integrity and that such systems “do not natively hide users’ network‑level identity” against stronger adversaries and provide no cryptographic integrity guarantees for responses—criticisms directly applicable to Duck.ai’s tradeoffs ^[5]. Reporting and product notes acknowledge privacy is a spectrum and note that extreme cases—pasting highly sensitive personal data into a third‑party model—retain residual risk despite anonymization ^{[8] [2]}.