By · Last updated 2026-05-17

STATEMENT OF THE FOUNDER

Why I Initiated This Ecosystem — A Professional Conviction After 28 Years

George Curta · curta.solutions · est. 1998 · 26 countries · March 2026
// core principle

Your data. Your keys. Your rules.

Every product in this ecosystem is built on a single architectural commitment: your data, your keys, your control. Your password never leaves your device. Your documents are never stored. Your encryption key is yours alone. No US cloud law, no vendor subpoena, no data broker — can reach what was never shared.

Zero-Knowledge Auth · Local-First Processing · User Holds the Keys · Offline-Capable · No Vendor Lock-In · EU Jurisdiction Only · Air-Gap Compatible · Reversible — By You

Background

For 28 years I have worked at the intersection of technology, security, and organizational compliance. I founded curta.solutions in 1998. Since then I have served regulated organizations across 26 countries. Sectors include financial services, healthcare, legal, government, manufacturing, and technology. I partner with them on IT architecture, security, digital transformation, and compliance.

  • Systems Architect — enterprise infrastructure for sensitive data
  • Security Consultant — ISO 27001 programs, penetration testing, security architecture
  • Data Protection Advisor — alongside DPOs, legal teams, compliance officers
  • AI Integration Specialist — deploying AI in regulated, data-governance-critical environments
  • Founder & Initiator — identifying the gap, defining the vision, assembling the team to build what the market lacked

What I have observed over 28 years is not a slow evolution. It is a crisis in slow motion. Generative AI and the global proliferation of overlapping privacy regulation pushed it to a breaking point.

My Conviction

I believe every person, organization, and institution has the right to share information selectively. They should disclose to a regulator only what a regulator is entitled to see. They should collaborate with a partner only over data that has been explicitly authorized. They should participate in commercial and public life without surrendering what must remain private.

I believe this right must be practically exercisable by everyone — not only by organizations with compliance departments and enterprise software budgets. Privacy cannot be a privilege of scale.

US law can reach any data held by any US company anywhere on earth. 77% of employees feed sensitive data into AI tools they do not control. In such a world, only one architecture delivers a meaningful privacy guarantee. The data must never leave the user's control in the first place. Not contractual guarantees. Not privacy policies. Technical architecture.

Zero-knowledge authentication. Local-first processing. Reversible encryption where the key belongs to the user. Offline-capable operation. EU jurisdiction, no exceptions. These are not product features. They are the minimum standard for any tool that claims to protect personal data.

I have spent 28 years inside the organizations that handle the world's most sensitive information. Across those years, I have watched the gap between regulatory intent and technical reality widen. That experience grants me both the understanding and the responsibility to initiate what the ecosystem still lacks. My job: define the vision, assemble the right team, and ensure it gets built to the standard the problem demands.

The right to anonymize personal information is not a technical feature. It is a fundamental right. And a right that cannot be practically exercised is no right at all.

// That is what anonymize.solutions is.
// That is why it exists.
// That is why it cannot wait.

The Problems I Have Observed

01

Regulatory Fragmentation: Too Many Rules, No Common Language

A mid-sized global organization must navigate 48+ national and regional privacy laws at once. The list includes GDPR, UK GDPR, CCPA, LGPD, PDPA, PIPL, DPDPA, APPI, PIPEDA and dozens more. The EU alone has 24 national DPAs issuing binding guidance. Their principles align; their practice diverges. What satisfies the German BfDI does not automatically satisfy the French CNIL, the Irish DPC, or the Dutch AP. Sector-specific layering adds further requirements — HIPAA, PCI-DSS, NIS2, the AI Act. These rarely harmonize with each other.

The result is not a compliance framework. It is a moving target with 48 different bullseyes.

02

The Paper Monster: Agreements Nobody Reads, Controls Nobody Verifies

Organizations maintain data processing agreements with hundreds of subprocessors. Standard Contractual Clauses run to 30+ pages per transfer relationship. Then come Records of Processing Activities, DPIAs, TIAs, LIAs. Each requires technical input that most legal teams cannot independently verify. In practice, organizations sign what they must sign, file what they must file, and hope the technical reality matches the contractual description. The paper monster generates the appearance of compliance. It rarely generates the substance of it.

03

Technical Inadequacy: The Tools Do Not Match the Obligation

// Probabilistic AI Recognition

Generative AI-based PII detection is non-deterministic: the same document processed twice can produce different results. That is fundamentally incompatible with compliance, where you must demonstrate, reproducibly and verifiably, that specific data was detected and handled correctly.

// DIY Deterministic Systems

Microsoft Presidio, spaCy, Stanza — engineering platforms, not compliance tools. Deploying to production requires custom recognizers for every entity type and language. Engineers must build pre/post-processing pipelines, integrate with document formats, and maintain everything as regulations evolve. Typically 30–80 hours of specialist engineering precede a single document. Most organizations lack that expertise in-house.

// Language and Document Recognition

A personnummer in a Swedish employment contract. A Steuer-ID in a German tax form. A PESEL in a Polish insurance document. A Codice Fiscale in an Italian invoice. Each requires both language detection and document-type-aware entity recognition. Language models trained predominantly on English produce a 69% PII miss rate in non-English text. The law makes no distinction by language.
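The four identifiers above each carry a published check-digit rule, and that rule is what turns a loose regex into a recognizer that a compliance team can rely on: the same input always yields the same findings, and a number that merely has the right shape is rejected unless its checksum holds. The block below is an added example written for this page, not code from anonymize.solutions or from Presidio; it is what a custom recognizer for these entity types amounts to. The sample text, the ID values and the entity names (SE_PERSONNUMMER and so on) are constructed for the demo.

```javascript
// Added example (not anonymize.solutions code): deterministic recognizers for the
// four national identifiers named in the text. Each pairs a shape regex with the
// identifier's published check-digit rule. All sample values are constructed test
// numbers, not real people.

// Swedish personnummer, YYMMDD-NNNC: Luhn over the nine digits before the check digit.
function luhnCheckDigit(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let v = Number(digits[i]) * (i % 2 === 0 ? 2 : 1);
    if (v > 9) v -= 9;
    sum += v;
  }
  return (10 - (sum % 10)) % 10;
}
function isPersonnummer(s) {
  const m = /^(\d{6})[-+]?(\d{3})(\d)$/.exec(s);
  return m !== null && luhnCheckDigit(m[1] + m[2]) === Number(m[3]);
}

// Polish PESEL, 11 digits: weighted sum with weights 1,3,7,9 repeating.
function isPesel(s) {
  if (!/^\d{11}$/.test(s)) return false;
  const w = [1, 3, 7, 9, 1, 3, 7, 9, 1, 3];
  const sum = w.reduce((acc, wi, i) => acc + wi * Number(s[i]), 0);
  return (10 - (sum % 10)) % 10 === Number(s[10]);
}

// German Steuer-ID, 11 digits: ISO 7064 MOD 11,10 check digit, plus the structural
// rule that exactly one digit among the first ten occurs two or three times.
function isSteuerId(s) {
  if (!/^[1-9]\d{10}$/.test(s)) return false;
  const counts = new Map();
  for (const c of s.slice(0, 10)) counts.set(c, (counts.get(c) || 0) + 1);
  const repeated = [...counts.values()].filter((n) => n > 1);
  if (repeated.length !== 1 || repeated[0] > 3) return false;
  let product = 10;
  for (let i = 0; i < 10; i++) {
    let sum = (Number(s[i]) + product) % 10;
    if (sum === 0) sum = 10;
    product = (2 * sum) % 11;
  }
  return (11 - product) % 10 === Number(s[10]);
}

// Italian Codice Fiscale, 16 characters: the last letter is a checksum over the first
// 15, using one table for odd 1-based positions and plain ordinals for even ones.
const CF_RE = /^[A-Z]{6}[0-9LMNPQRSTUV]{2}[ABCDEHLMPRST][0-9LMNPQRSTUV]{2}[A-Z][0-9LMNPQRSTUV]{3}[A-Z]$/;
const CF_ODD_DIGIT = [1, 0, 5, 7, 9, 13, 15, 17, 19, 21];
const CF_ODD_LETTER = [1, 0, 5, 7, 9, 13, 15, 17, 19, 21, 2, 4, 18, 20, 11, 3, 6, 8, 12, 14, 16, 10, 22, 25, 24, 23];
function isCodiceFiscale(s) {
  const u = s.toUpperCase();
  if (!CF_RE.test(u)) return false;
  let sum = 0;
  for (let i = 0; i < 15; i++) {
    const code = u.charCodeAt(i);
    const isDigit = code >= 48 && code <= 57;
    const idx = isDigit ? code - 48 : code - 65;
    if (i % 2 === 0) sum += isDigit ? CF_ODD_DIGIT[idx] : CF_ODD_LETTER[idx]; // odd position
    else sum += idx; // even position: digit value, or A=0..Z=25
  }
  return String.fromCharCode(65 + (sum % 26)) === u[15];
}

// Candidate shapes are deliberately loose; the validator does the discrimination.
// An 11-digit run is tried as both PESEL and Steuer-ID; each checksum rejects the other's numbers.
const RECOGNIZERS = [
  { entity: 'SE_PERSONNUMMER', re: /\b\d{6}[-+]?\d{4}\b/g, valid: isPersonnummer },
  { entity: 'PL_PESEL', re: /\b\d{11}\b/g, valid: isPesel },
  { entity: 'DE_STEUER_ID', re: /\b\d{11}\b/g, valid: isSteuerId },
  { entity: 'IT_CODICE_FISCALE', re: /\b[A-Za-z]{6}[0-9A-Za-z]{2}[A-Za-z][0-9A-Za-z]{2}[A-Za-z][0-9A-Za-z]{3}[A-Za-z]\b/g, valid: isCodiceFiscale },
];

function findIds(text) {
  const hits = [];
  for (const r of RECOGNIZERS) {
    for (const m of text.matchAll(r.re)) {
      if (r.valid(m[0])) hits.push({ entity: r.entity, value: m[0], start: m.index, end: m.index + m[0].length });
    }
  }
  return hits.sort((a, b) => a.start - b.start);
}

// Constructed sample: four valid IDs, a personnummer-shaped invoice reference with a
// wrong check digit, and an 11-digit order number that satisfies neither checksum.
const SAMPLE = [
  'Anställningsavtal: personnummer 811218-9876.',
  'Steuer-ID 86095742719, PESEL 44051401359, Codice Fiscale RSSMRA85T10A562S.',
  'Invoice ref 811218-9875 and order 12345678901 are not identifiers.',
].join('\n');

console.log(JSON.stringify(findIds(SAMPLE), null, 2));
```

On the sample, the regexes alone would flag six candidates; the checksums keep the four real identifiers and drop the invoice reference and the order number, and they do so identically on every run, which is what an audit record needs. Checksums cut false positives but do not prove that a number was issued to a real person, and date-field plausibility (month and day ranges in personnummer and PESEL) is omitted here for brevity.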

// Big IT Players: High Cost, No Guaranteed Compliance

Microsoft Purview, AWS Macie, Google Cloud DLP are expensive, require cloud connectivity, and lock organizations in. More critically, all are US-headquartered. The CLOUD Act of 2018 obligates them to disclose data in their possession, custody, or control on a valid US government request, wherever in the world that data is stored. FISA Section 702 enables intelligence collection targeting non-US persons abroad without individual warrants. Schrems II invalidated the EU-US Privacy Shield for exactly this reason. A six-figure annual contract with a US cloud provider does not by itself produce GDPR-compliant data processing.

04

The Uncontrolled AI Problem: The Market Has No Answer

77% of employees share sensitive work information with AI tools at least weekly. 34.8% of all AI tool inputs qualify as sensitive under at least one privacy framework. Employees use ChatGPT, Copilot, Claude, Gemini to draft contracts, summarize notes, analyze spreadsheets. They do this constantly, automatically, without awareness of what they paste into a prompt.

Traditional DLP systems cannot understand the semantic content of a natural-language prompt. They cannot tell a developer asking about a code pattern apart from one pasting a 50,000-record production database. The AI models process everything. They offer no protection, no warnings, no audit trail a DPO can rely upon.

What is missing is the technical layer that makes policy enforceable in practice. No vendor offers that layer at a price a mid-sized organization can afford. No vendor offers it in a form that works across the AI tools employees actually use. This is one of the gaps this ecosystem was built to close.

05

The Accessibility Gap: Compliance as a Privilege of Scale

A solo practitioner, a community organization, a small public authority, a research institution. Each one faces the same GDPR, the same right to erasure, the same breach notification obligation as a global bank. None has the legal team, the engineering resources, or the enterprise software budget to implement them properly. The compliance ecosystem has served large organizations adequately, if expensively. It has served everyone else with a mandate and no practical means of satisfying it.

The Ecosystem Response — One Platform, Multiple Expressions

The umbrella platform and primary access point. Hybrid dual-layer PII detection (285+ entities, 48 languages, 121 compliance presets) across all deployment models — SaaS, managed private cloud, and self-managed. All derived products share the same detection engine and the same founding principle: power in the user's hands.

Enterprise air-gapped edition. 390+ entities, 317 custom regex patterns, 100% offline processing, image OCR in 37 languages. Zero cloud dependency — the data never leaves the device.

Cloud-first PII platform with the widest access. Chrome Extension for real-time AI interception, MCP Server, Office Add-in, reversible encryption. Free to €29/month — compliance for every budget.

Desktop-first, fully local. Presidio sidecar on-device, 7 document formats + OCR, batch processing, encrypted vault. One-time perpetual license — no subscriptions, no cloud, fully offline after activation.

Instant public demo platform. No account required — paste text, anonymize immediately, see the engine in action. The fastest way to experience what the ecosystem does.

Umbrella Platform — SaaS · Managed Private · Self-Managed · 3 deployment models

Hybrid Dual-Layer Detection — 285+ entities · 48 languages
  • Organizations report 67% of developers have accidentally exposed secrets in code — deterministic regex catches what NLP misses and vice versa
  • General-purpose AI detection achieves a 69% miss rate in non-English text — dual-layer spaCy + XLM-RoBERTa closes the gap across all 48 languages
121 Compliance Presets — GDPR · HIPAA · FERPA · PCI-DSS
  • Inconsistent redaction across teams is the #1 cited ICO and DPA audit finding — presets enforce identical detection behavior for every user, every session
  • 95% of 2024 data breaches tied to human error — shared presets eliminate the per-person configuration decisions that create variance
6 Integration Points — API · MCP · Office · Desktop · Extension · Air-gap
  • Multi-vendor PII stacks create audit trail gaps — 60%+ of organizations using 3+ PII tools report reconciliation failures between tools
  • Format fragmentation: organizations process PDF, DOCX, XLSX, CSV, JSON simultaneously — each format previously required a separate approach, a separate tool, a separate audit record
3 Deployment Models + EU Hosting — 100% EU · Hetzner Germany · ISO 27001
  • Enterprise PII tools cost $50,000–$500,000/year — organizations with cost constraints have historically had no option at all
  • CLOUD Act + FISA Section 702 mean US-hosted "GDPR-compliant" processing is a contractual fiction — EU-only hosting removes this exposure entirely
Differentiator: Unified platform across all deployment models. One detection engine, one API, one audit trail — whether processing is SaaS, private cloud, or fully self-managed on your own infrastructure.

Enterprise Air-Gapped — 390+ entities · 317 custom regex · 100% offline · Image OCR

390+ Entities · 317 Custom Regex — Highest coverage in the ecosystem
  • Industry-specific PII goes uncovered by any commercial tool. Examples: nuclear facility codes, military service numbers, proprietary internal IDs. Custom recognizers in raw Presidio require weeks of specialist engineering.
  • Coverage incompleteness sets the detection ceiling. No general tool covers all PII types, all languages, all formats. 317 curated patterns close the gaps that out-of-the-box frameworks miss.
100% Offline, Zero Cloud Dependency — No data leaves the device
  • The vendor paradox: to protect PII you must share it with a vendor. Cloud processing requires trusting the processor — an architectural contradiction for organizations handling the most sensitive data
  • Air-gapped environments (defense, intelligence, critical infrastructure, research labs) cannot use cloud-dependent tools at any price — offline-first removes the architectural barrier entirely
Image OCR: Text PII in Images — 37 OCR language packs
  • Microsoft Purview explicitly cannot scan JPEG/PNG — text PII in screenshots is completely invisible to the enterprise DLP stack by design
  • SparkCat malware (iOS/Android, Dec 2025) used OCR to steal crypto wallet recovery phrases from screenshots. Image-based text PII is an active attack target, not a theoretical risk.
Zero-Knowledge Auth · AES-256-GCM Vault — Password never leaves the device
  • 300% increase in cloud-based data breaches between 2022 and 2024 — zero-knowledge means a breach of our servers exposes nothing, because nothing is stored
  • ISO 27001:2022 certified with regular full-stack pentesting — the security posture that regulated procurement requires is documented, verified, and independently audited
Differentiator: The only product in the ecosystem where data processing is guaranteed to never leave the local device. Zero cloud dependency, zero trust required in any third party. The user holds every key.

Cloud PII Platform — Free to €29/mo · Chrome Extension · MCP Server · Office Add-in

Chrome Extension: Real-Time AI Interception — ChatGPT · Claude · Gemini · Copilot
  • 8.5% of all LLM prompts contain PII. Real-time interception before submission is the only prevention that works. Post-hoc detection misses the only window that matters.
  • Traditional DLP fires after the data has left the organization. The Chrome Extension intercepts at the point of input, before any model receives or processes sensitive content.
3-Layer Hybrid Detection (Presidio + NLP + Stance) — 100% accuracy on 419/419 test cases
  • Generative AI detection is non-deterministic. The same document produces different results on different runs; no probabilistic system can form the basis of a regulatory defense
  • Presidio alone misses context-dependent entities. XLM-RoBERTa alone generates false positives in formal legal language. A third stance-classification layer eliminates the false positives that make compliance teams distrust automated tools.
Reversible Encryption (AES-256-GCM) — Only the user can decrypt
  • Legal discovery, medical record access requests, regulatory audit — all sometimes require de-anonymization by the authorized party and only by them. Irreversible methods make this impossible.
  • The user's session key never leaves their device — not our servers, not any cloud, not any subprocessor. The right to reverse anonymization belongs to the user, not to us.
Free → €3 → €15 → €29 Pricing — Compliance for every budget
  • A solo practitioner faces the same GDPR right-to-erasure obligation as a global bank — but without a compliance department or a €500K/year enterprise software budget
  • 764 EU organizations sit simultaneously under investigation for right-to-erasure failures. Not because they intended to violate. Because the tools to comply were priced beyond their reach.
Differentiator: The only product in the ecosystem with a browser extension that intercepts PII before it reaches AI models. The most accessible entry point — free tier with no credit card, scaling to enterprise.

Desktop-First · 100% Local Processing · 7 Document Formats + OCR · One-Time License

100% Local Processing (Presidio Sidecar) — Data never leaves the device
  • 300% increase in cloud-based data breaches between 2022 and 2024 — data that never enters the cloud cannot be exposed in a cloud breach
  • CLOUD Act + FISA render US-hosted processing legally uncertain for EU organizations — local processing eliminates the entire cross-border transfer problem by ensuring no transfer occurs
7 Document Formats + Tesseract OCR — PDF · DOCX · XLSX · TXT · CSV · JSON · XML · Images
  • Format fragmentation forces organizations to maintain multiple tools — each tool creates a separate detection policy, a separate audit record, a separate failure mode
  • Log files are the neglected PII surface. Developers focus on databases, but logs contain API keys, user IDs, IP addresses. CSV and JSON ship as native formats alongside structured documents.
Ed25519 Machine-Bound Licensing — Offline after activation · 5 machines
  • Air-gapped production environments cannot tolerate a license check that requires network access. Examples: manufacturing floors, government secure facilities, research labs. One-time activation followed by fully offline operation is the only viable architecture.
  • Perpetual licenses with no recurring SaaS dependency: the user owns their installation; a vendor subscription cancellation cannot disable a tool at a critical processing moment
Batch Processing · Encrypted Vault · History — 1–5,000 files · AES-256-GCM
  • dbt pipeline rebuilds destroy masking policies on CSV/JSON data. EDPB 2024 clarifies that this violates GDPR Art. 5(1)(a). Vault storage with encrypted history gives every processed file an auditable, recoverable record.
  • Organizations processing thousands of legacy documents for GDPR right-to-erasure compliance need batch capability — not a 5-file-per-day SaaS limit that makes the task operationally impossible
Differentiator: One-time purchase, perpetual license, full offline operation. For organizations where data sovereignty is an absolute requirement and cloud dependency is architecturally unacceptable.

The Scale of the Problem

  • €5.65B: GDPR fines since 2018 — €1.2B in 2024 alone, accelerating
  • €530M: single enforcement action for cross-border transfer violations (2025)
  • 764: EU organizations simultaneously under right-to-erasure investigation
  • 77%: employees sharing sensitive work data with AI tools weekly, without authorization
  • 70%: document redactions that fail — protected text remains technically accessible
  • 300%: increase in cloud-based data breaches between 2022 and 2024
  • $10.22M: average data breach cost in healthcare — highest of any sector, rising for 15 years
  • 69%: PII miss rate in non-English text — while the law makes no distinction by language

These are not outlier failures. They are systemic outcomes of a compliance environment that has outpaced its own infrastructure.

About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

Related reading

We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

Where to start

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.