A few months ago a friend sent me a link to a PDF merger she’d been using. She needed to combine some medical reports into one file for her insurance claim. I looked at the site and the first thing I noticed was the upload — her PDFs were going to some server in who knows where.
I asked her “you know your medical reports are sitting on their server right now, right?” She had no idea. She thought the tool worked like an app on her phone. She didn’t realize her files were being uploaded to a company she’d never heard of.
This is way more common than people think. And it’s not just shady websites — even the popular ones do it.
What actually happens when you use most online tools
When you go to most PDF or image editing websites and upload a file, here’s what happens behind the scenes:
Your file leaves your computer. It travels over the internet to their server. Their server processes it — merges it, compresses it, whatever. Then it sends the result back to you.
During that process your file is sitting on someone else’s computer. How long do they keep it? Do they delete it after? Do they look at it? Do they sell it? Do they use it to train AI models? Most privacy policies are 5000 words of legal language that basically say “we can do whatever we want.”
I’m not saying every website is stealing your data. Most probably delete your files after processing. But “probably” isn’t good enough when the file is your medical report, your CNIC scan, your financial documents, or your kid’s school application.
The files people upload without thinking
I’ve watched people upload some wild stuff to random online tools:
- CNIC and passport scans — front and back, full details visible
- Bank statements — to compress them before emailing to an accountant
- Medical reports — lab results, prescriptions, doctor notes
- Legal documents — property papers, contracts, court documents
- Company files — invoices, salary sheets, client data
- Personal photos — to crop or compress before posting
Every single one of these has sensitive information. And people upload them to the first Google result for “merge pdf free” without even checking who runs the website.
My friend with the medical reports? That website’s privacy policy said they keep uploaded files for “up to 24 hours for processing purposes.” 24 hours. Her medical reports were sitting on a server for a full day. She didn’t know until I showed her.
How to check if a tool is safe
Look for “client-side processing” or “browser-based.” This means your files don’t leave your device. The tool runs code in your browser that does the processing right there on your computer. Nothing uploads. This is the safest option.
Check the network tab. This is a bit technical but if you’re curious — open the developer tools in your browser (F12 on Chrome), go to the Network tab, and upload a file. If you see a big upload request going to their server, your file is leaving your device. If you don’t see any upload, it’s processing locally. I do this with new tools before I trust them.
Read the privacy policy. I know nobody does this. But at least search for keywords like “retain”, “store”, “delete”, “third party”, “share.” If the policy says anything about sharing data with third parties or retaining files, think twice.
Check if the tool works offline. Turn off your wifi and try the tool. If it still works, your files definitely aren’t being uploaded anywhere. This is the simplest test.
Why I built ConvertKr to work locally
When I started building ConvertKr, the number one decision was: files don’t leave the user’s device. Ever.
Every tool on ConvertKr — merging PDFs, compressing images, adding watermarks, all of it — runs entirely in your browser using JavaScript. Your files load into your browser’s memory, get processed there, and the result downloads directly to your device. At no point does anything go to a server.
You can test this yourself. Open any ConvertKr tool, turn off your wifi after the page loads, and use the tool. It works. Because there’s no server involved.
The desktop app takes this even further — it doesn’t even need the internet to load the page. Install it once and it works completely offline forever. No server, no internet, no cloud.
I built it this way because I use these tools for my own documents. My family’s CNIC scans, my financial stuff, documents for friends. I’m not going to upload those to some random server. And I don’t expect anyone else to either.
Common tools and whether they upload your files
I checked some popular tools. This isn’t meant to bash anyone — just want people to know:
iLovePDF — uploads your files to their server. They say files are deleted after 2 hours. Popular tool, probably fine, but your files do leave your device.
SmallPDF — same thing. Server-side processing. Files are uploaded. They have a paid desktop version that works offline.
Adobe Acrobat online — uploads to Adobe’s cloud. You need an Adobe account for most features.
ConvertKr — client-side. Nothing uploads. Works offline. I’m biased obviously since I built it, but you can verify it yourself with the wifi test.
The point isn’t that server-based tools are evil. They’re fine for non-sensitive stuff. But if you’re processing anything personal or confidential, using a client-side tool is just common sense.
Simple rules I follow
Sensitive documents → offline or client-side tools only. CNIC, passport, medical, financial, legal. No exceptions. I don’t care how popular the website is.
Regular photos and non-sensitive PDFs → whatever works. If I’m compressing a photo of my lunch for Instagram, I don’t care if it uploads to a server. It’s a photo of biryani. Nobody wants to steal that.
Work documents → ask yourself “would my boss be okay with this file sitting on a random server?” If the answer is no, use a local tool. I learned this one the hard way when a colleague uploaded a client’s salary sheet to an online PDF tool. Nothing bad happened but it could have.
When in doubt, turn off wifi and try. If the tool still works, you’re safe. If it doesn’t, your files are leaving your device.
FAQ
If my file doesn’t upload, how does the tool work?
Modern browsers are powerful. JavaScript running in your browser can read files, process them, and create new files — all without talking to any server. Libraries like pdf-lib can merge and edit PDFs right in the browser. It’s the same idea as a mobile app that works offline.
Is client-side processing slower?
Depends on the file and your device. For normal documents (under 20-30MB) you won’t notice any difference. For huge files, a powerful server might be faster — but then your file is on that server. It’s a tradeoff. For most people’s daily needs, browser processing is plenty fast.
How do I know ConvertKr isn’t secretly uploading?
Turn off your wifi after the page loads and use any tool. If it works, nothing is being uploaded. You can also open the browser network tab (F12 → Network) and watch — you’ll see zero upload requests during file processing. Don’t trust me, verify it yourself.
Want to try a privacy-first file tool? Open ConvertKr — all processing happens on your device.