A black box drawn over text hides nothing. Neither does a highlight, or a font color set to white. The underlying characters stay in the file, and any chatbot that reads the text layer will repeat them straight back to you. You can still hand an AI model sensitive material safely. The fix is to delete the identifying data first instead of hiding it.
So redaction for AI is two jobs, not one. First, decide what the model genuinely needs to do the task. Second, strip everything else out at the source, so what you paste is plain text with the secrets already gone. This guide walks through both, including a full before-and-after of a real-style document turned into a safe prompt that still gets a useful answer.
Why people paste sensitive data into AI in the first place
The help is real, and the data is right there. A 2023 Cyberhaven analysis of activity across 1.6 million knowledge workers found that about 11% of the content employees paste into ChatGPT is confidential: source code, client records, internal-only documents, and regulated information. The most common categories were sensitive internal docs, source code, and client data.
A model can summarize a 40-page contract, rewrite a denial letter, debug a stack trace, or translate medical jargon for a patient. None of those tasks actually require the model to know the client's name, the account number, or the diagnosis attached to a specific person. That gap, between what the task needs and what the document contains, is exactly where good redaction lives. Here is what most redaction guides won't tell you: for an AI prompt you never need a redaction tool at all. You control the text box, so you can simply not type the secret.
The goal is not to stop using AI on real work. The goal is to feed it the shape of the problem without the identities.
A black box is not redaction
Drawing a black rectangle over text covers a pixel layer while leaving the text layer untouched. The characters remain in the PDF content stream as real, selectable, copyable data. Select all, copy, paste into a plain text editor or Word, and the words behind the bar reappear. Search, OCR, programmatic extraction recover them too.
This is not theoretical. In multiple high-profile cases, people have un-redacted supposedly redacted court and government PDFs with nothing more than a select, a copy, and a paste into another application. The flaw is always the same: black bars drawn over text without deleting the characters underneath. Anyone with a free PDF reader can pull the hidden words back out in seconds, which is why proper-redaction guidance for lawyers stresses removing the characters rather than covering them.
Now add a chatbot to the picture. Upload that same file to an AI assistant, ask it to extract the text under the black bars, and it will, because it reads the text layer, not the rendered image you see. The model has no concept that a rectangle was meant to be a wall. To it, the rectangle is decoration and the hidden text is just text. What was a manual copy-paste trick becomes a one-line request.
Quick self-test on any file you think is redacted: open it, press select-all, copy, and paste into a blank note. If a single hidden character shows up, the file is not redacted. It is decorated.
What true redaction actually does
Real redaction removes the original text from the document's internal structure and rebuilds the content stream so nothing is left to recover by copy-paste, search, OCR, or extraction. Done properly it also flattens the page and strips the file's metadata, so no copy of the words survives in a hidden field. The visible black mark is the last step, not the only step. If the characters still exist anywhere in the file, the redaction failed, regardless of how solid the box looks on screen.
For files, that means using a tool's dedicated redaction feature (Acrobat's Redact tool with 'apply', or a similar permanent-removal function), then verifying with the select-all test before the file leaves your machine. For prompts, the equivalent is simpler and stronger: do not paste the document at all. Retype or transform the content into placeholder form, so the secrets never enter the model's input in the first place. You cannot leak text you never sent.
Delete, don't mask
The whole maxim fits in three words: strip the who, keep the what. Masking and deleting feel similar on screen, but only one of them survives a chatbot. Here is the line between them.
- Masking hides data while keeping it present: black boxes, white font, highlight overlays, blur on a copyable text layer. All recoverable.
- Deleting removes the data entirely: retyping without the identifiers, replacing names with placeholders, swapping real numbers for dummy ones.
- For AI prompts, deleting is almost always easier than masking, because you control what you type into the box.
- Treat any tool that 'covers' rather than 'removes' as cosmetic. If the original characters survive, so does the leak.
A worked example: turning a sensitive document into a safe prompt
Here is a representative insurance-appeal scenario. You want an AI model to draft a stronger appeal letter, but the source note is full of identifiers the model has no need to see. The trick is to keep the structure and the medical and procedural facts, while swapping every identifier for a stable placeholder. The names, numbers, and dates below are fictional, used only to show the mechanics.
Before (do not paste this)
Patient Maria Delgado, DOB 04/11/1979, policy #BCBS-4471-22890, was denied coverage for an MRI of the lumbar spine on 06/02/2026 by reviewer J. Hartwell at Meridian Health, claim #CLM-7789021. Treating physician Dr. Alan Reyes, NPI 1457882910, documented six weeks of failed conservative therapy and progressive left-leg radiculopathy.
After (safe to paste)
Patient [PATIENT], a 47-year-old, was denied coverage for a lumbar spine MRI by the plan's reviewer. The treating physician documented six weeks of failed conservative therapy and progressive left-leg radiculopathy. Draft a formal appeal letter arguing the MRI is medically necessary under standard imaging criteria for radiculopathy after failed conservative care. Use [PATIENT], [POLICY_NUMBER], [CLAIM_NUMBER], [PHYSICIAN], and [DATE] as placeholders I will fill in myself.
Notice what survived: the clinical facts that drive the argument (failed conservative therapy, radiculopathy, the imaging request). Notice what left: the name, date of birth, policy number, claim number, reviewer name, physician name, and NPI. The model can write an equally strong letter from the second version, because none of the deleted fields changed the medical reasoning. You paste the real values back in locally, after the draft returns.
Placeholder names and dummy numbers usually produce output as usable as the raw version. The task rarely depends on the identity. The model reasons about the situation, not the person.
A reusable redaction checklist for prompts
- Names of people and organizations: replace with [NAME], [CLIENT], [VENDOR]. Keep roles (reviewer, physician) since they carry meaning.
- Account, policy, claim, case, and invoice numbers: replace with [NUMBER] tokens or obviously fake stand-ins.
- Dates of birth, exact addresses, and phone numbers: drop entirely or coarsen (age band instead of DOB, city instead of street).
- Email addresses, API keys, tokens, passwords, and internal URLs: never paste, no exception, even into a 'private' chat.
- Source code: strip hardcoded credentials, internal hostnames, and proprietary identifiers; paste the logic, not the secrets.
- Free-text fields: scan for the identifiers that hide inside narrative sentences, which is where masking tools and humans both miss them.
Keep placeholders consistent within one prompt. If Maria becomes [PATIENT] in line one, she must stay [PATIENT] everywhere, or the model loses track of who is who and the draft turns to mush.
Redaction approaches compared
| Approach | Hides from your eyes? | Recoverable by a chatbot? |
|---|---|---|
| Black box / highlight over PDF text | Yes | Yes, reads the text layer instantly |
| White font or transparent text | Yes | Yes, copy-paste reveals it |
| True PDF redaction (remove + rebuild stream) | Yes | No, characters are deleted |
| Retype with placeholders (never paste the file) | Yes | No, secrets never enter the input |
Where a memory layer fits
Redaction handles the one-off paste. The harder problem is the running context you build up over months: the notes, photos, and documents you want an assistant to actually remember, where retyping everything into placeholders defeats the point. That is the job an external memory layer is built for.
I build MemX, a consumer AI memory app that stores your own documents, photos, and notes across Android, iOS, and WhatsApp, then answers from them. It is private by architecture: per-user keys, encryption at rest, and an on-device first pass, so your personal corpus stays in your own space rather than going into a public chat box. That is a different model from redaction, not a replacement for it. When you do hand text to any general assistant, strip the identifiers first. When you want a tool to remember your material over time, keep it in a system designed to hold it privately rather than in a chat box.
Frequently asked questions
01How do I redact data before pasting into ChatGPT?
Replace every identifier with a placeholder before you paste. Swap names for [NAME], account and policy numbers for [NUMBER], and drop dates of birth and addresses. Keep the facts the task needs, delete the who. Retyping is safer than uploading a file, because the secrets never enter the model's input.
02Is a black box over text in a PDF real redaction?
No. A black box covers the visible layer while the actual characters stay in the file's text layer. Copy-paste, search, OCR, or asking a chatbot to read the file all recover the text. Real redaction removes the characters from the content stream so nothing is left to extract.
03Can ChatGPT read text hidden under a black bar in a PDF?
Yes. AI assistants read the text layer, not the image you see on screen. If the characters were only covered and not deleted, the model can repeat them back. It is the same flaw behind the many failed-redaction cases where copying a blacked-out passage revealed the text, only now it is triggerable with a single request.
04Will placeholder names give me worse AI answers?
Usually not. Most tasks (drafting, summarizing, debugging, translating) depend on the situation, not the identity. A letter written about [PATIENT] is as strong as one about a real name. Keep placeholders consistent within the prompt, then fill the real values in yourself after the draft returns.
05What should I never paste into an AI chatbot even after redacting?
API keys, passwords, access tokens, full payment-card numbers, and internal credentials. These have no safe placeholder form and no legitimate reason to appear in a prompt. Strip them at the source. For source code, paste the logic while removing hardcoded secrets and internal hostnames.
The rule that survives every tool change is short: if the original characters still exist somewhere in what you send, you have not redacted anything. A black box does not change that. It only decorates the leak. Delete the data, keep the task, and the AI can still do its job without ever holding the part that mattered to keep private.
