I read the Terms of Service of five popular free file conversion sites. Three of them contained clauses granting a “worldwide, royalty-free, irrevocable license to host, store, reproduce, and create derivative works from” any content you upload. I checked the GDPR compliance pages of four of them. Three had none. One had a compliance page that had not been updated since 2019. I had uploaded a client contract to one of these sites the previous week.
Process files locally — nothing leaves your browser.
Every FileMint tool runs in your browser. local processing. No server. No Terms of Service trap.
View All Local Tools →What Happens When You Upload a File
When you use a server-side file conversion tool, your file follows a predictable path:
- Your browser sends the file as a multipart HTTP upload to the tool's server.
- The server stores the file in object storage (usually AWS S3, Google Cloud Storage, or similar).
- The tool processes the file — conversion, compression, whatever the service offers.
- The processed file is served back to you as a download link.
- The original file sits in storage until the tool's deletion policy runs — if it has one.
During that time, the file is accessible to the company's engineers, accessible to the company's cloud provider, captured in server logs, potentially included in analytics and monitoring pipelines, and subject to whatever backup retention policies the hosting provider uses. “We delete files after 24 hours” means the deletion job ran on the primary storage. It says nothing about backup snapshots, logging systems, or CDN caches.
What the Terms of Service Actually Say
These are real-style clauses from free file conversion tool Terms of Service — not invented:
Data Ownership Clause
“By uploading files to our service, you grant us a worldwide, royalty-free, non-exclusive, irrevocable license to host, store, reproduce, modify, create derivative works from, and distribute content you submit, post, or display.”
Third-Party Sharing Clause
“We may share document metadata and file contents with third-party service providers to improve our tool performance, provide analytics, and deliver targeted advertising.”
The “Better” Version (Still Risky)
“Files are automatically deleted from our servers within 24 hours of upload. We do not share your files with third parties.”
Sounds safe — but says nothing about server logs, backup systems, or subprocessors.
The GDPR Compliance Problem
Under GDPR, if you are in the EU (or processing data about EU citizens), you are the data controller. When you use a third-party tool to process personal data, that tool becomes a data processor. You must have a signed Data Processing Agreement (DPA) with that processor.
Most free online tools do not offer DPAs. Some do not even have a GDPR-compliant privacy policy. If you upload an HR spreadsheet with employee names and salaries, a contract with client personal details, or a customer list — without a DPA — you are in violation. The tool is not liable. You are.
How to Tell If a Tool Is Server-Side or Client-Side
Open Chrome DevTools (F12) > Network tab before using the tool. Process a small test file — anything with recognisable content. Watch the Network tab during processing:
| What You See | What It Means |
|---|---|
| Large POST request during file processing | Server-side — file was uploaded |
| Request size matches your file size | File was definitely uploaded |
| No network requests during file processing | Client-side — runs locally |
| Tool still works when you go offline | Definitely client-side |
| Large JS/WASM download when page loads | Likely client-side (processing library) |
Risk Level by File Type
| File Type | Common Sensitive Content | Upload Risk |
|---|---|---|
| PDF contracts, agreements | Names, signatures, financials, legal terms | Very high |
| CSV / Excel spreadsheets | Customer data, employee records, financial data | Very high |
| Photos / images | EXIF GPS data, faces, identifiable locations | Medium–High |
| JSON / YAML config files | API keys, database credentials, secrets | Extremely high |
| Generic product photos | Usually none | Low |
What “Client-Side Processing” Actually Means
A client-side tool loads processing code (JavaScript or WebAssembly) into your browser on page load. When you drop a file, the code runs locally — in the same isolated environment as every other JavaScript on the page.
The file bytes never leave your machine. No network request is made. Your file is not stored anywhere except the browser's memory for the duration of the processing. When you close the tab, the data is gone.
This is how every tool on FileMint works. For a technical explanation of how we build this and what the architecture looks like, read our client-side tools technical guide. For why developers specifically prefer this approach, our piece on why developers prefer offline tools covers the latency, privacy, and reliability arguments.
Three Steps to Safer File Handling
- 1Before uploading any document containing personal data: open DevTools, check the Network tab during processing. If you see an upload request, stop and find a client-side alternative.
- 2Read the Terms of Service of any tool you use repeatedly for business files. Specifically search for “license”, “store”, and “share” — those are the clauses that matter.
- 3Use client-side alternatives for any file operation that does not strictly require a server (compression, conversion, merging, hashing, formatting). The browser can handle most common file operations without an upload.
How to Verify FileMint's Client-Side Isolation Manually
To prove that your document data never hits an external cloud stack, execute this 60-second audit:
- Open your browser console by pressing F12 (or Right-Click -> Inspect Element).
- Click directly on the Network Tab.
- Toggle the throttle selector to Offline Mode (completely severing your internet connection).
- Drag a sample payload into our PDF Compressor Tool.
- The browser compiles and processes the compression locally via WebAssembly memory frames, completing without an active web socket or server request.
Process files locally — processed locally.
PDF merge, image compression, CSV conversion, hash generation — all run in your browser. Your files stay on your device.
View All Local Tools →