Is OpenRedaction free?

Yes, the regex-only library is free and open-source. You can use it locally without any external services. AI-assist via the hosted API has a free tier with IP-based limits, and a Pro tier with 50,000 requests/month for £9/month.

What is the difference between regex mode and AI mode?

Regex mode uses 500+ tested patterns for fast, deterministic PII detection. It works completely offline and is free. AI mode is optional and uses a hosted AI proxy for better detection on messy or unstructured text. AI mode requires the hosted API and has usage limits.

Does OpenRedaction store my data?

No, the hosted API is stateless and does not store raw text. Processing happens in memory and data is discarded after redaction. Minimal metadata may be logged for rate limiting. For complete privacy, you can self-host the open-source library.

What is the API limit?

Free tier: IP-based rate limiting with fair-use limits (approximately 200 AI-assist requests per day). Pro tier: 50,000 AI-assist requests per month with an API key. Regex-only redaction has no limits and works completely offline.

Understanding PII Detection

Personally identifiable information (PII) sits at the heart of modern privacy and security risk. Detecting it reliably is the first step to protecting users, complying with regulations, and enabling safer logging, analytics, and AI workflows.

This article explains what PII is, why detecting it is hard in practice, and how pattern‑based and AI‑assisted approaches like OpenRedaction's can be combined for robust redaction pipelines. For a practical guide on implementing PII detection, see our PII Detection guide.

What counts as PII?

PII is any information that can directly or indirectly identify a specific person. Some identifiers are obviously sensitive, while others become identifying when combined with other attributes.

Common PII categories include:

Direct identifiers: names, email addresses, phone numbers, national IDs, credit card numbers, bank account numbers.
Quasi‑identifiers: dates of birth, postcodes, job titles, demographic attributes that may identify people in combination.
Contextual identifiers: IP addresses, device IDs, cookie IDs, and customer IDs that tie activity back to individuals.

Different regulations define and scope PII slightly differently. For example, GDPR speaks more broadly about "personal data" (see our GDPR Redaction guide), while sector rules like HIPAA focus on health data but list specific identifiers that must be removed or de‑identified (see our HIPAA Redaction guide).

Why PII detection matters

Detecting PII early lets teams prevent sensitive data from leaking into logs, analytics, and third‑party services. This reduces breach impact, simplifies incident response, and can materially reduce regulatory and contractual risk.

PII detection is also a prerequisite for safe data sharing and AI adoption. Before sending text to external LLMs, analytics tools, or partners, organizations increasingly run detection and redaction pipelines to strip out identifiers while keeping data useful.

Operationally, automated PII detection reduces reliance on manual review, which is slow, inconsistent, and itself a privacy risk. With robust automated detection, teams can enforce privacy controls consistently across services and environments.

Challenges in detecting PII

PII detection is more complex than scanning for obvious patterns like email addresses. Real‑world data is messy, multilingual, full of typos, abbreviations, and domain‑specific identifiers that do not follow simple formats.

False negatives (missed PII) create privacy and compliance risk, while false positives (over‑flagging) can destroy data utility. For example, detecting every number as PII may protect privacy but makes logs, metrics, and analytics almost unusable.

PII can also appear in unstructured content such as free‑text comments, support tickets, legal documents, audio transcripts and screenshots. Detecting PII in these channels often requires a mix of text processing, OCR, and language‑aware models.

Key approaches to PII detection

Most modern systems blend deterministic pattern‑matching with probabilistic AI or NER (named entity recognition) models. Each approach has strengths and weaknesses that matter when designing a pipeline.

Pattern‑based (regex) detection

Pattern‑based detection relies on explicit rules such as regular expressions to match emails, phone numbers, card numbers, and similar tokens. For example, card numbers can be matched with format checks plus checksum validation, and phone numbers by known country‑specific patterns.

Pattern‑based detection is transparent, deterministic, and very fast, making it ideal as a first pass in logs, text streams, and structured fields. The trade‑off is that it struggles with unusual formats, obfuscated data, and context‑dependent identifiers such as names or organization‑specific IDs.

AI and NER‑based detection

NER‑based detection uses machine learning models trained to recognize entities like "Person", "Location", "Email", "PhoneNumber", and so on within text. These models can spot identifiers even when formats vary or when meaning is largely contextual, such as recognizing a person's name next to a company name in a sentence.

AI models are powerful on free‑form and multilingual text, but they introduce complexity: model selection, latency, cost, confidence thresholds, and possible misclassifications. Many platforms expose these capabilities via cloud APIs for PII detection and redaction, often returning entities with types, offsets, and confidence scores.

OCR for visual content

For screenshots, scanned documents, and video frames, systems apply OCR to extract text and then run PII detection over the recognized content. This enables PII detection in UI recordings, PDFs, scanned forms, and on‑screen dashboards captured during support or testing.

OCR‑based pipelines must account for recognition errors, layout, and multiple languages. Confidence thresholds and secondary validation become important to avoid both missing visible PII and over‑redacting misleading OCR artifacts.

How OpenRedaction approaches PII detection

OpenRedaction focuses on fast, transparent PII detection and redaction that can run entirely on your infrastructure. It combines a large library of hardened regex patterns with an optional AI assist layer, giving developers control over accuracy, speed, and privacy posture.

By default, OpenRedaction uses regex‑based detection over text, applying a large set of tested patterns covering emails, phone numbers, IPs, payment data, IDs and more. Optionally, an AI proxy can be enabled to augment regex with additional PII spans discovered by an AI model, particularly for entity types that are hard to encode as patterns, such as person names.

For more on how OpenRedaction evolved from a regex library to a hybrid API, see our developer journey blog post. To integrate PII detection into your Node.js applications, check out our Node.js Redaction guide.

Why pattern‑first detection?

Leading with pattern‑based detection keeps the system deterministic: the same input always produces the same output, and detection logic is fully inspectable. This is especially important for regulated environments and for debugging complex pipelines where teams need to understand exactly why specific tokens were redacted.

Pattern‑first detection also avoids sending data to third‑party AI services by default, which is crucial for privacy‑first workflows and strict data residency requirements. Because there are no external network calls in the default path, performance is predictable and suitable for high‑throughput systems like log processors or API gateways.

Optional AI assist

OpenRedaction's AI assist is explicitly opt‑in and layered on top of regex results. When enabled, text is sent to a hosted AI proxy that returns additional PII spans, which are then merged with the pattern‑based matches before redaction.

This hybrid model allows teams to capture more subtle identifiers in free‑text content without surrendering full control to a black‑box AI. It can be particularly helpful in support tickets, chat logs, or fields where users might paste arbitrary personal information that does not follow strict formats.

Common PII types and patterns

Different domains prioritize different PII types, but a typical detection configuration covers several core categories. These often align with regulatory lists (e.g., the HIPAA "Safe Harbor" identifiers) or internal data classification schemes.

Typical PII for pattern‑based detection includes:

Contact details: email addresses, phone numbers, postal addresses (partially), IP addresses.
Financial and ID numbers: credit card numbers, bank account numbers, national IDs, passport numbers.
Network/application identifiers: IPs, MAC addresses, JWTs, API keys, session IDs, customer IDs when formats are known.

For these categories, regex and checksums can detect most instances with high precision, especially when combined with boundary checks and context rules. Names, locations, and free‑form descriptors usually require either very careful custom rules or AI‑based NER to achieve useful coverage.

Precision, recall and thresholds

Designing a PII detector always involves tuning the trade‑off between precision (few false positives) and recall (few false negatives). In protection‑first contexts like log shipping to external services, teams often prefer higher recall, accepting some over‑redaction to minimize risk.

When AI models are part of the pipeline, confidence thresholds become a major tuning knob. Increasing the threshold improves precision but may miss borderline entities; lowering it catches more possible PII at the cost of more noise.

A practical pattern is to:

Use strict, validated regex for high‑impact PII such as card numbers and IDs where false positives are costly.
Use more permissive rules or lower AI thresholds for lower‑risk tokens like generic names, especially in environments where over‑redaction is acceptable.

Redaction strategies

Detection is only half the story; handling detected PII safely is the other. Redaction transforms or removes PII so that downstream systems cannot reconstruct the original identifiers, while preserving enough structure for debugging or analytics where needed.

Common redaction strategies include:

Full masking: replacing the entire span with a placeholder token such as [EMAIL] or [CARD].
Partial masking: keeping some non‑sensitive characters (e.g., last 4 digits) while masking the rest.
Tokenization or hashing: substituting identifiers with irreversible or keyed tokens so that records can still be linked without revealing raw PII.

For many teams, full masking for logs and external integrations and tokenization for internal analytics offers a balanced compromise. OpenRedaction's pattern‑based spans make it straightforward to implement consistent masking strategies at the text level before data leaves a secure boundary.

Building PII detection into your stack

PII detection is most effective when integrated into the data lifecycle rather than treated as a one‑off batch task. That means embedding detection at the edges of your system and in the pipelines that move data between services.

Typical integration points include:

Ingestion: run detection and redaction as data enters logs, data lakes, or event streams.
Pre‑export: scrub PII before sending data to third‑party monitoring, analytics, or AI services.
Migration and audits: scan existing databases and object stores to identify and remediate sensitive fields or misclassified tables.

OpenRedaction's open‑source core and simple text‑in/text‑out interface make it suitable for embedding in log forwarders, middleware, sidecars, and ETL jobs. Because detection logic is local and inspectable, it fits well into "privacy by design" architectures where teams must justify and document how they handle personal data.

Comparing detection approaches

The table below summarizes key differences between the main approaches and where OpenRedaction fits.

Aspect	Pattern‑based (regex)	AI / NER‑based detection	Hybrid (OpenRedaction style)
Transparency	Fully inspectable, deterministic rules	Opaque model internals	Clear base rules plus optional model spans
Performance	Very fast, low CPU, no network	Higher latency, often network‑bound	Fast baseline, optional slower extra coverage
Strengths	Structured IDs, emails, phones, cards	Names, context‑dependent entities	Strong formats plus better coverage of free‑text
Data residency/privacy	Easy to keep fully local	Often cloud‑hosted APIs	Local by default, opt‑in remote assist
Tuning	Edit rules and patterns directly	Adjust thresholds, retrain models	Adjust patterns and assist configuration

Good practices when implementing PII detection

Several practical practices help teams get more value from PII detection while avoiding unnecessary friction.

Recommended steps include:

Map data flows so you know where PII enters, moves, and leaves your systems, then prioritize high‑risk paths for detection.
Start with well‑defined, high‑impact PII types (emails, phone numbers, card numbers, IDs) and expand coverage iteratively.
Add detection to CI, integration tests, or staging pipelines to ensure new features do not accidentally leak PII into logs or external tools.
Periodically review patterns, thresholds, and redaction behavior as regulations, products, and data types evolve.

Finally, treat PII detection as one building block in a broader privacy strategy that includes encryption, access controls, retention limits, and training. Combining strong PII detection with sane defaults across the stack allows teams to move quickly while still respecting user privacy and regulatory obligations.

Ready to get started?

Learn about PII Detection for AI and how to safely use user data with LLMs
Read about how OpenRedaction evolved from a regex library to a hybrid API
Visit the homepage to learn more about OpenRedaction
Get in touch if you have questions or need help
Check out the open-source repository on GitHub