Why Your Online Tools Might Be Stealing Your Data (And What to Do About It)
Most free online tools upload your files to servers you cannot see. Here is what actually happens to your images, PDFs, and documents — and how to protect yourself.
The Hidden Price of Free File Conversion
Every day, millions of people upload sensitive files to free online tools — PDFs containing contracts, photos of identity documents, financial statements, medical records, confidential business presentations. The implicit assumption is that after the conversion happens, the file disappears. In most cases, that assumption is dangerously wrong.
Cybersecurity researchers who analyzed dozens of popular free file conversion websites found that the majority retained uploaded files for at least 24 hours after the conversion. A significant portion had no clear privacy policy at all. Some were observed sharing data with third-party advertising networks.
This is not a niche concern for privacy advocates. It affects everyone who uses free online tools for everyday tasks: compressing a photo, merging PDFs, converting a Word document. Understanding what actually happens to your files when you click "Upload" is the first step to protecting yourself.
What Actually Happens When You Upload a File
When you click "Upload" on a typical online converter, your file is transmitted over HTTPS to a remote server — a computer in a data center somewhere in the world that you have no visibility into. That server may be located in a country with different data protection laws than yours. The company operating it may be headquartered elsewhere entirely.
Once your file reaches that server, what happens to it depends entirely on the company's internal practices and whatever their privacy policy says — assuming they have one. Some companies delete files immediately after conversion. Some retain them for hours or days. Some retain them indefinitely. Some use the content of uploaded files to train machine learning models or improve their algorithms.
Even companies with genuinely good intentions create a security risk simply by holding your files. File conversion services, precisely because they aggregate enormous quantities of sensitive documents, are high-value targets for hackers. A successful breach at such a service could expose passports, medical records, financial statements, and confidential contracts belonging to millions of users.
Types of Files at Risk
Not all files carry the same risk. Here is a breakdown of the categories where the privacy implications are most serious:
- Identity documents: Photos of passports, driver's licenses, national ID cards, and visas are commonly converted or compressed online. These are among the most valuable files for identity thieves. A scan of a passport is sufficient to open fraudulent financial accounts in many jurisdictions.
- Financial documents: Bank statements, tax returns, payslips, and investment statements contain account numbers, tax IDs, and income information. This data can be used for financial fraud or tax identity theft.
- Medical records: Health information is among the most sensitive data in existence. In many countries, medical data has special legal protections. Uploading it to an unvetted third-party service may violate those regulations — even if you are not the data controller.
- Legal and business documents: Contracts, NDAs, corporate filings, and business plans often contain information covered by confidentiality obligations. Uploading these to third-party services may violate contractual commitments or expose trade secrets.
- Personal photos: Photos of people — especially children — can be misused in ways that range from privacy violations to serious criminal exploitation.
How to Read a Privacy Policy (and What Red Flags to Look For)
Most people never read privacy policies. They are long, written in legal language, and easy to dismiss. But for file conversion tools specifically, a few key questions can be answered in under two minutes by searching the policy page:
How long are files stored? Look for terms like "file retention", "storage", or "deletion". A trustworthy service states a clear, short retention period — typically 1 hour or less. Vague phrases like "files may be retained for operational purposes" are red flags.
Are files shared with third parties? Search for "third party" or "partners". Some services share anonymized data or even full files with partners for analytics, advertising, or AI training. This should require explicit opt-in consent, not just disclosure buried in a policy.
Where are servers located? For users in the EU, GDPR requires that personal data processed on behalf of EU residents either stays within the EU or is transferred only to countries with adequate protections. If a service does not disclose server locations, that is a concern.
Is there a privacy policy at all? A missing or placeholder privacy policy is an immediate disqualifying red flag. Legitimate services always have a clear, specific privacy policy.
Browser-Based Processing: The Privacy-First Alternative
The most reliable way to protect your files is to use tools that process files entirely within your browser, without uploading anything to a server. This is technically possible for a surprisingly wide range of file operations thanks to modern browser APIs and JavaScript libraries.
Browser-based processing works as follows: when you open a file on a website like SiteConversor, the file is read directly from your disk by your browser's File API. The processing — compression, conversion, resizing, PDF rendering — happens using JavaScript code that runs inside your browser, on your own computer's processor and memory. The resulting file is made available for download from your browser's memory. At no point does your file traverse the internet or touch a remote server.
This is not a marketing claim — it is a technical fact that you can verify yourself. Open your browser's Network tab in DevTools (F12 in most browsers) while using SiteConversor, process a file, and watch the network requests. You will see requests to load the JavaScript libraries (which are public code from CDNs) but no request that contains your file content.
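The Network-tab check described above can also be run over a HAR file exported from DevTools. The following is an added example, not SiteConversor's code: it scans HAR 1.2 request entries for bodies that could carry file content. The sample entries, the `.example` hostnames and the 1024-byte threshold are constructed assumptions.

```javascript
// Added example: scan a DevTools HAR export for requests that could carry file content.
// Constructed sample (HAR 1.2 field names); hosts and sizes are made up.
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://cdn.example/pdf.min.js", bodySize: 0 } },
  { request: { method: "POST", url: "https://stats.example/collect", bodySize: 212,
      postData: { mimeType: "application/json", text: '{"event":"convert"}' } } },
  { request: { method: "POST", url: "https://api.example/upload", bodySize: 48231,
      postData: { mimeType: "multipart/form-data; boundary=x", text: "" } } },
  { request: { method: "GET", url: "wss://live.example/socket", bodySize: 0 } },
] } };

// Content types normally used to send a file's bytes.
const UPLOAD_TYPES = ["multipart/form-data", "application/octet-stream"];

// HAR allows bodySize to be -1 (unknown); fall back to the recorded body text.
function bodyBytes(req) {
  if (typeof req.bodySize === "number" && req.bodySize >= 0) return req.bodySize;
  return req.postData && req.postData.text ? req.postData.text.length : 0;
}

// Return every request worth a manual look, with the reasons it was flagged.
// minBodyBytes is an assumed threshold; set it below the size of your test file.
function findUploadCandidates(har, minBodyBytes = 1024) {
  const findings = [];
  for (const { request: req } of har.log.entries) {
    const mime = ((req.postData && req.postData.mimeType) || "").toLowerCase();
    const size = bodyBytes(req);
    const reasons = [];
    // WebSocket frames are not counted in bodySize, so flag the channel itself.
    if (/^wss?:/i.test(req.url)) reasons.push("websocket");
    if (UPLOAD_TYPES.some((t) => mime.startsWith(t))) reasons.push("upload-content-type");
    if (size >= minBodyBytes) reasons.push("large-body");
    if (reasons.length) findings.push({ method: req.method, url: req.url, size, reasons });
  }
  return findings;
}

console.log(findUploadCandidates(sampleHar));
```

Export the recorded session from the Network tab as a HAR file after processing a test document and pass the parsed JSON to `findUploadCandidates`. An empty result covers only the session that was recorded, so repeat the check after the site updates its scripts.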
What Operations Can Be Done Locally in a Browser?
A common misconception is that browser-based tools are limited in capability compared to server-side tools. In practice, modern browsers are powerful computing environments that can handle a wide range of file operations entirely locally:
- Image compression and conversion: Compress JPG, PNG, WEBP, and AVIF images. Convert between formats. Resize to exact dimensions. All processed using the HTML5 Canvas API.
- PDF operations: Render PDF pages to images (using PDF.js by Mozilla). Merge multiple PDFs into one. Generate PDFs from images. All without uploading your document to any server.
- Background removal: Remove image backgrounds using neural networks that run directly in the browser via TensorFlow.js. The AI model is downloaded once and cached — your photos never leave your device.
- File format conversion: Convert HEIC photos from iPhones to JPG, convert SVG to PNG, encode and decode Base64, and dozens of other operations.
- Utility operations: Generate QR codes, create strong passwords, format JSON, extract color palettes from images — all without sending any data to a server.
SiteConversor provides all 48 of these operations for free, with all processing happening locally in your browser. No account is required, no files are uploaded, and no data is collected beyond standard analytics.
Practical Rules for Protecting Your Files Online
Even with the availability of browser-based tools, there are situations where you may need to use a server-based service. Here are practical rules for minimizing risk in those cases:
- For sensitive files, always prefer browser-based tools. For identity documents, financial records, and medical information, only use tools that explicitly state local processing.
- Check the privacy policy before uploading anything important. Look specifically for file retention period and third-party sharing clauses.
- Use desktop software for the most sensitive conversions. Applications like LibreOffice, GIMP, and Preview (macOS) process files entirely on your computer with no network activity.
- Avoid services that require registration for basic operations. If a tool asks you to create an account to convert a file, it is building a profile linked to your identity and your file activity.
- Be especially careful with photos of people. Facial recognition and image analysis technologies mean that photos carry more information than they appear to.
Conclusion: Privacy Should Be the Default, Not a Premium Feature
The fact that file conversion requires uploading to a third-party server is a historical artifact of when browser-based processing was not powerful enough to handle these tasks locally. That technical limitation no longer exists. Modern browsers can compress images, process PDFs, run neural networks, and perform dozens of other file operations without sending a single byte of your content to the internet.
The choice to process files server-side is now a business decision, not a technical one. Services that require uploads do so because it allows them to collect data, build user profiles, or use your content for their own purposes. Privacy-respecting browser-based tools represent a better model — one where the service provides genuine value without requiring access to your files.
The next time you need to compress an image, convert a PDF, or resize a photo, consider whether the tool you are using actually needs your file to do its job. In most cases, it does not.