Tutorials 15 min read

Redact Before You Hand a Note to an AI

MMNMNOTE
privacyaidata-minimizationredactionplain-textnote-taking

Before you paste a note into a hosted AI, strip the secrets the model never needs. Redaction is a habit, not a tool: read the note once, delete or mask the names, IDs, and credentials, send only the minimum required to answer, then check what left. Run it on your own plain-text file so the diff is yours to see.

The reason to bother is older than chatbots. The EU's data-protection law states the principle plainly: personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')" 1. That is the law's name for send less.

The research community has been measuring how hard redaction is to do well. A 2026 benchmark, RedacBench, finds that "while more advanced models can improve security, preserving utility remains a challenge" 2. Redaction is not free, and it is not magic. It is a discipline you practice in five minutes before every paste.

What to strip before you paste

Strip three classes of content before a note leaves your machine: direct identifiers (names, emails, phone numbers, account and case IDs), secrets (passwords, API keys, tokens, card and government numbers), and context that re-identifies (a rare job title plus a city, a unique project codename). The principle is least-necessary exposure — send only what the question actually requires.

Enterprise security writing states the rule in operational terms. Kiteworks, a data-governance vendor, advises teams to "apply least-necessary exposure: only send the minimum data required to answer the question or complete a task, and omit classified items from external prompts entirely" 3. The same idea sits under the law's "data minimisation" clause 1.

Each class catches a different failure. Strip them in this order, because each answers a distinct what could go wrong:

For a note-taker, the whole thing collapses to one question per paragraph: does the model need this sentence to help me? If not, it does not go.

The five-minute version

The five-minute pass is a fixed checklist you run top to bottom on the note before you paste. It is deliberately mechanical so you do not have to decide what counts as sensitive while you are also trying to think about your actual task. Read once, mark, replace, send the minimum.

  1. Read the note once, end to end. No editing yet — just notice every name, number, and credential.
  2. Delete what the model does not need. Whole paragraphs of background often go.
  3. Mask what must stay for the answer to make sense. Replace the secret, keep the shape (next section).
  4. Send the minimum. Paste only the passage the question touches, not the whole file.
  5. Keep the original untouched. Redact a copy; your real note stays complete on your device.

The honest cost is about two minutes once the habit is built, longer the first week. That is the price of not handing a stranger your client list.

Mask, don't just delete: placeholders that keep the shape

When deleting a token would break the sentence, substitute a placeholder instead. The technique is entity recognition — find the names and numbers, then swap each for a typed marker. Kiteworks gives the canonical example: "replace 'John Doe' with '[NAME]' and '555-12-3456' with '[SSN]'" 4. The model still sees a person and a number-shaped thing; it just never sees which person.

The substitution approach is corroborated across independent sources. Gravitee, an API-gateway vendor, describes the same move for automated pipelines: "Sensitive entities are replaced with placeholders before forwarding the request" 5. Academic work on text sanitization reaches the same conclusion about why you prefer masking to deletion — "removing words is, in general, a drastic measure, as it can degrade text coherence and contextual information. Less severe measures include substituting a word for a safe alternative" 6. Delete the secret; keep the grammar.

A worked example you can adapt — the substitution table is the artifact; keep your own copy of it:

# redaction map — copy of the note only, never the original

Acme Health Group   → [ORG]
Dr. Priya Raman      → [NAME]
[email protected]  → [EMAIL]
+1 415-555-0142      → [PHONE]
MRN 88-41-2207       → [ID]
case "Northstar"     → [PROJECT]

# then, on a COPY of the note:
#   sed -E -f redaction.sed note-copy.md > note-safe.md
# read note-safe.md before pasting. the map proves what you stripped.

Each line is a decision you can audit later. The map is not the secret; it is the receipt that you removed the secret.

The honest limits (read this part)

Redaction lowers risk; it does not make a hosted model private. The host still sees everything you did not strip, automatic tools miss things, and the very act of redacting can backfire if you do it carelessly. Four caveats matter enough to state before any of the steps above.

Redaction reduces exposure — it does not make a cloud model private. Whatever you leave in the prompt, the provider receives. For genuinely sensitive material, the cleaner option is not better masking but no upload at all: run a local model so the text never leaves your device. The trade-off is real — researchers behind the PAPILLON privacy pipeline note that "models that users can host locally are often less capable than proprietary frontier models" 7. Their best hybrid pipeline "maintains high response quality for 85.5% of user queries while restricting privacy leakage to only 7.5%" 8 — strong, but 7.5% is not zero.

Do not redact by pasting into the very model you are protecting from. Asking a hosted chatbot to "remove the PII from this" hands it the PII first — the leak happens at the moment you paste. Do the redaction with sed, a regex, or a local tool on your own file. The point of a plain-text note is that you can: it is just characters you control.

Automatic redaction is imperfect. RedacBench measures redaction against "8,053 annotated propositions that capture all inferable information in each text" 9 — meaning context can re-identify a person even after the obvious tokens are gone. A nickname plus a date plus a hospital can rebuild a name no regex caught. A human reading the redacted copy once beats blind trust in any tool.

Placeholders can break things. Swapping a name for [NAME] drops gender and number, which can scramble translation or grammatical agreement; deleting a word outright "can degrade text coherence" 6. Pick masking over deletion when the sentence must hold together, and re-read the redacted version as prose before you send it.

Why plain text makes this auditable

Redaction is only trustworthy if you can see exactly what you removed, and plain text is what lets you see it. When your notes are plain Markdown files on your device, a redaction is a visible change: git diff or a side-by-side of two files shows every token that left — no hidden database row, no opaque export.

This is an architecture point, not a feature pitch. A plain-text note that lives locally on your machine is a file you own, so you can grep it, sed it, diff it, and keep the original beside the redacted copy. MNMNOTE is built on exactly that substrate — local-first, plain open Markdown, offline, with bring-your-own-key AI and no account — so redaction here is something you can verify, not take on faith.

The honest, lower-risk path for truly private material is still to keep the model local and skip the upload, the way you would chat with your notes without uploading them.

How this fits your wider AI hygiene

Redaction is one habit in a small set that together keep your notes yours. Strip secrets before the paste; prefer a local model when the material is sensitive; mind the trust boundary where a note meets a hosted model; and keep your history under your own roof afterward. Each is a separate, auditable move on a file you control.

The neighbours of this habit are worth knowing. Local AI is becoming the default for privacy-sensitive work, which is the honest answer when redaction is not enough. Your note app's plugins are an attack surface covers the interface where text crosses into a model. After the conversation, owning your AI chat history keeps the after-the-fact record local. And all of it rests on the fact that Markdown is already AI-ready — plain text is what makes every one of these moves inspectable.

The reason any of it works is older than the tools. As Obsidian's Steph Ango put it: "Apps are ephemeral, but your files have a chance to last" 10. A file you can read is a file you can redact.

Frequently asked questions

These are the questions note-takers actually ask before pasting a note into a hosted model: what to strip, whether the chatbot can do the stripping for you, whether masking is enough, and why a habit this small is worth building. Each answer points back to a primary source you can check.

What should I remove from text before sending it to an AI?

Remove direct identifiers (names, emails, phone numbers, account or case IDs), secrets (passwords, API keys, tokens, card and government numbers), and re-identifying context (a rare title plus a location, a unique codename). The operating rule is least-necessary exposure: "only send the minimum data required to answer the question or complete a task" 3. If the model does not need it to help you, strip it.

Can I just ask ChatGPT to redact the PII for me?

No — that defeats the purpose. The moment you paste the text in, the provider has already received the personal data you wanted to protect. Redact before the paste, using a regex, sed, or a local tool on your own plain-text file. Hosted redaction is fine only inside a trust boundary you already accept; for protecting from that host, it is a contradiction.

Is masking with placeholders safe enough?

It lowers risk but does not eliminate it. Context can re-identify someone even after obvious tokens are gone — RedacBench scores models against "8,053 annotated propositions that capture all inferable information in each text" 9. Placeholders also drop gender and number, which can break translation or agreement 6. Read the redacted copy as prose before sending, and for truly sensitive material run a local model instead.

Does this make a hosted AI private?

No. Redaction is data minimization — it reduces what leaves your machine — not a privacy guarantee. The host still sees everything you did not strip. For genuinely private material the cleaner option is to not upload at all: a local model keeps the text on your device, at the cost that local models "are often less capable than proprietary frontier models" 7.

Why does the law care about this?

Because sending less is a legal principle, not a preference. EU data-protection law requires personal data to be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')" 1. Redacting before a paste is the everyday version of that rule — and, as Google's Guillaume Laforge frames it, also "the right thing to do" 11.

How long does the habit take once it is built?

About two minutes per note after the first week, longer while the checklist is new. The five-minute version is a fixed top-to-bottom pass — read once, delete, mask, send the minimum, keep the original — so you are not improvising what counts as sensitive while also doing your real work. The point is to make it boring enough to actually do every time.

Redaction is not a setting you switch on; it is a sentence you read before you press paste — and on a plain-text file you own, you can always prove what you took out.

This habit builds on Guillaume Laforge's framing that protecting people's data is "the right thing to do" 11 and on the privacy-pipeline research behind PAPILLON 7 8. To keep redaction auditable, keep your notes as plain text you control — mnmnote.com.

Footnotes

  1. "Art. 5 GDPR — Principles relating to processing of personal data," Regulation (EU) 2016/679, Article 5(1)(c), verbatim mirror at gdpr-text.com. https://gdpr-text.com/read/article-5/. Regulation dated 2016-04-27; accessed 2026-06-19. 2 3

  2. Jeon, H., Kim, K., & Shin, J. (2026). "RedacBench: Can AI Erase Your Secrets?" arXiv preprint. https://arxiv.org/abs/2603.20208. Accessed 2026-06-19.

  3. Freestone, T. "How to Prevent LLM Data Leakage: Controls That Work." Kiteworks, updated 2026-03-12. https://www.kiteworks.com/cybersecurity-risk-management/prevent-llm-data-leakage-controls/. Accessed 2026-06-19. 2

  4. Freestone, T. "How to Prevent LLM Data Leakage: Controls That Work." Kiteworks, updated 2026-03-12. https://www.kiteworks.com/cybersecurity-risk-management/prevent-llm-data-leakage-controls/. Accessed 2026-06-19.

  5. "How to Prevent PII Leaks in AI Systems: Automated Data Redaction for LLM Prompts." Gravitee, 2026-04-10. https://www.gravitee.io/blog/how-to-prevent-pii-leaks-in-ai-systems-automated-data-redaction-for-llm-prompt. Accessed 2026-06-19.

  6. Albanese, F., Ciolek, D., & D'Ippolito, N. (2023). "Text Sanitization Beyond Specific Domains: Zero-Shot Redaction & Substitution with Large Language Models." arXiv:2311.10785, 2023-11-17. https://arxiv.org/abs/2311.10785. Accessed 2026-06-19. 2 3

  7. Li, S., Chithrra Raghuram, V., Khattab, O., Hirschberg, J., & Yu, Z. (2025). "PAPILLON: Privacy Preservation from Internet-based and Local Language Model Ensembles." NAACL 2025 Main. arXiv:2410.17127, abstract dated 2024-10-22. https://arxiv.org/abs/2410.17127. Accessed 2026-06-19. 2 3

  8. Li, S., et al. (2025). "PAPILLON," NAACL 2025 Main. arXiv:2410.17127. https://arxiv.org/abs/2410.17127. Accessed 2026-06-19. 2

  9. Jeon, H., Kim, K., & Shin, J. (2026). "RedacBench: Can AI Erase Your Secrets?" arXiv:2603.20208. https://arxiv.org/abs/2603.20208. Accessed 2026-06-19. 2

  10. Ango, S. (2023). "File over app." https://stephango.com/file-over-app. Accessed 2026-06-19.

  11. Laforge, G. (2024-11-25). "Redacting sensitive information when using generative AI models." glaforge.dev. https://glaforge.dev/posts/2024/11/25/redacting-sensitive-information-when-using-generative-ai-models/. Accessed 2026-06-19. 2