iSavePDF

Security & Privacy

Files never leave your browser. Here’s the proof.

Most online PDF tools upload your file to a server, process it there, and ask you to trust that the copy is gone afterward. iSavePDF doesn't have that trust problem because it doesn't have that upload step.

100% client-side processing

Every PDF tool on this site runs entirely in your browser. The libraries doing the work — pdf-lib, PDF.js, jsPDF — execute as JavaScript on your device. Files never reach our servers.

We don't have a file server

There is no API endpoint, no S3 bucket, no Lambda, no “temporary processing queue.” Our backend doesn't have a file-handling code path because the architecture removes the option entirely.

We never see your file names

We don't log them. We don't analyse them. The names you see in the file picker are only ever in your browser's memory — they never get sent anywhere we control.

How a tool actually runs

When you click Merge PDF and pick two files, here’s every step that happens, in order:

  • The browser hands the files to JavaScript running on the page — specifically, to the conversion function in lib/pdf/merge.ts.
  • That function dynamically imports pdf-libthe first time it’s needed. The library is downloaded as a regular static asset from our CDN, the same way the rest of the page is.
  • pdf-libreads each file from your browser’s memory, combines them into a new PDF document, and writes that document back to a memory buffer.
  • We wrap that buffer in a Blob and call file-saver, which triggers a normal browser download. The file lands in your downloads folder.
  • When you close the tab, every byte of every file you picked is garbage-collected. Nothing is persisted. Nothing was uploaded.

That’s the entire data flow for every tool on this site. The other eleven tools follow exactly the same pattern, with different libraries for different jobs (PDF.js for rendering, jsPDF for some generation cases). None of them include a network call that touches your file.

How to verify this yourself

You don’t have to take our word for it. Open your browser’s developer tools (F12 on most browsers, or right-click → Inspect), switch to the Network tab, and use any tool on this site.

You’ll see the page assets load — the HTML, the CSS, the JavaScript bundles, the AdSense scripts, the Google Fonts. You won’t see any outbound request that contains your PDF, because there isn’t one. If you ever do, that’s a serious bug we want to know about — see the responsible disclosure section below.

What we do collect

We’d be misleading you if we said we collected nothing. Here’s the real picture:

  • Anonymous analytics.We use Google Analytics 4 with IP anonymisation enabled and Vercel Analytics for performance. These tell us things like “people visited the merge page” — never which file they merged or what was in it.
  • Ad cookies (with consent). Google AdSense places cookies for ad personalisation. We show a consent banner the first time you visit. If you decline or live in a region where consent is required, the ads are still shown but in non-personalised form.
  • Standard server logs. Like every website, our host (Vercel) logs basic request data — IP, user-agent, URL, timestamp — for security and debugging. These rotate out within 30 days.
  • Errors via Sentry. If a tool crashes, we get a stack trace and the rough shape of what went wrong. We explicitly do not capture the file name, file content, or any input data.

For the legal-grade version, the privacy policy and cookie policy spell this out in detail.

What we don’t collect

  • Your PDF file content
  • Your PDF file name
  • The number of pages in your PDF
  • Your email address (we don’t have signup)
  • Your IP address with personally identifying detail
  • Any cross-site tracking identifier we set ourselves (third-party ad cookies are a separate matter, controlled by the consent banner)

Our threat model

The honest version: client-side processing protects you from usseeing your file. It doesn’t protect you from a compromised browser, a malicious extension, or someone shoulder-surfing your screen. If your PDF is genuinely sensitive — a passport scan, a medical record, an unredacted legal exhibit — handle it on a trusted device with up-to-date software.

For most use cases, the bar we’re clearing is significantly higherthan “upload it to a free PDF converter run by a stranger.” That’s the realistic comparison.

If you don’t want to trust us at all

That’s a legitimate stance. Two options:

  • Install iSavePDF as a PWA. Once installed, you can turn off your network connection and every tool still works, including offline. Verify yourself by going airplane mode and merging a PDF.
  • Use a desktop app. If even running JavaScript from our domain feels like too much, native desktop tools like macOS Preview, Adobe Acrobat, or open-source projects like PDFsam handle most of the same operations.

We’d rather you used the right tool for your trust level than feel bullied into using ours.

Responsible disclosure

If you find a security issue — anything from an XSS in our UI to an outbound network call we don’t document above — please email hello@isavepdf.com with details and a reproduction. We’ll acknowledge inside two business days, fix critical issues fast, and credit you publicly if you’d like. We don’t currently run a paid bug bounty, but we’d like to.