FAQ: PII, GDPR & AI Privacy Questions
Quick answers about PII, GDPR, AI privacy risks, and how PrivacyPromptAI works
Showing 20 questions
PII stands for Personally Identifiable Information, any data that can identify a specific person, directly or in combination with other data. Examples include names, email addresses, phone numbers, national ID numbers, IP addresses, and dates of birth.
It depends on context. A common first name on its own is unlikely to identify anyone. However, a full name combined with any other data point, such as an employer, email address, or location, almost certainly constitutes PII. Under GDPR, even a first name can be personal data if it identifies a specific person within a given context.
PII is a US concept used in HIPAA and CCPA. Personal data is the GDPR term, defined as any information relating to an identified or identifiable natural person. Personal data under GDPR is broader; it covers indirect identifiers, online identifiers, and combinations of data that together identify someone.
It depends on what's in the document. If it contains personal data, sending it to an AI tool means that data leaves your organisation and is processed on external servers, potentially a GDPR violation. Remove PII first with PrivacyPromptAI and the risk disappears.
Removing names is not sufficient on its own. Under HIPAA's Safe Harbor method, 18 identifiers must all be removed. Under GDPR you must also consider re-identification risk. PrivacyPromptAI detects all 18 HIPAA Safe Harbor identifiers automatically.
Public Wi-Fi adds network-level risk. While AI platforms use HTTPS, public networks can be monitored. You should use a VPN and clean all PII out of documents before pasting into any AI tool. PrivacyPromptAI processes everything locally so using it on public Wi-Fi carries zero additional risk.
A DPIA is required by GDPR Article 35 before processing activities that are likely to result in high risk to individuals, such as large-scale processing of sensitive data or using new technologies including AI. Using PrivacyPromptAI to clean personal data out of documents before AI processing is itself a risk mitigation measure that strengthens a DPIA.
GDPR sets two tiers: up to €10 million or 2% of global turnover for less serious violations, and up to €20 million or 4% for the most serious. Notable fines include Meta (€1.2 billion), Amazon (€746 million), and WhatsApp (€225 million).
Yes. GDPR has extraterritorial reach under Article 3. It applies to any organisation that processes personal data of EU residents in connection with offering goods or services to them, or monitoring their behaviour, regardless of where the organisation is based.
Not directly. PrivacyPromptAI detects PII from text-based content. For scanned documents, first run OCR to extract the text, then paste into PrivacyPromptAI. Free OCR options include Adobe Acrobat online, Google Drive, or Microsoft Word.
Student data is highly sensitive and protected by GDPR for EU students and FERPA in the US. Before using AI for grading or lesson planning, remove all student names, ID numbers, dates of birth, and any identifying information. Anonymised assignments can be safely processed by AI.
Act quickly: delete the conversation immediately, clear any memory features, opt out of training data use, and assess whether the breach is notifiable under GDPR Article 33 (72-hour notification requirement if there is risk of harm to individuals). Notify your DPO immediately in any professional context.
ChatGPT is not automatically GDPR compliant for your use case. OpenAI offers a Data Processing Agreement (DPA) and an opt-out from training data use, but you remain responsible for establishing a lawful basis for processing, completing a Transfer Impact Assessment for data leaving the EU, and removing PII before inputting documents. Using ChatGPT with personal data, even with a DPA, may still violate GDPR if you lack a valid legal basis. See our GDPR & AI Compliance guide for a full breakdown.
You can use customer data in AI tools only if you have a lawful basis under GDPR Article 6, a signed Data Processing Agreement with the AI provider, and have conducted a Transfer Impact Assessment if data leaves the EU. The safest and simplest approach is to clean all PII first, eliminating these compliance obligations entirely and allowing you to use AI tools freely with no legal exposure.
True anonymisation for machine learning requires removing all direct identifiers (names, emails, IDs), pseudonymising indirect identifiers, and testing for re-identification risk. For document-based workflows, PrivacyPromptAI automates the first step, detecting and replacing all PII with neutral tokens (e.g.
[NAME_1], [EMAIL_1]) across 23 languages, reducing re-identification risk before data enters any ML pipeline. Learn more about PII types we detect.
Yes, if you are subject to GDPR. When you paste a document into ChatGPT, its content is transmitted to OpenAI's servers, a third-party data processor. Under GDPR Article 28, this requires a Data Processing Agreement and a lawful basis for processing. Removing PII first eliminates this obligation entirely. Read our full step-by-step guide on how to do this in under 60 seconds.
Using Claude (Anthropic) or Gemini (Google) with personal data is not automatically a GDPR violation, but it may become one if you have not signed a Data Processing Agreement with the provider, established a lawful basis for processing, or conducted a Transfer Impact Assessment for cross-border transfers. Cleaning all PII before use is the safest approach and removes all of these requirements. See our GDPR AI Compliance guide.
All cloud-based AI tools require PII removal if you are subject to GDPR or other data protection law. This includes ChatGPT (OpenAI), Claude (Anthropic), Gemini (Google), Microsoft Copilot, Perplexity, Mistral, and any other AI assistant that processes text on external servers. The rule is simple: if your text leaves your device, remove the PII first. Read our full guide for tool-specific guidance.
Manual removal can satisfy GDPR in principle, but it is error-prone and time-consuming. A single missed identifier, a date of birth, an indirect reference, or a combination of non-obvious data points, can constitute a reportable personal data breach. Automated tools like PrivacyPromptAI reduce this risk by systematically detecting all common PII types using pattern matching and Named Entity Recognition across 23 languages. Learn about the PII types we detect.
A Data Processing Agreement (DPA) is a contract required by GDPR Article 28 whenever you share personal data with a third-party processor, including AI providers. If you use ChatGPT, Claude, or Gemini with personal data, you need a signed DPA with that provider. Alternatively, cleaning all PII before use means no personal data is ever shared, which eliminates the DPA requirement entirely. See our Compliance page for more detail.
Yes. PrivacyPromptAI runs entirely in your browser, with no installation, no account, and no download required. Simply visit privacypromptai.com, paste your text or upload a file, and the tool detects and removes PII instantly. A free Chrome extension is also available for cleaning content directly on any webpage, but it is entirely optional.
Cleaning permanently removes or replaces PII so that the original value is no longer recoverable from the document. Masking partially obscures a value, for example, showing only the last four digits of a card number, while leaving the rest visible. PrivacyPromptAI performs full cleaning: each detected PII item is replaced with a labelled token such as
[EMAIL_1] or [IBAN_1], leaving no trace of the original value in the output.
PrivacyPromptAI supports plain text, PDF, DOCX and TXT file formats for direct upload. For CSV or Excel files, you can copy and paste the cell content as plain text into the tool and clean it before pasting back. Pro users can also use batch mode to process multiple text-based files at once. Native CSV and Excel file support is on our development roadmap.
Yes, and it is actually safer on a shared computer than most alternatives. Because PrivacyPromptAI processes everything locally in your browser and never uploads your document to any server, no data is stored or transmitted. When you close the browser tab, all content is immediately cleared from memory. As a general precaution on public devices, use a private or incognito browsing window to prevent session data from being stored in the browser cache.
Data minimisation is one of the seven core principles of GDPR, defined in Article 5(1)(c). It requires organisations to collect and process only the personal data strictly necessary for a specific, stated purpose. In practice, this means stripping all unnecessary PII from documents before sharing them with third parties, colleagues or AI tools. PrivacyPromptAI applies data minimisation automatically, identifying and removing all identifiable information, leaving only the content relevant to your purpose. See our Compliance guide for more.
Yes. PrivacyPromptAI scans the full text content of uploaded documents, including content inside tables, lists and structured sections. When you upload a DOCX or PDF containing a table with names, email addresses or ID numbers in cells, those values are detected and cleaned in the same pass as the rest of the document. The table structure is preserved in the output, only the PII values within the cells are replaced with tokens.
It depends on context. A job title alone, for example, "Senior Accountant", is generally not PII because it does not identify a specific individual. However, when combined with a name, company or department, it can become PII because the combination makes the individual identifiable. Under GDPR, the test is whether the data, alone or in combination, can identify a living natural person. When in doubt, clean it. See our full guide on what counts as personal information.
Before sharing any document with a third-party contractor, remove: full names and job titles of individuals, email addresses and phone numbers, national ID or passport numbers, bank account details and IBANs, salary figures tied to named individuals, client references containing personal data, and any health, legal or financial information relating to identifiable people. Under GDPR, sharing personal data with a contractor requires a signed Data Processing Agreement (DPA). Cleaning all PII out before sharing eliminates this obligation entirely.
Yes. The PrivacyPromptAI Pro licence is a one-time payment that unlocks unlimited document processing, batch mode for multiple files at once, custom local keywords, and priority access to new features. There are no monthly fees, no document caps, and no subscription. Once purchased, your Pro licence is permanent and covers personal use across your devices.
Yes. PrivacyPromptAI is well suited to DSAR workflows. When responding to a Data Subject Access Request under GDPR Article 15, organisations must provide the data subject with their own personal information while cleaning any PII belonging to third parties mentioned in the same documents. PrivacyPromptAI can quickly strip third-party PII from contracts, emails, HR records and case files before disclosure, ensuring you fulfil your DSAR obligations without exposing data about other individuals.
No questions match this filter
👆 Click a question to get started!
I get excited when you learn about privacy 🛡️
Help & FAQs
Still Have Questions?
Browse the full list of 20+ questions above, or contact us if you need more help.
PII stands for Personally Identifiable Information, any data that can identify a specific person, directly or in combination with other data. Examples include names, email addresses, phone numbers, national ID numbers, IP addresses, and dates of birth.
It depends on what is in the document. If it contains personal data, sending it to an AI tool means that data leaves your organisation and is processed on external servers, potentially a GDPR violation. Remove PII first with PrivacyPromptAI and the risk disappears.
Yes. GDPR has extraterritorial reach under Article 3. It applies to any organisation that processes personal data of EU residents in connection with offering goods or services to them, or monitoring their behaviour, regardless of where the organisation is based.
Anonymisation permanently removes all identifying information so that re-identification is impossible, anonymised data falls outside GDPR entirely. Pseudonymisation replaces identifiers with tokens or codes, but re-identification is still possible if you have the key. PrivacyPromptAI performs pseudonymisation: PII is replaced with tokens like
[NAME_1] or [EMAIL_1], preserving document structure while removing exposed identifiers. True anonymisation requires additional steps and careful verification.PrivacyPromptAI can help reduce HIPAA risk when sharing medical documents with AI tools. It detects and cleans Protected Health Information (PHI) including names, dates, phone numbers, email addresses, and other identifiers listed under HIPAA's Safe Harbour method. However, PrivacyPromptAI is not a certified HIPAA compliance solution and does not replace a formal risk assessment or Business Associate Agreement. It is a practical tool for reducing exposure before AI use.
If personal data about real individuals is submitted to ChatGPT, it is processed by OpenAI's servers and may be used to train future models unless you have opted out or are using a paid API plan with data retention controls. Under GDPR, this constitutes a transfer of personal data to a third-party processor. You should document the incident, assess whether individuals are at risk, and consider notifying your Data Protection Officer. Going forward, use PrivacyPromptAI to clean all PII before pasting any document into an AI tool.
Yes. PrivacyPromptAI runs entirely in your browser, so it works on any modern mobile browser including Chrome for Android and Safari for iOS. The text paste tool and file upload section are both mobile-friendly. The browser extension is currently Chrome/Chromium desktop only and is not available as a mobile app.
No. Once a document is cleaned with PrivacyPromptAI and the original is discarded, the cleaned version cannot be reversed. The tool replaces PII with tokens such as
[NAME_1] or [EMAIL_1], the original values are never stored on any server. If you need to recover the originals, you must keep a copy of the original document yourself before cleaning.A personal data breach is any incident where personal data is accidentally or unlawfully accessed, disclosed, altered, or lost. Under GDPR, most breaches must be reported to your supervisory authority within 72 hours. Cleaning PII before sharing documents with AI tools or third parties significantly reduces breach risk: if a cleaned document is accidentally exposed, no personal data is present to be compromised.
Yes. PrivacyPromptAI lets you remove personal information from PDF documents directly in your browser, with no software to install and no account required. Simply upload your PDF, and the tool detects and removes names, emails, phone numbers, passport numbers, bank details and more. Everything happens locally on your device: the file is never uploaded to a server.
The safest approach is to remove all personal information from the document before sharing it. PrivacyPromptAI does this automatically: paste or upload your document, and it detects and removes names, contact details, financial data, identification numbers and other personal information. Once cleaned, the document contains no personal data and can be shared freely by email, file transfer or any other method.
Word documents can contain personal information in two places: inside the visible text and inside the document metadata. The text may include names, addresses, email addresses, phone numbers, identification numbers and financial details. The metadata, which is invisible to most readers, can store the author name, company name, previous editors, revision history and creation date. PrivacyPromptAI removes personal information from the document text. For metadata, you should also use the built-in Inspect Document feature in Microsoft Word before sharing.
Yes. PrivacyPromptAI includes a Batch Mode that lets you process multiple documents in one session. You can upload several files and clean them one after the other without reloading the page. Pro users can process a higher number of files and access additional formats including PDF, Excel and CSV.
PrivacyPromptAI detects personal information in 23 languages, covering all major European Union languages as well as English. This includes French, German, Spanish, Italian, Dutch, Polish, Portuguese, Romanian, Swedish, Czech, Hungarian, Bulgarian, Croatian, Danish, Finnish, Greek, Lithuanian, Latvian, Slovak, Slovenian, Estonian and Maltese. The language is detected automatically, so no manual selection is needed.
Yes. PrivacyPromptAI is designed specifically for professional and corporate use. All processing happens locally in your browser: no document content, no personal data and no file is ever sent to an external server. This means it works safely within corporate network policies and does not create any data transfer that would need to be declared under GDPR or other privacy regulations. IT departments can verify this by inspecting network traffic during use.
PrivacyPromptAI supports 23 languages and detects the language of your document automatically, with no manual selection is needed. If your document contains text in multiple languages simultaneously, detection accuracy is best for the dominant language. Pattern-based detection (emails, IBANs, phone numbers, credit cards) works reliably across all languages regardless, as these formats follow international standards. See all features →
Cleanup permanently removes personal information from a document, the data is gone and cannot be recovered. Encryption scrambles data so it can only be read with the correct key, but the original data still exists and could be exposed if the key is compromised. For sharing documents with AI tools or external parties, cleanup is generally safer: there is no key to steal and no risk of decryption. Encryption is better suited to secure storage and transmission between trusted parties.
PrivacyPromptAI cleans personal information from the text content of your document, names, emails, IBANs and other PII visible in the body of the file. It does not remove file-level metadata such as the author name, creation date or revision history embedded inside a Word or PDF file. To strip metadata, use your word processor's built-in 'Inspect Document' feature (Word) or a dedicated metadata removal tool before sharing.
Yes. While PrivacyPromptAI was designed with GDPR in mind, it is equally useful for California Consumer Privacy Act (CCPA) compliance. The CCPA defines personal information broadly, including names, email addresses, IP addresses, geolocation data and financial details. All of which PrivacyPromptAI detects and cleans. Removing this data before sharing documents with AI tools or third parties reduces your exposure under both regulations. Read about compliance →
When you close the browser tab, all text you pasted or files you uploaded are immediately cleared from memory. Nothing is saved to any server. PrivacyPromptAI stores only your settings (such as custom keywords and Pro licence status) in your browser's localStorage, which stays on your device and is never transmitted anywhere. You can also manually clear your session at any time using the 'Clear Session' button on the homepage.
Yes. Law firms regularly work with documents containing highly sensitive personal data, full legal names, signatures, case details, financial records and contact information. PrivacyPromptAI is well-suited to this environment because all processing is local: no client data ever leaves the device or touches an external server. This is critical for attorney-client privilege and GDPR compliance. The Pro tier adds PDF and batch processing, which are particularly useful for legal workflows. See Pro features →
Yes. Simply copy and paste the email thread text into the PrivacyPromptAI tool. It will detect and clean names, email addresses, phone numbers and other personal information throughout the thread, including quoted replies. For best results, paste the full thread as plain text. If you need to process many email threads at once, the Pro batch mode allows you to handle multiple files in a single session. Try it free →
PII (Personally Identifiable Information) is a broad term for any data that can identify a specific individual, names, email addresses, national IDs, IBANs and more. PHI (Protected Health Information) is a subset of PII that specifically relates to a person's health status, medical records or healthcare payments, governed by HIPAA in the United States. All PHI is PII, but not all PII is PHI. PrivacyPromptAI detects and removes both. See our full PII vs PHI guide →
Yes. Courts and legal proceedings frequently require that personal data belonging to uninvolved third parties be removed from disclosed documents. PrivacyPromptAI can strip names, addresses, contact details and financial identifiers from contracts, statements and correspondence before submission. Note that formal legal cleanup for court use may also require physical marking or certified procedures depending on the jurisdiction. PrivacyPromptAI handles the personal data removal step quickly and locally.
Yes. A handwritten or electronic signature is personal data under GDPR because it is unique to an individual and can be used to identify them. When processed using biometric recognition technology, signatures additionally qualify as biometric data under GDPR Article 9, requiring explicit consent. Any document containing signatures should be treated as containing personal data before it is shared with AI tools or third parties.
Structured personal data is organised in defined fields, rows and columns in a spreadsheet or database, where each field has a fixed meaning (name, email, date of birth). Unstructured personal data appears in free-form content such as emails, PDFs, contracts and chat logs, where personal information is embedded in natural language without a fixed format. Unstructured data is significantly harder to clean because personal details can appear anywhere in the text. PrivacyPromptAI is specifically designed to detect personal data in unstructured documents.
Yes. Sharing a cleaned copy of a document back with the original sender is a common and legitimate practice, particularly in legal, HR and compliance workflows. Once personal data belonging to third parties has been removed, the document no longer triggers GDPR obligations in relation to those individuals. The original sender, already having access to the unmodified document, is not affected by your removal of third-party data from your copy.
Yes. Payroll providers are data processors under GDPR and should only receive the minimum personal data necessary for the task. If an HR document contains information about employees not relevant to payroll, such as disciplinary notes, health records or personal contact details, those fields should be removed before sharing. PrivacyPromptAI can strip names, IBANs, national IDs and other identifiers from HR documents locally before you send them, ensuring data minimisation compliance under GDPR Article 5(1)(c).
PrivacyPromptAI processes text-based documents. Scanned PDFs that are image-only do not contain extractable text and cannot be processed directly. To use the tool with a scanned document, first run it through an OCR tool such as Adobe Acrobat, Google Docs, or a free OCR service to convert the image to selectable text, then paste or upload the result into PrivacyPromptAI.
Nothing is lost from a privacy perspective. PrivacyPromptAI processes all documents entirely in your browser, with no data is ever sent to a server. If you close the tab before copying or downloading your cleaned text, that session's data is simply discarded. No trace remains anywhere. Pro users can use the session history feature to restore recent results within the same tab session.
Yes. The Detection Categories panel lets you toggle entire PII types on or off before running detection, for example, keep dates but remove emails, phones, and IBANs. This is available to all users. Pro users additionally have access to the selective override checklist, which lets you review every detected item individually and uncheck specific instances you want to keep before erasing.
Detection sensitivity (Pro) controls how aggressively the tool flags potential PII. Strict mode uses precise patterns and minimises false positives; it flags items it is confident about. Broad mode uses looser matching and catches more potential identifiers, including partial phone numbers and standalone number sequences, at the cost of more false positives. Strict mode is recommended for most professional use cases.
Yes, Pro users can define custom replacement tokens for each PII category. Instead of
[EMAIL_1] you can use [REDACTED], ████, or any label you prefer. Use {n} in the token to include a counter, for example [HIDDEN_{n}] produces [HIDDEN_1], [HIDDEN_2], and so on. Set your tokens in the Rename What Gets Removed panel and click Apply Tokens.Yes. After cleaning, all users can download an Audit Report in JSON format listing every detected PII item, its category, original value, replacement token, and position. Pro users can also download a one-page Cleanup Summary PDF showing a category-by-category count, document name, date, and a compliance statement, useful for GDPR audit trails and Data Protection Impact Assessments.
Yes. After running Step 2: Erase, click the Compare View button in the download bar. This shows the original and cleaned text side by side in two columns so you can verify every cleanup at a glance. Available to all users, free and Pro.
PII vs PHI: What's the Difference?
GDPR health data vs HIPAA, comparison table
GDPR Compliance for AI Tools
ChatGPT, Claude, Gemini & GDPR explained
How to Remove PII Before Using AI
Step-by-step guide, GDPR checklist
PII Visual Guides & Infographics
Plain-language privacy explainers
PII Knowledge Quiz
Test what you know about personal data
Browser Extension
Remove PII from any webpage
Nothing uploaded
No account needed
Free core tool
23 languages