PII: Super-Easy to Understand
No legal jargon. No textbooks. Four illustrated characters explain exactly what personal data is, what makes it risky, and what the law says about it — in one visual.
The PII Risk Lineup
Four types of personal data. Four very different consequences. Which one is hiding in your documents right now?
© 2026 PrivacyPromptAI. All rights reserved. Reproduction without written permission is prohibited.
The catch most people miss
All four types can appear in the same document. A standard HR report might contain a job title (Not PII), an email address (Standard PII), a bank account number (High-risk PII), and a disability note (GDPR Article 9) — all on the same page.
Pasting that document into an AI tool without redacting it first puts you in breach of GDPR — regardless of intent. The law does not distinguish between deliberate and accidental disclosure.
Frequently asked questions
Questions about PII types, risk levels, and what to do about them.
What is the difference between the four PII risk levels in the infographic?
Data classed as Not PII cannot identify anyone. Standard PII identifies a person and is protected under GDPR Article 4: email addresses, phone numbers, and IP addresses fall here. High-risk PII directly enables fraud: passport numbers, IBANs, credit card numbers. GDPR Article 9 data is the most sensitive legal category (health records, biometrics, genetic data), requiring explicit consent and carrying the highest fines.
Can non-PII data become PII when combined with other fields?
Yes. This is called the aggregation problem. A zip code, a date of birth, and a gender identifier are not PII on their own, but research has shown that combining just those three fields can uniquely identify 87% of the US population. Always consider what your data looks like in combination, not just in isolation. See our full PII types guide for more examples.
What happens if I paste a document with PII into ChatGPT or another AI tool?
The content is sent to and processed on external servers outside your control. Under GDPR, this constitutes a transfer of personal data to a third-party processor. Without a Data Processing Agreement in place, this may be a reportable breach — even if completely unintentional. GDPR Article 9 data carries the highest penalties. PrivacyPromptAI redacts all PII locally in your browser before you send anything anywhere.
Is a person's name always considered PII?
Usually yes. A full name is considered Standard PII because it identifies a specific person. A very common name like "John Smith" may require additional data points to pinpoint one individual, but in practice you should always treat full names as PII and redact them accordingly.
Does GDPR apply to me if I am not based in Europe?
Yes — GDPR applies to any organisation that processes the personal data of EU residents, regardless of where the organisation is located. Most countries also have equivalent legislation: CCPA in California, PDPA in Singapore and Thailand, LGPD in Brazil, PIPL in China, and POPIA in South Africa. Read more in our GDPR & AI compliance guide.
How do I remove PII from a document before using it with AI?
Paste your document into PrivacyPromptAI. It automatically detects and redacts all four PII categories — names, emails, phone numbers, IBANs, passport numbers, health data, and more — entirely in your browser. Nothing leaves your device. It is free and supports 23 European languages.
Now you know what PII is — remove it in seconds
PrivacyPromptAI detects all four PII categories automatically — entirely in your browser. Free, instant, and works across 23 languages.