Scan any text for 27 sensitive-data patterns covering credentials, financial identifiers, government IDs, health, network, and personal contact data. Credit cards are Luhn-checked, IBANs are mod-97 verified, AADHAAR is Verhoeff-checked, and NHS numbers are mod-11 checked. Pure client-side; nothing leaves your browser.
Pairs with Data Classification Templater (decide handling) and GRC hub (NIST PR.DS / ISO 27001 A.5.12 / ISO 42001 A.7).
Primary Account Number — 13-19 digits with Luhn checksum.
International Bank Account Number — country code + check digits + BBAN, mod-97 verified.
9-digit ABA routing/transit number (ABA RTN).
AAA-GG-SSSS. Excludes obvious invalid ranges (000, 666, 9XX area).
12-digit Indian national ID with Verhoeff checksum.
Permanent Account Number — five letters, four digits, one letter.
NINO — two letters + 6 digits + suffix letter.
9-digit US passport number.
UK NHS patient identifier — 10 digits with mod-11 checksum.
AKIA / ASIA-prefixed 20-char key.
40-char base64-ish secret near an AWS context.
Classic ghp_ / fine-grained github_pat_ tokens.
gho_ / ghu_ / ghs_ / ghr_ prefixed tokens.
sk_live_ / rk_live_ / pk_live_ prefixed Stripe keys.
sk-… (legacy ~51 char) or sk-proj-…
sk-ant- prefixed Anthropic keys.
xoxa / xoxb / xoxp / xoxs / xoxr prefixed tokens.
Three-part base64url with eyJ header start.
-----BEGIN … PRIVATE KEY----- block.
AC-prefixed 32-char identifier.
GCP service-account "type": "service_account" header.
RFC-5321-ish email address.
International E.164 — +CCNNNNNNNNNN.
US-formatted phone — (NNN) NNN-NNNN or NNN-NNN-NNNN.
10/8, 172.16/12, 192.168/16 — internal infrastructure leak.
Plain IPv4 outside RFC1918 / loopback / link-local.
IEEE 802 hardware address.
Heuristic only. Does not replace a managed DLP product. Use as a triage tool, not as the sole control.
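The checksum gates described above (Luhn, IBAN mod-97, NHS mod-11) are what keep arbitrary digit runs from being reported as findings. The following is an added example, not this tool's own code: the candidate regexes and the names `RULES`, `scan` and `SAMPLE` are assumptions, and the sample values are constructed or well-known public test numbers.

```javascript
// Luhn: double every second digit from the right; the total must be divisible by 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// IBAN mod-97: move the first four characters to the end, map A-Z to 10-35,
// and require the resulting number to leave remainder 1 when divided by 97.
function ibanValid(iban) {
  const s = iban.slice(4) + iban.slice(0, 4);
  let rem = 0;
  for (const ch of s) {
    const v = parseInt(ch, 36); // '0'-'9' -> 0-9, 'A'-'Z' -> 10-35
    rem = (v > 9 ? rem * 100 + v : rem * 10 + v) % 97;
  }
  return rem === 1;
}

// NHS mod-11: weights 10..2 over the first nine digits; a computed check of 10 is invalid.
function nhsValid(digits) {
  let sum = 0;
  for (let i = 0; i < 9; i++) sum += (digits.charCodeAt(i) - 48) * (10 - i);
  const check = (11 - (sum % 11)) % 11;
  return check !== 10 && check === digits.charCodeAt(9) - 48;
}

// Hypothetical candidate patterns (assumed, not the tool's): find the shape first, then verify.
const RULES = [
  { type: "iban", re: /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b/g, ok: ibanValid },
  { type: "pan", re: /\b\d(?:[ -]?\d){12,18}\b/g, ok: luhnValid },
  { type: "nhs", re: /\b\d{3}[ -]?\d{3}[ -]?\d{4}\b/g, ok: nhsValid },
];

// Report only candidates whose checksum verifies; separators are stripped before checking.
function scan(text) {
  return RULES.flatMap(({ type, re, ok }) =>
    [...text.matchAll(re)]
      .map((m) => ({ type, value: m[0].replace(/[ -]/g, ""), index: m.index }))
      .filter((hit) => ok(hit.value)));
}

// Constructed input: each valid test value sits next to a one-digit corruption of itself.
const SAMPLE = "card 4111 1111 1111 1111, typo 4111 1111 1111 1112; " +
  "iban GB82WEST12345698765432 vs GB83WEST12345698765432; nhs 943 476 5919, order 943 476 5918";
```

Calling `scan(SAMPLE)` returns three findings and drops the three corrupted neighbours, which match the same regexes but fail their checksums.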