What Actually Happens To Your Files When You Use A Free Online Converter?
You need to compress a PDF or convert an image, so you find a free tool online, upload the file, and get your result. Simple. But most people never think about what happened to the file between those two steps. Where did it go? How long is it stored? Who has access to it? What does the tool's privacy policy actually say? This post is not meant to alarm you — it is meant to help you make informed decisions about which tools you trust with different kinds of files.
Where your file actually goes when you upload it
When you upload a file to an online tool, it leaves your device and travels to a server — a computer owned or rented by the company running the tool. The server processes the file, produces your output, and serves the result back to you. At every step of that journey, your file exists somewhere other than on your device, and what happens to it after you download your result depends entirely on what the tool's operators have decided to do with it.
Most browser-based tools today process files server-side, meaning your entire original file is transmitted to and stored on a remote server during processing. Some newer tools use client-side processing — they run the conversion logic in your browser using JavaScript or WebAssembly, which means your file never leaves your device. Client-side processing is significantly better for privacy because the operator never has access to your file content at all.
The distinction matters most for sensitive files. A personal photo you want to resize is probably low-risk regardless of where it is processed. A contract containing business terms and the names of both parties is a different kind of file. Payslips, medical records, legal documents, and anything with personal identifying information all carry higher stakes. The right tool for a sensitive file is one where you understand what happens to it after processing.
Most people upload files without thinking about this at all — and most of the time, for most files, that is probably fine. But building the habit of thinking about file sensitivity before uploading takes about three seconds and can prevent genuinely bad outcomes in the cases where it matters.
What the privacy policy usually actually says
Most free online tool providers have privacy policies that cover uploaded content somewhere in their terms. The language varies significantly. The most reassuring version says something like: files are deleted immediately after processing, or within a fixed window like 24 or 72 hours. The less reassuring version says files may be retained for product improvement, debugging, or quality assurance — without specifying how long or under what conditions access is granted.
A common clause that is easy to miss is one that grants the provider a license to use uploaded content for service improvement, training machine learning models, or analytics. This clause is often buried in the general terms of service rather than the privacy policy specifically, and it is usually written in language that sounds narrow but is legally quite broad. 'Aggregated and anonymized' data from your uploaded files can still contain information you would not want shared if the anonymization is imperfect.
Some tools are explicit and honest about their data practices, which is what you want. Short, plain-language privacy policies that explain file retention windows and data access in concrete terms are a positive signal. Long, vague policies filled with 'may' and 'in our discretion' are a warning sign. The quality of a privacy policy is itself a signal about how much the team behind the tool has thought about your interests as a user.
Worth noting: 'we do not sell your data' and 'we do not share your data' are different statements. A company can truthfully say they do not sell data while still sharing it with advertising partners, analytics providers, or cloud infrastructure vendors who process your files as part of the service. Read privacy policies looking for what is included, not just what is excluded.
The specific risks worth knowing about
The most straightforward risk is data breach. If a tool stores your uploaded files and their servers are compromised, your files are part of whatever gets exposed. This is not a theoretical risk — file conversion services have been involved in data breaches before, and the attack surface of 'stores large amounts of uploaded user files' is genuinely attractive to bad actors. The less a tool retains, the smaller your exposure if something goes wrong.
A subtler risk is employee access. Most small tool providers do not have the kind of access controls that enterprise software companies maintain. In practice, uploaded files may be accessible to developers debugging a processing issue, customer support staff investigating a complaint, or anyone with access to the storage infrastructure. This is not inherently malicious — it is just the reality of how small operations work. It is worth knowing before you upload a document that contains personal or confidential information.
A third risk, specific to tools that monetize through advertising, is that your behavior on the platform — what files you upload, how often, what output formats you choose — may be tracked and used to build advertising profiles. The file content may be protected, but the metadata about how you use the service is often considered fair game under most privacy policies. Again, this is probably not worth worrying about for a casual image resize. For a pattern of uploads that reveals something about your work or personal life, it is worth being aware of.
Finally, there is the risk of what I would call accidental over-retention. Many services have data deletion policies on paper that are not always implemented consistently in practice. Backups, logs, and cached versions of files can persist beyond official retention windows if the deletion process is not rigorously automated. This is rarely intentional but it is common. If you are uploading truly sensitive material, the safest approach is always a tool where client-side processing means the file never leaves your device.
How to evaluate any tool before you upload
Before uploading a file to any online tool, spend thirty seconds on three questions. First: is this a sensitive file? A personal photo is different from a contract, a payslip, or a medical document. If the file contains names, financial information, health information, or anything you would be uncomfortable having exposed publicly, it deserves more scrutiny than a generic image.
Second: does this tool process files in the browser or on a server? You can often tell from the network activity — if the file processes instantly without any visible upload progress, it is likely client-side. If there is a clear upload step, it is server-side. Some tools are explicit about this in their documentation or FAQ. Client-side processing is always the safer choice for sensitive files.
Third: what does the privacy policy say about file retention? Look specifically for how long files are stored and whether they can be used for anything beyond producing your output. A policy that says files are deleted immediately after download is the gold standard. A policy that says files are retained for 'a reasonable period' without defining that period is a warning sign.
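For the second question above, the network activity can be checked directly instead of judged by eye: browser developer tools can export a session as a HAR file (JSON), and the request bodies in it show whether anything the size of your file left the device. The script below is an added example, not code from this site; it goes a step beyond the visual check by summing request bodies per host so chunked uploads are caught, and the two HAR captures, the hostnames and the 0.5 size ratio are constructed assumptions.

```javascript
// Added example: constructed HAR data; hostnames are placeholders, not real services.
const BODY_METHODS = new Set(["POST", "PUT", "PATCH"]);

// Sum request-body bytes per destination host, so chunked uploads add up.
function uploadBytesByHost(har) {
  const totals = new Map();
  for (const { request: req } of har.log.entries) {
    if (!BODY_METHODS.has(req.method)) continue;
    // HAR records bodySize as -1 when unknown; fall back to the captured body text.
    const text = req.postData && req.postData.text;
    const size = req.bodySize > 0 ? req.bodySize : text ? Buffer.byteLength(text) : 0;
    const host = new URL(req.url).host;
    totals.set(host, (totals.get(host) || 0) + size);
  }
  return totals;
}

// A host that received at least `ratio` of the file's size likely received the file.
// A ratio below 1 allows for a tool that compresses the file before sending it.
function classify(har, fileSizeBytes, ratio = 0.5) {
  const suspects = [];
  for (const [host, bytes] of uploadBytesByHost(har)) {
    if (bytes >= fileSizeBytes * ratio) suspects.push({ host, bytes });
  }
  return { verdict: suspects.length ? "server-side" : "no file-sized upload seen", suspects };
}

// Helper that builds one minimal HAR entry for the constructed captures below.
const entry = (method, url, bodySize, text) => ({
  request: { method, url, bodySize, ...(text ? { postData: { mimeType: "application/json", text } } : {}) },
});

// Constructed capture 1: the tool fetches WebAssembly and sends only a small analytics ping.
const clientSideHar = { log: { entries: [
  entry("GET", "https://converter.example/", 0),
  entry("GET", "https://converter.example/codec.wasm", 0),
  entry("POST", "https://stats.example/collect", -1, '{"event":"convert"}'),
] } };

// Constructed capture 2: a 1,200,000-byte file sent to the server in two chunks.
const serverSideHar = { log: { entries: [
  entry("GET", "https://converter.example/", 0),
  entry("PUT", "https://upload.converter.example/chunk/1", 600000),
  entry("PUT", "https://upload.converter.example/chunk/2", 600000),
] } };

console.log(classify(clientSideHar, 1200000));
console.log(classify(serverSideHar, 1200000));
```

To produce a real capture, record the Network tab in the browser's developer tools while using the converter and export it as HAR. A result of "no file-sized upload seen" only covers the requests present in that capture.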
For Codes of Hex specifically: most tools use server-side processing because operations like PDF compression and image conversion require server resources. Files are processed to produce your output and are not retained long-term. No accounts are required, which means no persistent user profile is being built. The privacy policy is written to be readable, not to obscure. If you have specific questions about how a particular tool handles your data, the contact page goes directly to me and I will answer them.