If you send user text to an LLM, you are probably sending personal data with it without meaning to. A support message, a chat transcript, a pasted form. They carry names, emails, phone numbers, and sometimes card numbers, and all of it ends up in your prompt. Once that prompt leaves your server, the personal data is sitting in someone else's logs, which is a real problem under GDPR and HIPAA.

The fix is simpler than most people expect, and it does not mean giving up the model. You redact the personal data before the prompt goes out, send the safe version to the model, then put the real values back into the answer. This post walks through that pattern with working code.

The pattern in three steps

Redact. Take your raw text and swap each piece of personal data for a placeholder like [EMAIL_1]. Keep a small map on your side that records which placeholder stands for which real value.

Call the model with the redacted text. The model only ever sees placeholders, so the real data never lands in logs you do not control.