Data & Privacy Practices

A plain-English look at how PII Shield actually handles your data.

The one thing that matters. Your documents, spreadsheets, emails, audio and the personal data inside them are detected and anonymized on your own computer and are never sent to us or to anyone else. There is no account and no cloud processing of your files. This page explains exactly what that means — what stays on your device, what the app stores locally and how to delete it, and the few technical network calls the app makes (none of which carry your content). For the formal, legal version, see our Privacy Policy.

1. Everything happens on your device

PII Shield runs its detection and anonymization locally. The AI model that finds personal data runs on your machine; audio is transcribed by an on-device speech model. There is no cloud AI and no server that your files pass through. The originals — and the personal data inside them — never leave your computer. Only the placeholders (for example <PERSON_1>) travel if you choose to share the anonymized result.

2. What PII Shield stores on your device — and how to delete it

Everything below is written to your own computer, stays under your control, and is never visible to us. We list it in full so nothing is a surprise.

  • Restore mappings — these contain your original personal data. When you anonymize a file, the app saves a mapping of each placeholder to the real value it replaced, so you can restore the original later. These files live in a protected .pii_shield folder in your user profile, readable only by your account. They hold the actual personal data and are not encrypted, so treat them like the originals. By default they are kept for 7 days and then deleted automatically (you can change this in Settings). They are not removed when you uninstall the app — to delete them yourself, remove the .pii_shield folder from your user profile.
  • License data. Your license key, activation status and a device identifier are stored locally so the app can validate your license and keep working offline between checks.
  • Settings. Your preferences and a randomly generated, resettable install identifier (not tied to your identity) are stored locally.
  • Local audit log (optional, no personal data). For your own record-keeping and compliance, the app can keep a tamper-evident log of what was processed. It records activity without storing the personal data itself, stays on your device, and is kept for up to a year.
  • Diagnostic logs (no personal data). Local technical logs, built to contain no documents and no personal data. They stay on your device unless you deliberately choose to send us a report.
  • Detection & speech models. The downloaded AI models are cached locally so the app can run offline.

3. The network calls the app makes

PII Shield isn’t completely silent on the network, but the only things it ever sends are the technical items below — never your documents or the personal data inside them.

  • License activation & validation. When you activate a license, and then briefly on each launch to re-check it, the app contacts our licensing provider, Lemon Squeezy, and sends your license key and a device identifier (a value generated on your computer that binds the license to one device and does not reveal your files or your identity). Offline, the app keeps working for a grace period.
  • Software updates. The app checks our public releases page on GitHub for a newer version and downloads the installer if one exists. GitHub receives standard request information such as your IP address. You can turn off automatic downloads in Settings.
  • One-time model download. On first use, the app downloads its detection model (and, for audio, a speech model) from Hugging Face, plus a speaker-separation model. These are ordinary file downloads; the providers receive standard request information such as your IP address. Once the models are present, the app runs offline and stops contacting them.
  • Diagnostics — optional, off by default. Crash and basic usage reporting are disabled by default and are engineered to contain no documents and no personal data. In the shipping build nothing is transmitted automatically. If you send feedback or an error report, it is prepared as an email you review and send yourself to [email protected], scrubbed of personal data first.

4. Local-only helper servers

To power the optional browser extension and Word add-in, PII Shield runs small servers that listen only on your own computer (local loopback). They are not reachable from the internet, and nothing leaves your machine through them — data goes from the extension or add-in straight to the local engine and back.

5. No telemetry by default; no advertising

The app ships with no analytics or usage tracking turned on, and it contains no advertising or third-party marketing trackers. This website is a static page hosted on Cloudflare; it uses no advertising or cross-site tracking cookies and currently no analytics at all.

6. What this means for your compliance

Because your files never reach us, you remain the controller of the personal data in them, and we do not act as your processor — so no data-processing agreement with us is required for that content. PII Shield helps you find and remove personal data, but automated detection is not perfect: always review the findings and verify the output before you share or rely on it. See the Terms & License for the full picture.

7. Questions

Anything unclear? Email [email protected]. For the formal legal documents, see our Privacy Policy and Terms & License.