OpenAI released Privacy Filter in April 2026, an open-weight model built specifically for detecting and redacting personally identifiable information (PII) in text. The model ships with 1.5 billion total parameters, but only 50 million are active at inference time. It supports a 128K token context window, runs entirely on local hardware, and is licensed under Apache 2.0.
Privacy Filter achieves state-of-the-art results on the PII-Masking-300k benchmark with an F1 score of 96%, rising to a corrected 97.43% after accounting for label noise in the dataset. This is the first major open-weight PII detection model released by a frontier AI lab, and it changes how developers can handle sensitive data in their pipelines.
If you work with user data, logs, or any text that passes through LLM APIs, this model is worth your attention.
What Privacy Filter Detects
Privacy Filter identifies eight categories of sensitive information:
| Category | What It Covers | Example |
|---|---|---|
private_person | Full names, partial names | ”Jane Doe”, “Dr. Smith” |
private_address | Street addresses, postal codes | ”742 Evergreen Terrace, Springfield” |
private_email | Email addresses | ”jane@example.com” |
private_phone | Phone numbers in various formats | ”+1-555-867-5309” |
private_url | URLs that could identify individuals | ”linkedin.com/in/janedoe” |
private_date | Dates of birth, specific personal dates | ”born March 15, 1990” |
account_number | Bank accounts, SSNs, ID numbers | ”SSN: 123-45-6789” |
secret | Passwords, API keys, tokens | ”sk-proj-abc123…” |
The model uses BIOES (Begin, Inside, Outside, End, Single) span tags to mark entity boundaries. This tagging scheme lets it handle multi-token entities cleanly. A full name like “Jane Doe” gets tagged as B-private_person for “Jane” and E-private_person for “Doe”, while a single-token entity like an email address gets an S-private_email tag.
The secret category is particularly useful for developers. It catches leaked API keys, passwords, and authentication tokens that commonly end up in logs, code comments, and support tickets. If you are not already using a password manager to keep credentials out of plaintext, this model acts as a safety net.
Architecture
Privacy Filter is not a generative model. It is a bidirectional token-classification model with span decoding. This distinction matters for both speed and reliability.
How it works:
- The input text is tokenized and passed through the bidirectional encoder.
- Each token receives a classification label from the BIOES tag set.
- Viterbi decoding runs over the tag sequence to enforce coherent spans. This prevents impossible tag transitions like a B-private_person followed immediately by an E-private_email.
- The decoded spans are returned with their positions and categories.
The entire process happens in a single forward pass. There is no autoregressive generation, no beam search, and no sampling. This makes inference fast and deterministic. Given the same input, you always get the same output.
With only 50 million active parameters at inference time (out of 1.5 billion total), the model runs comfortably on consumer hardware. You do not need a GPU cluster to process documents at scale.
How to Use Privacy Filter
Privacy Filter is available on HuggingFace and GitHub. You can get started with a few lines of Python.
Basic usage with the Transformers library:
from transformers import pipeline
pii_detector = pipeline(
"token-classification",
model="openai/privacy-filter",
aggregation_strategy="simple"
)
text = "Contact Jane Doe at jane@example.com or call 555-867-5309."
results = pii_detector(text)
for entity in results:
print(f"{entity['entity_group']}: {entity['word']} (score: {entity['score']:.3f})")Output:
private_person: Jane Doe (score: 0.994)
private_email: jane@example.com (score: 0.998)
private_phone: 555-867-5309 (score: 0.991)Redacting detected PII:
def redact_pii(text, entities):
redacted = text
for entity in sorted(entities, key=lambda x: x['start'], reverse=True):
label = entity['entity_group']
redacted = redacted[:entity['start']] + f"[{label}]" + redacted[entity['end']:]
return redacted
redacted_text = redact_pii(text, results)
# "Contact [private_person] at [private_email] or call [private_phone]."Fine-tuning for domain-specific data:
The model can be fine-tuned on your own labeled data. This is especially valuable if your domain uses identifiers or formats that the base model has not seen. OpenAI provides fine-tuning scripts in the GitHub repository, and the Apache 2.0 license allows commercial use of fine-tuned models without restriction.
Performance
Privacy Filter sets a new benchmark on PII-Masking-300k:
| Metric | Score |
|---|---|
| F1 (raw) | 96.0% |
| F1 (corrected for label noise) | 97.43% |
| Precision | 96.2% |
| Recall | 95.8% |
The corrected score accounts for mislabeled examples in the benchmark dataset. OpenAI audited a sample of “errors” and found that many were actually correct predictions on noisy ground truth labels.
Fine-tuning results are dramatic. On domain-specific datasets (medical records, financial documents), the base model starts at roughly 54% F1 due to unfamiliar identifier formats. After fine-tuning on a few thousand labeled examples, F1 jumps to 96% or higher. This makes the model practical for specialized industries where off-the-shelf PII detection typically fails.
Use Cases for Developers
Pre-processing before LLM API calls
Strip PII from text before sending it to any external API. This reduces your exposure if the API provider logs inputs or if there is a data breach. Run Privacy Filter locally, replace detected entities with placeholders, then send the sanitized text to your LLM of choice. For more on this topic, see our guide on AI coding agents and privacy.
Log sanitization
Application logs often contain user data that should not be there: email addresses in error messages, phone numbers in request bodies, API keys in debug output. Run Privacy Filter as a post-processing step on your log pipeline to catch and redact PII before it hits your log storage.
Data pipeline privacy
If you are building ETL pipelines that process user-generated content, Privacy Filter can sit as a transformation step that flags or redacts sensitive fields. This is especially relevant for teams working toward GDPR compliance or operating under regional AI privacy laws.
GDPR and privacy compliance support
Privacy Filter can help identify personal data in your systems as part of data mapping exercises. It does not replace legal review, but it automates the tedious first pass of finding where PII lives in unstructured text.
Limitations
Privacy Filter is a detection tool, not a compliance solution. Keep these limitations in mind:
- Not an anonymization tool. It detects PII and marks its location. The redaction logic is up to you. Simple string replacement may not be sufficient for true anonymization, especially with structured data where context can re-identify individuals.
- Not a compliance certification. Using Privacy Filter does not make you GDPR-compliant, HIPAA-compliant, or compliant with any other regulation. It is one component in a broader privacy strategy.
- Can miss uncommon identifiers. The model performs best on common PII formats (US phone numbers, standard email addresses, English names). Unusual formats, non-Latin scripts, or domain-specific identifiers may be missed without fine-tuning.
- Confidence varies by category. The
secretcategory (API keys, passwords) has lower recall than categories likeprivate_emailbecause secrets come in highly variable formats. Always pair automated detection with proper secret management practices. - Human review is still needed. For high-stakes domains like healthcare, finance, and legal, treat Privacy Filter as a first pass. A human reviewer should verify the output before you rely on it for compliance purposes.
Why This Matters
Privacy Filter is the first open-weight PII detection model released by a frontier AI lab. That matters for three reasons.
It runs locally. The entire model runs on your hardware. Your sensitive data never leaves your machine, never hits an external API, and never gets logged by a third party. For teams that handle regulated data, this removes a major barrier to adopting AI-powered privacy tools.
It is open-weight and permissively licensed. Apache 2.0 means you can use it commercially, fine-tune it, and distribute modified versions. You are not locked into a vendor or a pricing model. The weights are public, so you can audit exactly what the model does.
It validates a new category of AI tooling. Until now, PII detection was dominated by regex-based tools and closed-source APIs. Privacy Filter shows that a small, efficient model can outperform both approaches while running locally. Expect other labs to follow with similar releases.
For developers building applications that handle user data, this model fills a gap that has existed for years. The combination of high accuracy, local execution, and open licensing makes it a practical addition to any privacy-conscious development workflow.
FAQ
Can Privacy Filter run on a CPU, or does it need a GPU?
Privacy Filter runs on both CPU and GPU. With only 50 million active parameters at inference, CPU inference is fast enough for most batch processing workloads. GPU acceleration helps if you need to process large volumes of text in real time, but it is not required. Most developer laptops can run the model without issues.
How does Privacy Filter compare to regex-based PII detection?
Regex-based tools work well for structured patterns like email addresses and phone numbers, but they struggle with names, addresses, and context-dependent PII. Privacy Filter understands context, so it can distinguish between “April” as a month and “April” as a person’s name. On the PII-Masking-300k benchmark, Privacy Filter’s F1 of 96% significantly outperforms regex-based approaches, which typically score between 60% and 80% depending on the PII category.
Can I use Privacy Filter in a production pipeline with real user data?
Yes. The Apache 2.0 license permits commercial use without restriction. Because the model runs locally, your user data stays on your infrastructure. For production deployments, consider fine-tuning on a sample of your actual data to maximize accuracy for your specific domain. Pair it with proper data handling practices and review our GDPR guide for developers to make sure your broader pipeline meets regulatory requirements.