Guides

Prompt Privacy Checklist

Use this prompt privacy checklist when you are about to paste work text, customer messages, technical logs, sales notes, or internal documents into an AI tool. It is designed to be practical: slow down, scan the obvious categories, replace what is not needed, then review before use.

This checklist will not catch every possible issue. It is a helper tool and a review habit. The more sensitive the context is, the more careful your final review should be.

1. People and contact details

Start by looking for direct personal details. These are often easy to identify but easy to overlook in long copied text. Names, emails, phone numbers, addresses, usernames, and personal identifiers should be replaced when the real value is not needed for the AI task.

If the AI is helping you rewrite a message, summarize an issue, or create a template, the exact person usually does not matter. Replace identity with role-based placeholders such as [CLIENT_NAME], [CUSTOMER_EMAIL], or [PHONE].

2. Business and customer records

Next, look for business records. These include order IDs, invoice numbers, ticket references, account numbers, internal notes, CRM records, pricing, negotiation details, and private customer history. A prompt can feel ordinary because it is part of your daily work, but it may still include information that should not be copied widely.

Replace exact values with placeholders that preserve context. For example, use [ORDER_ID] instead of a real order number or [SUPPORT_TICKET] instead of a private ticket reference.

3. Technical secrets and private systems

Technical prompts require an extra scan. Look for API keys, tokens, database URLs, internal hostnames, private repository links, webhook URLs, request headers, and environment variables. These values often appear in logs and code blocks where they are harder to notice.

If you need help debugging, show the structure and error but replace the secret. The AI can usually reason about a missing header, malformed request, or environment variable issue without seeing the real credential.

4. Context that reveals more than intended

Not all sensitive information looks like a number or token. Internal strategy, customer complaints, employee feedback, private planning notes, legal comments, and financial context can be sensitive even without a formal identifier.

Ask whether the AI needs the exact detail or only the general situation. If the general situation is enough, summarize or replace the detail before using the prompt.

5. Final read-through

After cleaning, read the prompt once from beginning to end. Confirm that the task is still clear, placeholders are understandable, and no obvious sensitive details remain. This final pass is important because detection tools and manual scans can both miss context.

If the prompt is high stakes, consider whether an AI tool is appropriate for the task at all, or whether you should use a more controlled internal workflow.

6. Decide whether to paste less

The best cleaned prompt is sometimes shorter than the original. Instead of pasting a full document, you can summarize the relevant facts yourself and ask the AI to help with structure, wording, or next steps. This is especially useful when the source text contains many private names, links, notes, or account details.

A shorter prompt also makes review easier. If you can explain the situation with placeholders in a few sentences, you reduce the number of places where possible sensitive information can hide.

Real example

You want an AI tool to turn an internal support note into a concise summary.

Unsafe prompt example

Summarize this for the team: Sarah Choi at sarah.choi@example.com called about account AC-99201. Her phone is 010-7777-8888. She says invoice INV-10291 was charged twice. Internal note: she is a high-risk churn account. Dashboard: https://admin.example.com/accounts/AC-99201. API log includes token Bearer sk-test-1234567890abcdef.

Cleaned prompt example

Summarize this for the team: [CLIENT_NAME] at [EMAIL] called about account [ACCOUNT_ID]. Her phone is [PHONE]. She says invoice [INVOICE_ID] was charged twice. Internal note: she may churn. Dashboard: [PRIVATE_URL]. API log token has been removed and replaced with [API_KEY].

Practical checklist

  • Names, emails, phone numbers, and addresses replaced where possible.
  • Order IDs, ticket IDs, invoice numbers, and account IDs reviewed.
  • Private URLs, document links, and dashboard links removed or replaced.
  • API keys, tokens, headers, and environment variables removed or replaced.
  • Internal notes and private context summarized when exact wording is not needed.
  • Cleaned prompt still explains the task, audience, tone, and desired output.

Common mistakes

  • Replacing direct contact details but leaving private links untouched.
  • Forgetting repeated identifiers in quoted emails or logs.
  • Using [REDACTED] everywhere and making the prompt hard to understand.
  • Skipping the final read-through because a tool already highlighted some items.

FAQ

How long should this checklist take?

For a short prompt, it may take less than a minute. Longer customer records, logs, or internal documents deserve more time.

Should I use placeholders or delete details completely?

Use placeholders when the role of the detail matters. Delete details when the AI does not need them at all.

Can I reuse the same placeholder style?

Yes. A consistent placeholder style such as [CLIENT_NAME], [EMAIL], and [ORDER_ID] makes prompts easier to read and review.

Related tools

Keep exploring

Prompt privacy is easier when the tool, guide pages, privacy notes, and project context are connected. These pages are useful next steps after reading this guide.

Clean a prompt before using AI

Use Prompt Privacy Cleaner to review possible sensitive information and replace selected items with placeholders before pasting text into an AI tool.

Open Prompt Privacy Cleaner