You need to compress a PDF. You Google “compress pdf free.” You click the first result. You upload your bank statement. The tool compresses it. You download the smaller version. Done.
But where did your bank statement go during those 10 seconds? Which server processed it? Who has access to that server? Is your file still sitting there?
Most people never think about this. They upload sensitive documents — tax returns, contracts, salary slips, medical records, ID cards — to random websites without checking where the file actually goes. And honestly, for most documents it doesn’t matter. But for some, it really does.
How online PDF tools actually work
There are two fundamentally different ways an online tool can process your file. Understanding the difference takes 30 seconds and changes how you think about every tool you use.
Server-side processing. You upload the file. It travels over the internet to the tool’s server. The server processes it (compresses, merges, converts, whatever). The processed file gets sent back to you. Your original file sits on their server until they delete it.
This is how most tools work. iLovePDF, SmallPDF, Adobe Acrobat Online, Zamzar, Soda PDF — they all upload your file to their servers.
Client-side processing (browser-based). The tool runs entirely in your web browser using JavaScript. Your file never leaves your computer. The processing happens locally — on your device, using your processor and memory. When you close the browser tab, everything is gone.
This is how tools like ConvertKr and PDF24 (for some operations) work. There’s no upload, no server, no copy of your file anywhere.
How to check which type a tool uses
You don’t need to be technical to figure this out. Here are three easy ways:
1. Watch the progress indicator. If you see “Uploading… 45%… 67%… 100%” with a progress bar that takes time (especially for large files) — the file is being uploaded to a server. If the tool starts processing immediately after you select the file with no upload progress — it’s likely browser-based.
2. Check if it works offline. Turn off your WiFi after the tool page has loaded. Try processing a file. If it works without internet — it’s browser-based. If it fails — it needs a server.
3. Open your browser’s Network tab. Right-click on the page, click “Inspect,” go to the “Network” tab. Upload a file and watch. If you see a large file being sent to a server (a big upload in the list) — server-side. If the only network activity is small JavaScript files — browser-based.
What happens to your file on their server
When a tool processes your file server-side, your document exists on their infrastructure for some period of time. What happens to it depends on the company.
iLovePDF: States that files are deleted from their servers after 2 hours. Encrypted during transfer and storage. Based in Barcelona, subject to EU GDPR.
SmallPDF: States that files are deleted after 1 hour. Based in Switzerland, subject to Swiss privacy law and GDPR. Offers a “Pro” feature for extended storage.
Adobe Acrobat Online: Files processed through Adobe’s cloud. Subject to Adobe’s privacy policy, which covers many products and services. Files are processed for the requested operation and Adobe states they don’t use them for other purposes.
Zamzar: Files stored for 24 hours on free tier. Paid plans offer longer storage. Based in the UK.
ConvertKr: Files never leave your device. No server upload. No storage. No deletion policy needed because there’s nothing to delete.
Most reputable tools do delete your files after a stated period. The question is whether you trust the statement, and whether “deleted after 2 hours” is acceptable for your specific document.
When server-side processing is fine
For most everyday documents, uploading to a reputable tool is perfectly safe. Specifically:
Marketing materials. Brochures, flyers, presentations meant for public distribution. There’s no sensitive information — anyone could see these.
Public documents. Research papers, published reports, publicly available forms. Nothing confidential.
Personal photos being converted or compressed. Vacation photos, social media images. Not sensitive.
Already-public PDFs. Documents downloaded from public websites. The information is already available to everyone.
For these, use whatever tool is most convenient. Server-side or browser-based — it doesn’t matter.
When you should care about privacy
For certain documents, where your file goes matters a lot:
Tax returns and financial documents. W-2s, 1099s, tax returns, bank statements. These contain your Social Security Number, income details, bank account numbers. Uploading these to a server means a copy of your financial identity exists on someone else’s infrastructure, even if only for an hour.
Medical records. Health information is protected under HIPAA in the US. Uploading medical PDFs to a non-HIPAA-compliant tool could technically be a violation for healthcare providers. For individuals, it’s a personal privacy risk.
Legal contracts and agreements. NDAs, employment contracts, settlement agreements. These often contain confidential terms that parties agreed to keep private. Uploading to a third-party server introduces a point of exposure.
ID documents. Passports, driver’s licenses, Social Security cards, national IDs. These are the building blocks of identity theft. A copy of your passport on someone’s server — even temporarily — is a risk.
Client documents. If you’re a lawyer, accountant, doctor, or consultant handling client documents, uploading them to a free online tool may violate your professional confidentiality obligations.
Business-sensitive documents. Trade secrets, proprietary information, internal reports, financial projections. These could damage your business if exposed.
The “they delete it after 1 hour” argument
Most server-side tools promise to delete your file within 1-2 hours. This is probably true. Reputable companies have automated deletion systems and legal obligations (especially under GDPR) to follow through.
But consider:
Your file existed on their server for up to 2 hours. During that window, it was theoretically accessible — to their system administrators, to anyone who breaches their security, or to any government that issues a data request.
Server backups might capture your file before deletion. Many servers run hourly or daily backups. Your “deleted” file might exist in a backup archive that’s retained for weeks or months.
“Deleted” on a server often means “marked as deleted” — the actual data might still be on the disk until it’s overwritten. True deletion (secure erasure) is rare for temporary files.
None of this is likely to cause you harm for a random flyer or brochure. For your tax return or medical records? The calculation changes.
What about tool apps on your phone?
PDF apps from the App Store or Play Store have the same server vs. local distinction. Many popular PDF apps upload your files to their cloud for processing — read the privacy policy before uploading sensitive documents.
Some apps process locally on your phone. Adobe Acrobat Reader (the free viewer) processes locally for basic operations. But many “free PDF editor” apps with millions of downloads upload your files to their servers without making it obvious.
The App Store and Play Store don’t distinguish between local-processing and server-processing apps. You have to check each app individually.
A practical approach
You don’t need to be paranoid about every file. Here’s a simple framework:
Contains SSN, bank details, medical info, or ID numbers? Use a browser-based tool (ConvertKr, PDF24 local mode) or desktop software (Preview on Mac, Adobe Reader). Don’t upload to any server.
Contains business-confidential or legal content? Use a browser-based tool or desktop software. If you must use a server-side tool, choose one with clear GDPR compliance and a stated deletion policy.
Contains nothing sensitive? Use whatever is most convenient. iLovePDF, SmallPDF, Adobe — all fine.
Free tools that process locally (browser-based)
These tools process your files entirely in your browser — no server upload:
ConvertKr — 30+ PDF and image tools. All browser-based. Merge, split, compress, rotate, sign, highlight, redact, crop, convert, and more. Open source JavaScript libraries (PDF.js, pdf-lib). Verifiable by checking the Network tab.
PDF24 (some tools) — offers both online (server) and desktop (local) versions. The desktop app processes locally. The online tools are server-based.
Preview (Mac) — built into macOS. Handles merge, split, rotate, annotate, sign, and basic editing. Fully offline. No uploads.
Microsoft Edge / Chrome — built-in PDF viewers can fill forms and do basic annotations. Local processing.
Red flags to watch for
No privacy policy. If the tool’s website doesn’t have a privacy policy page — don’t use it for sensitive documents.
“We may use your uploaded content to improve our services.” This means they might analyze or retain your files beyond the immediate processing. Read the privacy policy carefully for this language.
Required account creation for basic operations. If a tool requires you to create an account before you can compress a PDF, they’re tracking your usage and associating your files with your identity. Not necessarily malicious, but more data collection than necessary.
Unclear about where processing happens. If the tool doesn’t say whether processing is local or server-based, assume server-based.
Excessive permissions (mobile apps). A PDF editor that asks for access to your contacts, location, or camera is collecting more data than it needs.
What about browser extensions?
PDF browser extensions have broad access to your browsing data. A “PDF converter” extension can potentially read every page you visit. Be very selective about which extensions you install, and prefer website-based tools over extensions when possible.
The bottom line
Free online PDF tools are generally safe for non-sensitive documents. For sensitive documents — financial, medical, legal, identification — use a tool that processes locally in your browser or use desktop software. It takes the same amount of time and removes the risk entirely.
The 30 seconds it takes to check whether a tool uploads your file or processes it locally is worth it for documents that contain your most personal information.
FAQ
Can free PDF tools steal my data?
Reputable tools (iLovePDF, SmallPDF, Adobe, ConvertKr) don’t intentionally steal data. The risk is with unknown, no-name tools that have no privacy policy and no reputation. Stick to established tools and you’re fine for non-sensitive documents. For sensitive documents, use browser-based tools.
Is iLovePDF safe?
For non-sensitive documents, yes. iLovePDF is a reputable company based in Barcelona, compliant with GDPR, and states they delete files after 2 hours. For tax returns or medical records, a browser-based alternative is safer since no upload occurs.
Is SmallPDF safe?
Same answer as iLovePDF. Reputable, Swiss-based, GDPR compliant, deletes files after 1 hour. Safe for most documents. Use a local tool for highly sensitive files.
Can my employer see what I upload to online tools?
If you’re on a corporate network, your IT department can see which websites you visit and potentially monitor uploads. Using a browser-based tool that doesn’t upload files avoids this since there’s nothing to intercept on the network.
Are PDF tools HIPAA compliant?
Most free online PDF tools are not HIPAA compliant. If you handle protected health information (PHI) professionally, use a HIPAA-compliant solution or a browser-based tool that never uploads the file.
Is it safe to upload my passport to an online tool?
For a reputable tool with a clear privacy policy and deletion timeline — the risk is low. But for maximum safety, use a browser-based tool or desktop software. Your passport photo is biometric data that you ideally don’t want on any server.
How do I know if a tool is processing locally?
The easiest test: turn off your internet after the page loads and try processing a file. If it works without internet — it’s local. If it fails — it needs a server. You can also check the browser’s Network tab for upload activity.
Should I pay for a PDF tool instead of using free ones?
Paid tools aren’t inherently safer than free ones. Adobe Acrobat Pro ($23/month) still processes through Adobe’s cloud for some features. The payment doesn’t guarantee privacy — the processing method does. A free browser-based tool can be safer than a paid cloud-based tool.
Need to work with sensitive PDFs? Use tools that process locally in your browser — ConvertKr handles 30+ operations without ever uploading your files. Or use Preview on Mac for basic tasks.