Tool inputs are processed in your browser. We don't log or transmit what you paste.

PII Redactor

Auto-redact emails, phone numbers, SSNs, credit cards (Luhn-validated), API keys, GPS coords, IPv4/IPv6, and JWTs from any text. Pure regex, browser-only.

Bookmarking this URL will save the un-redacted text in your browser history. The URL hash is not sent to servers, but local history is local.

Got more to redact? Use Image EXIF Stripper for photos, then AES Text Encryption if you need to share what's left.

About this tool

Logs leak. Stack traces leak. Email threads with screenshots leak. A single shared CSV often contains rows of personal data the person sharing didn't realize were in there. The PII Redactor scans pasted text for patterns that almost always represent personal information — email addresses, phone numbers, Social Security numbers, credit card numbers, GPS coordinates, IP addresses, JWTs, API keys — and replaces each match with a category placeholder.

Detection is regex-based: no machine learning, no external service, no library. Each category has a hand-tuned pattern in src/lib/pii.ts with comments explaining the trade-offs. Two patterns include a JS-side validator: credit cards are flagged only after passing the Luhn checksum (which rejects most random number sequences), and GPS coordinates are flagged only when both values fall within plausible lat/lng ranges and aren't both zero (the test-case value "0, 0", a point in the middle of the Atlantic). IPv6 is matched permissively, then validated by a small parser.

Categories you can toggle. Each PII category has an on/off chip. Turn off categories you know aren't in your input to reduce false positives, or turn off ones you don't want redacted (e.g., keep IPs visible while redacting customer info). Each chip shows the count of matches found in the current text.

Replacement style. Two modes: by default, every match is replaced with a labeled placeholder like [REDACTED-EMAIL] — clear, searchable, easy to explain. Toggle "Preserve length" to instead replace with █ characters that match the original character count, useful for sharing screenshots where the redacted text needs to occupy the same visual space. Both modes give you the full match list in the "details" disclosure for review.

Cross-promo with the rest of the site. Image metadata is the same problem in a different format — see EXIF Stripper. Once redacted, if what's left still needs to be shared securely, the AES Encryption tool turns it into ciphertext only the recipient (with the password) can read.

Privacy. Detection runs entirely in your browser. No fetch, no XHR, no upload. The configuration (toggle states + preserve-length flag) and small inputs are reflected in the URL hash so the page state can be shared, but URL hashes are not transmitted in HTTP requests, so the data stays on your device. Note that bookmarking the URL DOES save the unredacted text to your browser history; the tool warns about this where it matters.

Frequently asked questions

What gets redacted?

Emails, US phone numbers, Social Security numbers, credit card numbers (Luhn-validated to drop false positives on order numbers and ISBNs), GPS coordinate pairs, IPv4 and IPv6 addresses, JWTs, and common API key prefixes (sk-, ghp_, AKIA, AIza, sk_live_, xox[abprso]-, etc.). Each category can be toggled on/off independently.

How does Luhn validation work for credit cards?

The Luhn algorithm is a checksum used by all major credit card networks to detect typos. We only flag a 13-19 digit number as a credit card if its Luhn checksum passes. This rejects most random number sequences that happen to be 13-19 digits long, like order numbers or tracking IDs, while catching real card numbers with high confidence.
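
The Luhn gate described above, as an added example (not the code in src/lib/pii.ts): a permissive 13-19 digit candidate pattern whose matches are redacted only if the checksum passes. The pattern, the function names, the [REDACTED-CREDIT-CARD] label and the sample text are assumptions made for illustration.

```javascript
// Added example: Luhn-gated card detection. Pattern, names, label and sample
// text are constructed for illustration; this is not the code in src/lib/pii.ts.

// Candidate: 13-19 digits, optionally separated by single spaces or dashes.
const CARD_CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Luhn checksum: from the right, double every second digit, subtract 9 from
// any result above 9, and require the total to be divisible by 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Return { text, matches }: only candidates that pass Luhn are replaced.
function redactCards(input) {
  const matches = [];
  const text = input.replace(CARD_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, "");
    if (!luhnValid(digits)) return m; // order numbers, tracking IDs, etc.
    matches.push(m);
    return "[REDACTED-CREDIT-CARD]";
  });
  return { text, matches };
}

// Constructed sample: a widely used test card number and a 16-digit order ref.
const SAMPLE = "Paid with 4111 1111 1111 1111, order ref 1234567890123456.";
console.log(redactCards(SAMPLE).text);
```

Luhn is a typo check, not proof that a number is a card: roughly one in ten random digit strings of the right length will still pass, so review the match list before sharing.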

Why don't I see EU phone numbers detected?

The phone number regex is currently US-format-focused. International number detection is harder because the formats vary widely and false-positive rates climb. A more permissive pattern would catch more numbers but also catch more dates, ID numbers, and other non-phone strings. International support is on the v2 list.

Will the URL hash leak my unredacted text?

The URL hash (anything after #) is never sent to servers in HTTP requests, so the input doesn't leak over the network. But it IS saved in your browser history and tab session — bookmarking the page or sharing the URL with someone preserves the unredacted text. The tool warns about this. If the input is sensitive, clear the URL hash before bookmarking, or close the tab when done.

Can I plug in my own patterns?

Not yet from the UI. The detection logic lives in src/lib/pii.ts (open source, organized per category rather than as a single regex blob) and supports adding custom patterns, but exposing that as a UI affordance is a v2 feature. If you have a specific pattern you keep wanting, mention it in a contact email.

Are overlapping matches handled cleanly?

Yes. When two categories' regexes both match the same text (e.g., a number that's both a valid Luhn-passing 16-digit string AND looks like an extended phone number), the longer match wins. The tool resolves overlaps before applying replacements so you never see partially-replaced text.
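
One way to implement longest-match-wins resolution together with the two replacement styles and per-category toggles, as an added example (not the code in src/lib/pii.ts). The three patterns are simplified assumptions, the PHONE and IPV4 labels are assumed, and the constructed input uses a different overlap from the one mentioned above: a phone-shaped string inside an email address.

```javascript
// Added example: longest-match-wins overlap resolution with both replacement
// styles. Patterns and names are simplified assumptions, not src/lib/pii.ts.
const PATTERNS = {
  EMAIL: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
  PHONE: /\b\d{3}[-.]\d{3}[-.]\d{4}\b/g,
  IPV4: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g,
};

// Collect every match from every enabled category, with its position.
function findAll(text, enabled = Object.keys(PATTERNS)) {
  const found = [];
  for (const category of enabled) {
    for (const m of text.matchAll(PATTERNS[category])) {
      found.push({ category, start: m.index, end: m.index + m[0].length });
    }
  }
  return found;
}

// Keep the longest match first; drop anything that overlaps a kept match.
function resolveOverlaps(found) {
  const byLength = [...found].sort(
    (a, b) => (b.end - b.start) - (a.end - a.start) || a.start - b.start
  );
  const kept = [];
  for (const m of byLength) {
    if (kept.every((k) => m.end <= k.start || m.start >= k.end)) kept.push(m);
  }
  return kept.sort((a, b) => a.start - b.start);
}

// Rebuild the text once from the resolved, non-overlapping matches.
function redact(text, { preserveLength = false, enabled } = {}) {
  let out = "";
  let cursor = 0;
  for (const m of resolveOverlaps(findAll(text, enabled))) {
    out += text.slice(cursor, m.start);
    out += preserveLength ? "█".repeat(m.end - m.start) : `[REDACTED-${m.category}]`;
    cursor = m.end;
  }
  return out + text.slice(cursor);
}

// Constructed input: the phone pattern also matches inside the email address.
const INPUT = "Contact 555-867-5309@example.com or 555-867-5309 from 10.0.0.7";
console.log(redact(INPUT));
```

Resolving overlaps before any replacement is what prevents output such as [REDACTED-PHONE]@example.com when the email category is enabled; with only the phone category enabled, that partial result is the expected one.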