Sensitive field detector
Before you paste a database row or an API payload into an AI tool, it pays to know which fields carry risk. This detector reads your JSON or CSV, extracts the field names, and flags the ones likely to hold sensitive data — with a concrete pseudonymization strategy for each so you can clean the payload first.
How it works
Paste JSON or a CSV with a header row. The tool parses JSON (walking nested objects and arrays) or reads the CSV header, then classifies each field name against five categories: credentials and secrets, financial data, health data, general PII, and contact or location data. Matches are grouped and each comes with a handling recommendation — drop credentials, mask financial values, pseudonymize identifiers, coarsen locations. All of it runs locally in your browser.
The five categories and what to do with each
Credentials and secrets — API keys, passwords, tokens, private keys, connection strings. The recommended action is always drop entirely. There is no safe pseudonymization for a credential; even a masked value like sk-*** confirms the field exists and can still trip an overeager AI that asks clarifying questions. Remove these before the data leaves your system.
Financial data — card numbers, account numbers, routing numbers, CVVs, balances, transaction amounts. Mask numeric amounts to plausible ranges (replace the exact balance with a [FINANCIAL_VALUE] token or round to the nearest thousand). Card and account numbers should be tokenized or dropped.
Health data — diagnoses, medications, lab values, clinical notes, health identifiers. Health data carries HIPAA or GDPR special-category obligations and should be pseudonymized with opaque tokens. Aggregate or generalise where possible (replace a specific diagnosis code with its category, not the exact value).
General PII — names, national ID numbers, date of birth, biometric data. Stable tokens (PERSON_001) preserve relationships across records for AI analysis without exposing identity. If the relationship is not needed, drop the field.
Contact and location — email addresses, phone numbers, street addresses, GPS coordinates, IP addresses. For email and phone, replace with [CONTACT_REDACTED]. For location, coarsen to city or country level rather than full address.
Why field-name detection alone is not enough
The tool flags fields by name pattern, which is fast and works well for structured schemas where the DBA used descriptive column names. But fields called notes, description, comments, or metadata frequently contain freeform text that can include PII — a user who typed their phone number in a notes field, a doctor who wrote a patient name in a comment. Always read through the actual values in generic text fields before sending the data to any AI API, even if no field names were flagged.
Tips and notes
- Names, not values. A field called
notesordescriptionwon’t be flagged but can easily contain PII — always eyeball the actual values too. - Credentials get dropped, not masked. There is no safe way to send an API key to a third-party model; remove it entirely.
- Pseudonymize, don’t just delete, identifiers. A stable token like
USER_1keeps your data’s structure intact for the AI while removing identity. - Private by design. Nothing leaves your browser, which is the point — you shouldn’t have to upload sensitive data to find out it’s sensitive.