Technical documentation
Security White Paper
How Privatiser anonymizes sensitive data, what it protects against, and where the limits of that protection are. Written for security teams, IT leads, and the curious.
1. Overview
Privatiser is a privacy tool that strips sensitive information from text before it reaches an AI service. It replaces real values (IP addresses, API keys, passwords, names, credit card numbers, and dozens more) with consistent pseudonyms, and lets you swap the real values back in after you get a response.
The core design principle is simple: if data never leaves your machine, it cannot be leaked, logged, or trained on. Every part of Privatiser runs locally. There are no servers. There is no account. There is nothing phoning home.
The mapping between real values and pseudonyms is stored only in your browser's session memory, and is cleared when you close the tab. No mapping is ever persisted to a server or a database.
2. Architecture
Privatiser is distributed as a static website, browser extension, and VS Code extension. In all three cases, the anonymization logic is the same JavaScript engine running entirely on your machine.
Installation methods
privatiser.min.js) is loaded from the same origin as the page. No external scripts, no CDN dependencies, no analytics. You can verify by opening DevTools and checking the Network tab: after the initial page load, no further requests are made when you anonymize text.
activeTab permission (only runs when you invoke it), storage (saves your settings locally), and contextMenus/menus (right-click menu). It declares no host permissions beyond the AI sites it supports, and makes no external network requests.
package.json declares no external dependencies beyond the VS Code API.
3. Anonymization Pipeline
The anonymization engine processes text in a single deterministic pass. Here is what happens from the moment you click Anonymize to the moment you see output.
Why placeholder markers matter
Each match is immediately replaced with a null-byte marker before the next pattern runs. This prevents a later, lower-priority pattern from matching inside a value that has already been handled. For example, an email address contains a domain name. Without markers, a domain pattern could match the domain part of an already-redacted email, producing a confusing double-redaction.
Consistent pseudonyms
If the same IP address appears three times in your text, it will always be replaced with the same pseudonym (for example, IP_1). This is essential for the AI to reason about your text correctly. The mapping is stored in a JavaScript Map object in browser memory for the duration of your session.
4. Detection Patterns
Privatiser ships with 30+ detection patterns organized into 6 categories. Each pattern has a confidence level based on the risk of a false positive.
Table shows a selection. Privatiser detects 30+ pattern types in total.
Confidence levels
High means the pattern is highly specific and false positives are rare. These run first.
Medium means the pattern is reliable but may occasionally match something benign.
Low means the pattern is intentionally broad. It catches more, but may redact things you did not intend. Use the allowlist to exclude known safe values.
5. Threat Model
Privatiser is designed to address a specific, realistic threat: a staff member pasting internal data into a commercial AI assistant. Here is how it handles the most common attack surfaces in that scenario.
The AI service only ever sees anonymized text. Real values never leave your machine.
Pseudonyms cannot be reversed by the AI vendor. They have no mapping table.
Privatiser does not intercept clipboard access. If you paste anonymized text, only pseudonyms are exposed. But real values remain in your clipboard history.
If the extension itself were compromised, it could read text. The extension is published on the Chrome Web Store and Firefox Add-ons where it can be independently reviewed.
Non-standard formats or custom naming conventions may not be caught. Use custom words and review output before sharing sensitive material.
Mappings are held in JavaScript session memory only. They are not written to disk, localStorage, or any server.
What Privatiser does not protect against
- Malware or spyware running on your machine that reads memory or keystrokes
- Screen sharing or recording that captures your original text before anonymization
- Sensitive data embedded in images or binary files
- Secrets with custom naming schemes not covered by any pattern
No local tool can fully substitute for a proper data governance policy. Privatiser reduces risk significantly for the most common use cases, but should be part of a broader security approach.
6. Compliance Relevance
Privatiser is not itself a compliance product and does not make any regulatory certification claims. That said, its architecture directly supports a number of common compliance requirements around data handling and AI usage.
For enterprise deployments, a shared configuration file can be pre-loaded with the organisation's custom words, allowlist, and enabled categories via MDM or group policy. This enforces consistent anonymization across the whole team without relying on individuals to configure it correctly. Contact admin@privatiser.net to discuss a team deployment.
7. Known Limitations
Being honest about what Privatiser does not do is as important as describing what it does.
8. Pro Licence Architecture
Privatiser Pro adds paid features (custom regex, pattern packs, saved presets). The licence system uses public-key cryptography so verification happens entirely in your browser — no licence server, no account, no phone-home.
Key anatomy
privatiser-licence-{expiry}The total payload is 68 bytes, giving a fixed-length base64url string. Both the expiry timestamp and signature must pass independently. Altering the expiry bytes invalidates the signature.
Payment and delivery flow
Customer pays via Stripe Checkout (Stripe-hosted page). Card details never touch Privatiser infrastructure.
Stripe fires a checkout.session.completed event to a Cloudflare Worker endpoint over HTTPS.
The Worker validates the Stripe webhook signature using HMAC-SHA256 with timing-safe comparison and a 5-minute replay window. Replayed or tampered events are rejected.
The Worker signs privatiser-licence-{expiry} with the Ed25519 private key stored as an encrypted Cloudflare Worker Secret. The key never appears in source code.
The PRV1- key is emailed to the customer via Resend with a one-click activation link.
Customer enters the key on /activate.html. The browser verifies the Ed25519 signature using the embedded public key via crypto.subtle.verify. No server call is made. On success the key is saved to localStorage.
Each page load calls isProUser(), which re-verifies the stored key locally. Pro features unlock instantly. No network request is ever made during normal use.
Cryptographic properties
What the Worker does and does not see
- The Worker receives the customer email address from Stripe's session data, used only to deliver the licence. It is logged in partially masked form (
te***@example.com). - The Worker never sees any text the customer anonymizes. Anonymization runs in the browser only.
- The private key is imported at runtime with
extractable: false, preventing it from being exported from the WebCrypto API after import.
9. FAQ
activeTab, storage, and contextMenus. It does not have broad host permissions.
IP_1, the second becomes IP_2, and so on. The same real value always maps to the same pseudonym within a session. Pseudonyms contain no information about the original value.
IP_1 or API_KEY_3 carry no structural information about the original value. The mapping exists only in your browser's session memory. The AI vendor has no access to it.
Map in session memory. Nothing is written to localStorage, cookies, or any server. Closing the tab is a hard reset.
Questions not answered here? Email admin@privatiser.net. For enterprise security reviews or pen test requests, please include your organisation name and a brief description of your requirements.