For Healthcare professionals

De-identify patient records before AI, research or disclosure

Redact NHS numbers, names, dates and clinical identifiers on your device before a record goes to an AI assistant like OpenEvidence or UpToDate Expert AI, a researcher, an insurer or a solicitor. Built for medico-legal reports, research and subject access.

No upload. No install. Free to start.

Patient namesMedical record numbersDates of birthAddressesPhone numbersClinician namesInsurance IDsDiagnoses
Document redaction for Healthcare professionals

How it works

1. Open your document

Load any PDF, scan or image in your browser. Nothing is uploaded - it stays on your device.

2. Detect the personal data

On-device AI finds 60+ types of personally identifiable information automatically - names, addresses, IDs and more.

3. Redact and export

Apply permanent pixel-burn redaction - the text is destroyed, not just hidden - then export with an optional tamper-evident certificate.

Built for the work you actually do

Patient data is special-category and high-risk

Detect and redact health identifiers across records before sharing, without the file leaving your device.

Medico-legal reports and insurance requests

Redact third-party and patient data quickly, then export a professional, watermark-free copy.

De-identifying records for research

AI surfaces names, NHS numbers, dates of birth and contact details so you can strip identifiers consistently.

Uploading records to a redaction service

Nothing is uploaded for standard detection and redaction. The work stays on your device.

Nothing uploaded
Files stay on your device
60+ PII types
AI detection built in
Permanent pixel-burn
Text destroyed, not hidden
Tamper-evident exports
Verify with a QR code

De-identification is becoming routine clinical work

Stripping identifiers out of a patient record used to be an occasional job: a medico-legal report here, a research dataset there. It is turning into a routine one. Records now leave the clinical system for insurers, solicitors, researchers, audit, case conferences and, increasingly, AI assistants. Every one of those routes carries the same duty: remove anything that identifies the patient before the document goes anywhere.

AI at the point of care raises the stakes

Point-of-care AI has moved from pilot to daily practice. Tools built specifically for clinicians, such as OpenEvidence and UpToDate Expert AI, now sit next to general assistants in the consultation, and clinicians have growing reason to trust what comes back.

In a blinded review published in Nature Medicine in June 2026, frontier general-purpose models were rated higher than purpose-built clinical systems on real clinician queries, with no meaningful difference in safety outcomes. For records governance the implication is uncomfortable: the more clinically capable these tools become, the more real patient detail will be pasted into them, unless de-identification happens first.

Whichever tool a clinician reaches for, it is a cloud service run by a third party. An identifiable record pasted into one is a disclosure, regardless of how clinical the tool looks. De-identifying the record beforehand keeps the clinical value while removing the data that names the patient.

What counts as a patient identifier

A record carries far more identifying detail than the name at the top. Work through each document for all of it before sharing.

Record identifiers. NHS number, hospital number, MRN, and any local case or episode reference. These tie a document straight back to the individual and to every other record about them.

Demographics. Name, date of birth, address and postcode, phone and email. Date of birth plus postcode alone is enough to single most people out.

Re-identification by rarity. A rare diagnosis, an unusual occupation or a small catchment can identify a patient with no name attached at all. Strip admission dates and location detail wherever they are not needed for the clinical question.

Third parties. Names of relatives, carers, the referring GP and other clinicians in the record. Their personal data is not yours to share either.

One workflow, several destinations

The same on-device de-identification prepares a record wherever it is going. Load the letter, discharge summary, imaging report or note, and detection flags NHS numbers, names, dates of birth, addresses, clinician names and 60+ other identifiers. You redact, then export a clean copy for a subject access request, a medico-legal report, an insurer, a research dataset, or simply to paste the clinical detail into an AI assistant. The file and the personal data in it never leave your device.

Common questions

Can I redact NHS numbers and patient identifiers?

Yes. RedactProof detects names, NHS numbers, dates of birth, contact details and other identifiers, and removes them permanently.

Do patient records get uploaded?

No. Standard detection and all redaction happen in your browser; the file is never uploaded.

Do I need to de-identify records before using a clinical AI tool?

Yes. Tools like OpenEvidence and UpToDate Expert AI are third-party cloud services, so an identifiable record pasted into one is a disclosure. Remove NHS numbers, names, dates of birth and other identifiers first, then share only the clinical detail the tool needs.

Is this only for AI, or also for research and medico-legal work?

Both. The same on-device de-identification prepares a record for an AI assistant, a research dataset, an insurer or a solicitor. The file never leaves your browser in any of those cases.

How your files are processed

Your device

PDFs are opened, rendered, and redacted entirely in your browser. Files are never uploaded.

Our servers

Only cryptographic hashes and certificate metadata are stored - for tamper-evident verification.

Precision Engine

Extracted text (not files) is routed through Cloudflare for enhanced detection. Processed in memory, never stored.

Security architecture Β· Privacy policy

Redact a record free

Load a document, redact patient data in your browser, export a clean copy.