What types of PII does it detect?

It detects email addresses, IPv4 addresses, payment card numbers (Luhn-validated), UK National Insurance numbers, US Social Security numbers, 9-digit passport numbers, and UK/US phone numbers. Each distinct value gets a numbered token.

How are card numbers validated?

Candidate card numbers (13–19 digits) are checked with the Luhn algorithm before being redacted, so random long numbers that fail the checksum are left alone. This cuts down on false positives from order IDs and reference numbers.

Why does the same email get the same token?

Tokens are stable per value: every occurrence of a given email maps to [EMAIL_1], a different email maps to [EMAIL_2], and so on. This keeps the redacted text readable and lets you tell distinct people apart without exposing their data.

Will it catch every piece of personal data?

No. Regex-based detection catches structured identifiers reliably but cannot reliably find free-text names, addresses, or context-dependent data. Always review the output by eye before sharing anything sensitive — treat the tool as a first pass, not a guarantee.

Is my text sent to a server?

No. All pattern matching and redaction run entirely in your browser. Nothing is uploaded, logged, or stored, which is exactly why it is safe to use on confidential documents.

PII Detector & Redactor

Before you paste a log, support transcript, or document into a ticket, a chat, or an AI tool, you should strip out personally identifiable information (PII). This detector scans text locally for the structured identifiers that most often leak — emails, phone numbers, government IDs, and card numbers — and replaces each with a typed, numbered token so the result is safe to share but still readable.

How it works

Each PII type has a dedicated rule that runs entirely in your browser:

Email and IPv4 are matched with standard format patterns.
Payment cards are matched as 13–19 digit runs and then confirmed with the Luhn checksum, so numbers that fail the check digit are ignored.
UK National Insurance numbers use the official prefix rules (excluding invalid prefixes like BG, GB, NK) and an A–D suffix.
US SSNs exclude impossible group/area values such as 000, 666, and 9xx.
Phone numbers are matched broadly and then required to contain at least 10 digits to avoid catching short codes.

Overlapping matches are resolved so a single span is never double-tagged, and each distinct value is assigned a stable token — [EMAIL_1], [PHONE_2], and so on.

Tips and notes

Run the output through your own eyes before sharing. Names, street addresses, and other free-text PII are deliberately not auto-detected because heuristic name matching produces too many false positives and misses.
The numbered tokens preserve structure: if a log mentions the same user three times, all three become [EMAIL_1], so the redacted text still makes sense.
Passport detection is intentionally broad (any 9-digit run) and may catch other 9-digit identifiers — review those matches in context.
Because everything is local, this is safe for confidential material. There is no upload, no network request, and no storage of your input.