Stop Leaking PII Through Your OpenAI API Calls


via Dev.to Webdev, Ben Mann

Every chat.completions.create call sends your prompt to OpenAI's servers. If that prompt contains user data — support tickets, form inputs, CRM records — there's a good chance it includes names, emails, phone numbers, and worse.

```javascript
const response = await openai.chat.completions.create({
  model: "gpt-4o",
  messages: [
    {
      role: "user",
      content: `Summarize this support ticket:
From: Sarah Chen <sarah.chen@acme.com>
Phone: (415) 555-0142
SSN: 521-44-8832
My order #38291 hasn't arrived. I live at 742 Evergreen Terrace, Springfield, IL 62704.`,
    },
  ],
});
```

That single request just sent a name, email, phone number, SSN, and home address to an external service. Under GDPR, CCPA, or HIPAA, that's a compliance incident waiting to happen.

The problem is invisible

Most teams don't audit what's inside their AI prompts. The Authorization header is your OpenAI key — that's expected. The problem is the request body. PII shows up in places you don't expect:

Support tickets — customer names,
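One way to audit and redact the request body before it is sent, as an added example that is not code from the article: `PII_PATTERNS`, `redactText` and `redactRequestBody` are hypothetical names, and the regexes are assumptions that cover only email, US SSN and US phone formats.

```javascript
// Added example. Patterns are assumptions covering only email, US SSN and US phone;
// names and street addresses need NER or a dedicated PII detection service.
const PII_PATTERNS = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { type: "PHONE", re: /(?:\(\d{3}\)\s?|\b\d{3}[\s.-])\d{3}[\s.-]\d{4}\b/g },
];

// Replace each match with a stable placeholder; the same value always maps to the same token.
function redactText(text, seen) {
  let out = text;
  for (const { type, re } of PII_PATTERNS) {
    out = out.replace(re, (match) => {
      const key = `${type}:${match}`;
      if (!seen.has(key)) {
        const n = [...seen.keys()].filter((k) => k.startsWith(`${type}:`)).length + 1;
        seen.set(key, `[${type}_${n}]`);
      }
      return seen.get(key);
    });
  }
  return out;
}

// Walk every message in a chat.completions request body. Content may be a plain
// string or an array of parts; only text parts are rewritten. The input is not mutated.
function redactRequestBody(body) {
  const seen = new Map();
  const messages = body.messages.map((msg) => {
    if (typeof msg.content === "string") {
      return { ...msg, content: redactText(msg.content, seen) };
    }
    if (Array.isArray(msg.content)) {
      const content = msg.content.map((part) =>
        part.type === "text" ? { ...part, text: redactText(part.text, seen) } : part
      );
      return { ...msg, content };
    }
    return msg;
  });
  // Findings carry type and placeholder only, so the audit record holds no raw PII.
  const findings = [...seen].map(([key, placeholder]) => ({
    type: key.slice(0, key.indexOf(":")), placeholder,
  }));
  return { body: { ...body, messages }, findings };
}

// Constructed sample, modelled on the ticket in the article.
const sampleBody = { model: "gpt-4o", messages: [{ role: "user", content:
  "From: Sarah Chen <sarah.chen@acme.com>\nPhone: (415) 555-0142\nSSN: 521-44-8832\nMy order #38291 hasn't arrived." }] };
const { body: safeBody, findings } = redactRequestBody(sampleBody);
console.log(safeBody.messages[0].content, findings);
```

The customer's name survives redaction in the sample output, which shows the limit of pattern matching: regexes catch structured identifiers, not free-text names or addresses.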
