Last Updated: March 31, 2026

Privacy Policy

We don't just promise privacy. We architecturally guarantee it. Your files never leave your device—verifiable, enforceable, and technically impossible to circumvent.

1 Quick Summary

LocalPDFs is architecturally incapable of accessing your files. We use client-side processing: your PDFs are handled entirely within your browser using JavaScript libraries. No upload. No server processing. No data transmission.

Zero Upload Architecture Verifiable Privacy GDPR/CCPA Compliant by Design

We Do

  • Process files in your browser
  • Store temporary data locally
  • Collect anonymized analytics
  • Store Pro waitlist emails

We Never

  • Upload files to servers
  • Process PDFs on our infrastructure
  • Sell or share your data
  • Use tracking cookies

2 Technical Privacy Guarantee

Client-Side Processing Architecture

Cryptographically verifiable privacy

LocalPDFs operates on a zero-trust, zero-upload architecture. When you use our tools:

  1. 1Your file is loaded into your browser's memory (RAM) via the File API
  2. 2JavaScript libraries (pdf-lib, PDF.js) process the file locally
  3. 3Result is generated in-browser and offered as a download
  4. 4Data is cleared when you close the tab (or stored locally if you choose)

How to Verify This Yourself

Open your browser's Developer Tools (F12) → Network tab → upload any file. You will observe zero network requests during PDF processing. All activity occurs within the browser's local execution context.

3 What We Collect (Minimal)

Advanced Waitlist Emails

When you join the advanced waitlist, we collect:

  • Email address (voluntarily provided)
  • Tool you were using
  • Limit type encountered (size/pages)
  • Timestamp

Purpose: Notify you when Advanced launches.

Privacy-Respecting Analytics

We use Plausible Analytics (no cookies, no personal data):

  • Page views (anonymized)
  • Referrer domain (e.g., "google.com")
  • Device type (desktop/mobile)
  • Country (IP anonymized, not stored)

No: Cookies, fingerprinting, cross-site tracking, or individual user profiles.

Server Logs (Minimal)

Vercel (our hosting provider) maintains temporary logs for security: IP address (anonymized), request path, timestamp. Retained for 30 days, then deleted automatically. We do not process or analyze these logs.

4 What We Never Touch

PDF Content

We cannot see text, images, or metadata in your files. Technically impossible.

File Uploads

No server endpoint exists to receive files. Architecture prevents it.

Tracking Cookies

No Google Analytics, Facebook pixels, or ad trackers.

Browser Fingerprinting

No Canvas/WebGL fingerprinting. No unique ID assignment.

Personal Identification

No names, addresses, phone numbers, or ID documents requested.

Payment Data

No payments processed yet. When Pro launches, handled by Stripe (PCI compliant).

5 Technical Processing Details

Data Flow Architecture

Your Device

File selection, processing, and download occur entirely here. Data never transmitted.

Our Servers

No file processing endpoint exists. Static HTML/CSS/JS files only.

Technical verification: Our source code is available for audit. The absence of upload endpoints can be verified by inspecting network requests.

6 Storage & Retention

Temporary Session Data

While using tools, files exist in:

  • RAM (Memory): Active processing. Cleared on tab close.

Retention Periods

Data TypeLocationRetention
PDF filesYour browserUntil tab closes
Advanced waitlist emailsSupabaseuntil unsub
AnalyticsVercelIndefinite (anonymized)
Server logsVercel30 days

7 Third-Party Services

Vercel

Hosting

Serves static HTML/CSS/JS files. No file processing. Server logs anonymized after 30 days. Their Privacy Policy →

Supabase

Form Handling

Receives Advanced waitlist emails only. No file attachments possible. Their Privacy Policy →

CDN Libraries

unpkg, cdnjs

Delivers open-source libraries (React, pdf-lib, etc.). No tracking. Subresource Integrity (SRI) hashes prevent tampering.

8 Security Measures

HTTPS Everywhere

TLS 1.3 encryption for all connections. HSTS enabled.

No Attack Surface

Static site = no database, no server-side code, no injection vectors.

Subresource Integrity

CDN libraries hashed. Tampering detected and blocked.

No Persistent Storage

Files never written to disk server-side. Memory-only processing.

9 Your Rights (GDPR/CCPA)

Under applicable privacy laws, you have the right to:

Access

Request copy of data we hold about you (email, analytics).

Deletion

Remove your email from waitlist. Analytics data anonymized.

Correction

Update email address or preferences.

Objection

Opt-out of analytics or email communications anytime.

To exercise rights: Contact Us