Is OpenRedaction free?

Yes, the regex-only library is free and open-source. You can use it locally without any external services. AI-assist via the hosted API has a free tier with IP-based limits, and a Pro tier with 50,000 requests/month for £9/month.

What is the difference between regex mode and AI mode?

Regex mode uses 500+ tested patterns for fast, deterministic PII detection. It works completely offline and is free. AI mode is optional and uses a hosted AI proxy for better detection on messy or unstructured text. AI mode requires the hosted API and has usage limits.

Does OpenRedaction store my data?

No, the hosted API is stateless and does not store raw text. Processing happens in memory and data is discarded after redaction. Minimal metadata may be logged for rate limiting. For complete privacy, you can self-host the open-source library.

What is the API limit?

Free tier: IP-based rate limiting with fair-use limits (approximately 200 AI-assist requests per day). Pro tier: 50,000 AI-assist requests per month with an API key. Regex-only redaction has no limits and works completely offline.

PII Detection for AI: How to Safely Use User Data with LLMs

Large language models are incredibly good at turning messy real‑world data into something useful. They are also incredibly good at ingesting sensitive information you did not realise you were sending. If you are feeding real user data into AI systems, you already have a PII problem – the question is whether you have visibility and control.

This article explains how PII detection fits into AI workflows, where personal data typically leaks, and how to design a PII‑aware architecture using a hybrid "pattern‑first + AI assist" approach like the one in OpenRedaction. For a primer on the basics of PII detection, see the article "Understanding PII Detection" on the OpenRedaction blog, or check out our PII Detection guide for practical implementation details.

Where PII hides in AI workflows

PII shows up everywhere once you start looking, especially around AI:

Inbound: user prompts, chat messages, uploaded PDFs and Word docs, CSV exports from CRMs, support tickets and email threads, call transcripts, screenshots.

Processing: prompt/response logging, debug traces, observability tools capturing requests and responses, intermediate queues and event streams.

Storage: vector databases for RAG, fine‑tuning datasets, analytics warehouses where raw prompts and responses are stored "just in case".

Outbound: model responses that echo user details, include copied text from uploads, or reconstruct information from context.

The net effect is that a single user message can spray personal data across half a dozen systems. Without a consistent PII detection and redaction layer, those systems become shadow copies of your most sensitive data.

Threat model: what can go wrong

Before deciding how to detect PII, it helps to be clear on what you are protecting against:

Accidental logging: prompts and responses with names, emails, IDs and access tokens end up in log management tools, ticketing systems or shared debug dashboards.
Data residency and vendor risk: PII is sent to third‑party LLM APIs in other jurisdictions, sometimes against policy or contract.
Model and RAG leakage: unredacted data used for fine‑tuning or retrieval‑augmented generation later shows up in responses to unrelated users.
Compliance headaches: once PII is scattered across logs, vector stores and training sets, responding to deletion or subject access requests becomes painful.

PII detection is not a silver bullet, but it is one of the few controls you can place right at the boundary of your AI systems to reduce the blast radius of all these risks.

Pattern‑based vs AI‑based PII detection

There are two main families of approaches for detecting PII, and in practice you often want both.

Pattern‑based (regex) detection

Pattern‑based detection uses explicit rules, usually regular expressions plus validation logic, to find identifiers with predictable shapes. Typical examples include:

Email addresses and phone numbers
IP addresses and MAC addresses
Credit card and bank account numbers
Government ID numbers and passport numbers
Access tokens, API keys and session IDs with known formats

This approach is:

Deterministic: the same input always produces the same output.
Transparent: you can inspect and adjust the actual rules.
Fast and cheap: runs locally, with no external calls.

The downside is that pattern‑based detection struggles with:

Names and locations
Free‑form descriptions like "my colleague John in the London office"
Domain‑specific identifiers whose formats are not well known

AI / NER‑based detection

AI‑based detection uses trained models (often named entity recognition / NER models or LLMs themselves) to find entities like "Person", "Location", "Organization", "Email", "PhoneNumber" and so on directly in text.

This approach is strong when:

Text is messy, multilingual or full of typos.
You care about entities that do not follow strict formats (names, employers, schools, addresses).
Users can paste anything into a free‑text field.

The trade‑offs include:

Opacity: understanding why a model did or did not detect something is harder.
Operational complexity: you have to manage latency, cost, versioning and confidence thresholds.
Data flow: many AI PII detectors are cloud APIs, which may conflict with strict data residency or privacy requirements.

A hybrid approach

A robust setup combines the strengths of both:

First, run pattern‑based detection locally to catch anything with a known shape.
Then, optionally call an AI model to find additional PII in the remaining free‑text.
Merge results and apply redaction in a consistent, predictable way.

This is the philosophy behind OpenRedaction's "pattern‑first with optional AI assist" design. The core library ships with a large collection of hardened regexes and does not require sending data anywhere. When you need more coverage on messy text, you can enable an AI assist layer on top.

For more on the basics of pattern‑based detection and how OpenRedaction does it, see Understanding PII Detection.

Designing a PII‑aware AI architecture

Think in terms of where to insert PII detection in your AI stack. A good mental model is four key stages.

1. Classify AI use cases by risk

Not all AI use is equal. Classify flows roughly as:

Low‑risk: internal tools on synthetic or low‑sensitivity data, local models, no external logging.
Medium‑risk: internal use with real customer data, logs in shared systems, vendor APIs within your region.
High‑risk: public‑facing AI features, cross‑border API calls, long‑term storage of prompts/responses.

The higher the risk, the more aggressive your PII detection and redaction should be.

2. Insert PII detection at system boundaries

You typically want detection at:

Inbound request edges

Middleware in your API gateway, backend or chat server that runs PII detection/redaction on prompts before they reach your model gateway or vector ingestion code.

File ingestion paths

For uploads (PDFs, DOCX, CSV, images), run text extraction (and OCR if needed), then PII detection, then chunk/embedding. This ensures your vector database never sees raw identifiers.

Event and log pipelines

Before logs, metrics or traces leave your core infrastructure for third‑party tools, pass them through a PII filter to guarantee that observability does not become a shadow PII store.

OpenRedaction is deliberately built as a text‑in/text‑out engine that slots naturally into these boundaries, whether you use it as a library or a sidecar.

3. Post‑process model outputs

It is easy to focus only on inputs, but outputs deserve similar care:

Echo suppression

LLMs can repeat back PII that was present in user prompts or documents. A post‑processing step can detect and mask those before responses are stored or shown.

Guardrails

For some products, you may want to explicitly block the model from outputting certain classes of identifiers unless there is a strong justification (for example, internal tools used only by staff).

A simple pattern is:

Model generates a response.
Run PII detection over that response.
Mask or tokenise any detected spans before returning to the client or storing in logs.

4. Choose your redaction style

Once you have spans, you still need to decide how to transform them. Common strategies:

Full masking

Replace the entire span with a generic token such as [EMAIL], [PHONE], [NAME] or [CARD]. This is usually the safest default for anything leaving your VPC or going to third‑party APIs.

Partial masking

Keep a small part of the identifier for context (for example, last 4 digits of a card) and mask the rest. This is helpful in debugging and customer support, but should be used cautiously in AI training datasets.

Tokenisation / pseudonymisation

Replace identifiers with irreversible or keyed tokens (for example, user_12345) so interactions can be linked over time without exposing raw PII. This can be useful inside analytics or internal LLMs.

OpenRedaction treats redaction as a second step after detection, so you can pick whichever strategy fits a specific pipeline. You can learn more about how detection and redaction fit together in the OpenRedaction ecosystem at openredaction.com.

How OpenRedaction fits into AI pipelines

OpenRedaction was built to be simple to drop into real‑world data flows:

Self‑hosted and open source – You can run detection on your own infrastructure so prompts and documents never leave your environment unless you explicitly decide to use an AI assist layer.
Pattern‑first detection – A broad library of regex patterns for emails, phones, IPs, payment cards, government IDs and more gives you high‑precision coverage for the most critical identifiers without any model dependencies.
Optional AI assist – When you have high‑value free‑text (for example, long support conversations) and need extra coverage, you can layer on AI‑powered PII detection to find names, organizations and looser patterns.

Some concrete integration patterns:

LLM gateway middleware

Wrap your calls to OpenAI/Anthropic/others with a middleware that sends the request body (for example, prompt or messages) through OpenRedaction first. Only redacted content is ever sent over the network.

RAG ingestion

In your document ingestion pipeline: extract text → run OpenRedaction → chunk and embed redacted text → store in your vector DB. Retrieval then operates on redacted content by default.

Prompt/response logging

Before writing prompts and responses to logs, analytics or long‑term storage, pass them through OpenRedaction so debugging and product analytics never deal with raw PII.

If you are new to OpenRedaction, the home page has a concise overview and links to the playground so you can try detection and redaction on sample text.

You can also explore more how‑to content on the blog.

Practical implementation patterns

Here are three simple ways to think about integrating PII detection without adding too much friction for your team.

Backend middleware (Node.js / Python / Go)

Wrap your AI calls in a small function that:

Accepts a prompt or messages payload.
Passes it through OpenRedaction's detection + redaction.
Sends the cleaned prompt to the LLM API.
Optionally runs OpenRedaction again on the response before returning it.

Because OpenRedaction is just text‑in/text‑out, this is usually only a few lines of glue code.

ETL and data lake ingestion

For analytics or training:

As data is extracted from transactional systems, run a transformation step that calls OpenRedaction on free‑text fields.
Store redacted versions in your lakehouse or warehouse.
Make redacted tables the default source for analytics, RAG and fine‑tuning.

This avoids building models or dashboards on raw PII by accident.

Observability pipelines

In log forwarders or collectors (for example, Fluent Bit, Vector, Logstash):

Add a filter step that passes log messages through OpenRedaction before forwarding them to your central logging platform.
For traces and metrics containing large blobs of text (responses, payloads), selectively process those fields.

That way you can still have rich observability without quietly centralising all your PII in one place.

Measuring success

To know whether your PII detection and AI controls are working, define a few simple checks:

Technical checks

Periodically search logs, vector DBs and analytics tables for known PII patterns (for example, test email addresses, synthetic ID numbers) and confirm they do not appear.
Track latency overhead from the PII detection layer to ensure it stays within acceptable bounds.

Process checks

Add regression tests that send synthetic PII through your AI endpoints and confirm that what reaches the model (and what gets logged) is redacted.
Treat detection rule updates as code, with review and CI around them.

Over time, you can tighten your patterns, thresholds and redaction strategies as you better understand your data and risk profile.

Where to go next

If you are designing or hardening AI features, a practical next step is:

Map where prompts, documents and model outputs enter and leave your system.
Pick one high‑risk boundary (for example, your LLM gateway) and add OpenRedaction as a PII filter there.
Extend from there into ingestion, logs and RAG pipelines.

To dive deeper into the foundations of PII detection and how regex‑based approaches work, read "Understanding PII Detection" on the blog.

For more guidance, examples and updates, explore the rest of the blog.

If you want to discuss bespoke use cases, integrations or get help rolling OpenRedaction out across your stack, you can reach the team via the contact page.

To understand pricing options and how OpenRedaction can support larger deployments or enterprise needs, see pricing.

Ready to get started?

Read Understanding PII Detection for a primer on the basics
Learn about how OpenRedaction evolved from a regex library to a hybrid API
Visit the homepage to learn more about OpenRedaction
Get in touch if you have questions or need help