obtaining privacy sensitive data;

identifying a privacy restriction of the privacy sensitive data;

authorizing code for use with the privacy sensitive data by reviewing the code before the code is authorized to determine whether the code logs or displays with the privacy sensitive data in violation of the privacy restriction, wherein the code comprises executable code for processing the privacy sensitive data;

receiving parameters for identifying the privacy sensitive data;

identifying the privacy sensitive data from one or more databases based on the parameters;

retrieving the privacy sensitive data from the one or more databases based on the parameters;

storing references to the privacy sensitive data in a temporary database for use within a protected computing environment;

providing aggregate information about the privacy sensitive data to a user within the protected computing environment;

verifying, by the protected computing environment, that the authorized code for use with the privacy sensitive data does not violate the privacy restriction and is authorized for execution within the protected computing environment;

executing the authorized code within the protected computing environment to process the privacy sensitive data based on the verification without violating the privacy restriction;

determining a time limit for the temporary database based on a privacy policy; and

deleting the temporary database based on the time limit.