Does it inspect values or just field names?

It classifies by field name, which is fast and private but means a generically named field like "notes" can still hold PII. Always spot-check the actual values before sending anything to an AI API.

What categories does it detect?

Five — credentials and secrets, financial data, health data, general PII, and contact or location data. Each has its own recommended handling, from dropping outright to tokenizing.

Does my data leave the browser?

No. Parsing and classification happen entirely in your browser. Nothing is uploaded, logged, or stored.

Why are credentials handled differently from PII?

Credentials should never be sent to an AI API at all — there is no safe pseudonymization for an API key. PII can often be tokenized so the structure survives while the identity does not.

Does it handle nested JSON?

Yes. It walks nested objects and arrays and collects every key it finds, so deeply structured payloads are covered, not just top-level fields.

Sensitive Field Detector

Sensitive field detector

Before you paste a database row or an API payload into an AI tool, it pays to know which fields carry risk. This detector reads your JSON or CSV, extracts the field names, and flags the ones likely to hold sensitive data — with a concrete pseudonymization strategy for each so you can clean the payload first.

How it works

Paste JSON or a CSV with a header row. The tool parses JSON (walking nested objects and arrays) or reads the CSV header, then classifies each field name against five categories: credentials and secrets, financial data, health data, general PII, and contact or location data. Matches are grouped and each comes with a handling recommendation — drop credentials, mask financial values, pseudonymize identifiers, coarsen locations. All of it runs locally in your browser.

Tips and notes

Names, not values. A field called notes or description won’t be flagged but can easily contain PII — always eyeball the actual values too.
Credentials get dropped, not masked. There is no safe way to send an API key to a third-party model; remove it entirely.
Pseudonymize, don’t just delete, identifiers. A stable token like USER_1 keeps your data’s structure intact for the AI while removing identity.
Private by design. Nothing leaves your browser, which is the point — you shouldn’t have to upload sensitive data to find out it’s sensitive.