
Feature

PII Masking That Runs Before Data Leaves The Browser

A 12-category pattern validator + Luhn-validation pass in the SDK, plus an ONNX/WebGPU GLiNER deep-scan when the Relyv browser extension is installed. Credit cards, emails, and SSNs never reach our servers — or yours.

Why teams pick this

18 PII types out of the box

Cards, SSNs, emails, phone numbers, addresses, dates of birth, passports, drivers' licenses, IBANs, Bitcoin addresses, plus 8 more — all detected and masked by default.

GLiNER deep-scan (Relyv extension)

With the Relyv browser extension installed, an ONNX/WebGPU GLiNER model runs in an offscreen document to catch context-bound PII the regex pass would miss — zero round-trips, zero data leaving the browser. SDK-only customers get the regex + Luhn pass; the deep-scan tier ships with the extension.

Deep-scan opt-in

For HIPAA / fintech workloads, a heavier deep-scan pass adds another 14 categories — diagnoses, medications, account numbers — at the cost of ~10 ms per input event.

Audit log

Every mask decision is logged with a confidence score and the rule that fired. Compliance gets a CSV export; engineering gets a debug view.

How it works

  1. SDK installs

    No additional config. PII masking is on by default the moment Relyv loads. Custom rules and category toggles live in the workspace settings panel.

  2. Validators scan inputs

    Every form field, console log, and DOM mutation is run through the validator pass. Common PII shapes (Luhn-valid cards, RFC emails, US SSN format) are masked instantly.

  3. GLiNER deep-scan (extension)

    When the Relyv browser extension is installed, suspicious context — long strings near "ssn:" labels, free-text fields with name + DOB pairs — gets a second pass through an ONNX/WebGPU GLiNER model running in an offscreen document. Latency: under 10 ms. SDK-only customers stop after the regex/Luhn pass.

  4. Masked data uploads

    Only the masked stream leaves the browser. Mask tokens use a deterministic format (****-****-****-1234) so engineers can still match patterns without seeing values.
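The validator step and the deterministic mask token can be sketched as follows. This is an added example, not Relyv SDK code: the names `luhnValid`, `maskCards` and the `card-luhn` rule label are hypothetical, and the card numbers are constructed test values. It shows why the Luhn check matters: a 16-digit order number has the same shape as a card but fails the checksum and is left untouched.

```javascript
// Added example, not Relyv SDK code; all names here are hypothetical.

// Luhn checksum: walking from the rightmost digit, double every second
// digit, subtract 9 from results above 9, and require sum % 10 === 0.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Card-shaped candidate: 13 to 19 digits, optionally separated by
// single spaces or dashes.
const CARD_CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Returns the masked text plus one decision record per mask applied,
// loosely modelled on the audit-log fields the page lists.
function maskCards(text) {
  const decisions = [];
  const masked = text.replace(CARD_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, "");
    // Shape matches but checksum fails: not a card, leave it alone.
    if (!luhnValid(digits)) return match;
    // Matches are ASCII, so length in characters equals length in bytes.
    decisions.push({ rule: "card-luhn", originalLength: match.length });
    // Deterministic token: only the last four digits survive.
    return "****-****-****-" + digits.slice(-4);
  });
  return { masked, decisions };
}

// Constructed sample: a well-known test card number and a Luhn-invalid
// 16-digit order number.
const sample = "card 4111 1111 1111 1111, order 1234 5678 9012 3456";
console.log(maskCards(sample).masked);
```
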

Under the hood

What gets masked by default

Credit / debit card numbers (Luhn-validated, all major networks), Social Security Numbers (US), email addresses (RFC 5322), phone numbers (E.164 + common national formats), street addresses (3-line composition heuristic), dates of birth (in proximity to name fields), passport numbers (8 country formats), drivers' license numbers (50 US states + EU), IBANs, SWIFT codes, Bitcoin / ETH addresses, and 8 more.

How the GLiNER deep-scan model stays small

GLiNER is a generalist NER model — small enough to ship as a quantised ONNX bundle (~50 MB int8) that the Relyv browser extension lazy-loads into an offscreen document, runs via onnxruntime-web with WebGPU acceleration where available, and falls back to WASM SIMD where not. SDK-only customers stop after the regex/Luhn pass — they never load the model.

Compliance posture

GDPR Article 25 ("data protection by design") is the design intent: PII never leaves the data subject's device. SOC 2 Type II is in progress. HIPAA: deep-scan mode is a Business / Enterprise feature; a signed BAA is available. EU data residency is offered on Enterprise.

Frequently asked

Can I disable masking on specific fields?

Yes. Per-selector allow-listing is supported, and there's a global allow-list for fields you control directly. The audit log records every override so compliance can review.

What's the performance overhead?

Validator pass: under 1 ms per event at p95 (SDK, in-browser). Deep-scan pass (Relyv extension only): under 10 ms at p95 — GLiNER runs via onnxruntime-web with WebGPU acceleration, falling back to WASM SIMD on browsers without WebGPU. Both run off the main thread; no UI jank.

Can I add custom PII types?

Yes. Custom regex rules ("internal-customer-id-\d{8}") plus custom LLM prompts ("anything that looks like a procedure code"). Both are workspace-level configs.

Where can I see what's been masked?

The session replay shows masked tokens inline (****@****.com). The audit log lists every mask decision with timestamp, rule, confidence, and original byte-length. The replay never reveals masked values, even to admins.

Is data residency supported?

Enterprise plans support EU residency (Frankfurt) and US residency (Iowa). Other regions on request. PII masking happens on the user's device regardless of residency, so the residency choice only affects masked-stream storage.

How is masking accelerated on modern hardware?

The deep-scan model runs in an offscreen document via onnxruntime-web with WebGPU acceleration when available (Chrome 113+ / Edge 113+ / Safari 18+), falling back to WASM elsewhere. WebGPU dispatch shifts the inference cost off the main thread entirely. Combined with the pattern-validator first pass, p95 deep-scan latency is under 10 ms even on a mid-tier Android device.

Does PII masking work on captured form-submit payloads?

Yes. The opt-in form-submit recorder (default off — payload capture is a separate privacy decision) routes every captured field value through the same `redactPII` pipeline before serialisation. Password, hidden, and `data-relyv-mask` fields are excluded outright; file inputs are reduced to a `[file:N]` placeholder.
