Stop Uploading PDFs to Online Tools — Here's What to Do Instead
Most popular online PDF tools quietly store your files on their servers. Here's how to spot them and what a real client-side tool looks like in your browser's network tab.
I wrote a small audit script last weekend that opens each of the top ten PDF tools that come up when you search 'merge pdf' and watches what they do with the file you drop in. Eight of the ten upload it. Two of those eight don't even mention upload in their landing copy — they just say 'fast and secure', and most users never check.
The word 'secure' is doing a lot of unearned work here. Secure transport (HTTPS) is not the same as secure processing. Once your file is on their server, it sits in a temporary directory that you have no visibility into. The provider's privacy policy might say 'deleted after one hour'. You can't verify that. You can't verify their backups don't keep a copy for 30 days. You can't verify a misconfigured S3 bucket isn't quietly indexing your contract.
The fix is to look for tools that do their work in your browser using WebAssembly and the File API. These tools don't have a server doing PDF work — there is no server doing PDF work. Your file is read into memory by JavaScript, manipulated, and handed back to you as a download. That's the whole loop.
How do you tell which is which? Open DevTools, go to the Network tab, and drop a small PDF into the tool. If you see a POST request with your file as the body, it's a server tool. If the only network traffic is the initial page assets and maybe a WASM blob loading once, it's client-side. This takes about ten seconds and is the most useful single check you can do for any online tool.
The ones I trust on my own machine right now: pdf-lib (used under the hood by most browser PDF tools, including ours), pdf.js for rendering, and ONNX Runtime Web when something needs an ML model. These are mature, audited libraries. They don't phone home.
If a tool you rely on turns out to be a server tool, you have two reasonable options. Use a desktop tool (Preview on macOS, qpdf on Linux, the free version of PDF24 on Windows). Or use a client-side web tool. There is rarely a good reason to pick the upload path for a file you'd hesitate to email a stranger.