CensorGPT

Extension activates upon user pressing enter
Extension asks user if they still want to send the prompt

Inspiration

As ChatGPT is so ingrained into our daily lives as students and programmers, there is always a risk of data leaks via unsuspecting users who unknowingly give their PII to LLM providers through prompts. As such, we wanted to create something convenient and easy to use to help users like ourselves protect our data against carelessness.

What it does

CensorGPT-Extension is a privacy-focused Chrome extension paired with a lightweight FastAPI backend. Its goal is to alert users when their prompts contain Personally Identifiable Information (PII) before sending them to Generative AI systems like ChatGPT. This prevents unintentional leakage of sensitive data to cloud-hosted LLM providers, while leaving the final decision in the user’s hands.

How we built it

We first decided to split our team into 2 groups, one to work on the browser extension side and one to work on the AI side of the project. As our team was inexperience on both sides of the project, we had to do a lot of research by using documentation and AI in order to put together the project in such a short amount of time. We worked together on call for many hours in order to debug and design the user experience of the extension, ensuring that it not only works but is convenient and efficient to use. Through livestreaming our bugs to each other, we managed to collaborate and debug each other's issues which led to more productivity and less frustration.

Challenges we ran into

We faced several challenges while building CensorGPT. Firstly, the models we chose to implement were too inaccurate or too slow, making it unsuitable for this application. After trying many more models, we finally settled on gemma3:4b (via Ollama + LangChain) that had a good balance of accuracy and speed for our needs. Secondly, we also ran into many bugs and issues when working on the extension as none of us were very familiar with front-end programming, and building the extension was definitely new to us. We ended up debugging it by following the endless number of function calls to try and determine where the issue was, and implementing a suitable fix.

Accomplishments that we're proud of

We are proud that we managed to accomplish this project in such a short amount of time that works decently well and helps to protect the PII of users in a practical way that is also convenient, despite being previously unfamiliar with many of the technologies used. We are also proud that we managed to work together efficiently and cooperatively to finish the project.

What we learned

We learned how to design and build Chrome Extensions and how to incorporate AI to protect data and privacy. Along the way, we picked up these key lessons:

Product & UX

Non-blocking beats blocking: We moved from alert() popups to a small, dismissible PII banner above the textbox—clearer, less disruptive.
Right feedback, right time: Debounced checks (~250 ms) balanced responsiveness with CPU; showing concise chips + count avoided banner fatigue.
Don’t auto-edit user text: Alerting (not censoring) gives users control and preserves intent.

Privacy & Ethics

Local-first by design: Prompts stay on-device; no cloud transmission. Logging disabled by default; no re-identification attempts, aligning with the rules.
Configurable & transparent: Users can point the extension at a local backend, see what’s flagged, and decide how to proceed.

Process

Ship the simple path first: Validate the loop end-to-end, then refine UI/UX.
Cross-site testing matters: Different chat UIs behave differently; generic selectors and fallbacks were essential.
Repo hygiene: Cloning (not zips) kept VS Code and GitHub in sync and sped up iteration.

What's next for CensorGPT

To improve performance, we will next incorporate regex to make detect obvious PII quickly. We will also use a stronger model instead of gemma because of our own hardware limitations. A feature we would also want to implement is the anonymization of the PII instead of removal so that the user can send an equivalent prompt that does not reveal their own PII, but still gets a result that is desired.