Security & Data Handling
A technical explanation of how each tool category processes your data, which browser APIs are used, and what leaves your device.
Summary for security-conscious users
No tool on this site uploads your files to a server. All conversion operations run in your browser tab using standard browser APIs. When you close the tab, the file data is cleared from memory. The only network requests this site makes are: loading the page itself, loading open-source JavaScript libraries from CDN, and Google Analytics page view events (no file data included).
The one exception is the Audio to Transcript tool in Chrome, which uses the browser's Web Speech API — this streams audio to Google's speech recognition service during transcription. See below for details.
Processing by tool category
PDF tools
| Operation | Library / API | Data transmitted |
|---|---|---|
| PDF reading & page extraction | PDF.js (Mozilla, open source) | ✓ None |
| PDF creation from images/HTML | jsPDF (open source) | ✓ None |
| PDF merging & splitting | PDF.js + custom JS | ✓ None |
| PDF compression | PDF.js + re-rendering | ✓ None |
| PDF to image | PDF.js + Canvas API | ✓ None |
PDF.js is loaded from cdnjs.cloudflare.com. The CDN receives a library load request — not your PDF content.
Image tools
| Operation | API | Data transmitted |
|---|---|---|
| Format conversion (JPG, PNG, WebP, HEIC) | Canvas API + browser codec | ✓ None |
| Image resize | Canvas API | ✓ None |
| Image compression | Canvas API (quality parameter) | ✓ None |
| GIF creation | gif.js library | ✓ None |
Images are drawn to an off-screen Canvas element and exported as a Blob — a browser memory buffer. The Blob is offered as a download via a temporary object URL that never reaches a server.
Video & audio tools
| Operation | API / Library | Data transmitted |
|---|---|---|
| Video conversion (MOV to MP4, compression) | FFmpeg.wasm (WebAssembly) | ✓ None |
| Video to GIF | Canvas API frame extraction | ✓ None |
| Audio conversion (WAV, M4A, OGG → MP3) | Web Audio API | ✓ None |
| Audio trimming | Web Audio API | ✓ None |
| Voice recording | MediaRecorder API | ✓ None |
| Audio transcription (Chrome) | Web Speech API → Google | ⚠ Audio stream during transcription |
FFmpeg.wasm note: FFmpeg is compiled to WebAssembly and runs entirely in the browser. The WASM binary (~25 MB) is loaded from a CDN — the CDN receives a library request, not your video file.
Web Speech API note: Chrome's speech recognition sends the active audio stream to Google's servers for processing. This is the browser's own API behaviour, not something we control. Firefox uses an on-device model. For sensitive audio, use Firefox or a locally-installed transcription tool.
Developer tools
| Tool | Processing | Data transmitted |
|---|---|---|
| JSON Formatter / Validator | JSON.parse() — native JS | ✓ None |
| XML to JSON / JSON to XML | DOMParser API — native | ✓ None |
| JWT Decoder | atob() Base64 decode — native | ✓ None |
| Hash Generator (SHA-256/512) | Web Crypto API — native | ✓ None |
| Password Generator | crypto.getRandomValues() — native | ✓ None |
| Base64 Encoder/Decoder | btoa() / atob() — native | ✓ None |
| Regex Tester | RegExp — native JS | ✓ None |
| SQL Formatter | Custom JS parser | ✓ None |
| CSV ↔ JSON conversion | Native JS parsing | ✓ None |
| URL Encoder/Decoder | encodeURIComponent() — native | ✓ None |
Developer tools are particularly sensitive: JWT tokens are authentication credentials, JSON may contain API keys or PII, CSV files may contain customer records. All developer tools use native browser APIs with zero network transmission — this is not a policy, it is the technical implementation.
Currency conversion
The currency converter fetches exchange rates from a public rates API. The rate request contains no user data — only a request for the current rate table. Your specific conversion amount is calculated locally in JavaScript after the rates are fetched.
Network requests made by this site
| Request | Destination | Contains user data? |
|---|---|---|
| Page load | Bluehost hosting server | ✓ No |
| Google Analytics | google-analytics.com | Page URL, browser metadata only |
| PDF.js library | cdnjs.cloudflare.com | ✓ No — library load only |
| FFmpeg.wasm | CDN | ✓ No — library load only |
| Currency rates API | Exchange rates API | ✓ No — rate request only |
| Web Speech API (Chrome, transcription only) | Google speech servers | ⚠ Audio stream during active transcription |
Responsible disclosure
If you discover a security vulnerability in this site — a way to access data you shouldn't, inject content, or otherwise compromise the site or its users — please report it via our contact form with "Security" as the subject. We take security reports seriously and respond within 2 business days.
Because all processing is browser-local, the attack surface is limited primarily to XSS, content injection, and supply chain issues in the JavaScript libraries we use. We review library versions regularly and update to patched versions promptly.
HTTPS
This site is served exclusively over HTTPS with a valid TLS certificate. All HTTP requests are redirected to HTTPS. This ensures that the JavaScript libraries loaded by this site cannot be tampered with in transit by a network-level attacker.