10-15 Third-Party Services. Per Search.
That's how many companies get a piece of your data every time you search for a flight on a typical travel app. Analytics SDKs, ad networks, crash reporters, attribution platforms -- a single search on most OTAs triggers data transmission to Google Analytics, Mixpanel, Meta Pixel, Google Ads, Sentry, Adjust, and more.
And the airline itself? It records what you searched, when, what device you used, where you were, and whether you bought or bounced.
This isn't hypothetical. In 2022, the US Department of Transportation began investigating whether airlines use personal data to offer different prices to different people. In 2023, the EU's Digital Markets Act forced gatekeepers like Google and Booking Holdings to disclose how they rank travel results. In 2024, a Wall Street Journal investigation found hotel booking sites showing higher prices to logged-in loyalty members than to anonymous visitors searching the same dates. The loyalty program was working against you.
How Travel Sites Use Your Data Against You
Search history pricing. Airlines and OTAs track repeated searches for the same route. Search MIA-GRU three times in a week and the platform knows you're serious. Some travelers report prices increasing after multiple searches, then dropping when they switch browsers or devices. Airlines deny it publicly. But the ad-tech infrastructure powering their sites makes it trivially easy to implement.
Location-based pricing. Your IP address reveals your approximate location. Your device's language settings signal your nationality. Someone searching from Manhattan may see different prices than someone in Belo Horizonte for the same flight. This is especially common on OTAs operating across multiple markets.
Device profiling. Studies have found that Apple device users are sometimes shown pricier options first. The reasoning: higher average income, less price sensitivity. Whether airlines do this directly is debated, but the intermediaries feeding traffic to airlines absolutely profile by device.
Loyalty program lock-in. Once you've told an airline your elite status, home airport, and travel patterns, they know your alternatives. A United 1K based in Newark has fewer competitive options than a casual traveler in Dallas. Airlines can (and do) tune offers based on what they know about your switching costs.
Cookie-based retargeting. After you search, ads follow you across the web. These aren't just reminders -- they're price anchors. You see the $680 fare you almost bought, creating urgency. Meanwhile, the actual best price might be on a different airline or routing that the retargeting ad doesn't show you.
VPNs and Incognito Mode Don't Fix This
The standard advice -- use incognito mode or a VPN -- helps with surface-level tracking but misses the bigger problem.
Incognito mode stops cookie-based tracking within a session. But your IP address, device fingerprint (screen resolution, browser version, installed fonts), and behavioral patterns still identify you to sophisticated trackers. Airlines use server-side session tracking that survives incognito.
VPNs mask your IP but create a different headache: many travel sites block or degrade service for VPN traffic. You'll hit CAPTCHAs, slower load times, and sometimes entirely different inventory. Airlines have gotten good at detecting VPN connections and may refuse to honor fares booked through them.
Neither approach solves the real issue: to search for travel effectively, you need to provide personal context (dates, destinations, loyalty accounts, payment methods). The question is whether that context should live on someone else's server or on your device.
What On-Device AI Actually Means
On-device AI means machine learning models running entirely on your phone's processor. Your data doesn't travel to a cloud server for processing.
Apple introduced this at scale with Apple Intelligence at WWDC 2024. Their framing was blunt: "Powerful intelligence goes hand in hand with powerful privacy." The technical architecture uses the Neural Engine in Apple's A-series and M-series chips to run language models, image recognition, and personalization locally.
What does "locally" mean in practice? When Apple Intelligence summarizes your emails, it reads them on your device. The text never goes to Apple's servers. The model lives on your phone, the data lives on your phone, the output lives on your phone.
This matters for travel search because the data that makes search useful -- your loyalty balances, credit card portfolio, past trips, price sensitivity, preferred airlines -- is exactly the data travel companies would use against you if they had it.
What Travel Apps Normally Send to Their Servers
A conventional travel search app ships a surprising amount of data to its backend:
On every search: Origin, destination, dates, number of travelers, cabin class, your IP address, device ID, session ID, and often your loyalty program numbers (so the server can check award availability).
On account creation: Name, email, phone, passport nationality, home airport, loyalty program credentials (usernames and passwords or API tokens for balance lookups), credit card details, and travel preferences.
On every interaction: Which results you clicked, how long you looked at each option, how you sorted, which filters you applied, whether you completed a booking or bailed. This behavioral data feeds recommendation algorithms tuned for the platform's revenue, not yours.
Shared with third parties: Analytics SDKs, ad networks, crash reporters, and attribution platforms all get varying levels of your data.
What Lanzo Processes on Your Device
Lanzo's architecture flips this model. The core intelligence runs on-device using Apple's frameworks:
Loyalty balance analysis: Your points balances for programs like United MileagePlus, LATAM Pass, Avianca LifeMiles, Livelo, Smiles, and others sit in your device's secure enclave. When you search for a flight, the on-device model evaluates which programs have enough points, calculates the cents-per-point value of each redemption, and ranks them -- without transmitting your balances to any server.
Credit card optimization: Your card portfolio (which cards you hold, earn rates, transfer partners, travel protections) is stored locally. When Lanzo shows a flight result, it calculates which card to book with, which transfer path gets the best value, and which card's trip insurance applies. Your card numbers never touch our servers. We don't even know which cards you have.
Travel history learning: Your past trips teach the model your preferences -- preferred carriers, acceptable layover times, seat preferences, price sensitivity. This learning happens on-device. We don't build a profile of you on our servers. Your device builds a profile of you for you.
Price comparison: When Lanzo fetches flight prices, it makes anonymized queries to airline APIs and aggregators. The query contains the route and dates but nothing identifying. Pricing data comes back to your device, where the on-device model combines it with your loyalty data, card data, and preferences to generate personalized results. The server sees "MIA-GRU, March 20, economy." It doesn't see "John Smith, United 1K, Amex Platinum holder, searched this four times this week."
Privacy Isn't a Tradeoff Anymore
Most privacy conversations frame it as a sacrifice. Give up personalization for privacy, or give up privacy for convenience. On-device AI breaks that tradeoff.
Search without consequences. When your loyalty data stays on your device, there's no risk in checking options. Search the same route twenty times. Compare cash vs. points vs. mixed payment. The airline never sees that you've been searching obsessively -- the comparison happens locally.
Get honest prices. When the search query carries no user identity, there's no mechanism for dynamic pricing based on your profile. You see the same price as everyone else. The personalization happens after the price is fetched, on your device, using your private data.
Store sensitive data safely. Loyalty credentials, credit card details, and passport information are among the most sensitive data categories. A centralized travel app database with millions of users' loyalty credentials is a high-value breach target. When that data exists only on individual devices (protected by biometric authentication and hardware encryption), the attack surface shrinks dramatically.
Cross-border travelers benefit most. If you hold loyalty accounts in multiple countries (say, United MileagePlus and Livelo in Brazil), combining those into one optimization requires the app to know both. Server-side, that means trusting a third party with your financial data across two countries' regulatory frameworks. On-device, the data never crosses a border because it never leaves your phone.
What Apple Intelligence Enables
Apple's on-device stack provides several capabilities travel apps can use:
Core ML runs machine learning models on the Neural Engine. A model trained to evaluate award pricing can run inference on-device in milliseconds. No server round-trip.
Keychain and Secure Enclave store credentials and sensitive tokens with hardware-level encryption. Loyalty program API tokens live here, accessible only with biometric authentication.
App Intents and Shortcuts let the app expose actions to Siri and the system intelligence layer. "What's the cheapest way to get to Rio next month?" triggers an on-device evaluation of your points, transfer bonuses, and cash prices without anything leaving the phone.
Private Cloud Compute, introduced by Apple for tasks exceeding on-device capacity, processes data on Apple Silicon servers with cryptographic guarantees that Apple can't access the data. If a query needs more compute than your device can handle, Private Cloud Compute extends the privacy boundary without breaking the model.
The Honest Tradeoffs
On-device AI isn't magic. There are real limits.
Model size. On-device models are smaller than cloud models. They can't match a GPT-4-class model running on a server farm. For travel search, this doesn't matter much -- the task is structured data optimization, not open-ended generation. But complex natural language queries ("find me a business class award to Brazil for under 80k points with a stopover in Lisbon") may need Private Cloud Compute.
Real-time pricing. Flight prices change constantly. On-device AI can optimize and personalize, but it still needs to pull current prices from airline APIs. Those queries go to servers. The privacy advantage is that the queries are anonymized.
Initial setup friction. You need to input your loyalty accounts and card portfolio for the system to work. 10-15 minutes. It's a one-time cost, and the data stays on your device. But it's friction.
Device dependency. Lose your phone, lose your data (unless you've backed up to iCloud with end-to-end encryption). There's no server-side backup the app company can restore. That's a feature for privacy and a risk for convenience.
Why This Matters Right Now
Regulators in the US and EU are scrutinizing dynamic pricing, data sharing, and dark patterns in travel booking. Airlines are investing heavily in direct channels and personalization engines that use customer data to maximize their revenue.
For you, the question is straightforward: do you want the airline to know everything about you and optimize against you, or do you want to know everything about your own options and optimize for yourself?
On-device AI makes the second option technically possible for the first time. Your phone is now powerful enough to run the same optimization that airlines run on their servers -- but in your interest, not theirs.
Lanzo is built on this premise. We don't want your data. We want you to have better data than the airline, processed on hardware you own, protected by encryption you control. That's not a privacy policy. It's an architecture.