The documents people convert online are often the most sensitive files they have. Tax returns. Employment contracts. Medical reports. Legal filings. Financial statements. Users upload these files to services they found through a search result, with no knowledge of where the files are stored, how long they are kept, or who has access to them. The privacy implications of this workflow are significant and routinely underexamined.
What happens to files after conversion
Most online converters do not publicly state how long they retain uploaded files. The default assumption for most users is that files are deleted immediately after download — this is the reasonable expectation for a conversion service. The reality varies considerably by platform.
Some platforms retain files for hours or days in temporary storage to allow users to access their converted output if they close the browser. Some retain anonymized versions for quality improvement or training purposes. Some retain files indefinitely on free tiers and offer immediate deletion only as a paid feature. Without reading the privacy policy carefully, users cannot know which category a given platform falls into.
The key questions are: when is the file deleted, what triggers deletion, who can access the file during the retention window, and what happens if the platform is acquired or its data is subpoenaed. A platform that answers these questions with specific, verifiable information is meaningfully different from one that answers with general statements about taking privacy seriously.
The risks of uploading sensitive documents
File conversion services are an attractive target for data collection because the documents they process are highly valuable. A service that processes ten thousand tax returns per day has access to extraordinarily sensitive financial information. A service that processes employment contracts has access to salary data, termination terms, and non-disclosure agreements across many organizations.
The risk is not necessarily that platforms are malicious — most are not. The risk is that files stored on any server are subject to the security of that server. Data breaches, insider threats, and inadvertent disclosure through misconfigured storage are all realistic vectors. The platform with the shortest retention window has the smallest attack surface.
For documents subject to legal confidentiality obligations — attorney-client privileged documents, protected health information, or documents covered by specific NDA terms — using a third-party conversion service may breach the confidentiality obligation regardless of the platform's privacy policy. In these cases, conversion should happen on the local device or on a platform with a documented compliance posture for the relevant regulation.
Evaluating a converter's privacy model
Look for specific statements, not general ones. 'We take your privacy seriously' is not a privacy policy — it is a sentence that says nothing. A useful privacy statement says: files are deleted N minutes after download, deletion is enforced at the storage infrastructure level, we do not process file content for any purpose other than the conversion requested, and we do not sell or share file data with third parties.
Look for technical enforcement, not policy statements. A platform that says files are automatically deleted by storage infrastructure — meaning the storage service itself enforces an expiry — is meaningfully more trustworthy on this point than a platform that says files are deleted by a scheduled cleanup job. Cleanup jobs can fail. Infrastructure-level TTLs do not.
Check whether the service stores file metadata separate from file content. Even if the file content is deleted promptly, a platform may retain metadata about what was converted, when, and from what IP address. For users with confidentiality obligations, file-level metadata can be nearly as sensitive as file content.
How Filum handles file privacy
Filum's answer to the retention question is structural rather than procedural: every tool runs entirely in your browser, so no file is ever uploaded in the first place. There is nothing to retain, nothing to delete on a schedule, and nothing for a breach or a subpoena to reach. The strongest possible answer to 'when is my file deleted from your server' is 'it never arrives'.
Because conversions happen on your device, Filum's servers see nothing about them — no file name, no content, no page count, not even a record that a conversion happened. The only data the site handles is described in its privacy policy: consent-gated anonymous analytics and error reports, neither of which can contain your document.
The free tier operates without an account. Files converted without an account are not associated with any identity. There is no email address to associate with the conversion record, and the guest session token used to track conversion limits is stored only in the user's browser and expires within 24 hours.
Browser-based conversion as the strongest privacy guarantee
Browser-based conversion is the strongest privacy guarantee available short of fully offline tools. When conversion runs entirely in JavaScript inside the user's browser tab, the file never leaves the user's device. No upload happens. No network request is made during the conversion itself.
The technical guarantee is verifiable: open the browser's network developer tools while running the conversion. If the only network activity is the initial page load and the conversion produces output without any request that includes the file content, the conversion is genuinely client-side. This is a property that can be checked in real time, not just claimed in a privacy policy.
The limitation of browser-based conversion is capability. Complex format conversions — PDF to Word, PDF to Excel, document layout reconstruction — require document-rendering engines that are too large to run efficiently in a browser tab. The conversions that can run in-browser are simpler operations: PDF merge, PDF split, text extraction, image format conversion, basic compression.
Filum runs every tool it offers — split, merge, rotate, organize, images to PDF, page numbers, and watermark — entirely in the browser. There is no server-side conversion path. Each tool ships with an automated browser test that captures network traffic during a real run and fails if any request carries file data, so the zero-upload claim is enforced by a test suite, not just stated in a policy.
The verification habit is worth building once. The first time you use any new converter, open the network inspector before clicking convert. If you see no requests carrying file content in the request body — only the page resources that loaded earlier — the platform is being honest about its client-side claims. If you see a large upload immediately after clicking convert, the file is being uploaded regardless of any 'private' or 'secure' language on the page. This takes one minute and turns a marketing claim into a verifiable fact.
When local conversion is the right answer
For documents with the highest confidentiality requirements — documents under attorney-client privilege, documents containing protected health information, or documents covered by government security classifications — local conversion is the right choice regardless of any platform's privacy model. LibreOffice is free, open-source, and available on Windows, Mac, and Linux. It converts most common format pairs, runs offline, and retains no files.
The trade-off is that local tools generally produce lower-quality conversion output than well-configured server-side tools, and they require installing software. For a single high-stakes conversion of an extremely sensitive document, the trade-off is worth making. For routine professional document conversion, a platform with a transparent and technically enforced privacy model is a practical and justifiable choice.