The best way to redact bank details and PII in screenshots
Short answer: cover every field that identifies a person or an account, not just the obvious one, and do it in a way that cannot be undone. When you are sharing a statement, an invoice, a form or an account page, a draggable black box is the riskiest choice because it can be moved or peeled off to reveal what is underneath. Pixelating the sensitive areas straight into the image, on your own Mac, is the version I trust. This guide covers what to redact, why irreversibility matters most here, and the exact steps. If handling other people's money is your day job rather than a one-off, the guide for accountants and finance teams covers the working patterns around it.
What actually counts as sensitive
People tend to redact the one field that looks scary and leave the rest. With financial and personal data that is not enough, because the quieter fields often identify just as well. Before you share, look for all of these:
- Account and card numbers, including the full card number, routing or sort number, and IBAN.
- Name and address, including a partial address or zip code that narrows things down.
- Date of birth, which is a classic identity-verification field.
- Contact details like an email address or phone number sitting in a header or footer.
- Reference, customer or invoice IDs, which can tie an image back to a specific person or account even when no name is visible.
The principle is to redact everything that identifies, not just the field labeled "account number". A reference ID on its own can be enough for someone to pull up the rest.
Why irreversible redaction matters more here
For most screenshots a sloppy redaction is embarrassing. For bank details it is the whole risk. If a card number can be recovered from the image you shared, you have not redacted it at all, you have just hidden it from a casual glance. So the test is not "does it look covered" but "can the original be brought back".
This is why a draggable black box is the wrong tool for this job. A box drawn in a markup app is generally a separate layer on top of the picture. Save it in the wrong format, or open it in an editor that understands the layers, and the box can be moved or deleted to show the number underneath. A light blur has the same flaw in a different shape: the original detail is still mathematically present, and short strings like account numbers have been recovered from weak blurs before. The same trade-offs, laid out method by method, are in the guide to redacting screenshots on a Mac.
The safe version rewrites the pixels. When you scrub an area into the image, the original detail is replaced with coarse blocks that are written into the file itself, and those blocks are not computed from the digits they cover, so there are no traces for depixelation software to work back from. There is no hidden layer and nothing left to reverse, which is exactly what you want for anything financial. The same standard, with even sharper edges, applies to crypto and trading screenshots, where a wallet address quietly links your entire on-chain history. If you are weighing blur against pixelation specifically, I go deeper on that in blurring versus pixelating screenshots.
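The "can the original be brought back" test above can be run as a differential check: change only the pixels under the redaction and see whether the redacted output changes. This is an added example, not ScrubShot's code; the list-of-lists grayscale image, both redactor functions and the two-shade pattern are assumptions made for illustration.

```python
import random

BOX = (8, 4, 24, 12)  # constructed region: x0, y0, x1, y1 (end-exclusive)

def _blocks(box, block):
    """Yield the pixel coordinates of each block tile inside box."""
    x0, y0, x1, y1 = box
    for by in range(y0, y1, block):
        for bx in range(x0, x1, block):
            yield bx, by, [(x, y) for y in range(by, min(by + block, y1))
                                  for x in range(bx, min(bx + block, x1))]

def mosaic_average(img, box, block=4):
    """Classic mosaic: each tile becomes the mean of the pixels it covers."""
    out = [row[:] for row in img]
    for _, _, cells in _blocks(box, block):
        mean = sum(img[y][x] for x, y in cells) // len(cells)
        for x, y in cells:
            out[y][x] = mean
    return out

def scrub_fixed_pattern(img, box, block=4):
    """Tiles take a shade from their position only; covered pixels are never read."""
    out = [row[:] for row in img]
    for bx, by, cells in _blocks(box, block):
        shade = 40 + 25 * (((bx - box[0]) // block + (by - box[1]) // block) % 2)
        for x, y in cells:
            out[y][x] = shade
    return out

def depends_on_covered_pixels(redact, box, size=(32, 16), trials=20, seed=1):
    """True if changing only the covered pixels changes the redacted output."""
    rng = random.Random(seed)  # generates constructed test images only
    w, h = size
    base = [[rng.randrange(256) for _ in range(w)] for _ in range(h)]
    reference = redact(base, box)
    x0, y0, x1, y1 = box
    for _ in range(trials):
        variant = [row[:] for row in base]
        for y in range(y0, y1):
            for x in range(x0, x1):
                variant[y][x] = rng.randrange(256)
        if redact(variant, box) != reference:
            return True  # output carries information about what was covered
    return False

if __name__ == "__main__":
    for fn in (mosaic_average, scrub_fixed_pattern):
        print(fn.__name__, "depends on covered pixels:", depends_on_covered_pixels(fn, BOX))
```

A redactor that fails this check is not necessarily recoverable in practice, but one that passes it leaves nothing in the covered region that was derived from the original digits.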
What to redact, and what to do about it
Here is a quick map from the common field types to the action I take in ScrubShot.
| Field | Why it matters | What to do in ScrubShot |
|---|---|---|
| Account / card number | The most directly abusable field; a recoverable number is a real loss | Scrub the full number into the image so it cannot be reversed |
| Name & address | Identifies the person and ties the account to them | Scrub it, or Crop the frame if it sits at the edge |
| Reference / customer ID | Quietly identifying; can pull up the rest of the record | Scrub it too, even when it looks harmless |
| Email address | Links the image to an inbox and often to an account login | Scrub it, or Crop a header that contains nothing else you need |
Step by step with ScrubShot
The point of a dedicated tool is to make the safe option the quick one, so the whole thing with ScrubShot is a single loop:
- Open the statement, invoice or account page, then press the shortcut. ScrubShot captures the screen and the editor opens.
- Drag the Scrub tool over each sensitive field in turn: the account or card number first, then the name, address, date of birth, email and any reference IDs.
- Do one slow pass over the whole image before you share, checking corners and headers for an email or a number you missed. Undo and re-scrub anything you are unsure about.
- If a sensitive area sits at the edge, Crop the frame to drop it entirely rather than scrubbing it.
- Copy the cleaned image to the clipboard or let it save to the ScrubShot folder in your Pictures, then paste it where it needs to go.
All of this happens on your Mac. Screenshots never leave the machine to be processed, so the original, unredacted statement is never sitting on someone else's server. You can read exactly what the app does and does not send on the privacy page.
What redaction does and does not buy you
I want to be straight about this: redacting a screenshot is a practical step, not a legal shield. What it buys you is control over what you expose. The copy that leaves your Mac no longer carries the account number, the name or the reference ID, so anyone who sees the image sees only the part you meant to show.
What it does not do is reach back and clean up copies that already exist elsewhere, or make any promise about what regulations apply to your situation. Treat it as reducing your exposure on the thing you are about to send, which is genuinely worth doing, and keep your expectations there. When cropping would do the job better than scrubbing, the trade-off between the two is covered in redaction versus cropping.
FAQ
- What counts as PII I should redact in a screenshot?
- Anything that identifies a person or an account: full name, home address, date of birth, email, phone number, account and card numbers, sort or routing numbers, and reference or customer IDs. The catch is that a reference number can identify someone just as well as their name, so redact the quiet fields too, not only the obvious ones.
- Is a black box over bank details safe enough to share?
- Often not. A box you draw in a markup tool is usually a separate layer sitting on top of the image, so depending on how the file is saved it can be nudged aside or removed to reveal what is underneath. For financial details I would rather rewrite the pixels than cover them, because there is then nothing left to lift off.
- Can a redacted account number be recovered later?
- It depends how you hid it. A light blur or a movable box can sometimes be reversed. ScrubShot pixelates the area straight into the image and rewrites those pixels, and the replacement blocks are not computed from the number underneath, so a scrubbed account or card number cannot be un-scrubbed, brute-forced or recovered from the saved file.
- Does redacting a screenshot make me GDPR compliant?
- I would not frame it that way. Redaction is a practical step that reduces what you expose when you share an image, not a legal guarantee. What it does is keep the financial and personal detail off the copy that leaves your Mac, which is the part you control.
Try it
ScrubShot is a Mac app. Press the shortcut, scrub out the bank details and personal data, then copy or save; the cleaned screenshot is the only version that ever leaves your Mac. There is a free 7-day trial with no card required. After that it is $30 once, with lifetime updates and no subscription.