Original Research
State of Online File Privacy 2026
Published July 15, 2026 · 8 min read · By the LoveMyFile team
We audited 12 of the most popular online PDF and image tools to answer one question: do they upload your files to a server, or do they process them locally in your browser?The answer matters because PDFs and photos carry some of our most sensitive information — contracts, tax returns, medical records, ID scans — and an upload-based tool sends that data to a server you do not control.
The findings are stark: 8 of the 10 upload-based tools we tested send your file to a remote server for processing, and none offer a verifiable deletion guarantee. Only 2 of the 12 tools audited (Squoosh and LoveMyFile) process files entirely in the browser with zero upload. This report documents the methodology, the full findings, and what you can do about it.
Key findings at a glance
8 of 10
upload-based tools
process your files on a remote server you do not control.
0
upload-based tools
offer a verifiable, cryptographic guarantee that your file was deleted. All rely on policy promises.
5 hours
to "deleted after processing"
Retention windows range from 2 hours (Sejda) to indefinite (Adobe Document Cloud). Several tools do not specify a window at all.
2 tools
out of 12
audited (Squoosh and LoveMyFile) process files entirely in the browser with zero upload.
Why this matters
When you upload a PDF to an online tool, the file exists on a server you do not control. The server may be in a data center in a different country, operated under different privacy laws. The tool's privacy policy may promise deletion after a few hours, but you cannot verify it — you are trusting the company's word. And if the server is breached during that window, your document is exposed.
For most people this is an abstract risk. But for anyone handling sensitive documents— lawyers, doctors, accountants, HR teams, journalists, or anyone with a tax return or medical record — the risk is concrete. GDPR, HIPAA, and attorney-client privilege all impose obligations on how sensitive documents are handled, and uploading to an uncertified third-party server may violate them.
The alternative — client-side processing— removes the trust requirement entirely. The file is read into the browser, processed with JavaScript, and written back to your device. No server ever sees it. You can verify this yourself in 30 seconds with the browser's Developer Tools.
Methodology
Each tool was tested in June 2026 using the following procedure:
- 1Each tool was tested in a Chromium-based browser with Developer Tools open to the Network tab.
- 2A representative file (a 2-page PDF containing text and one embedded image) was processed through each tool's primary function (merge, compress, or convert).
- 3Network traffic was inspected for any request carrying file data (multipart/form-data POST requests with payload sizes matching the test file).
- 4If file-data upload was observed, the tool was classified as "upload-based." If no file-data upload occurred and processing completed locally, the tool was classified as "client-side."
- 5Retention claims, account requirements, daily limits, and watermark policies were recorded from each tool's published privacy policy and help documentation as of June 2026.
- 6Open-source status was verified by checking for a public source repository under the tool's name or parent company.
Note: This audit reflects the behavior of each tool's web version as of June 2026. Tools may change their architecture over time. We recommend re-verifying with Developer Tools before trusting any tool with sensitive files.
Full audit results
The table below summarizes the privacy-relevant characteristics of each audited tool. Tools are listed in order of popularity (by estimated monthly visits).
| Tool | Uploads files? | Retention claim | Free daily limit | Works offline |
|---|---|---|---|---|
| iLovePDF | Yes | Files deleted from servers "within 24 hours" | Unlimited with account; limited without | No |
| Smallpdf | Yes | Files deleted "after processing" (duration undefined) | 2 tasks/day | No |
| PDF24OSS | Yes | Files deleted "after processing" (duration undefined) | Unlimited | No |
| Sejda | Yes | Files deleted after 2 hours | 3 tasks/day, max 200 pages or 50 MB | No |
| PDF Candy | Yes | Files deleted "after 5 hours" | Unlimited (with size restrictions) | No |
| Foxit Online | Yes | Not clearly stated | Limited | No |
| Adobe Acrobat Online | Yes | Files stored in Adobe Document Cloud (user-managed deletion) | Limited features | No |
| Hipdf | Yes | Files deleted "after processing" (duration undefined) | Limited | No |
| ILoveIMG | Yes | Files deleted "within 24 hours" | Unlimited with account | No |
| SquooshOSS | No | N/A — files never leave the browser | Unlimited | Yes (after first load) |
| LoveMyFile | No | N/A — files never leave the browser | Unlimited | Yes (after page load) |
| Browser built-in (Print to PDF)OSS | No | N/A | Unlimited | Yes |
Detailed notes by tool
iLovePDF
Upload-based- Account:
- Optional (free tier without account)
- Watermark:
- No
Most popular online PDF tool. Files are uploaded to European servers for processing.
Smallpdf
Upload-based- Account:
- Required after 2 free tasks per day
- Watermark:
- No
Freemium model with strict daily limits. All processing happens server-side.
PDF24
Upload-based- Account:
- No
- Watermark:
- No
Desktop version available (Windows) that is truly local. Web version uploads files.
Sejda
Upload-based- Account:
- No (with limits)
- Watermark:
- No
Clear 2-hour retention window. Strict free-tier size limits.
PDF Candy
Upload-based- Account:
- No (with limits)
- Watermark:
- No
Icecream Apps product. 5-hour retention window is stated clearly.
Foxit Online
Upload-based- Account:
- Yes
- Watermark:
- No
Enterprise-focused. Retention policy is ambiguous in public documentation.
Adobe Acrobat Online
Upload-based- Account:
- Yes (Adobe ID)
- Watermark:
- No
Files persist in Adobe Document Cloud until the user manually deletes them.
Hipdf
Upload-based- Account:
- Required for batch / large files
- Watermark:
- No
Wondershare product. Web-based processing with server-side file handling.
ILoveIMG
Upload-based- Account:
- Optional
- Watermark:
- No
Sister product to iLovePDF. Same upload-based architecture for image tools.
Squoosh
Client-side- Account:
- No
- Watermark:
- No
Google-funded image compressor. Fully client-side. Limited to image compression only.
LoveMyFile
Client-side- Account:
- No
- Watermark:
- No
31 PDF and image tools, all client-side. AI models run locally via TensorFlow.js.
Browser built-in (Print to PDF)
Client-side- Account:
- No
- Watermark:
- No
Every modern browser can save a page as PDF. Extremely limited — no merge/split/compress.
The retention problem
Every upload-based tool in this audit claims to delete files after processing. But the details reveal a wide range of practices:
- Sejda specifies a clear 2-hour window — the shortest in the audit.
- PDF Candy states 5 hours.
- iLovePDF and ILoveIMG say “within 24 hours.”
- Smallpdf, Hipdf, and PDF24 say “after processing” without specifying a duration.
- Adobe Acrobat Online stores files in Document Cloud until the user manually deletes them — potentially indefinitely.
- Foxit Online does not clearly state a retention policy in its public documentation.
Crucially, none of these promises are verifiable. You cannot confirm that a file was deleted from a server, from backups, or from CDN caches. A client-side tool sidesteps the entire problem — the file was never on a server to begin with.
How to verify any tool yourself
You do not need to trust this report. You can verify any tool's upload behavior in about 30 seconds using the browser's built-in Developer Tools:
- 1Open the tool in your browser and press F12 to open Developer Tools.
- 2Switch to the Network tab.
- 3Upload or select your file in the tool and start processing.
- 4Watch the Network tab. If you see large upload requests (megabytes going to a server), the tool is upload-based. If the only traffic is the initial page load, the tool is client-side.
For a deeper walkthrough, see our guide to private PDF tools and how to verify them.
Limitations of this study
This audit has several limitations that readers should keep in mind:
- The audit tested only the web version of each tool. Some tools (PDF24, Adobe) offer desktop applications that process files locally.
- Tool architectures may change over time. A tool that is upload-based today could add a client-side mode, or vice versa.
- The audit covers 12 tools and is not exhaustive. Many smaller tools exist that were not tested.
- Retention claims are based on published policies as of June 2026. Policies may have changed since publication.
- LoveMyFile (the publisher of this report) is itself a client-side tool. This is a conflict of interest we disclose openly: we benefit when users choose client-side tools. The methodology and findings are reproducible by anyone with a browser.
Cite this research
If you would like to reference this audit in your own work, please cite it as:
LoveMyFile Team. (2026, July 15). State of Online File Privacy 2026.https://lovemyfile.com/research/state-of-online-file-privacy-2026/
What you can do now
Read: Private PDF Tools
A full guide to client-side PDF processing, including how to verify any tool's upload behavior.
Try: Compress PDF (no upload)
See client-side processing in action. Open Developer Tools and confirm your file never leaves your device.
Have feedback or a correction? This research is maintained by the LoveMyFile team. Last updated: July 15, 2026.