STATEMENT OF THE FOUNDER

Why I Initiated This Ecosystem — A Professional Conviction After 28 Years

George Curta · curta.solutions · est. 1998 · 26 countries · March 2026
// core principle

Your data. Your keys. Your rules.

Every product in this ecosystem is built on a single architectural commitment: your data, your keys, your control. Your password never leaves your device. Your documents are never stored. Your encryption key is yours alone. No US cloud law, no vendor subpoena, no data broker can reach what was never shared.

Zero-Knowledge Auth · Local-First Processing · User Holds the Keys · Offline-Capable · No Vendor Lock-In · EU Jurisdiction Only · Air-Gap Compatible · Reversible — By You

Background

For 28 years I have worked at the intersection of technology, security, and organizational compliance. I founded curta.solutions in 1998. Since then I have served regulated organizations across 26 countries — in financial services, healthcare, legal, government, manufacturing, and technology — as their partner in IT architecture, security, digital transformation, and compliance.

  • Systems Architect — enterprise infrastructure for sensitive data
  • Security Consultant — ISO 27001 programs, penetration testing, security architecture
  • Data Protection Advisor — alongside DPOs, legal teams, compliance officers
  • AI Integration Specialist — deploying AI in regulated, data-governance-critical environments
  • Founder & Initiator — identifying the gap, defining the vision, assembling the team to build what the market lacked

What I have observed over 28 years is not a slow evolution. It is a crisis in slow motion — one that reached a breaking point with the arrival of generative AI and the global proliferation of overlapping privacy regulation.

My Conviction

I believe that every person, organization, and institution has the right to share information selectively — to disclose to a regulator only what a regulator is entitled to see, to collaborate with a partner only over data that has been explicitly authorized, to participate in commercial and public life without surrendering what must remain private.

I believe this right must be practically exercisable by everyone — not only by organizations with compliance departments and enterprise software budgets. Privacy cannot be a privilege of scale.

I believe that in a world where US law can reach any data held by any US company anywhere on earth, and where 77% of employees feed sensitive data into AI tools they do not control, the only architecture that can deliver a meaningful privacy guarantee is one where the data never leaves the user's control in the first place. Not contractual guarantees. Not privacy policies. Technical architecture.

Zero-knowledge authentication. Local-first processing. Reversible encryption where the key belongs to the user. Offline-capable operation. EU jurisdiction, no exceptions. These are not product features. They are the minimum standard for any tool that claims to protect personal data.

And I believe that 28 years of working inside the organizations that handle the world's most sensitive information — 28 years of watching the gap between regulatory intent and technical reality widen — has given me both the understanding and the responsibility to initiate what the ecosystem still lacks. To define the vision, assemble the right team, and ensure it gets built to the standard the problem demands.

The right to anonymize personal information is not a technical feature. It is a fundamental right. And a right that cannot be practically exercised is no right at all.

// That is what anonymize.solutions is.
// That is why it exists.
// That is why it cannot wait.

The Problems I Have Observed

01. Regulatory Fragmentation: Too Many Rules, No Common Language

A mid-sized organization operating globally must simultaneously navigate 48+ national and regional privacy laws — GDPR, UK GDPR, CCPA, LGPD, PDPA, PIPL, DPDPA, APPI, PIPEDA and dozens more. 24 national DPAs in the EU alone issue binding guidance that is consistent in principle and divergent in practice. What satisfies the German BfDI does not automatically satisfy the French CNIL, the Irish DPC, or the Dutch AP. Sector-specific layering — HIPAA, PCI-DSS, NIS2, the AI Act — adds requirements rarely harmonized with each other.

The result is not a compliance framework. It is a moving target with 48 different bullseyes.

02. The Paper Monster: Agreements Nobody Reads, Controls Nobody Verifies

Organizations maintain data processing agreements with hundreds of subprocessors, Standard Contractual Clauses running to 30+ pages per transfer relationship, Records of Processing Activities, DPIAs, TIAs, LIAs — each requiring technical input that most legal teams cannot independently verify. In practice: organizations sign what they must sign, file what they must file, and hope the technical reality matches the contractual description. The paper monster generates the appearance of compliance. It rarely generates the substance of it.

03. Technical Inadequacy: The Tools Do Not Match the Obligation

// Probabilistic AI Recognition

Generative AI-based PII detection is non-deterministic: the same document processed twice produces different results. That is fundamentally incompatible with compliance, where you must demonstrate, reproducibly and verifiably, that specific data was detected and handled correctly.

// DIY Deterministic Systems

Microsoft Presidio, spaCy, Stanza — engineering platforms, not compliance tools. Deploying to production requires writing custom recognizers for every entity type and language, building pre/post-processing pipelines, integrating with document formats, maintaining everything as regulations evolve. Typically 30–80 hours of specialist engineering time before a single document is processed. Most organizations do not have that expertise in-house.

// Language and Document Recognition

A personnummer in a Swedish employment contract, a Steuer-ID in a German tax form, a PESEL in a Polish insurance document, a Codice Fiscale in an Italian invoice — each requires not just language detection but document-type-aware entity recognition. Language models trained predominantly on English produce a 69% PII miss rate in non-English text. The law makes no distinction by language.
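What deterministic, document-type-aware recognition of identifiers like these looks like in practice is easier to see in code than in prose. The following Go program is an added example of my own, not code from anonymize.solutions or any product on this page, and it also illustrates the regex-plus-checksum point made under Hybrid Dual-Layer Detection below. The entity names, the country-hint parameter and the sample text are my constructions; the check-digit rules are the published ones for the Polish PESEL, the Swedish personnummer and the German Steuer-ID (the Steuer-ID's repeated-digit rule is left out for brevity). The fingerprint shows the property a regulatory defence rests on: identical input gives byte-identical findings on every run, and the checksum step is what stops an arbitrary eleven-digit invoice number from being flagged.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one validated hit; byte offsets, not just values, are what an audit record needs.
type Finding struct {
	Entity, Text string
	Start, End   int
}

// validPESEL: weighted sum over the first ten digits; (10 - sum mod 10) mod 10 is the eleventh.
func validPESEL(s string) bool {
	if len(s) != 11 {
		return false
	}
	w := []int{1, 3, 7, 9, 1, 3, 7, 9, 1, 3}
	sum := 0
	for i := 0; i < 10; i++ {
		sum += int(s[i]-'0') * w[i]
	}
	return (10-sum%10)%10 == int(s[10]-'0')
}

// validPersonnummer: YYMMDD-NNNC, Luhn (weights 2,1,2,1,...) over the nine digits before the control digit.
func validPersonnummer(s string) bool {
	d := strings.ReplaceAll(s, "-", "")
	if len(d) != 10 {
		return false
	}
	sum := 0
	for i := 0; i < 9; i++ {
		if p := int(d[i]-'0') * (2 - i%2); p > 9 {
			sum += p - 9 // digit sum of a two-digit product
		} else {
			sum += p
		}
	}
	return (10-sum%10)%10 == int(d[9]-'0')
}

// validSteuerID: ISO 7064 MOD 11,10-style check digit over eleven digits, first digit never 0.
// (The rule that exactly one digit repeats among the first ten is omitted here.)
func validSteuerID(s string) bool {
	if len(s) != 11 || s[0] == '0' {
		return false
	}
	product := 10
	for i := 0; i < 10; i++ {
		sum := (int(s[i]-'0') + product) % 10
		if sum == 0 {
			sum = 10
		}
		product = (sum * 2) % 11
	}
	return (11-product)%10 == int(s[10]-'0') // 11-product == 10 means check digit 0
}

type recognizer struct {
	country, entity string
	re              *regexp.Regexp
	valid           func(string) bool
}

// Loose regexes find candidates; the checksum is the precision step.
var recognizers = []recognizer{
	{"PL", "PL_PESEL", regexp.MustCompile(`\b\d{11}\b`), validPESEL},
	{"DE", "DE_STEUER_ID", regexp.MustCompile(`\b\d{11}\b`), validSteuerID},
	{"SE", "SE_PERSONNUMMER", regexp.MustCompile(`\b\d{6}-\d{4}\b`), validPersonnummer},
}

// Scan runs every recognizer, or only those for the given country codes when the
// document type is known, and returns findings sorted by offset. Same input, same output.
func Scan(text string, countries ...string) []Finding {
	var out []Finding
	for _, r := range recognizers {
		if len(countries) > 0 && !wanted(countries, r.country) {
			continue
		}
		for _, m := range r.re.FindAllStringIndex(text, -1) {
			if s := text[m[0]:m[1]]; r.valid(s) {
				out = append(out, Finding{r.entity, s, m[0], m[1]})
			}
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Start < out[j].Start })
	return out
}

func wanted(list []string, c string) bool {
	for _, x := range list {
		if x == c {
			return true
		}
	}
	return false
}

// Fingerprint hashes the findings so two runs can be compared byte for byte.
func Fingerprint(f []Finding) string {
	h := sha256.New()
	for _, x := range f {
		fmt.Fprintf(h, "%s:%d:%d:%s\n", x.Entity, x.Start, x.End, x.Text)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Constructed sample: the identifiers are example numbers that satisfy each check digit, not real persons.
const sample = "Anställd: 811218-9876. Podatnik PESEL 44051401359. Steuer-ID 86095742719. Rechnungsnr. 12345678901 ist keine ID."

func main() {
	a, b := Scan(sample), Scan(sample)
	fmt.Println("reproducible:", Fingerprint(a) == Fingerprint(b))
	for _, f := range a {
		fmt.Printf("%-16s %s @%d\n", f.Entity, f.Text, f.Start)
	}
	fmt.Println("German tax form only:", len(Scan(sample, "DE")), "finding")
}
```

The two eleven-digit recognizers share a regex on purpose: the regex alone would flag every eleven-digit number, including the invoice number, and it is the checksum that separates a PESEL from a Steuer-ID from noise. A document-type hint (the country codes) narrows which recognizers run at all, which is what the "document-type-aware" requirement amounts to in code.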

// Big IT Players: High Cost, No Guaranteed Compliance

Microsoft Purview, AWS Macie, Google Cloud DLP — expensive, require cloud connectivity, lock organizations in. More critically: all are US-headquartered. The CLOUD Act of 2018 obligates them to disclose data anywhere in the world on a valid US government request. FISA Section 702 enables intelligence collection without individual warrants. Schrems II invalidated the EU-US Privacy Shield for exactly this reason. A six-figure annual contract with a US cloud provider does not produce GDPR-compliant data processing.

04. The Uncontrolled AI Problem: The Market Has No Answer

77% of employees share sensitive work information with AI tools at least weekly. 34.8% of all AI tool inputs contain information qualifying as sensitive under at least one privacy framework. Employees use ChatGPT, Copilot, Claude, Gemini to draft contracts, summarize notes, analyze spreadsheets — constantly, automatically, without awareness of what they are pasting into a prompt.

Traditional DLP systems cannot understand the semantic content of a natural-language prompt. They cannot distinguish a developer asking an AI to explain a code pattern from a developer pasting a 50,000-record production database into the same window. The AI models process everything. They offer no protection, no warnings, no audit trail a DPO can rely upon.

What is missing is the technical layer that makes policy enforceable in practice. That layer does not exist in the market at any price point a mid-sized organization can afford, in any form that works across the AI tools employees actually use. This is one of the gaps this ecosystem was built to close.

05. The Accessibility Gap: Compliance as a Privilege of Scale

A solo practitioner, a community organization, a small public authority, a research institution — each subject to the same GDPR, the same right to erasure, the same breach notification obligation as a global bank — but without the legal team, the engineering resources, or the enterprise software budget to implement them properly. The compliance ecosystem has served large organizations adequately, if expensively. It has served everyone else with a mandate and no practical means of satisfying it.

The Ecosystem Response — One Platform, Multiple Expressions

The umbrella platform and primary access point. Hybrid dual-layer PII detection (260+ entities, 48 languages, 121 compliance presets) across all deployment models — SaaS, managed private cloud, and self-managed. All derived products share the same detection engine and the same founding principle: power in the user's hands.

Enterprise air-gapped edition. 390+ entities, 317 custom regex patterns, 100% offline processing, image OCR in 37 languages. Zero cloud dependency — the data never leaves the device.

Cloud-first PII platform with the widest access. Chrome Extension for real-time AI interception, MCP Server, Office Add-in, reversible encryption. Free to €29/month — compliance for every budget.

Desktop-first, fully local. Presidio sidecar on-device, 7 document formats + OCR, batch processing, encrypted vault. One-time perpetual license — no subscriptions, no cloud, fully offline after activation.

Instant public demo platform. No account required — paste text, anonymize immediately, see the engine in action. The fastest way to experience what the ecosystem does.

Umbrella Platform — SaaS · Managed Private · Self-Managed · 3 deployment models

Hybrid Dual-Layer Detection: 260+ entities · 48 languages
  • //Organizations report 67% of developers have accidentally exposed secrets in code — deterministic regex catches what NLP misses and vice versa
  • //General-purpose AI detection achieves 69% miss rate in non-English text — dual-layer with spaCy + XLM-RoBERTa closes the gap across all 48 languages
121 Compliance Presets: GDPR · HIPAA · FERPA · PCI-DSS
  • //Inconsistent redaction across teams is the #1 cited ICO and DPA audit finding — presets enforce identical detection behavior across every user, every session
  • //95% of 2024 data breaches tied to human error — shared presets eliminate the per-person configuration decisions that create variance
6 Integration Points: API · MCP · Office · Desktop · Extension · Air-gap
  • //Multi-vendor PII stacks create audit trail gaps — 60%+ of organizations using 3+ PII tools report reconciliation failures between tools
  • //Format fragmentation: organizations process PDF, DOCX, XLSX, CSV, JSON simultaneously — each format previously required a separate approach, a separate tool, a separate audit record
3 Deployment Models + EU Hosting: 100% EU · Hetzner Germany · ISO 27001
  • //Enterprise PII tools cost $50,000–$500,000/year — organizations with cost constraints have historically had no option at all
  • //CLOUD Act + FISA Section 702 mean US-hosted "GDPR-compliant" processing is a contractual fiction — EU-only hosting removes this exposure entirely
Differentiator: Unified platform across all deployment models. One detection engine, one API, one audit trail — whether processing is SaaS, private cloud, or fully self-managed on your own infrastructure.

Enterprise Air-Gapped — 390+ entities · 317 custom regex · 100% offline · Image OCR

390+ Entities · 317 Custom Regex: Highest coverage in ecosystem
  • //Industry-specific PII — nuclear facility codes, military service numbers, proprietary internal IDs — not covered by any commercial tool; custom recognizers require weeks of specialist engineering in raw Presidio
  • //Coverage incompleteness is the detection ceiling: no general tool covers all PII types, all languages, all formats — 317 curated patterns close the gaps that out-of-the-box frameworks miss
100% Offline — Zero Cloud Dependency: No data leaves the device
  • //The vendor paradox: to protect PII you must share it with a vendor. Cloud processing requires trusting the processor — an architectural contradiction for organizations handling the most sensitive data
  • //Air-gapped environments (defense, intelligence, critical infrastructure, research labs) cannot use cloud-dependent tools at any price — offline-first removes the architectural barrier entirely
Image OCR — Text PII in Images: 37 OCR language packs
  • //Microsoft Purview explicitly cannot scan JPEG/PNG — text PII in screenshots is completely invisible to the enterprise DLP stack by design
  • //SparkCat malware (iOS/Android, Dec 2025) used OCR to steal crypto wallet recovery phrases from screenshots — image-based text PII is an active attack target, not a theoretical risk
Zero-Knowledge Auth · AES-256-GCM Vault: Password never leaves device
  • //300% increase in cloud-based data breaches between 2022 and 2024 — zero-knowledge means a breach of our servers exposes nothing, because nothing is stored
  • //ISO 27001:2022 certified with regular full-stack pentesting — the security posture that regulated procurement requires is documented, verified, and independently audited
Differentiator: The only product in the ecosystem where data processing is guaranteed to never leave the local device. Zero cloud dependency, zero trust required in any third party. The user holds every key.

Cloud PII Platform — Free to €29/mo · Chrome Extension · MCP Server · Office Add-in

Chrome Extension — Real-Time AI Interception: ChatGPT · Claude · Gemini · Copilot
  • //8.5% of all LLM prompts contain PII — real-time interception before submission is the only prevention that works; post-hoc detection misses the only window that matters
  • //Traditional DLP fires after the data has left the organization — the Chrome Extension intercepts at the point of input, before any model receives or processes sensitive content
3-Layer Hybrid Detection (Presidio + NLP + Stance): 95.5% accuracy · 42/44 tests
  • //Generative AI detection is non-deterministic — the same document produces different results on different runs; no probabilistic system can form the basis of a regulatory defense
  • //Presidio alone misses context-dependent entities; XLM-RoBERTa alone generates false positives in formal legal language — a third stance-classification layer eliminates the false positives that make compliance teams distrust automated tools
Reversible Encryption (AES-256-GCM): Only the user can decrypt
  • //Legal discovery, medical record access requests, regulatory audit — anonymized data must sometimes be de-anonymized by the authorized party and only by them; irreversible methods make this impossible
  • //The user's session key never leaves their device — not our servers, not any cloud, not any subprocessor. The right to reverse anonymization belongs to the user, not to us.
Free → €3 → €15 → €29 Pricing: Compliance for every budget
  • //A solo practitioner faces the same GDPR right-to-erasure obligation as a global bank — but without a compliance department or a €500K/year enterprise software budget
  • //764 EU organizations are simultaneously under investigation for right-to-erasure failures — not because they intended to violate; because the tools to comply were priced beyond their reach
Differentiator: The only product in the ecosystem with a browser extension that intercepts PII before it reaches AI models. The most accessible entry point — free tier with no credit card, scaling to enterprise.
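The reversible-encryption and zero-knowledge points above state a property (only the user can reverse, the key never leaves the device) rather than a mechanism. The Go program below is an added example of my own, not code from the Cloud PII Platform or any product on this page, of one way to build that property: detected values are swapped for typed tokens, the token map is sealed with AES-256-GCM under a key derived on the device from the user's passphrase, and the pseudonymised text is bound as associated data so the map cannot be re-attached to a different document. PBKDF2 as the derivation step, the token format, the struct layout and the sample note are my assumptions; the point it demonstrates is that whoever stores the record, vendor included, holds ciphertext and a salt, nothing that can be reversed without the passphrase.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// PII is one detected value and its entity type; detection itself is a separate step.
type PII struct{ Value, Entity string }

// Pseudonymized is all that may leave the device: tokenised text plus the token map
// encrypted under a key derived from the user's passphrase. Salt and nonce are public;
// the passphrase and the derived key never exist outside the device.
type Pseudonymized struct {
	Text       string
	Salt       []byte
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the tag appended
}

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) written out so the example builds on older
// toolchains; Go 1.24+ ships it as crypto/pbkdf2.
func pbkdf2(pass, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, pass)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// gcmFor derives the 256-bit vault key on the device and returns an AES-256-GCM AEAD.
func gcmFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2([]byte(passphrase), salt, 100_000, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Pseudonymize swaps each PII value for a typed token and seals the token map, with
// the tokenised text as associated data.
func Pseudonymize(text string, found []PII, passphrase string) (*Pseudonymized, error) {
	tokens := map[string]string{}
	for i, p := range found {
		tok := fmt.Sprintf("[%s_%d]", p.Entity, i+1)
		text = strings.ReplaceAll(text, p.Value, tok)
		tokens[tok] = p.Value
	}
	plain, _ := json.Marshal(tokens)
	salt, nonce := make([]byte, 16), make([]byte, 12)
	for _, b := range [][]byte{salt, nonce} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return &Pseudonymized{text, salt, nonce, gcm.Seal(nil, nonce, plain, []byte(text))}, nil
}

// Reverse is the by-the-user-only step. Without the passphrase, whoever holds the
// record gets an authentication failure, not plaintext; so does anyone who edited it.
func Reverse(p *Pseudonymized, passphrase string) (string, error) {
	gcm, err := gcmFor(passphrase, p.Salt)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, p.Nonce, p.Ciphertext, []byte(p.Text))
	if err != nil {
		return "", errors.New("wrong passphrase or tampered record")
	}
	var tokens map[string]string
	if err := json.Unmarshal(plain, &tokens); err != nil {
		return "", err
	}
	text := p.Text
	for tok, value := range tokens {
		text = strings.ReplaceAll(text, tok, value)
	}
	return text, nil
}

// Constructed sample: an HR note with an example personnummer, not a real person.
const note = "Anställd Anna Svensson, 811218-9876, begär registerutdrag."

var found = []PII{{"Anna Svensson", "PERSON"}, {"811218-9876", "SE_PERSONNUMMER"}}

func main() {
	p, err := Pseudonymize(note, found, "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("leaves the device:", p.Text)
	back, err := Reverse(p, "correct horse battery staple")
	fmt.Println("user reverses:    ", back, err)
	_, err = Reverse(p, "vendor guess")
	fmt.Println("anyone else:      ", err)
}
```

Note what the design gives up: because the key is derived only from the passphrase, a forgotten passphrase means the mapping is unrecoverable, by the vendor as much as by the user. That is the trade the "user holds every key" commitment makes, and it should be stated to users as plainly as the guarantee itself.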

Desktop-First · 100% Local Processing · 7 Document Formats + OCR · One-Time License

100% Local Processing — Presidio Sidecar: Data never leaves the device
  • //300% increase in cloud-based data breaches between 2022 and 2024 — data that never enters the cloud cannot be exposed in a cloud breach
  • //CLOUD Act + FISA render US-hosted processing legally uncertain for EU organizations — local processing eliminates the entire cross-border transfer problem by ensuring no transfer occurs
7 Document Formats + Tesseract OCR: PDF · DOCX · XLSX · TXT · CSV · JSON · XML · Images
  • //Format fragmentation forces organizations to maintain multiple tools — each tool creates a separate detection policy, a separate audit record, a separate failure mode
  • //Log files are the neglected PII surface — developers focus on databases but logs contain API keys, user IDs, IP addresses; CSV and JSON are natively supported alongside structured documents
Ed25519 Machine-Bound Licensing: Offline after activation · 5 machines
  • //Air-gapped production environments — manufacturing floors, government secure facilities, research labs — cannot tolerate a license check that requires network access; one-time activation then fully offline operation is the only viable architecture
  • //Perpetual licenses with no recurring SaaS dependency: the user owns their installation; a vendor subscription cancellation cannot disable a tool at a critical processing moment
Batch Processing · Encrypted Vault · History: 1–5,000 files · AES-256-GCM
  • //dbt pipeline rebuilds destroy masking policies on CSV/JSON data — EDPB 2024 clarifies this violates GDPR Art. 5(1)(a); vault storage with encrypted history means every processed file has an auditable, recoverable record
  • //Organizations processing thousands of legacy documents for GDPR right-to-erasure compliance need batch capability — not a 5-file-per-day SaaS limit that makes the task operationally impossible
Differentiator: One-time purchase, perpetual license, full offline operation. For organizations where data sovereignty is an absolute requirement and cloud dependency is architecturally unacceptable.
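The Ed25519 machine-bound licensing point above is worth showing as code, because it explains why a license check can be fully offline without being trivially bypassed. The Go program below is an added example of my own, not the desktop product's actual license format or code: the vendor signs a small payload (customer, product, activated machine fingerprints, expiry) once, at activation, and the client verifies it against a public key compiled into the binary, with no network access at all. The payload fields, the fingerprint inputs and the constructed key pair are my assumptions; the five-machine limit is the number the page states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the signed payload. Machines lists the fingerprints activated for this
// customer; Expires is unix seconds, 0 meaning perpetual.
type License struct {
	Customer string   `json:"customer"`
	Product  string   `json:"product"`
	Machines []string `json:"machines"`
	Expires  int64    `json:"expires"`
}

// Signed is the license file shipped to the customer: the payload bytes exactly as
// signed, plus the vendor's Ed25519 signature over them.
type Signed struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Fingerprint derives a stable machine id from hardware identifiers; which ones to
// read is a product decision, so here they are constructed strings.
func Fingerprint(hardwareIDs ...string) string {
	h := sha256.New()
	for _, id := range hardwareIDs {
		h.Write([]byte(id))
		h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" differ
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Issue is the vendor side, run once at activation, and the only step that needs
// the private key. It enforces the per-license machine limit.
func Issue(priv ed25519.PrivateKey, lic License, maxMachines int) (*Signed, error) {
	if len(lic.Machines) > maxMachines {
		return nil, errors.New("activation limit exceeded")
	}
	payload, err := json.Marshal(lic)
	if err != nil {
		return nil, err
	}
	return &Signed{payload, ed25519.Sign(priv, payload)}, nil
}

// Verify is the client side and needs no network: only the vendor's public key
// compiled into the binary, the license file, this machine's fingerprint and a clock.
// The signature is checked before the payload is even parsed.
func Verify(pub ed25519.PublicKey, s *Signed, thisMachine string, now time.Time) (*License, error) {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return nil, errors.New("bad signature: license altered or not issued by vendor")
	}
	var lic License
	if err := json.Unmarshal(s.Payload, &lic); err != nil {
		return nil, err
	}
	if lic.Expires != 0 && now.Unix() > lic.Expires {
		return nil, errors.New("license expired")
	}
	for _, m := range lic.Machines {
		if m == thisMachine {
			return &lic, nil
		}
	}
	return nil, errors.New("license not activated for this machine")
}

func main() {
	// Constructed vendor key pair for the demo; a real vendor keeps priv offline.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	here := Fingerprint("board-serial-ABC123", "disk-uuid-0001")
	s, _ := Issue(priv, License{"Example GmbH", "desktop", []string{here}, 0}, 5)
	_, err := Verify(pub, s, here, time.Now())
	fmt.Println("this machine:", err)
	_, err = Verify(pub, s, Fingerprint("board-serial-XYZ", "disk-uuid-9"), time.Now())
	fmt.Println("other machine:", err)
	s.Payload = append(s.Payload[:len(s.Payload)-1], ' ', '}') // license file edited by hand
	_, err = Verify(pub, s, here, time.Now())
	fmt.Println("edited file:", err)
}
```

The asymmetry is the whole point: the client binary carries only the public key, so nothing extractable from an installed copy lets anyone mint licenses, and the client never needs to phone home because verification is a pure function of the file, the key and the machine. A reviewer would still ask what the product does about a deliberately wrong system clock when an expiry is set; for perpetual licenses, as the page describes, that question does not arise.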

The Scale of the Problem

  • €5.65B: GDPR fines since 2018 — €1.2B in 2024 alone, accelerating
  • €530M: single enforcement action for cross-border transfer violations (2025)
  • 764: EU organizations simultaneously under right-to-erasure investigation
  • 77%: employees sharing sensitive work data with AI tools weekly, without authorization
  • 70%: document redactions that fail — protected text remains technically accessible
  • 300%: increase in cloud-based data breaches between 2022 and 2024
  • $10.22M: average data breach cost in healthcare — highest of any sector, rising for 15 years
  • 69%: PII miss rate in non-English text — while the law makes no distinction by language

These are not outlier failures. They are systemic outcomes of a compliance environment that has outpaced its own infrastructure.