The “free” online tools that are silently uploading your files

We tested 20 of the most popular "free online file tools" — the ones that come up first when you search for things like "compress PDF free" or "convert MP4 online." The results were uncomfortable.

17 out of 20 uploaded files to a remote server. Of those, 9 offered no clear information about how long files were retained. 4 had privacy policies that explicitly allowed using uploaded content for "service improvement."

How we tested them

The method was simple: open DevTools, go to the Network tab, upload a test file, and watch what gets sent where. For each tool we recorded:

Does any file data leave the browser?
What server/domain receives it?
Is the server in the same jurisdiction as the company?
What does the privacy policy say about file retention?

What we found

The pattern was consistent across nearly all of them. Here's what the typical upload looks like in DevTools:

Network Request (what other tools do)

POST https://api.somefreetool.com/upload
Content-Type: multipart/form-data

# Your entire file being sent to their server
------WebKitFormBoundaryXYZ
Content-Disposition: form-data; name="file"; filename="my-contract.pdf"
Content-Type: application/pdf

# [Your file data here, now on their server]

One popular PDF tool — which we won't name — uploaded files to an S3 bucket in a region with no GDPR protections and retained them for 24 hours. Their homepage said "your files are deleted immediately after conversion."

The privacy policy fine print

Several sites had language in their privacy policies that was alarming once you actually read it:

"We may use anonymised content to improve our services"
"Files are stored on secure servers and deleted after 2 hours" — but what happens in those 2 hours?
"By uploading, you grant us a non-exclusive licence to use your content" — for a file tool?

None of these statements are necessarily malicious — but they illustrate that "free" tools often have data economics baked in.

Three tools that didn't upload

In fairness, 3 of the 20 tools we tested processed files locally. All three were open-source projects. The commercial tools in our sample all used server-side processing.

Browser-based processing is harder to build and doesn't give the operator visibility into what users are processing — which removes a potential data asset. It's not commercially incentivised, which is why few companies do it.

How to check any tool yourself

Open DevTools Network tab

F12 → Network → clear existing entries → enable recording.

Upload a dummy file

Use a non-sensitive test file — a blank document or a public image.

Look for POST or PUT requests

Filter by XHR/Fetch. Any POST with a multipart body containing your file is an upload.

Check the request payload

Click the request → Payload tab. If you see your file data, the tool just uploaded it.

Use tools that work locally

EazyStudio's 50+ tools process everything in your browser. Open DevTools and verify it yourself.

Browse local tools