Remove personal data before pasting into ChatGPT or Claude
Pasting logs, emails or spreadsheets into an LLM can leak names, card numbers, API keys and more. Here's how to redact PII automatically, in your browser, before any of it leaves your machine.
"Here's the error log, what's going wrong?" You paste a few hundred lines into ChatGPT and move on. Buried in those lines: a customer's email, an internal API key, a card number from a webhook payload. It's now in a third party's logs, and depending on your plan and settings, possibly in a training set. This happens every day, and it's entirely avoidable.
Why this is easy to get wrong
Sensitive data hides in places you don't scan by eye: a stack trace with a signed URL, a spreadsheet column you forgot was there, a JWT in a request header. "I'll just delete the obvious bits" misses the rest, and doing it manually on a 500-line log is both tedious and error-prone. The fix is to scrub it automatically, and to do the scrubbing somewhere the data hasn't already leaked.
Redact in your browser, before anything leaves
Redact PII & Secrets scans your text with pattern matching, entirely on your own device, and replaces what it finds. It catches:
- Email addresses and phone numbers
- Credit-card numbers, validated with the Luhn checksum to avoid flagging random digit runs
- US Social Security numbers and Indian PAN
- IP addresses and URLs
- API keys and tokens: OpenAI sk- keys, AWS keys, GitHub tokens, Google keys, Slack tokens and JWTs
Crucially, the page never uploads your text and makes no API call. The redaction happens in the same tab you're typing into, which is the only way redaction-before-sharing actually makes sense: doing it on a server means trusting that server with the very data you're trying to hide.
Placeholders the model can still reason about
Blacking everything out to [REDACTED] destroys meaning: the model can no longer tell whether two lines mention the same person. The default "numbered" mode solves this: each distinct value gets a stable token, so a given email address becomes [EMAIL_1] everywhere it appears, and a second address becomes [EMAIL_2]. The thread stays coherent, the real values stay private. If you prefer, you can switch to a plain label ([EMAIL]) or a full block.
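To make the numbered mode and the Luhn check concrete, here is a small sketch added for illustration. It is not the tool's own code: the three patterns are simplified assumptions, and the names luhnValid, redact, PATTERNS and SAMPLE are hypothetical.

```javascript
// Added illustration, not the tool's source. Patterns are simplified assumptions.

// Luhn checksum: from the right, double every second digit, sum, expect mod 10 == 0.
function luhnValid(candidate) {
  const digits = candidate.replace(/\D/g, '');
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

const PATTERNS = [
  { label: 'JWT', re: /\beyJ[\w-]+\.[\w-]+\.[\w-]+/g },
  // Assumption: addresses differing only in case are treated as the same value.
  { label: 'EMAIL', re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g, norm: (s) => s.toLowerCase() },
  // 13-19 digits, optionally separated by spaces or hyphens; kept only if Luhn passes.
  { label: 'CARD', re: /\b\d(?:[ -]?\d){12,18}\b/g, norm: (s) => s.replace(/\D/g, ''), check: luhnValid },
];

// Replace every distinct value with a stable numbered placeholder such as [EMAIL_1].
function redact(text) {
  const tokens = new Map(); // "LABEL:normalised value" -> placeholder
  const counters = {};      // label -> highest index handed out so far
  let out = text;
  for (const { label, re, norm, check } of PATTERNS) {
    out = out.replace(re, (match) => {
      if (check && !check(match)) return match; // leave random digit runs alone
      const key = `${label}:${norm ? norm(match) : match}`;
      if (!tokens.has(key)) {
        counters[label] = (counters[label] || 0) + 1;
        tokens.set(key, `[${label}_${counters[label]}]`);
      }
      return tokens.get(key);
    });
  }
  return out;
}

// Constructed sample input (not real data).
const SAMPLE = [
  'user=alice@example.com card=4111 1111 1111 1111',
  'retry for Alice@example.com, cc bob@example.org',
  'order id 1234567890123456 card=4111-1111-1111-1111',
  'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl',
].join('\n');
```

Because the card key is the digit string, the same number written with spaces or hyphens maps to one token, while the 16-digit order id fails Luhn and is left untouched.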
Fit it into your prep routine
Redaction is the last step before you hit send. If your source is a file, get clean text out of it first with Office to Text or PDF to AI-ready text, then redact, then paste. Working with a PDF you need to share as a file rather than as text? Use the browser-only PDF redactor instead, which truly removes the underlying text rather than just drawing a black bar over it.
The habit worth building
You don't need a data-loss-prevention platform or a policy document. You need a ten-second reflex: before any log, email or spreadsheet goes into an LLM, run it through a redactor that works on your own machine. The data you never send is the data that can never leak.