De-identify patient records before AI, research or disclosure
Redact NHS numbers, names, dates and clinical identifiers on your device before a record goes to an AI assistant like OpenEvidence or UpToDate Expert AI, a researcher, an insurer or a solicitor. Built for medico-legal reports, research and subject access.
No upload. No install. Free to start.
How it works
1. Open your document
Load any PDF, scan or image in your browser. Nothing is uploaded - it stays on your device.
2. Detect the personal data
On-device AI finds 60+ types of personally identifiable information automatically - names, addresses, IDs and more.
3. Redact and export
Apply permanent pixel-burn redaction - the text is destroyed, not just hidden - then export with an optional tamper-evident certificate.
Built for the work you actually do
Patient data is special-category and high-risk
Detect and redact health identifiers across records before sharing, without the file leaving your device.
Medico-legal reports and insurance requests
Redact third-party and patient data quickly, then export a professional, watermark-free copy.
De-identifying records for research
AI surfaces names, NHS numbers, dates of birth and contact details so you can strip identifiers consistently.
Uploading records to a redaction service
Nothing is uploaded for standard detection and redaction. The work stays on your device.
De-identification is becoming routine clinical work
Stripping identifiers out of a patient record used to be an occasional job: a medico-legal report here, a research dataset there. It is turning into a routine one. Records now leave the clinical system for insurers, solicitors, researchers, audit, case conferences and, increasingly, AI assistants. Every one of those routes carries the same duty: remove anything that identifies the patient before the document goes anywhere.
AI at the point of care raises the stakes
Point-of-care AI has moved from pilot to daily practice. Tools built specifically for clinicians, such as OpenEvidence and UpToDate Expert AI, now sit next to general assistants in the consultation, and clinicians have growing reason to trust what comes back.
In a blinded review published in Nature Medicine in June 2026, frontier general-purpose models were rated higher than purpose-built clinical systems on real clinician queries, with no meaningful difference in safety outcomes. For records governance the implication is uncomfortable: the more clinically capable these tools become, the more real patient detail will be pasted into them, unless de-identification happens first.
Whichever tool a clinician reaches for, it is a cloud service run by a third party. An identifiable record pasted into one is a disclosure, regardless of how clinical the tool looks. De-identifying the record beforehand keeps the clinical value while removing the data that names the patient.
What counts as a patient identifier
A record carries far more identifying detail than the name at the top. Work through each document for all of it before sharing.
Record identifiers. NHS number, hospital number, MRN, and any local case or episode reference. These tie a document straight back to the individual and to every other record about them.
Demographics. Name, date of birth, address and postcode, phone and email. Date of birth plus postcode alone is enough to single most people out.
Re-identification by rarity. A rare diagnosis, an unusual occupation or a small catchment can identify a patient with no name attached at all. Strip admission dates and location detail wherever they are not needed for the clinical question.
Third parties. Names of relatives, carers, the referring GP and other clinicians in the record. Their personal data is not yours to share either.
One workflow, several destinations
The same on-device de-identification prepares a record wherever it is going. Load the letter, discharge summary, imaging report or note, and detection flags NHS numbers, names, dates of birth, addresses, clinician names and 60+ other identifiers. You redact, then export a clean copy for a subject access request, a medico-legal report, an insurer, a research dataset, or simply to paste the clinical detail into an AI assistant. The file and the personal data in it never leave your device.
Common questions
Can I redact NHS numbers and patient identifiers?
Yes. RedactProof detects names, NHS numbers, dates of birth, contact details and other identifiers, and removes them permanently.
Is it suitable for medico-legal work?
Yes. Redact third-party and patient data, then export a professional copy with an optional tamper-evident certificate.
Do patient records get uploaded?
No. Standard detection and all redaction happen in your browser; the file is never uploaded.
Do I need to de-identify records before using a clinical AI tool?
Yes. Tools like OpenEvidence and UpToDate Expert AI are third-party cloud services, so an identifiable record pasted into one is a disclosure. Remove NHS numbers, names, dates of birth and other identifiers first, then share only the clinical detail the tool needs.
Is this only for AI, or also for research and medico-legal work?
Both. The same on-device de-identification prepares a record for an AI assistant, a research dataset, an insurer or a solicitor. The file never leaves your browser in any of those cases.
How your files are processed
PDFs are opened, rendered, and redacted entirely in your browser. Files are never uploaded.
Only cryptographic hashes and certificate metadata are stored - for tamper-evident verification.
Extracted text (not files) is routed through Cloudflare for enhanced detection. Processed in memory, never stored.
Redact a record free
Load a document, redact patient data in your browser, export a clean copy.