
PII Redactor

Detect and redact personal and sensitive data — emails, SSNs, credit cards, phone numbers, IPs, API keys — from any text or logs before sharing. Runs 100% in your browser; nothing is uploaded.

100% Private - Runs Entirely in Your Browser
No data is sent to any server. All processing happens locally on your device.


What Counts As PII — And Why Redaction Matters

Personally identifiable information (PII) is any data that can identify a specific person. The obvious cases are direct identifiers: name, email, phone number, Social Security number, credit card. But logs and documents also leak indirect identifiers — IP addresses, device IDs, session tokens, account numbers — that combine to identify someone.

The risk is mundane and constant: a developer pastes a production log into a public issue tracker to ask for help, and it contains a customer's email and IP. A support agent shares a ticket in a vendor chat that includes a full card number. Someone drops a document into a cloud AI to "just summarize it" and exposes employee data. Each of these is a potential breach under GDPR, HIPAA, or PCI-DSS — and each is avoidable by redacting first.

This tool detects the structured PII that follows reliable patterns (emails, SSNs, Luhn-valid card numbers, phones, IPs, keys) and lets you produce a clean version to share. The technical content you actually need to communicate — the error, the request flow, the timing — stays intact; only the personal data is masked.

Rules vs. AI: Why This Tool Uses Both

Detecting sensitive data well requires two different approaches, and this tool combines them.

Pattern matching (rules) is perfect for structured data. An email always has the shape name@example.com; a US SSN is three digits, two digits, four digits; a credit card passes the Luhn checksum. Regular expressions catch these reliably and instantly, with no false negatives on well-formed values and, thanks to validation like the Luhn check, few false positives. Everything the rules find is redacted deterministically.

AI is for the unstructured remainder. Person names, street addresses, and organization names have no fixed pattern — "Robert" and "robert" the word are indistinguishable to a regex. A small language model, run locally in your browser, can read context and flag likely names and addresses. But AI is fallible in both directions: it misses some real names and invents others. So the tool treats AI output as suggestions to review, never as automatic redactions.

The result: deterministic, trustworthy redaction of structured PII, plus an optional intelligent sweep for the contextual data rules cannot catch — all without your text leaving the browser.

Frequently Asked Questions

Common questions about the PII Redactor

Nothing is uploaded. All detection and redaction happens in your browser with JavaScript. Your text never touches our servers. This is the entire point: you can safely paste logs, documents, or support tickets containing real personal data, redact them, and copy out the clean version — all without that sensitive data ever leaving your device. Verify it by going offline and using the tool.

Structured PII and secrets that have reliable patterns: email addresses, US Social Security numbers, credit card numbers (validated with the Luhn checksum so random 16-digit numbers are not falsely flagged), US and international phone numbers, IPv4 and IPv6 addresses, AWS access keys, generic API keys and tokens, JWTs, PEM private-key blocks, MAC addresses, and US ZIP codes. You can toggle each type on or off before redacting.

Not reliably with rules alone — names and street addresses do not follow fixed patterns, so a regex either misses them or flags ordinary words. That is where the optional in-browser AI helps: it can scan for contextual PII like person names, physical addresses, and organization names and list them as suggestions for you to review. Crucially, the AI suggestions are never auto-redacted — you decide what to remove, because AI can both miss real names and flag false ones.

Three options. Full masking replaces the value with solid blocks (████████) so the length and content are hidden. Label masking replaces it with a typed tag like [EMAIL] or [SSN], which is useful when you want the reader to know what kind of data was there. Partial masking keeps the first and last characters visible (j•••@•••.com), helpful for debugging where you need to tell entries apart without exposing the full value.
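The rule-based detection described under "Rules vs. AI" and the three masking modes above, sketched as an added example (not the tool's own code). The patterns, the `RULES` table and all function names are simplified assumptions, and partial masking here keeps only the first and last character of each match.

```javascript
// Assumed, simplified patterns; a validator rejects look-alikes after the regex matches.
const RULES = [
  { label: "EMAIL", re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
  { label: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { label: "CARD", re: /\b(?:\d[ -]?){12,18}\d\b/g, validate: luhnValid },
  { label: "IPV4", re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g, validate: ipv4Valid },
];

// Luhn checksum: double every second digit from the right, sum must end in 0.
function luhnValid(candidate) {
  const digits = candidate.replace(/\D/g, "");
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Each dotted octet must be 0-255, so "999.1.1.1" is not treated as an address.
function ipv4Valid(candidate) {
  return candidate.split(".").every((octet) => Number(octet) <= 255);
}

function mask(value, label, mode) {
  if (mode === "label") return `[${label}]`;
  if (mode === "partial" && value.length > 2) {
    return value[0] + "•".repeat(value.length - 2) + value[value.length - 1];
  }
  return "█".repeat(8); // full: fixed width hides both length and content
}

// Apply every rule in order; matches that fail validation are left untouched.
function redact(text, mode = "label") {
  let out = text;
  for (const { label, re, validate } of RULES) {
    out = out.replace(re, (m) => (validate && !validate(m) ? m : mask(m, label, mode)));
  }
  return out;
}

// Constructed sample log line: the "order" number has 16 digits but fails Luhn.
const SAMPLE = "user=jane.doe@example.com ssn=123-45-6789 " +
  "card=4111 1111 1111 1111 order=1234 5678 9012 3456 ip=203.0.113.7";
console.log(redact(SAMPLE, "label"));
```

The Luhn step is what keeps the 16-digit order number in the sample from being masked as a card, while the well-known test number `4111 1111 1111 1111` is caught.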

Logs, error reports, and support tickets routinely contain customer emails, IP addresses, session tokens, and sometimes payment data. Pasting them into a forum, a bug tracker, a vendor support chat, or an AI assistant can leak that data and create compliance violations (GDPR, HIPAA, PCI-DSS). Redacting first lets you share the technical content — the stack trace, the request flow — without exposing anyone's personal information.

The Secrets Scanner focuses on credentials and API keys in code (AWS keys, tokens, private keys) and is geared toward catching secrets before they are committed. The PII Redactor is broader and aimed at any text or logs — it covers personal data (emails, SSNs, cards, phones) as well as keys, and its job is to produce a clean, redacted version you can share. Use the Secrets Scanner for code review; use this for sanitizing data you are about to send somewhere.
