Imagine you’re in an unfamiliar town and you need to make a copy of some important documents — a lease, a payslip, a medical summary. You find a copy shop down a side street. You hand your folder to the person at the counter. They take it to the back room. You wait. Five minutes later they return with your copies. You take them, pay, and leave.
You left your folder with a stranger in a back room. You have no idea what they did with it while you waited. You don’t know if they glanced at the contents, photographed anything, wrote down a number. You don’t know how many other people were in that back room. You’ll never find out. You just needed the copies, so you handed over the folder, and that was that.
This is what upload means.
The comparison isn’t paranoid — it’s structural. When you upload a file to a free online tool, the file travels to servers operated by a company whose name you may not have registered, whose privacy policy you almost certainly haven’t read, whose staff have access to whatever lands in the processing queue. This isn’t a dark web operation. These are ordinary companies, doing ordinary things. But “ordinary” includes the fact that servers create logs, logs contain metadata, storage systems run backups, and data that was supposed to be deleted has a way of persisting in unexpected places.
Think about the specific files people upload to free PDF tools. Not hypothetically — concretely. A solicitor uploads a draft contract. A nurse uploads a patient discharge summary to compress it before attaching it to an email. A job applicant uploads a CV and a covering letter and a copy of their degree certificate, combined into a single PDF, to send to an employer. A small business owner uploads six months of invoices merged into one file for an accountant. None of these people think of themselves as sharing sensitive information. They just need the file smaller.
The terms of service for most free tools are written to be defensible, not readable. They contain clauses that mean something specific in a legal context and something vague in a practical one. “We may use your data to improve our services” can mean almost anything. “Files are deleted within 24 hours” doesn’t account for backups, logs, or the gap between policy and implementation. “We do not sell your personal information” says nothing about document metadata, about what can be inferred from a file’s contents, or about what happens if the company is acquired.
None of this requires malice. The problem isn’t that these companies are bad actors — most of them are just trying to build sustainable products. The problem is that the data exists on their infrastructure, under their control, for a period of time, and you have no way of knowing what actually happens to it. Trust is the only mechanism available to you, and trust in a company’s terms of service is a thin instrument.
The alternative is a tool that never receives the file in the first place.
If the processing happens locally — in your browser, on your device — then the question of who has your file has a simple answer: you do. Nobody in a back room. No company you’ve never heard of. No server you can’t audit. The file exists where it already was, and the tool works on it there, and when it’s done the result stays on your machine. There’s no chain of custody to trace because there’s no transfer.
This is not a novel insight. It’s the obvious design, when you think about it from first principles. It just isn’t the default, because defaults aren’t built from first principles — they’re built from what was technically possible when the pattern was first established, and then they persist.
fwip has no idea what’s in your files. By design. Try it →