Back to BlogTechnical

Use Claude & ChatGPT Without Leaking PII

A developer's guide to using AI assistants securely. Set up MCP Server integration for transparent PII protection in Claude Desktop, Cursor, and VS Code.

February 22, 20267 minute read
MCP ServerClaude DesktopCursor IDEsecure AIdeveloper tools

The Developer's Dilemma

You are debugging a production issue. The stack trace has customer email addresses in it. The fastest fix? Paste it into Claude and ask for help.

But that data is now:

  • Stored in Anthropic's systems
  • Possibly used for model training, depending on your plan
  • Visible to anyone who can access your chat history

77% of developers paste sensitive data into AI tools. Most do not notice the problem until later.

How the Proxy Fixes This

The Model Context Protocol (MCP) lets a server sit between you and any AI tool. The anonym.legal MCP server uses that position to strip PII before your text hits any model.

It works in four steps:

  1. You type a prompt as normal
  2. The proxy catches it before sending
  3. PII is found and swapped for reversible tokens
  4. The AI only sees clean, anonymized text

The AI's reply comes back with real values restored. Your workflow does not change.

Setting Up the Integration

What You Need

  • Node.js 18 or later
  • Claude Desktop, Cursor, or VS Code with the Claude extension
  • An anonym.legal API key — get one free

Step 1: Get Your API Key

  1. Sign up at anonym.legal/auth/signup
  2. Go to Settings → API Tokens
  3. Create a new token
  4. Copy it — you only see it once

Step 2: Configure Claude Desktop

Edit the config file for your OS:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json

Add the anonym.legal server:

{
  "mcpServers": {
    "anonym-legal": {
      "command": "npx",
      "args": ["-y", "@anonym-legal/mcp-server"],
      "env": {
        "ANONYM_API_KEY": "your-api-key-here"
      }
    }
  }
}

Step 3: Restart Claude Desktop

Close and reopen the app. You will see "anonym-legal" listed under active servers.

Cursor IDE Setup

Cursor uses the same protocol. Add this to .cursor/mcp.json:

{
  "mcpServers": {
    "anonym-legal": {
      "url": "https://anonym.legal/mcp",
      "transport": "sse",
      "headers": {
        "Authorization": "Bearer your-api-key-here"
      }
    }
  }
}

What Gets Anonymized

The server catches 285+ entity types across 48 languages:

CategoryExamples
PersonalNames, emails, phone numbers, DOB
FinancialCredit cards, bank accounts, IBANs
GovernmentSSNs, passport numbers, driver's licenses
TechnicalIP addresses, API keys, tokens
HealthcarePatient IDs, insurance numbers
CorporateEmployee IDs, account numbers

Example Transformation

Your prompt:

Debug this error from user john.smith@acme.com:
Payment failed for card 4532-1234-5678-9012
Customer ID: CUST-12345, IP: 192.168.1.100

What the model sees:

Debug this error from user [EMAIL_1]:
Payment failed for card [CREDIT_CARD_1]
Customer ID: [CUSTOMER_ID_1], IP: [IP_ADDRESS_1]

The reply you see:

The error for john.smith@acme.com suggests card
4532-1234-5678-9012 may have low funds...

You see real values. The model only ever saw tokens.

Advanced Options

Custom patterns — add your own regex to the CUSTOM_PATTERNS env var:

"CUSTOM_PATTERNS": "JIRA-[0-9]+,TICKET-[A-Z0-9]+"

Allowlist — keep public names from being masked:

"ALLOWLIST": "Anthropic,Claude,anonym.legal"

Disable entity types — let certain categories pass through:

"DISABLED_ENTITIES": "PHONE_NUMBER,URL"

Where Processing Happens

ComponentLocation
MCP serverYour machine
PII detectionanonym.legal servers (Germany)
AI modelAnthropic / OpenAI servers

The proxy runs on your machine. Only the detection call goes to anonym.legal. Your prompts are not stored. See the privacy policy for details.

Pricing

The integration is included in all plans:

PlanTokens/cyclePrice
Free200€0
Basic1,000€3/month
Pro4,000€15/month
Business10,000€29/month

Most developers stay on Basic at €3/month.

Conclusion

AI tools are now part of daily dev work. They do not need to see your customers' data to be useful. The proxy handles that for you.

The integration:

  • Needs no workflow changes
  • Works with Claude Desktop, Cursor, and VS Code
  • Guards PII on every prompt, every time
  • Costs €3/month for most developers

Set it up once. Your data stays safe by default.

When This Approach Has Limits

An MCP proxy makes secure AI usage close to frictionless, but it changes where your trust sits rather than removing the need for it — and a few cases fall outside its protection.

Detection happens server-side and is not perfect. The proxy sends your prompt to a detection service before forwarding clean text to the model. That detection step can miss an unusual identifier or an identifier embedded in code or logs, and anything it misses reaches the AI provider in the clear. For highly sensitive material, sanity-check the masked output rather than trusting every prompt blindly.

The proxy only protects traffic that flows through it. A teammate who pastes directly into the web UI, uses an AI surface you have not wired through MCP, or disables the server for a "quick question" bypasses the safeguard entirely. Protection is a function of consistent configuration across every tool and every developer, not of installing it once.

Tokens are reversible, so key handling matters. Reversible tokenization is what lets the model's reply come back with real values restored — but that means the mapping exists and is sensitive. Under the GDPR, tokenized output is pseudonymized, not anonymized; treat it as personal data and protect the key accordingly.

You still trust the detection service and your own machine. The proxy keeps raw text away from the model vendor, but the detection call goes to anonym.legal, and the proxy runs locally with your API key. A compromised developer machine or a leaked key undermines the model regardless of how well the proxy works. Pair it with normal key hygiene and endpoint security.


Sources

Limitations / When this doesn't apply

Detection happens server-side and is not perfect: the proxy can miss an unusual identifier or one embedded in code or log output, and anything it misses reaches the AI provider in the clear — so for highly sensitive material, sanity-check the masked output rather than trusting every prompt blindly.

  • The proxy only protects traffic that flows through it. A teammate who pastes into the web UI directly, uses an AI surface not wired through MCP, or disables the server for a "quick question" bypasses it entirely; protection depends on consistent configuration across every tool and developer.
  • Tokens are reversible, so the mapping is sensitive. Under the GDPR, tokenized output is pseudonymized, not anonymized — treat it as personal data and protect the key accordingly.
  • You still trust the detection service and your own machine: the detection call goes to anonym.legal and the proxy runs locally with your API key, so a compromised machine or leaked key undermines the protection regardless of how well the proxy works.

Ready to protect your data?

Start anonymizing PII with 285+ entity types across 48 languages.

About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our company HQ is in Saarbrücken, Germany. Our servers run in Hetzner's Falkenstein datacenter.

Hetzner holds ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

Where to start

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.