OpenAI has released Privacy Filter, an open-weights model designed to detect and mask personally identifiable information in text. The launch is relevant not so much because of its size, but because of the problem it aims to solve: helping companies, developers and data teams reduce the exposure of names, addresses, phone numbers, email addresses, identity documents and other sensitive data before processing or sharing information.
The model is available under the Apache 2.0 licence on Hugging Face and GitHub, allowing experimentation, customisation and commercial use. However, it is worth clarifying that OpenAI presents it as an open-weights model, not as a magic anonymisation solution. Its usefulness can be significant in privacy workflows, but it requires testing, tuning and oversight in sensitive environments.
A local filter for personal information
Privacy Filter is a bidirectional token-classification model. Instead of generating text word by word, it analyses a sequence and labels fragments that may contain personal information. Those fragments can then be hidden, replaced or handled according to each organisation’s policy.
According to the model card, it can detect eight main categories: account numbers, private addresses, private email addresses, private person names, private phone numbers, private URLs, private dates and secrets. This last category may include patterns similar to credentials, keys or tokens, although OpenAI warns that the model may fail with new or highly specific formats.
One of its most striking features is that it can run locally in a browser or on a laptop. OpenAI describes it as a model with 1.5 billion total parameters and around 50 million active parameters, with support for browser execution through Transformers.js and WebGPU. This makes it possible to build applications where text does not need to be sent to an external server for review.
For sectors where privacy is a daily concern, that option can be very useful. Legal, financial, healthcare, human resources or customer support teams could use tools of this kind to review documents, tickets, case files, emails or knowledge bases before processing them with other systems.
Designed for high-volume workflows
OpenAI describes Privacy Filter as a tool aimed at high-throughput data sanitisation workflows. Its context window reaches up to 128,000 tokens, allowing it to work with long documents without constantly splitting them into chunks. This can make a difference with contracts, reports, support histories, case files or large text-based data dumps.
The model also allows users to adjust the balance between precision and recall. In practice, this means an organisation can configure it to be more conservative and detect more potential personal data, even if it masks some extra content, or make it more precise and reduce false positives, accepting the risk that some data may be missed.
That control matters because not every company has the same privacy policy. Some will want to remove any potentially personal reference before training internal models or preparing datasets. Others will need to preserve part of the context for audits, human review or traceability.
The Apache 2.0 licence adds another interesting element. It allows companies and developers to include the model in products, adapt it to their own data and deploy it in internal environments without the usual restrictions of closed models. For OpenAI, which is usually associated with proprietary models and hosted services, this release is a meaningful move towards practical tools that can live inside the customer’s own infrastructure.
A useful aid, not an anonymisation guarantee
OpenAI’s own documentation includes an important warning: Privacy Filter is an aid for redaction and data minimisation, not a guarantee of anonymisation, regulatory compliance or complete security. That distinction is essential.
The model can make mistakes. It may fail to detect uncommon names, regional identifiers, specific document formats, credentials split across several lines or personal data written in unusual structures. It may also over-mask content when it confuses public entities, organisations, locations or harmless strings with sensitive information.
Its performance may also vary in non-English text, non-Latin scripts or highly specialised domains. OpenAI mentions multilingual support and evaluation, but also warns that performance may drop outside the patterns most represented in training.
For that reason, responsible use requires evaluating it with real data from the environment where it will be deployed, calibrating its thresholds, fine-tuning it if internal policy differs from the model’s default boundaries, and maintaining human review in high-risk workflows. In sectors such as healthcare, education, banking, public administration or human resources, both false negatives and false positives can have serious consequences.
Privacy Filter fits into a broader trend: bringing privacy controls closer to the source of the data. If an organisation can detect and mask sensitive information before sending it to a model, storing it in a data lake or sharing it with third parties, it reduces part of the operational risk. It does not remove the need for governance, auditing and security, but it offers a useful component within a broader privacy architecture.
Frequently asked questions
What is OpenAI Privacy Filter?
It is an open-weights model designed to detect and mask personally identifiable information in text, such as names, emails, phone numbers, addresses, private dates or possible secrets.
Can it run without sending data to the cloud?
Yes. The model can run locally in a browser or on a laptop, for example through Transformers.js and WebGPU, allowing text to be reviewed without sending it to external servers.
Does Privacy Filter guarantee full anonymisation?
No. OpenAI presents it as an aid for redaction and data minimisation, not as a guarantee of anonymisation or regulatory compliance. It should be evaluated and tuned before being used in production.