Here Are the 5 Essential Questions to Ask Before Pasting Into AI
Before pasting any text into an AI, ask yourself five quick questions. The fifth — send an anonymized version instead — removes the risk at the source.
Before you paste text into an AI, take thirty seconds. Ask yourself five simple questions. They fit into a single reflex. The most important is the last one: “could I send an anonymized version instead?” If yes, the risk nearly disappears. The first four questions spot what is sensitive. The fifth gives you the fix. Here are the five questions, in order.
The 5 questions at a glance
Here is the ranking, from the first question to the last:
- 1Does it contain someone's personal data? A name, an email or a number is enough.
- 2Would I be comfortable if this were kept for years, or read by a human? Both happen.
- 3Is there a name, an identifier, a number or a secret I can remove? Take it out first.
- 4Do my employer, my client or the law allow it? If not, don't paste.
- 5Could I send an anonymized version instead? If yes, do it — that's the ONYRI Sanitize method.
| Rank | Question | Why it matters |
|---|---|---|
| 1 | Does it contain personal data? | A name or a number is enough to identify someone — a legal category (GDPR) |
| 2 | Would you be comfortable if it were kept or read? | Prompts can be retained for a long time and read by a person |
| 3 | Can I remove names, identifiers and secrets? | Removing one name is rarely enough; clean everything before sending |
| 4 | Is this allowed (employer, client, law)? | Pasting a third party's data discloses it to an outside service |
| 5 | Can I send an anonymized version? | A “yes” neutralizes the risk at the source — the ONYRI fix |
Questions 1 and 2: what your text becomes
The first question has a legal answer, not just a feeling. The GDPR (Regulation (EU) 2016/679) defines “personal data” in its Article 4. It is any information relating to an identified or identifiable person. A name, an identification number, location data, an online identifier: all of it counts. If your text holds one of these, you are handling personal data. It's no longer an impression. It's a legal category.
The second question is a comfort test. Picture your text kept for several years. Picture a person reading it one day. Both are possible. OpenAI states that conversations may be used to train its models, unless you opt out. Its models are built partly from what users provide (see the OpenAI Help Center). And human reviewers may read exchanges to enforce the rules and improve safety. So your text isn't seen by a machine alone.
“Kept for years” is not an exaggeration. In the New York Times v. OpenAI case, a U.S. court ordered OpenAI to preserve its output logs. That included conversations users had deleted, normally erased on a roughly 30-day cycle. In November 2025, the court ordered about 20 million de-identified logs to be produced to the plaintiffs. Bloomberg Law and the National Law Review reported it. So pasted text can stay, then end up before a third party.
Questions 3 to 5: clean, check, anonymize
The third question is practical. Look at your text and hunt for what you can remove. A name, an identifier, a number, an API key, a password. Take it out before you send. One caveat: removing a single name often isn't enough. The ICO, the UK regulator, makes this point. Data is only truly anonymous when no one can be identified, and when the re-identification risk is “sufficiently remote.” So clean every identifier, not just one.
The fourth question is about the rules. Do your employer, your client or the law allow this send? Pasting a colleague's or client's data discloses it to a third party. The GDPR defines that “third party” in Article 4: any body other than you and your processors. In 2023, Samsung banned ChatGPT for its employees. Within about twenty days of use, engineers had pasted confidential source code and internal meeting notes (reported by Forbes). When in doubt, don't paste.
The fifth question is the fix. Could you send an anonymized version instead? Almost always, yes. The ICO describes pseudonymisation this way: replace the information that directly identifies people. You swap a name for a reference number, for example, using techniques like hashing, encryption or tokenisation. That's exactly what ONYRI Sanitize does. Answer “yes” to this question, and the previous four stop worrying you.
How to use them
Make it a thirty-second reflex. Before every copy-paste, run the list:
- Question 1: is there any personal data? A name or a number is enough.
- Question 2: would you be comfortable if it were kept or read? If not, be careful.
- Question 3: remove every name, identifier, number and secret — not just one.
- Question 4: check that your employer, your client or the law allows it.
- Question 5: send an anonymized version rather than the raw text.
Questions 3 and 5 are solved in one move with the right tool. To write prompts without leaking data, read our guide on writing AI prompts without leaks. For the step-by-step method, see our article on how to anonymize data before using AI.
That's the role of ONYRI Sanitize. The engine detects sensitive data and replaces it with reversible tokens before sending. Detection and the token↔value mapping stay in your browser. Only anonymized text reaches the tool. Whatever the model, it finds only tokens — not your real information.
Frequently asked questions
- What should you check before pasting text into ChatGPT?
- Ask yourself five questions. Does the text contain personal data? Would you be comfortable if it were kept or read? Can you remove names, identifiers and secrets? Is it allowed by your employer, your client or the law? And could you send an anonymized version instead? A “yes” to the last one neutralizes the risk at the source.
- Is pasting a client's name into an AI a problem?
- Yes, potentially. A name is personal data under the GDPR (Article 4). Pasting it into an outside tool discloses it to a third party. Without authorization or a lawful basis, that exposes you. It's better to anonymize the name before sending.
- Is removing a single name enough to make a text safe?
- Often no. The ICO notes that data is only truly anonymous when the re-identification risk stays very low. A text can remain identifying even without the name, through other clues. Remove every identifier — numbers, emails, secrets — not just the name.
Sources & references
- Pseudonymisation — ICO guidance (hashing, encryption, tokenisation; still personal data) — Information Commissioner's Office (ICO)
- Samsung Bans ChatGPT Among Employees After Sensitive Code Leak (source code and internal notes pasted) — Forbes
- GDPR Article 4 — Definitions (“personal data” and “third party”) — gdpr-info.eu (GDPR reference text)
Keep your sensitive data in your browser
ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.
Anonymize my prompt