Why Your PDF Tools Shouldn't Be Uploading Your Files
The promise of free online PDF tools is appealing: no software to install, works on any device, done in seconds. But the word "free" obscures a real cost — your file leaves your device and ends up on a server you have no visibility into, operated by a company whose incentives do not necessarily align with your privacy.
This is not a fringe concern. PDFs are the default format for contracts, financial records, medical documents, legal filings, and internal business communications. Understanding what happens when you upload them — even briefly — matters.
The business model behind free PDF tools
Running servers costs money. Bandwidth costs money. Engineering costs money. Free services cover these costs in one of several ways:
- Advertising: the most straightforward model. Display ads generate revenue based on pageviews and clicks. Your file is irrelevant here — but it requires high traffic, which pushes tools to be as broadly useful as possible rather than private or specialised.
- Freemium conversion: the free tier is designed to be useful enough to attract users but limited enough to push a fraction toward paid plans. File size limits, page count limits, and daily use limits are deliberate constraints, not technical ones.
- Data: some services retain files, extract document structure, or use uploaded content to improve machine learning models. This may or may not be disclosed clearly in the privacy policy. "Improving our services" is a common catch-all clause that can cover a lot.
- Selling the company: a tool with a large user base and a library of processed documents is an acquisition target. Your files may be an asset that transfers with the company.
None of these models require that your files be misused. But all of them create situations where your file exists on infrastructure you do not control, for purposes you did not fully consent to.
What actually happens when you click "upload"
The mechanics of a server-based PDF tool are straightforward:
1. Your browser opens a connection to the tool's servers (HTTPS — encrypted in transit).
2. Your PDF bytes are transmitted over that connection and written to a storage system — typically a cloud object store like Amazon S3 or Google Cloud Storage.
3. A processing job runs: the PDF is read, the requested operation performed (merge, compress, convert), and the output written to another location.
4. Your browser downloads the output file.
5. The original and output are queued for deletion — at some point. "After one hour" is common. "After processing" is also common but less accountable.
Between steps 2 and 5, your file exists on a third-party system. The company's privacy policy governs what they do with it during that window — and privacy policies are legal documents written to protect the company, not the user.
What privacy policies actually say
We reviewed the privacy policies and terms of service of several major online PDF tools. Common patterns:
- Retention windows are stated vaguely: "We delete your files after processing" or "within X hours" are the most common formulations. What counts as "processing" is not defined. Some policies distinguish between files retained in logs (longer) and files retained in storage (shorter).
- Improvement clauses are broad: "We may use anonymised data to improve our services" appears in various forms. Whether PDF content counts as "data" that can be used this way is typically not clarified.
- Third-party sharing is permitted: cloud hosting providers, payment processors, and analytics services are all named as entities that may receive data. Your file on their servers is also your file on Amazon Web Services' or Google's servers.
- GDPR compliance is asserted but not detailed: "We comply with GDPR" appears frequently. The mechanism — data processing agreements, deletion schedules, cross-border transfer safeguards — is rarely described in user-facing documentation.
This is not an indictment of any specific company. It reflects the reality that "upload your file to us temporarily and we will process it" is a data handling arrangement that carries inherent risks, and privacy policies are written to acknowledge rather than eliminate those risks.
The compliance dimension
Beyond personal privacy preferences, uploading certain documents to third-party servers may create compliance problems:
- HIPAA (US): protected health information cannot be transmitted to a third party without a Business Associate Agreement in place. Using a free PDF tool to merge medical records without checking whether the tool is a HIPAA-covered entity is a compliance violation regardless of intent.
- GDPR (EU/UK): personal data of EU or UK residents cannot be transferred to third-party processors without appropriate safeguards. A US-based PDF tool with EU users and no data processing agreement is in a legally grey area at best.
- Attorney-client privilege: privilege can be waived if confidential communications are shared with parties outside the attorney-client relationship. Uploading privileged documents to a third-party server may constitute such a disclosure in some jurisdictions.
- NDA obligations: many NDAs restrict how confidential information is shared and stored. Uploading an NDA's subject matter to a third-party tool may breach the NDA itself.
- Financial regulations: SOX, PCI-DSS, and other financial frameworks impose controls on where certain data can reside. A finance team using a free PDF tool to merge financial statements without IT approval may be violating their own policies.
Why browser-based tools are structurally different
A browser-based PDF tool processes your file using code that runs inside your browser tab, using your device's CPU and RAM. The file bytes are never transmitted over a network connection. This is not a policy choice — it is a technical fact of how the architecture works.
The practical consequences:
- No third party receives your file.
- No server logs capture your document name or content.
- No retention window to worry about.
- No data processing agreement required.
- No HIPAA, GDPR, or NDA implications from the processing step itself.
- Processing continues even if you disconnect from the internet after the page loads.
The trade-off is computational: browser-based tools are limited by your device's RAM and CPU speed. For most everyday PDF operations — merging, splitting, rotating, watermarking, extracting pages — this is not a meaningful constraint. For very large files or batch automation, a server-based tool may be necessary, and you should choose one with a clear data handling policy.
How to verify a tool is truly local
Do not take any tool's privacy claims at face value. The Network tab in your browser's developer tools tells you the truth:
- Open DevTools with F12.
- Go to the Network tab.
- Filter by Fetch/XHR to show data requests only.
- Load your files into the tool and perform the operation.
- Watch the network panel during and after the operation.
If no outbound data requests appear during the file operation, the tool is genuinely local. If a POST or PUT request fires to an external URL when you trigger the operation, your file is being uploaded — regardless of what the tool's homepage claims.
keptlocal's tools make no outbound requests during file operations. You can verify this for every tool on the site using the steps above.
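The Network-tab check above can also be run over a saved capture. The script below is an added example, not keptlocal's code: it reads a HAR file exported from the Network tab and lists every request that carried a body after the moment you triggered the operation, whatever its method or destination. The sample capture, its host names and the half-file-size threshold are constructed assumptions.

```javascript
// Added example: scan a HAR export from the DevTools Network tab for
// requests that carried data off the device during a file operation.
// SAMPLE_HAR is constructed for illustration; hosts and sizes are made up.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.000Z",
    request: { method: "GET", url: "https://tool.example/app.js", bodySize: 0 } },
  { startedDateTime: "2024-01-01T10:00:05.000Z",
    request: { method: "POST", url: "https://stats.example/collect", bodySize: 212,
               postData: { mimeType: "application/json", text: "{\"event\":\"merge\"}" } } },
  { startedDateTime: "2024-01-01T10:00:06.000Z",
    request: { method: "POST", url: "https://api.tool.example/upload", bodySize: 48231,
               postData: { mimeType: "multipart/form-data; boundary=x", text: "" } } },
] } };

const FILE_TYPES = /multipart\/form-data|application\/pdf|application\/octet-stream/i;

// Body size in bytes; HAR records -1 when the size is unknown, so fall back
// to the length of the captured body text.
function bodyBytes(request) {
  if (request.bodySize > 0) return request.bodySize;
  const text = request.postData && request.postData.text;
  return text ? new TextEncoder().encode(text).length : 0;
}

// Return every request started at or after `since` that had a body, marking
// the ones whose content type or size is consistent with the file itself.
function findOutboundData(har, { since, fileBytes }) {
  const start = Date.parse(since);
  return har.log.entries
    .filter((e) => Date.parse(e.startedDateTime) >= start)
    .map((e) => {
      const bytes = bodyBytes(e.request);
      const mime = (e.request.postData && e.request.postData.mimeType) || "";
      return {
        method: e.request.method,
        host: new URL(e.request.url).host,
        bytes,
        // A file-style content type, or a body at least half the file's
        // size, is treated as a probable upload (threshold is an assumption).
        likelyUpload: FILE_TYPES.test(mime) || bytes >= fileBytes / 2,
      };
    })
    .filter((r) => r.bytes > 0);
}

const report = findOutboundData(SAMPLE_HAR, {
  since: "2024-01-01T10:00:04.000Z", fileBytes: 48000 });
console.log(report);
```

An empty result for the window covering the file operation matches the "no outbound data requests" outcome described above; small bodies that are not flagged as uploads (the analytics call in the sample) still deserve a look at what they contain.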
A practical recommendation
The simplest mental model: treat your PDFs the same way you treat your passwords. You would not type a password into a third-party website just because the site looked trustworthy. Apply the same reasoning to documents that contain personal, financial, legal, or confidential information.
For those documents, use a local tool: either a browser-based tool like the ones on keptlocal, or a desktop application that never connects to the internet for its core operation. For documents that are not sensitive — a PDF of publicly available spec sheets, a brochure, a published report — the risk of using a server-based tool is low.
The habit worth building is the habit of asking the question at all.
All keptlocal tools run entirely in your browser. Use the Network tab to verify — no upload requests, ever.