PII in Prompts: What You're Probably Leaking
2025-11-19
here’s something i noticed while building AI backends: users will paste literally anything into an AI chat.
emails with phone numbers. support tickets with SSNs. product screenshots with credit card numbers. screenshots of patient records. API keys. home addresses. dates of birth. all of it lands in the prompt and gets shipped straight to your LLM.
and most AI apps don’t even try to stop it.
the problem nobody talks about
you probably have a privacy policy that says you’re HIPAA compliant. or GDPR compliant. or PCI-DSS compliant. maybe it’s all three.
but if you’re forwarding user input directly to an LLM without any inspection, you’re processing PII on behalf of your users without their knowledge. you’re creating compliance exposure for data you didn’t even intend to handle.
the real kicker? HIPAA and GDPR don’t care if it was an accident. GDPR fines you up to 4% of global revenue for unintentional processing of personal data. HIPAA penalties start at $100 per record, per violation. PCI-DSS will literally kick you off payment networks if you pass card numbers to third parties.
and if your LLM provider stores that data for training or safety testing? you’ve just created a much bigger problem.
the fix isn’t the users’ problem
the obvious answer is to tell users: “please stop pasting sensitive data into our AI app.” but that’s not realistic. users don’t think about what’s sensitive. they’re trying to solve a problem.
the real fix is to detect and redact PII at the gateway layer — before it ever reaches the model.
how GatewayStack handles it
our transformabl module detects common PII patterns automatically: email addresses, phone numbers (US and international), social security numbers, credit card numbers, IP addresses, and dates of birth.
when it finds PII, you choose what happens next. redact it. mask it. flag it for manual review. classify the entire request for regulatory risk. it’s all configurable.
the best part? it’s middleware. one line of code in your request pipeline. no changes to your application logic. it runs as a gateway layer between your app and the LLM.
```yaml
transformabl:
  detection:
    - email
    - phone
    - ssn
    - credit_card
    - ip_address
    - dob
  action: redact
  classify_risk: true
```
that’s it. now your prompts are cleaned before they reach Claude or GPT.
what regex can’t do
regex-based detection isn’t perfect. it catches email addresses and credit cards reliably. but it won’t catch someone’s name or home address without much more sophisticated NER (named entity recognition), which is slower and harder to tune.
but here’s the thing: the most dangerous and common patterns — emails, phones, SSNs, card numbers — are the ones you need to catch first. getting 90% of your exposure under control is infinitely better than doing nothing.
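here’s what that gateway step looks like in working code, as an added example written for this post rather than GatewayStack’s own transformabl implementation: it runs a fixed set of regexes in order, redacts or flags each hit, classifies the request’s risk, and adds a Luhn checksum on card-shaped numbers so a run of digits that only looks like a card is left alone (the false-positive side of the regex caveat above). the pattern set, `ScrubResult`, `scrub_prompt` and the sample prompt are all assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Illustrative patterns written for this example, not GatewayStack's own rules. They run in
# order and each hit is replaced before the next pattern runs, so a card number is never
# re-matched as a phone number.
PATTERNS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("credit_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("phone", re.compile(r"(?<!\d)(?:\+\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("ip_address", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("dob", re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")),
]
HIGH_RISK = {"ssn", "credit_card"}  # any hit here makes the whole request high risk
# constructed sample prompt; the second card-shaped number deliberately fails the Luhn check
SAMPLE_PROMPT = ("my email is alice@example.com, phone +1 (415) 555-0123, SSN 123-45-6789, "
                 "card 4111 1111 1111 1111 (not 1234-5678-9012-3456), dob 04/12/1988, from 10.0.0.5")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a 16-digit run that fails it is not a card number, so it is not redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += d if i % 2 == 0 else (d * 2 if d < 5 else d * 2 - 9)  # double every 2nd from right
    return total % 10 == 0

@dataclass
class ScrubResult:
    text: str
    findings: dict = field(default_factory=dict)  # category -> number of hits
    risk: str = "low"

def scrub_prompt(prompt: str, action: str = "redact") -> ScrubResult:
    """Gateway step: detect PII, then 'redact' (swap in a token) or 'flag' (keep text, report)."""
    result = ScrubResult(text=prompt)
    for kind, pattern in PATTERNS:
        def handle(m: re.Match) -> str:
            raw = m.group(0)
            if kind == "credit_card" and not luhn_ok(re.sub(r"[ -]", "", raw)):
                return raw  # card-shaped but fails Luhn: leave it untouched
            result.findings[kind] = result.findings.get(kind, 0) + 1
            return f"[{kind.upper()}_REDACTED]" if action == "redact" else raw
        result.text = pattern.sub(handle, result.text)
    if result.findings.keys() & HIGH_RISK:
        result.risk = "high"
    elif result.findings:
        result.risk = "medium"
    return result
```

run `scrub_prompt(SAMPLE_PROMPT)` and the six real values come back as `[..._REDACTED]` tokens with risk `high`, while the Luhn-failing number is passed through unchanged.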
the compliance conversation is changing
more companies are realizing that shipping user input directly to third-party LLMs creates legal exposure they didn’t think about. compliance teams are asking harder questions. regulators are paying attention.
the companies that are ahead of this are the ones building governance into their AI stacks now, before they get audited.
what’s your approach right now? are you thinking about PII detection at all?