DFKI launches Privacy Guardrail: a protective layer for AI prompts directly in the browser

Generative AI has long since become part of everyday working life – in emails, support tickets, minutes, research notes and internal documents. However, this is precisely where a new security gap arises: anyone wishing to use AI productively often has to process text that should not, in principle, be passed on to external services without further ado. Privacy Guardrail therefore comes into play at the very moment when confidential text becomes an AI prompt.  

The extension automatically checks inserted content locally, flags any sensitive passages it detects and replaces them with standardised placeholders such as [EMAIL_1] or [PERSON_1] before sending. Users can review the detection results before sending, adjust them or deliberately ignore individual matches. Once the AI system has responded, known placeholders can be replaced locally with the original values, ensuring that the contextual meaning is preserved.

The key difference from many other approaches lies in the ‘local-first’ approach: recognition, placeholder mapping, anonymisation and restoration all take place entirely within the browser. Inserted text is not sent to an external inference service. Privacy Guardrail thus makes the browser itself the locus of data protection – right where a prompt is generated from sensitive content. 

All relevant data remains in the local Chrome profile of the respective browser. Depending on usage, this includes settings, placeholder mappings, Identity Vault entries, as well as local correction and feedback data; nothing is stored in Chrome Sync. This ensures that users retain control over their sensitive information.

Technically, Privacy Guardrail combines two local detection layers. Deterministic pattern recognisers detect structured content such as email addresses, credit card numbers, IBANs or IP addresses. In addition, the local AI component can recognise context-dependent terms such as people, organisations, addresses, locations or passwords. If WebGPU is available, inference runs locally via the graphics card; otherwise, the system uses a slower CPU/WASM path. For devices with limited resources, the extension can also switch to a pattern-only mode, in which structured formats are still recognised, but coverage of free-text sections is reduced.

Low-signal categories such as URL, DATE and MISC. The DFKI is deliberately open about the system’s limitations: sensitive content may be overlooked, harmless content may be incorrectly flagged, and unusually formatted text may be more difficult to recognise. Privacy Guardrail is therefore explicitly intended as an assistive protective layer and not as a guarantee of perfect anonymisation, complete prevention of disclosure or regulatory compliance. It is precisely this transparency that forms part of the concept: trustworthy AI is not created through blanket promises, but through transparent processes, open documentation and genuine user control.

Privacy Guardrail is released as an open-source project on GitHub and is licensed under the Apache 2.0 licence. The open source code, documented detection rules and local processing make the system auditable and verifiable. For the first public beta, the extension officially supports Chrome on desktop as well as the platforms chatgpt.com, chat.openai.com, claude.ai and gemini.google.com.

Other Chromium-based browsers may work in principle, but are not currently fully tested. Looking ahead, the team is working on improved detection quality, smaller and more efficient local models, additional platforms and potential mobile scenarios.