OpenAI Releases Privacy Filter, an Open-Source Model That Strips PII Locally Before Data Leaves the Machine
On April 22, 2026, OpenAI released Privacy Filter, a 1.5B-parameter open-source model under Apache 2.0 that detects and masks eight categories of personal data on-device. It scores 96% F1 on the PII-Masking-300k benchmark, runs on a CPU with 4 to 8 GB of RAM, and is published on Hugging Face and GitHub.
VaultTools · April 28, 2026
Photo on Unsplash
Table of Contents
- What happened
- What the model does
- Performance and hardware requirements
- Why an on-device model matters
- Limits acknowledged by OpenAI
- What this means for browser-based file tools
- Sources
What Happened
On April 22, 2026, OpenAI published a new open-source model called Privacy Filter. The release announcement on the OpenAI website describes it as a small model designed to identify and mask personally identifiable information (PII) in text before that text is stored, shared, or sent to another system.
The model is published on Hugging Face and on GitHub under the Apache 2.0 license. According to the OpenAI announcement, the model is “small enough to be run locally” so that “data that has yet to be filtered can remain on device.” The Model Card, dated April 22, 2026, confirms the same intent: the model is positioned for on-premises and offline use.
VentureBeat, Decrypt, The New Stack, and Help Net Security all covered the release on April 22 and 23, 2026, framing it as an on-device data sanitization tool aimed at enterprise teams that pipe text into LLMs.
What the Model Does
Privacy Filter is a bidirectional token-classification model. Standard large language models predict the next token from left to right. A token classifier reads a sequence in both directions and labels each token, which is the established architecture for named entity recognition and PII detection.
The model sorts sensitive data into eight categories: names, addresses, emails, phone numbers, URLs, dates, account numbers, and secrets. The “account numbers” category covers items such as credit card and bank account numbers. The “secrets” category covers items such as passwords and API keys.
The released checkpoint has 1.5 billion total parameters with 50 million active parameters and a 128,000-token context window. That window is large enough to process a long contract, a medical report, or a multi-message email thread in one pass.
Performance and Hardware Requirements
OpenAI reports a 96% F1 score on the public PII-Masking-300k benchmark, broken down as 94.04% precision and 98.04% recall. On a corrected version of the same benchmark that addresses annotation issues identified during evaluation, the score rises to 97.43% F1 (96.79% precision, 98.08% recall). Tonic.ai and Security Boulevard published independent benchmarking write-ups noting that real-world PII data still differs from public datasets, and that domain tuning remains relevant for high-sensitivity workflows.
Hardware needs are modest. According to coverage in The New Stack and a published deployment guide, the model runs on a GPU with roughly 3 GB of VRAM in FP16, with latency in the 100 to 300 millisecond range for medium-length text. On a CPU only, 4 to 8 GB of RAM is sufficient on a 2020-era Intel or AMD chip, with latency in the 1 to 2 second range.
Why an On-Device Model Matters
Most existing PII redaction services work the opposite way. The user, or an application, sends text to a cloud API. The API returns a redacted version. The unredacted text has already left the device by the time it is scrubbed. That is the configuration that produces the news cycle of accidentally indexed documents, exposed cloud buckets, and pipeline-side breaches.
OpenAI’s own framing in its announcement is direct: keeping the filter on-device means “PII can be masked or redacted without leaving your machine.” Help Net Security on April 23 quoted OpenAI describing the use case as “high-throughput data sanitization” workflows where teams need a model that runs on-premises.
This pattern is the same one that privacy-first browser tools have been arguing for: process the data where it already is. A redaction model that requires a network round-trip to a vendor cannot honestly claim local processing. A redaction model that runs as a 1.5B-parameter checkpoint on a laptop CPU can.
Limits Acknowledged by OpenAI
The Model Card and the announcement are explicit about the model’s failure modes. Privacy Filter can miss uncommon identifiers and ambiguous private references. It can over-redact or under-redact when context is short. In legal, medical, and financial workflows, OpenAI states that “human review and domain-specific evaluation and fine-tuning remain important.”
The model is also bound to its eight categories. Identifiers outside that taxonomy, for example employee ID schemes specific to a single company, may not be detected without fine-tuning. Tonic.ai’s benchmarking write-up made the same point: any PII detector needs to be evaluated on data that resembles the user’s actual production data.
What This Means for Browser-Based File Tools
The release validates a thesis that VaultTools and other privacy-first projects have been operating on for years: meaningful privacy guarantees require local processing, not policy. A vendor that claims to “not store your data” can still be breached, mis-indexed, or compelled to disclose. A model running on the user’s CPU cannot leak what it never receives.
Privacy Filter sits at the text layer. The same logic applies to file operations. Merging a PDF, stripping EXIF from a photo, converting an image format, or redacting metadata can all happen inside the browser using WebAssembly, with the file bytes never crossing a network boundary. VaultTools follows that pattern for every tool in its catalog.
The April 22 release adds a useful piece to the local-processing stack. Combined with on-device file tools, it gives a user, or an enterprise team, a way to sanitize a document end-to-end without uploading anything.
Sources
- Introducing OpenAI Privacy Filter (OpenAI)
- Model Card for OpenAI Privacy Filter, April 22, 2026 (OpenAI)
- openai/privacy-filter (Hugging Face)
- OpenAI Privacy Filter on GitHub (GitHub)
- OpenAI launches Privacy Filter, an open source, on-device data sanitization model (VentureBeat)
- OpenAI Just Open-Sourced a Tool That Scrubs Your Secrets Before ChatGPT Ever Sees Them (Decrypt)
- OpenAI’s new Privacy Filter runs on your laptop so PII never hits the cloud (The New Stack)
- OpenAI tackles a bad habit people have when interacting with AI (Help Net Security)
- OpenAI Unveils Privacy Filter as Local-Source Solution to AI Data Leaks (Techstrong.ai)
- Benchmarking OpenAI’s Privacy Filter: What it gets right, and where PII detection still needs real data (Tonic.ai)
- OpenAI Privacy Filter FREE: Complete Guide to the Open-Source Model That Masks Personal Data Offline (Pasquale Pillitteri)