Heedful
On-device DLP for 12 AI chats. Warns before API keys, SSNs, customer data or files reach ChatGPT, Claude, Gemini and 9 more.
As of June 2026, Heedful has 2 users in the Developer Tools category.
Users: 2 (no change, 0%)
Rating: — (no change, 0%), — reviews
Reviews: — (no change, 0%)
Version: 0.3.0 (Manifest V3)
90-day change · In the last 90 days this extension had 2 version updates and changed permissions.
History
3 snapshots. Tracking since May 18, 2026.
| Date | Users | Rating | Reviews | Version |
|---|---|---|---|---|
| May 18, 2026 | — | — | — | 0.1.1 |
| May 24, 2026 | — | — | — | 0.1.1 |
| Jun 6, 2026 | — | — | — | 0.2.0 |
| Now | 2 | — | — | 0.3.0 |
Changelog
- Jun 6, 2026 · description
Before:
PasteGuard watches for sensitive data in text you paste into AI chat sites and warns you before it is sent. All scanning runs entirely inside your browser. No clipboard content is ever uploaded, logged, or transmitted anywhere.

HOW IT WORKS
When you paste text into a supported AI chat site, PasteGuard scans it instantly. If it finds anything sensitive - an API key, a social security number, a credit card number, or a confidential business term - it shows a warning panel before the message is sent. You then choose to send anyway, remove the sensitive parts, or cancel.

WHAT IT DETECTS
Secrets and credentials
AWS access keys and secret keys, Stripe live keys and webhook secrets, GitHub tokens and fine grained personal access tokens, Slack tokens, JSON Web Tokens, PEM private keys, npm tokens, database connection strings, OpenAI keys, Anthropic keys, Google AI keys, Google service account files, Hugging Face tokens, Replicate keys, Groq keys, Perplexity keys, OpenRouter keys.

Personal identifiers
Social security numbers, credit card numbers (verified with Luhn checksum), IBAN bank account numbers, US passports, US employer identification numbers, US individual taxpayer identification numbers, US DEA registration numbers.

International PII across 16 countries
United Kingdom: national insurance numbers, NHS numbers, UTR numbers, company registration numbers, VAT numbers, PAYE references, bank account numbers.
Italy: codice fiscale, partita IVA.
Spain: DNI, NIE, CIF, social security numbers.
Germany: Steuer-ID, VAT numbers, social insurance numbers, Handelsregisternummer.
France: NIR, SIREN, SIRET, RPPS, ADELI.
Netherlands: BSN, KVK, VAT numbers.
Belgium: national register numbers, VAT numbers, company numbers.
Portugal: NIF, NISS, cartão de cidadão.
Sweden: personnummer, organisationsnummer.
Switzerland: AHV numbers, UID.
Brazil: CPF, CNPJ, PIS, CNH, RENAVAM, título de eleitor.
Canada: social insurance numbers, business numbers.
Australia: TFN, ABN, ACN, Medicare numbers.
India: Aadhaar, PAN, GSTIN, UAN, voter ID, DIN.
Mexico: CURP, RFC, NSS, CLABE, INE.

Semantic signals (requires on device AI support in Chrome)
Customer and company names, internal project codenames, confidential business content.

INDUSTRY COMPLIANCE PRESETS
One click presets turn on the detectors most relevant to your regulatory context. Available presets: HIPAA, PCI DSS, SOC2, GDPR, Financial Services, Legal. Applying a preset only turns on the relevant categories. It does not turn off anything you have already enabled.

FILE SCANNING (PRO)
Drop a text file, PDF, or Word document onto the Scan page to check it for sensitive content before uploading it to an AI tool. Findings are highlighted directly inside the document view.

REGION DEFAULTS
Choose your country in settings and PasteGuard turns on the detectors most relevant to your jurisdiction by default. You can enable or disable any detector individually at any time.

PRIVACY
PasteGuard does not make any network requests of its own. The only permission it uses is storage, to save your settings locally. No clipboard content, no paste text, and no findings are ever sent to any server. The audit log (a count of findings by severity and site) is stored locally in your browser and can be exported or deleted at any time from the options page. The full privacy policy is available at: pasteguard.com/privacy

v0.2.0 (Update)
PasteGuard now covers 12 AI chat platforms.
International PII detection across 16 countries: United Kingdom, Italy, Spain, Germany, France, Netherlands, Belgium, Portugal, Sweden, Switzerland, Brazil, Canada, Australia, India, Mexico and the United States. Over 70 detector patterns total.
Industry compliance presets: one click configurations for HIPAA, PCI DSS, SOC2, GDPR, Financial Services and Legal. Each preset enables the detectors most relevant to that regulatory context and optionally elevates their severity.
File scanning: drop a text file, PDF or Word document onto the new Scan page to check it for sensitive content before uploading it to an AI tool. PDF findings are highlighted directly in the document view.
On device AI layer: if your device supports Chrome's built in language model, PasteGuard now runs a secondary semantic scan to catch customer names, internal codenames and confidential business signals that pattern matching alone cannot detect.
Detection rules redesigned: detectors are now grouped by category with filter chips and a search bar so you can find and toggle specific rules quickly.
Region picker: the country selector is now a compact flag and name grid instead of a long list.
Send button interception: PasteGuard now also intercepts the send button and the Enter key, not just the paste event, so content typed or dragged in is also checked before it is sent.
After: identical to the current description under About below.
- Jun 6, 2026 · short_description
Before: On-device DLP for AI chats. Warns before API keys, SSNs, and customer data reach ChatGPT, Claude, Gemini & 5 more.
After: On-device DLP for 12 AI chats. Warns before API keys, SSNs, customer data or files reach ChatGPT, Claude, Gemini and 9 more.
- Jun 6, 2026 · name
Before: PasteGuard — Stop Pasting Secrets into ChatGPT & Other AI Chats
After: Heedful
- May 24, 2026 · description
Before:
PasteGuard is a privacy-first Chrome extension that warns you before sensitive data is sent to an AI chat. It scans paste events, typed text, and Send-button clicks on every major AI chat site — and surfaces a warning modal the moment something looks like an API key, customer data, or other sensitive content.

PasteGuard itself never sends your data anywhere. Every detection happens in your browser tab — no telemetry, no cloud classifier, no PasteGuard servers (we don't have any). The extension adds zero outbound network requests to your AI-chat workflow.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHY THIS EXISTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
According to Cyberhaven's 2023 research, more than 1 in 9 things knowledge workers paste into ChatGPT is confidential — API keys, customer records, internal pricing, source code. Companies with budget have enterprise DLP. Individual workers have nothing. PasteGuard is for that gap.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHERE IT WORKS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PasteGuard works on every major AI chat service, including ChatGPT, Claude, and Gemini, plus five additional widely-used AI chat platforms. See pasteguard.io for the full supported list.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHAT IT DETECTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PasteGuard ships with 25 built-in detection rules, organized into five categories:

Authentication credentials
API keys from major AI providers, cloud platforms, and developer-tool services. Each detector requires a specific prefix or shape, so false positives are rare.

Identity and financial information
US Social Security Numbers with context awareness, credit card numbers validated with the Luhn algorithm, international bank account numbers (IBAN) validated with mod-97, and US passport numbers.

Cryptographic material
Private keys in PEM format (RSA, EC, OpenSSH, encrypted variants), JSON Web Tokens with verified headers, and webhook signing secrets.

Generic high-entropy strings
A heuristic that flags long base64-style strings with high Shannon entropy. Off by default since the false-positive rate is higher than the targeted detectors.

User-defined custom rules
Add your own regular expressions for industry-specific identifiers — medical record numbers, legal case IDs, employee codes, internal account references, anything your work involves. A live tester verifies your pattern before you save it.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HOW IT WORKS — 3 LAYERS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1) Regex layer (always on, ~10ms): The 25 built-in detectors scan your text the moment you paste, type Enter, or click Send. Near-zero false positives — every detector requires a specific shape or context word.
2) Custom rules: Add your own regex patterns in Options for industry-specific identifiers. Live tester lets you verify the pattern before saving.
3) Semantic layer (optional, Gemini Nano): Uses Chrome's built-in on-device AI to detect customer names, internal codenames, and confidential business signals that regex can't catch. The AI runs entirely on your computer — nothing is sent anywhere.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHAT HAPPENS IN THE MODAL
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
When something is flagged, the modal shows:
• Each finding with severity (critical / high / medium / low)
• The matched snippet with secrets masked (first 4 + last 4 chars only)
• "Why was this flagged?" expand for plain-English explanation
• Per-row "Ignore for this session" (temporary)
• Per-row "Add to allowlist" (permanent)
• Cancel · Redact and continue · Send anyway

Click "Redact and continue" and we replace each secret with a [REDACTED-XXX] placeholder, then continue the paste. Click "Send anyway" and the message sends immediately — no second click or Enter press required.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PRIVACY — THE PRODUCT MOAT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
• Zero outbound network requests from the extension code. Verify in DevTools → Network tab.
• No telemetry. We don't know you exist.
• No account, no email, no sign-up required.
• No cloud classifier — every detection happens in your browser tab.
• Open-source detection rules: github.com/Matteo-Coder2/pasteguard-rules
• Audit log stores counts only (not text), 7-day rolling, local-only
• Uninstall removes all stored data automatically

Most "DLP for AI" tools route your text through their own cloud to classify it — which means your secret is now in two places instead of one. PasteGuard never does that. PasteGuard adds zero outbound traffic — what you do with the AI chat itself, of course, is still up to you.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
FREE FOREVER + PRO
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Free tier includes:
• All supported AI chat services
• Core detection rules for the most common secret types
• 5 custom regex rules + 10 allowlist entries
• Balanced sensitivity profile
• Full modal flow with masked snippets, redact, and audit log

Pro tier ($4.99/mo or $39/yr) adds:
• Additional advanced detection rules
• Optional semantic layer using Chrome's on-device AI to flag confidential business signals
• Unlimited custom rules + allowlist entries
• Loose + Strict sensitivity profiles
• Cancel anytime — no commitment, end-of-period cancellation

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHO IT'S FOR
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Knowledge workers at small and mid-size companies without enterprise DLP. Developers pasting SDK code containing API keys into AI chats. Customer success reps pasting tickets that mention customer names. Paralegals working with case data. Anyone who uses AI chat tools as part of their workflow.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHAT IT DOESN'T DO
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PasteGuard is a smart safety net, not a guarantee. It doesn't scan images, voice input, or files attached to AI chats. It doesn't replace good judgment for classified or HIPAA-protected work. It's a tool for individual workers — not a substitute for enterprise compliance.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Free download. No account. Works on Chrome, Edge, Brave. Open-source detection rules.
After: identical to the PasteGuard text shown first under the Jun 6, 2026 description entry above (it begins "PasteGuard watches for sensitive data in text you paste into AI chat sites").
- May 24, 2026 · host_permissions
Before: https://chatgpt.com/*, https://chat.openai.com/*, https://claude.ai/*, https://gemini.google.com/*, https://copilot.microsoft.com/*, https://m365.cloud.microsoft/*, https://chat.deepseek.com/*, https://www.deepseek.com/*, https://www.perplexity.ai/*, https://perplexity.ai/*, https://grok.com/*, https://www.grok.com/*, https://x.com/*, https://www.x.com/*, https://chat.mistral.ai/*, https://extensionpay.com/*
After: https://chatgpt.com/*, https://chat.openai.com/*, https://claude.ai/*, https://gemini.google.com/*, https://copilot.microsoft.com/*, https://m365.cloud.microsoft/*, https://chat.deepseek.com/*, https://www.deepseek.com/*, https://www.perplexity.ai/*, https://perplexity.ai/*, https://grok.com/*, https://www.grok.com/*, https://x.com/*, https://www.x.com/*, https://chat.mistral.ai/*, https://poe.com/*, https://www.poe.com/*, https://you.com/*, https://www.you.com/*, https://character.ai/*, https://www.character.ai/*, https://beta.character.ai/*, https://meta.ai/*, https://www.meta.ai/*, https://extensionpay.com/*
Permissions & access
- Permissions: storage
- Host access: https://chatgpt.com/*, https://chat.openai.com/*, https://claude.ai/*, https://gemini.google.com/*, https://copilot.microsoft.com/*, https://m365.cloud.microsoft/*, https://chat.deepseek.com/*, https://www.deepseek.com/*, https://www.perplexity.ai/*, https://perplexity.ai/*, https://grok.com/*, https://www.grok.com/*, https://x.com/*, https://www.x.com/*, https://chat.mistral.ai/*, https://poe.com/*, https://www.poe.com/*, https://you.com/*, https://www.you.com/*, https://character.ai/*, https://www.character.ai/*, https://beta.character.ai/*, https://meta.ai/*, https://www.meta.ai/*, https://extensionpay.com/*
About
Heedful watches for sensitive data in text you paste into AI chat sites and warns you before it is sent. All scanning runs entirely inside your browser. No clipboard content is ever uploaded, logged, or transmitted anywhere.

HOW IT WORKS
When you paste text into a supported AI chat site, Heedful scans it instantly. If it finds anything sensitive — an API key, a credit card number, or a confidential business term — it shows a warning panel before the message is sent. You then choose to send anyway, remove the sensitive parts, or cancel.

WHAT IT DETECTS
Secrets and credentials
Heedful recognizes the kinds of credentials developers handle every day, so an API key or signing token doesn't slip into an AI chat by accident. Rather than matching a single fixed string, it understands the patterns behind credentials issued by major cloud and developer platforms — covering more than two dozen distinct formats, from connection strings to service-account files. The full, always-current catalog of what it detects lives in our open-source rules repository, where you can review every pattern and suggest your own.

Personal identifiers (United States)
Recognizes the most common US personal and financial identifiers, including credit-card numbers, which it verifies with a Luhn checksum to reduce false positives.

International PII across 16 countries
Heedful's detection is localized for 16 countries, so it recognizes the personal and business identifiers that actually show up in each one rather than applying a single generic pattern. Every supported country gets its own tailored detector set, tuned to the local formats for things like national tax and identity numbers. The complete, per-country list of what each detector covers lives in the open-source rules repository, and because everything runs on-device, none of this text ever leaves your machine.

Semantic signals (requires on device AI support in Chrome)
Customer and company names, internal project codenames, and confidential business content detected by the on-device language model.

INDUSTRY COMPLIANCE PRESETS
Match Heedful's protection to your regulatory context in a single click. Each preset turns on only the detectors that matter most for the framework you work under, such as HIPAA, PCI DSS, or GDPR. Applying a preset adds the relevant checks and never switches off anything you've already enabled, so it's always safe to try one.

FILE SCANNING (PRO)
Drop a text file, PDF, or Word document onto the Scan page to check it for sensitive content before uploading it to an AI tool. Findings are highlighted directly inside the document view.

REGION DEFAULTS
Choose your country in settings and Heedful turns on the detectors most relevant to your jurisdiction by default. You can enable or disable any detector individually at any time.

PRIVACY
Heedful does not make any network requests of its own. The only permission it uses is storage, to save your settings locally. No clipboard content, no paste text, and no findings are ever sent to any server. The audit log (a count of findings by severity and site) is stored locally in your browser and can be exported or deleted at any time from the options page. The full privacy policy is available at: heedful.app/privacy
Technical
- Version: 0.3.0
- Manifest: V3
- Size: 1.1MiB
- Min Chrome: 88
- Languages: 1
- Featured: No
Metadata
- ID: eemkggajojahcpbnmgbnibgoobapfgck
- Developer ID: u00ff354b7ca24b4bb70fcf304ae398ab
- Developer Email: [email protected]
- Created: May 17, 2026
- Last Updated (Store): Jun 4, 2026
- Last Scraped: Jun 6, 2026
- Website: —
- Support URL: https://heedful.app/support/
- Privacy Policy: https://heedful.app/privacy/
Data sourced from the Chrome Web Store · last verified Jun 6, 2026.