For solo lawyers, small firms & small clinics

Privileged work shouldn't go to the cloud.

A redaction tool that runs on your Mac, never on a server. Forty-page depositions in a minute. Patient records in ninety seconds. Your files never leave the laptop they came from. Not even to us.

0 bytes leave your Mac · macOS 13+ · Apple silicon · v0.5.4 · ~290 MB

[Screenshot: RedactLocal review screen with color-coded PII highlights. Review · 23 spans · localhost only]

Sound familiar?

For lawyers

You handle privileged work, and the cloud isn't an option.

  • You've used Preview's black-rectangle tool and crossed your fingers.
  • You've pasted privileged text into ChatGPT and felt a little sick about it afterward.
  • A paralegal would help, but you're solo, or your one paralegal is already underwater.
  • You read about Heppner and your shoulders got a little tighter.
  • Adobe wants you to upload your filing to Document Cloud. Your client doesn't.

For small clinics & practices

You share PHI weekly, and a breach is the worst phone call you can imagine.

  • Records go out to insurers, attorneys, and specialists. Every share needs PHI scrubbed.
  • Your clinic's "redaction process" is currently a Sharpie and a scanner.
  • The IT stack is one person, or zero. Compliance is whoever has time.
  • HIPAA breach notification math (per record, per incident) keeps you up.
  • "Where did this PDF go?" is a question you can't always answer.

If two of these are you, the rest of this page is worth four minutes.

Sixty seconds. Airplane mode on.

One real PDF. One real Mac. The wifi is off the whole time. Watch the file get redacted, exported, and ready to share.

Recorded in airplane mode. No edits, no cuts.

S.D.N.Y. · February 2026

The moment privileged text reaches a third-party server, the privilege is waived.

United States v. Heppner
No. 1:25-cr-00847 (S.D.N.Y. Feb. 2026)
Op. at 14–17 (cloud-AI exposure)

If a redaction tool uploads your document to its own server before redacting it, you have already made a choice.

The math, in minutes.

RedactLocal on an M2 MacBook Air vs. a careful human in Preview, redacting category-by-category. Your mileage will vary; the order of magnitude will not.

| Task | By hand in Preview | With RedactLocal | Saved |
|---|---|---|---|
| A 40-page deposition (names · addresses · SSNs) | 45 min | 60 sec | −98% |
| A 12-doc discovery batch (mixed PDFs, ~8 pages each) | ~4 hrs | 4 min | −98% |
| 8 patient records to a specialist (PHI scrub before hand-off) | 90 min | 90 sec | −98% |
| One NDA before sending (single contract, sender + signer) | 8 min | 20 sec | −96% |

RedactLocal times observed on an M2 MacBook Air against the production app on representative documents (12-page text PDFs run ~15 sec end-to-end; OCR-required scans add a few seconds per page). Manual times measured against an experienced paralegal working in Preview with the redaction tool, not Sharpie-and-scan.

Sixty seconds vs. forty-five minutes. You can test that on your next filing.

Download for Mac · Free

Three answers you can give.

For the bar, your compliance officer, and your client. Same redaction, three different conversations.

To the bar / opposing counsel

The privilege never left the laptop.

Every redaction writes a line to an audit log that exports alongside the PDF: what was removed, where, by whom, when. Attach it to the filing or hand it to opposing counsel. The technical posture (on-device, no telemetry, no third-party transit) is designed to survive the question.

“The document was redacted on local hardware. The original text is permanently removed from the file. A signed audit log is attached as Exhibit A.”

To your compliance officer

No business associate. No BAA needed.

Because RedactLocal runs entirely on your machine and we never receive your data, there is no business-associate relationship under HIPAA §164.502(e). No PHI transmitted, no breach-notification surface added. The Security Rule's transmission requirements (§164.312(e)) don't apply because there is no transmission.

“This tool processes PHI on the workstation only. No covered data is transmitted off-device.”

To the client / patient

"Your file never left this laptop."

The most common question a careful client asks now is some version of "did anyone else's computer touch this?" The answer here is no. You can show them the network log. You can show them the audit trail. You can hand them a redacted copy and prove the original text is gone, not hidden under a black box.

“I redacted this on my own machine. Here's the log. The version I'm sending you is the only one that exists outside my laptop.”

$19 a month. Less than ten minutes of your billing rate.

Or: less than your malpractice carrier's deductible. Or: the cost of one paralegal hour at most firms. We are not the line item that ends the year.

Free · $0 forever

For occasional redaction. 5 docs a month, on the house.

  • Up to 10 pages per document
  • 5 documents per month
  • All PII categories detected
  • True redaction (permanent text removal)
  • Audit log exported with every PDF
Download free

“I built RedactLocal after trying to redact my own tax return in Preview and giving up an hour in. A lawyer friend saw the early version and pointed me at the Heppner ruling. Turns out on-device redaction solves a much bigger problem than tax forms.”
Sunil Pandey · San Francisco · sunil@redactlocal.com · replies within a day

Questions worth asking before you trust a redaction tool.

Will this get me in trouble?

Does anything I drop into RedactLocal leave my Mac?

No. Your documents are processed entirely on your Mac. No upload, no cloud round-trip, no telemetry, no usage tracking. The app makes exactly two kinds of network calls in its lifetime: a one-time download of its on-device AI model the first time you open it, and a periodic check for app updates that sends only the version number. Both are documented and can be blocked at the firewall without breaking redaction. You can verify it on your own Mac with any network monitor (Little Snitch, Wireshark, or the built-in nettop) while you redact. You'll see zero outbound traffic.

Is the redacted text actually gone, or just covered with a black box?

Actually gone. RedactLocal permanently removes the underlying text and PDF objects, then strips document metadata. If you open the redacted PDF in any viewer, copy-paste, search, or run forensic recovery tools against it, the original text isn't there to find. Every redaction also writes a line to a redaction log that exports alongside the PDF, so you can show a judge or opposing counsel exactly what was removed.
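One way to spot-check a redacted PDF for text that should be gone, as an added example that is not RedactLocal's code: a standard-library Python scan of the raw bytes and the inflated Flate streams. The sample files, the names in them and `residual_text` are constructed for illustration; a clean result does not cover text drawn with custom font encodings or split across several text operators.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def _inflate(data: bytes) -> bytes:
    """Best-effort FlateDecode; b'' if the stream is not zlib data."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""

def _forms(term: str) -> list:
    """Byte forms a string can take in a PDF (literal, UTF-16BE, hex); empties dropped."""
    raw = term.encode("latin-1", "ignore")
    forms = [raw, term.encode("utf-16-be"), raw.hex().encode(), raw.hex().upper().encode()]
    return [f for f in forms if f]

def residual_text(pdf: bytes, terms: list) -> dict:
    """Report which layers of the file still contain each sensitive term."""
    layers = {
        "raw": pdf,  # uncompressed objects, Info dictionary, XMP metadata
        "streams": b"\n".join(_inflate(m.group(1)) for m in STREAM_RE.finditer(pdf)),
    }
    findings = {}
    for term in terms:
        hits = sorted(n for n, blob in layers.items() if any(f in blob for f in _forms(term)))
        if hits:
            findings[term] = hits
    # More than one %%EOF marker means incremental saves: earlier revisions of
    # "removed" objects can still sit in the file ahead of the latest one.
    return {"findings": findings, "revisions": pdf.count(b"%%EOF")}

def _sample(content: bytes, info: bytes = b"") -> bytes:
    """Constructed PDF-like bytes (one Flate content stream, no xref table)."""
    z = zlib.compress(content)
    head = b"%%PDF-1.7\n1 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(z)
    return head + z + b"\nendstream\nendobj\n" + info + b"%%EOF\n"

# Constructed samples: a black rectangle painted over live text vs. text removed.
BOX = b"0 g 70 695 200 16 re f\n"
OVERLAY = _sample(b"BT /F1 12 Tf 72 700 Td (Jane Roe SSN 000-12-3456) Tj ET\n" + BOX,
                  b"2 0 obj\n<< /Author (Jane Roe) >>\nendobj\n")
REDACTED = _sample(BOX)
INCREMENTAL = OVERLAY + REDACTED  # redacted revision appended to the original

if __name__ == "__main__":
    for name, pdf in [("overlay", OVERLAY), ("redacted", REDACTED), ("incremental", INCREMENTAL)]:
        print(name, residual_text(pdf, ["Jane Roe", "000-12-3456"]))
```

The overlay sample reports the name in both the metadata and the content stream, and the incremental sample shows why a file with more than one revision deserves a second look even when the last revision is clean.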

Can I use this on privileged or sealed documents under court rules?

Yes. The design goal is exactly this. Nothing about the document or its contents reaches us or any third party. The redaction log gives you an exportable audit trail to attach to any filing or share with opposing counsel. You should still confirm it satisfies your jurisdiction's specific rules and your firm's policy. We can't certify compliance on your behalf, but the technical posture (on-device, air-gappable, no telemetry) is designed to make that confirmation easy.

Does the AI ever miss things?

Yes, sometimes. No automated PII detector catches every name in every document. That's exactly why the Review step is mandatory before you can export. Every detection appears in the sidebar, color-coded by category, and you can accept it, dismiss it as a false positive, or add a manual redaction the AI didn't catch. We tune toward catching too much rather than too little, because for legal work missing a name is worse than flagging an extra one.

Will it actually save me time?

Will it slow my Mac down?

RedactLocal needs Apple Silicon (M1 or newer) and at least 8 GB of RAM. While it's processing a document the AI uses one CPU core fully and ~3–4 GB of RAM; when it's idle it sits at zero. Most users don't notice the fan even on long batches. Intel Macs aren't supported. The on-device model isn't fast enough on them to be useful.

What permissions does it ask for?

Read access to the PDFs you drop on it. That's it. No Full Disk Access, no Accessibility, no microphone, no camera, no contacts. The app does need network access on first launch to download its AI model (~3 GB, one time). After that, it never needs the network again to do its job.

Will I get a Gatekeeper warning when I open it?

No. RedactLocal is signed with an Apple Developer ID and notarized by Apple, which means macOS has already verified the binary hasn't been tampered with. Double-click the DMG, drag the app to Applications, and open it. It just launches. If you ever do see a Gatekeeper warning, don't install it. Email sunil@redactlocal.com immediately so we can investigate.

How do I uninstall it cleanly?

Drag RedactLocal from Applications to the Trash. The app stores its preferences in ~/Library/Preferences/com.redactlocal.RedactLocal.plist and the downloaded AI model in ~/Library/Application Support/RedactLocal/; delete that file and that folder and nothing about RedactLocal remains on your Mac. No login items, no daemons, no kernel extensions, no leftover processes.

Pricing, support & the future

Can I try it on my own documents before paying?

Yes. The free tier gives you five documents per month, up to ten pages each, with every PII category and the full review-and-export flow. No watermarks, no crippled features. If five documents a month is enough, you never need to pay. Pro is for higher volume.

What does it cost, and what happens if I cancel Pro?

Free forever for up to five documents a month. Pro is $19/month for unlimited documents, with in-app subscription and a 30-day refund window from first purchase. If you cancel Pro, you keep using the Free tier. Nothing locks down, no documents become unreviewable. Pricing is the whole pricing page; there are no add-ons, seat fees, or enterprise upsells inside the app.

Who is building this, and what happens if you shut it down?

Built by Sunil Pandey in San Francisco; the email in the footer goes to a real inbox. RedactLocal works offline forever. The AI model is already on your Mac after first launch, and the app doesn't expire, doesn't phone home, and doesn't validate against a license server during normal use. If the company ever shuts down, we'll publish a final build with the license-server dependency removed so existing Pro users aren't stranded.

Is RedactLocal coming to Windows, Linux, iPad, or as a team product?

Mac-only today. Team workspaces with shared review queues, a SOC 2 attestation for firms that need it, and Windows are all on the roadmap, no firm dates. iPad and Linux are not on the near-term roadmap. We'd rather ship one polished tier well than four half-broken ones.

What happens after you click download.

01 DMG arrives: ~290 MB. Signed and notarized by Apple. No Gatekeeper warning.
02 Drag to Applications: The usual Mac install. No installer wizard, no scripts.
03 First launch downloads the model: ~3 GB AI model, one time. After this you can turn the wifi off forever.
04 Drop your first PDF: It opens in Review the second the first page is ready. The rest keeps processing.

Try it on your own files.

Download for Mac · v0.5.4

Apple silicon · ~290 MB DMG · signed & notarized by Apple · SHA-256 pending v0.5.4 release