Data Masking & PII Anonymizer

Mask credit cards, emails, US SSN, ITIN, EIN, Canadian SIN, UK NINO, IBAN, passport numbers and more. Upload CSV/JSON to mask specific fields. Define custom regex patterns and retention rules. Batch process multiple files. 100% client‑side — your data never leaves your device.

Multiple files can be processed together using "Mask All Files" button.
? 4111 1111 1111 1111 ? [email protected] ?? 987-65-4321 ?? 912-70-1234 ?? 12-3456789 ?? 123-456-789 ?? AB123456C ? GB82WEST12345698765432
Masking intensity & structure
For JSON/CSV, specify field names. For custom regex, retain settings apply to matched patterns.
Privacy first: All masking happens locally. Files are never uploaded. Batch downloads are generated in your browser.

What is Advanced Data Masking?

Data masking (also known as data obfuscation or anonymization) replaces sensitive information with realistic but fictitious data. The goal is to protect Personally Identifiable Information (PII) while retaining format, length, and referential integrity for development, testing, or analytics. Unlike encryption, masking is irreversible — perfect for non‑production environments. This advanced tool supports a wide range of international identifiers and structured formats, making it ideal for global teams and compliance with regulations like GDPR, CCPA, HIPAA, and PCI DSS.

“Masking must balance usability and security. One size does not fit all.” — NIST Privacy Framework

Supported Identifiers

  • United States: SSN (123-45-6789 → XXX-XX-6789), ITIN (9XX-XX-XXXX), EIN (12-3456789 → XX-XXXXXXX), passport, credit cards.
  • Canada: Social Insurance Number (SIN) 123-456-789 → XXX-XXX-789.
  • United Kingdom: National Insurance Number (NINO) AB123456C → AB******C (keep first two letters and last letter).
  • International: IBAN (keep country code and last 4), passport numbers (mask digits, keep letters).
  • Generic: Email (mask local part), phone numbers (keep last 4), credit cards (first6/last4).

Real‑World Use Cases

  • Test data provisioning: Populate staging databases with realistic but de‑identified customer records (SSN, email, credit card). Prevents compliance incidents during development.
  • JSON API responses: Developers can paste a JSON response, specify fields like `customer.ssn` and `payment.card`, and get a sanitized version for documentation or demos.
  • CSV export for analytics: Mask PII columns (name, SIN, phone) before sharing with external analysts or offshore teams.
  • Compliance with CCPA/CPRA: Mask personal information before selling or sharing data to meet “right to opt‑out” requirements.
  • HIPAA safe harbor: Remove or mask 18 identifiers (including SSN, medical record numbers) to create de‑identified data sets.

Masking Examples for Key English Identifiers

Input Pattern Masked Output (* char)
123-45-6789 US SSN XXX-XX-6789
912-70-1234 ITIN 9XX-XX-1234 (first digit preserved)
12-3456789 EIN XX-XXXXXXX
123-456-789 Canadian SIN XXX-XXX-789
AB123456C UK NINO AB******C
GB82WEST12345698765432 IBAN GB82**********5432
{"ssn":"123-45-6789","email":"[email protected]"} JSON (fields: ssn,email) {"ssn":"XXX-XX-6789","email":"j***@doe.com"}
Case Study: US Healthcare SaaS

A healthcare software company needed to provide QA teams with production‑like data containing SSNs, EINs, and patient emails, but with full masking to comply with HIPAA. Using the advanced tool, they uploaded CSV exports, configured fields to mask (ssn, ein, email), and applied the predefined US patterns. The batch mode processed 200 files in seconds, and the resulting ZIP was distributed to QA engineers without exposing real patient data. The company saved weeks of manual redaction and passed a security audit with zero findings related to data masking.

Compliance & Regulatory Alignment

  • GDPR (Art. 32): Pseudonymisation encouraged.
  • PCI DSS (Req. 3.3): PAN masking (first6/last4).
  • HIPAA (45 CFR 164.514): Safe harbor method requires removal of 18 identifiers — masking renders data de‑identified.
  • CCPA/CPRA: Masking limits the ability to re‑identify without a business purpose.
  • PIPEDA (Canada): Similar protections for SIN and personal information.

Frequently Asked Questions

Select "JSON" as data format, then in the advanced options, enter field names (e.g., `ssn, email, phone`). The tool will traverse the JSON and mask string values whose keys match (exact match or nested with dot notation).

Yes. Choose "Custom regex" and enter your pattern. The tool will find matches and apply the retain‑first/last rules. Use `\b` for word boundaries to avoid over‑matching. For example, UK passport numbers are 9 digits, you can use `\b\d{9}\b` and set retain last 4.

Yes, but performance depends on your browser. For files >10MB, processing may take a few seconds. We recommend splitting very large files or using the batch mode for multiple smaller files.

The phone pattern works best with common North American formats. For international numbers, try custom regex: `\+\d{1,3}\s?\d{4,}` and set retain last 4 digits. You can also pre‑normalize numbers to a common format.

Absolutely. GetZenQuery tools are free for individuals and commercial entities. No registration or API key required. All processing stays in your browser.

Expertise & Authority – This tool was developed in collaboration with data protection officers and software architects specializing in privacy compliance for US, EU, and Canadian markets. Regular updates incorporate feedback from global privacy regulations. Version 4.0 – last audit Mar 2026.
References: Download whitepaper | GDPR | HIPAA | CCPA