I pasted sensitive data into AI — what should I do now?

Already pasted sensitive data into ChatGPT? Treat it as exposed. The concrete steps to contain the damage — and stop it from happening again.

By Pierre de ONYRI

If you've already pasted sensitive data into ChatGPT, Claude or Gemini, treat it as exposed. Four reflexes: if it was a secret (API key, password), revoke and regenerate it right now; delete the conversation and turn off history/training; assess the sensitivity, and for personal, health or financial data check whether a notification duty applies; then put anonymization tooling in place so it can't recur. You can't undo the send, but you can limit the damage.

First: assume it's exposed

Once sent, data has left your perimeter: it can be logged, retained, even — depending on the plan and settings — reused. Deleting the conversation doesn't undo what was already copied or indexed. The right starting point isn't “is this bad?” but “how do I contain it?”

Diagram: data already past a pane of glass, and on the user's side a containment plan (revoke, checks, shield raised).
You can't take back data that has left — you act on your side to contain it and prevent a repeat.

If it was a secret: revoke and regenerate now

  1. Revoke the key/token in the provider's console, without waiting.
  2. Generate a new one and update your services.
  3. Check access logs for any abnormal use in the meantime.
  4. If the secret granted access to data, assess what could have been reached.

If it was personal data: assess and contain

  • Delete the conversation and turn off history/training in the settings.
  • Document the incident: what, when, which people are concerned.
  • Assess the risk to those people — health or financial data weighs heavily.
  • Check the notification duty: in the EU, a breach that poses a risk must be notified to the authority (in France, the CNIL, within 72 hours in principle), and the people concerned informed if the risk is high.

Then: make sure it never happens again

An isolated incident is a useful alarm. The durable fix isn't “be more careful” (vigilance fails under a deadline), but removing the sensitive data before it leaves: an engine detects it, swaps it for a reversible token, and restores the answer in your browser. The right move becomes automatic.

ONYRI Sanitize anonymizes sensitive data before sending and keeps the mapping in your browser. After an incident, it's the measure that turns “I hope I don't do it again” into “it can't leave in the clear anymore.”
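
The detect, tokenize and restore loop described above, as an added JavaScript sketch (not ONYRI Sanitize's code). The three regex detectors, the `[[TYPE_n]]` token format and the function names are assumptions chosen for illustration, and the sample prompt is constructed.

```javascript
// Added illustration: detectors and the [[TYPE_n]] token format are assumptions.
const DETECTORS = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "AWS_KEY_ID", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: "JWT", re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
];

function createSanitizer() {
  const valueToToken = new Map(); // mapping stays local, it is never sent
  const tokenToValue = new Map();
  const counters = {};

  // Same value -> same token, so the model can still follow references.
  function tokenFor(type, value) {
    if (!valueToToken.has(value)) {
      counters[type] = (counters[type] || 0) + 1;
      const token = `[[${type}_${counters[type]}]]`;
      valueToToken.set(value, token);
      tokenToValue.set(token, value);
    }
    return valueToToken.get(value);
  }

  return {
    // Swap every detected value for its token before the prompt is sent.
    sanitize: (text) => DETECTORS.reduce(
      (out, { type, re }) => out.replace(re, (m) => tokenFor(type, m)), text),
    // Put originals back into the answer; unknown tokens are left untouched.
    restore: (text) => text.replace(/\[\[[A-Z_]+_\d+\]\]/g,
      (t) => tokenToValue.get(t) ?? t),
    // Fail-closed check: true if a detectable value would still go out.
    leaks: (text) => DETECTORS.some(({ re }) => new RegExp(re.source).test(text)),
  };
}

// Constructed sample; the key is the example access key ID from AWS documentation.
const s = createSanitizer();
const prompt = "Mail alice@example.com about key AKIAIOSFODNN7EXAMPLE; cc alice@example.com";
const outbound = s.sanitize(prompt);
const reply = "Draft to [[EMAIL_1]]: rotate [[AWS_KEY_ID_1]] today. Ref [[EMAIL_9]].";
console.log(outbound);
console.log(s.restore(reply));
```

Regex detectors only catch the formats they are written for; names or free-text health details need a different kind of detector.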

Frequently asked questions

If I delete the conversation, is my data erased?
Not in any guaranteed way. Deleting a chat doesn't undo what was already copied, logged or indexed. Treat the data as exposed and act accordingly (revoke a secret, assess the risk) rather than relying on deletion.

Do I have to report the incident?
It depends on the data. For personal data, especially sensitive data (health, finances), a breach likely to create a risk must in principle be notified to the authority (in France, the CNIL, within 72 hours) and the people concerned informed if the risk is high. When in doubt, document it and seek advice.

How do I stop it from happening again?
Put anonymization tooling in place to make it automatic: sensitive data is detected and replaced with a token before any send, then restored in your browser. Protection stops depending on your vigilance at every message.

Keep your sensitive data in your browser

ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.