Skip to content
hushvert

How to convert sensitive documents safely

The safest way to convert a sensitive document is to use a converter that runs entirely in your browser, so the file never leaves your device, and to confirm it with the airplane-mode test (load the page, go offline, and convert). Image, HEIC, audio, archive, and PDF page conversions (merge, rasterize to JPG or PNG, and PDF to text) all run locally this way and are verifiable. The honest exception: turning an office document like Word or Excel into a PDF, converting a PDF back to Word, and very large video genuinely cannot run in a browser, so those upload to a clearly labeled, encrypted server lane. For those, either accept that trade or use trusted offline desktop software on your own machine instead.

Why "convert it online" is riskier for sensitive files

A tax return, a medical scan, a signed contract, a passport photo, a bank statement: these are exactly the files you most want to convert and exactly the ones you least want to hand to a stranger's server. The problem with most online converters is structural, not about any one company being shady. To convert your file, a server-based tool has to upload it to a machine you do not control, and from that moment you are trusting a policy you cannot see rather than checking a fact you can.

This stopped being theoretical in March 2025, when an FBI field office issued a public advisory warning that some free online file-converter sites are used to deliver malware (in some cases leading to ransomware) and to scrape uploaded files for sensitive data. That is not a reason to panic, and it is not a claim that every converter is malicious. The point that matters for high-stakes files is simpler: a malicious converter still converts your file correctly, so it is genuinely hard to tell apart from a legitimate one from the outside. "Trust us, we delete it" is not good enough for your tax forms. The good standard is a tool that tells you clearly which conversions touch a server and which do not, and lets you verify the ones that claim to stay on your device.

The two-bucket rule for any sensitive conversion

Before you upload anything, sort the task into one of two buckets. This single distinction does more for your safety than any privacy policy.

Bucket 1, stays on your device (verifiable, no upload). These conversions can run entirely in your browser using WebAssembly, so the file bytes never leave your computer. There is nothing to upload, retain, breach, or subpoena. This covers image conversions (JPG, PNG, WebP, AVIF, BMP, TIFF, SVG, JXL, ICO), decoding HEIC photos to JPG, PNG, WebP or AVIF, audio conversions across formats like MP3, WAV, FLAC, OGG, M4A, AAC, AIFF and WMA, repackaging archives (ZIP, TAR, TGZ), and the common PDF page operations: merging PDFs, rasterizing a PDF to JPG or PNG, pulling plain text out of a PDF, and turning images or text into a PDF. Small video re-encoding runs locally too.

Bucket 2, genuinely has to upload. A browser cannot host the software needed for a few jobs. Turning an office document into a PDF (DOCX, DOC, XLS, XLSX, PPT, PPTX, ODT, ODS, ODP, RTF, HTML to PDF), converting a PDF back into an editable Word file (PDF to DOCX), and processing very large video all require a real server. There is no in-browser shortcut for these, and any tool that claims one is doing the same upload behind a friendlier label.

The trap to avoid: do not assume a document conversion is local just because it feels lightweight. Turning a sensitive Word contract into a PDF does upload the file. It is a Bucket 2 task, full stop.

How to prove the local conversions never upload (60-second test)

You do not have to take anyone's word, including ours. For any Bucket 1 conversion, you can confirm with your own eyes that the file stayed on your device. Two tests, both free, both work on any converter.

The airplane-mode test (the decisive one). Open the converter and let the page load fully while online (this downloads the page and, once, the conversion engine). Now turn on airplane mode or disconnect Wi-Fi, and confirm you are actually offline by trying to load any other site. Then convert your file. If it completes while you are offline, the work happened on your device and the file never left it, because there was nowhere to send it. If it hangs or errors, the tool needs a server and is uploading. hushvert ships a live version of exactly this test on its /privacy-proof page: it loads the codec, invites you to disconnect, converts a locally drawn image, and counts every network request the conversion makes.

The Network-tab test (watch the bytes). Open your browser developer tools (F12, or right-click and choose Inspect), click the Network tab, enable "Preserve log", then run the conversion. Look for any outbound request whose body is roughly the size of your file. A real upload is a large POST or PUT proportional to your file; page assets are downloads, and an analytics ping is a tiny fixed blob under a couple of kilobytes that does not grow when your file gets bigger. Convert a 4MB scan and see nothing close to 4MB leave: your file was not uploaded. A full step-by-step is on the how-to-verify-converter-no-upload guide.

Tax documents: returns, W-2s, 1099s, statements

Tax season is peak "I need to convert something private right now" time. Most of it stays on your device.

Merging several PDFs into one filing packet, splitting a scanned return into page images, pulling the text out of a 1099, or turning a photo of a receipt into a PDF are all Bucket 1, in-browser operations. Combine your supporting documents with the merge-pdf tool, rasterize a page to an image, or extract text locally, and none of it uploads. You can run the airplane-mode test on any of these and watch them work offline.

The one common tax task that does upload: turning a spreadsheet of figures (XLSX or XLS) or a Word-format statement (DOCX or RTF) into a PDF. That is an office-document-to-PDF conversion, which a browser cannot perform, so it goes through the server lane. If the spreadsheet contains your full financial picture and you would rather not upload it at all, the privacy-maximal move is to export to PDF directly from the application that made it: Excel, Numbers, Google Sheets, LibreOffice, and Word all have a built-in "Save as PDF" or "Export to PDF" that never touches a third party. Use the online server lane when that is inconvenient; reach for the built-in export when the file is especially sensitive.

Medical records: scans, lab results, imaging

Medical files are some of the most sensitive documents a person handles, and most of what people need to do with them is local.

Converting a HEIC photo of a paper result into a JPG or PNG, turning a stack of scan images into a single PDF, rasterizing a PDF report into images to share one page, or extracting the text from a results PDF are all in-browser, no-upload conversions. HEIC is especially relevant here because iPhones save photos in HEIC by default, and many portals will not accept it; converting HEIC to JPG with heic-to-jpg runs entirely on your device, and for patent reasons hushvert never sends HEIC to a server. There is a focused walkthrough at convert-heic-to-jpg-without-uploading.

What uploads: if your record arrives as a Word document and you need a PDF, or you need to turn a PDF back into an editable Word file, those use the server lane. For records governed by formal privacy obligations, prefer keeping the file local: do the format change with a Bucket 1 tool where you can, or export to PDF straight from the app that opened the document. The honest framing is that an in-browser conversion removes the upload question entirely, while the server lane is a reasonable, encrypted, short-lived path when no local route exists.

Contracts and IDs: signed agreements, NDAs, passports

"Is it safe to convert a contract online?" depends entirely on which conversion you need.

Merging a signed agreement with its exhibits, flattening a contract PDF into page images, extracting the text of an NDA, or turning a photo of an ID into a PDF are all local, verifiable operations that never upload. A passport or driver's-license photo converted from HEIC or PNG to JPG stays on your device, which is precisely what you want for an identity document.

The conversion people most often mean by "convert a contract" is the one that does upload: turning a Word contract into a PDF, or a PDF contract back into editable Word. Those are Bucket 2. If the contract is confidential, the safest path is to export to PDF from Word itself (Word's "Save as PDF" produces a clean PDF with no upload), or use trusted offline desktop software. If you do use the online server lane, know that the upload is encrypted in transit, the input file is deleted immediately after the conversion finishes, and the output is deleted within about an hour, with no cookies and no file retention beyond that window. That is a real, bounded trade, not a hidden one.

What the server lane actually does (and the honest tradeoff)

hushvert does not pretend everything is local. A short, clearly labeled server lane exists for the conversions a browser cannot perform: office documents to PDF, PDF to Word (pdf-to-docx), and large video. The dropzone tells you which lane a conversion uses before you start, so you are never surprised by an upload.

When a file does go through that lane, here is exactly what happens. It is uploaded over an encrypted (HTTPS) connection. The input file is deleted immediately after the conversion completes. The output file is deleted within about an hour so you have time to download it. There are no cookies, and the file is not kept, sold, or scraped. That is a genuinely different posture from a converter that uploads everything by default and asks you to trust a vague deletion promise, but it is still an upload, and we say so plainly.

The honest tradeoff: for a truly sensitive office document, the strongest option is to not upload at all. Every major office app (Word, Excel, PowerPoint, LibreOffice, Apple's Pages and Numbers, Google's editors) can export to PDF directly, on your own machine, with no third party involved. ffmpeg handles audio and video conversions offline; Audacity handles audio; 7-Zip handles archives; macOS Preview and Windows Photos export images. Use the server lane when it saves you real friction and the file is not high-stakes; use built-in offline export when the document is the kind you would never email to a stranger.

A safety checklist before you convert anything private

Run this list once and it becomes second nature.

1. Sort the task. Is it an image, HEIC, audio, archive, or PDF page operation? That is Bucket 1 and can stay on your device. Is it an office document to PDF, a PDF to Word, or large video? That is Bucket 2 and will upload.

2. For Bucket 1, verify. Run the airplane-mode test: load the page, go offline, convert. If it works offline, you are done and nothing left your machine. The how-to-verify-converter-no-upload guide has the full method, and how-hushvert-privacy-works explains the three layers of proof (the live demo, the CI test that fails the build if a byte leaks, and the open-source MIT engine).

3. For Bucket 2, decide consciously. If the file is not especially sensitive, the encrypted, short-lived server lane is a reasonable choice. If it is highly sensitive, export to PDF directly from the source app, or use trusted offline desktop software, so it never uploads.

4. Match the format honestly. Converting to a lossy target (JPG, MP3, lossy WebP) re-encodes and loses some data; PNG to JPG also drops transparency. For archival copies of records, prefer lossless targets (PNG, TIFF, WAV, FLAC). hushvert does no hidden extra re-compression on the conversions that run on your device.

5. Prefer a tool you can audit. A passing airplane-mode test plus an open-source engine you can read beats any privacy policy you cannot check.

Convert a file privatelyVerify it yourself

Keep reading

Common questions

What is the safest way to convert a sensitive document?
Use a converter that runs entirely in your browser so the file never uploads, and confirm it with the airplane-mode test: load the page, turn on airplane mode, and convert. If it works offline, the file stayed on your device. Image, HEIC, audio, archive, and PDF page conversions all work this way. For office-document-to-PDF, PDF-to-Word, or large video, which cannot run in a browser, either use a clearly labeled encrypted server lane or export to PDF directly from the source app so nothing uploads.
Is it safe to convert a contract online?
It depends on the conversion. Merging a contract PDF, turning it into page images, or extracting its text runs in your browser and never uploads, so it is safe to verify and do online. Turning a Word contract into a PDF, or a PDF back into Word, genuinely uploads to a server. For a confidential contract, the safest route is to export to PDF directly from Word (its built-in Save as PDF), or use trusted offline software, so the file never leaves your machine.
How do I convert medical records without uploading them?
Most medical-record conversions can stay on your device. Converting a HEIC photo of a result to JPG or PNG, combining scan images into one PDF, rasterizing a report to images, or extracting text from a PDF all run in your browser with no upload, and you can prove it with the airplane-mode test. Only office-document-to-PDF and PDF-to-Word need a server; for those, export to PDF directly from the application that holds the record to keep it local.
Can I convert my tax return without it leaving my computer?
Yes for most tasks. Merging PDFs, splitting a return into page images, extracting text, and turning receipt photos into a PDF all run locally in your browser and never upload. The exception is turning a spreadsheet (XLSX) or a Word document into a PDF, which requires a server. For a sensitive financial file, export to PDF straight from Excel, Sheets, or Word so it never uploads, or use the encrypted server lane if convenience matters more.
Which conversions stay on my device and which upload?
Stays local (verifiable, no upload): all image conversions, HEIC decoding to JPG/PNG/WebP/AVIF, audio conversions, archives (ZIP, TAR, TGZ), and PDF page operations (merge, PDF to JPG or PNG, PDF to text, images or text to PDF), plus small video. Uploads (clearly labeled server lane): office documents to PDF (Word, Excel, PowerPoint, and similar), PDF to Word, and large video. The dropzone tells you which lane applies before you start.
Does converting a Word document to PDF upload my file?
Yes. A browser cannot run the software that renders an office document into a PDF, so DOCX, DOC, RTF, and similar conversions to PDF go through a server. Any online tool that offers this is uploading your file, regardless of how the page is worded. For a sensitive document, the privacy-maximal option is Word's own built-in Save as PDF or Export to PDF, which runs on your machine with no third party involved.
How can I verify a converter is not uploading my sensitive file?
Run the airplane-mode test. Load the converter fully while online, then turn on airplane mode or disconnect, confirm you are offline, and convert. If it still works, your file was not uploaded because there was nowhere to send it. For more detail, open developer tools, go to the Network tab, and watch for any large outbound request the size of your file during the conversion. Both tests are free and work on any converter.
Did the FBI ban online file converters?
No. In March 2025 an FBI field office issued a public advisory warning that some free online file-converter sites deliver malware, sometimes leading to ransomware, and scrape uploaded files for sensitive data. It recommended caution and reputable tools, not a ban. The deeper lesson is that once a file is on someone else's server you are trusting them, which is why a converter you can verify as local is safer for high-stakes documents.
Is it safer to use offline desktop software instead?
For the conversions that must upload, often yes. Trusted offline software keeps the file on your machine: most office apps (Word, Excel, LibreOffice, Pages, Numbers) export to PDF directly, ffmpeg handles audio and video, Audacity handles audio, 7-Zip handles archives, and macOS Preview or Windows Photos export images. For image, HEIC, audio, archive, and PDF page tasks, an in-browser converter is just as local and needs no install, and you can verify it with the airplane-mode test.
What happens to my file if I do use the server lane?
It is uploaded over an encrypted HTTPS connection, the input file is deleted immediately after the conversion finishes, and the output is deleted within about an hour so you have time to download it. There are no cookies, and the file is not retained, sold, or scraped. This is a bounded, disclosed trade, but it is still an upload, so for the most sensitive documents prefer a local conversion or a built-in offline export instead.
Is converting a passport or ID photo safe online?
Yes if you use an in-browser image converter. Converting an ID photo from HEIC or PNG to JPG runs entirely on your device and never uploads, and you can confirm it with the airplane-mode test. HEIC in particular is never sent to a server here. Avoid any converter that requires uploading an identity document unless you have verified it stays local, since an ID is exactly the kind of file you do not want sitting on a stranger's server.
Does an in-browser conversion lose quality on a scanned document?
Only if you convert to a lossy target. Converting to JPG, lossy WebP, or AVIF re-encodes the image and discards some detail, and PNG to JPG also drops transparency. For an archival copy of a record you want to preserve exactly, convert to a lossless format like PNG or TIFF. Lossless-to-lossless conversions preserve the data exactly, and there is no hidden extra re-compression on conversions that run on your device.
Why is HEIC never sent to a server here?
HEIC decoding runs entirely in your browser on purpose, for both privacy and patent reasons, so every HEIC conversion stays on your device. That is ideal for sensitive photos of documents, since an iPhone saves images as HEIC by default and you can convert them to JPG or PNG without any upload. You can verify it with the airplane-mode test, and there is a dedicated walkthrough for converting iPhone photos without uploading.
Can I merge several private PDFs without uploading them?
Yes. Merging PDFs runs entirely in your browser, so the documents never leave your device, and the airplane-mode test will confirm it. This is useful for combining a tax packet, a set of medical scans, or a contract with its exhibits into one file without trusting a server. Splitting or reordering pages is not offered here, but merging, rasterizing to images, and extracting text are all local operations.
Are big-name converter sites safe for sensitive files?
Established services are real companies with published privacy policies, but they are server-based, which means using them requires uploading your file and trusting their handling of it. That can be fine for non-sensitive files. For a tax form, medical record, contract, or ID, an in-browser converter removes the upload and the trust question entirely, and a passing airplane-mode test plus an open-source engine you can read is stronger than any policy you cannot check.
What is the privacy-maximal way to turn a spreadsheet into a PDF?
Export to PDF directly from the spreadsheet application. Excel, Google Sheets, Numbers, and LibreOffice Calc all have a built-in Save as PDF or Export to PDF that runs on your own machine and never sends the file to a third party. Online spreadsheet-to-PDF conversion does upload, because a browser cannot render the document. Use the built-in export when the financial data is sensitive, and the online server lane only when convenience outweighs the upload.
How do I know hushvert is actually telling the truth about no uploads?
Three layers of proof, plus your own test. The /privacy-proof page runs a live airplane-mode demo that counts every network request a conversion makes. A CI test runs on every code change and fails the build if any file byte leaves the browser during a client conversion, so the guarantee cannot quietly regress. The conversion engine is open source under the MIT license, so you can read what runs in your tab. And you can run the airplane-mode test yourself in under a minute.
Is this free, and do I need an account for sensitive conversions?
All in-browser conversions are free and unlimited with no account, which covers image, HEIC, audio, archive, and PDF page operations, exactly the conversions that stay on your device. The server lane (office documents to PDF, PDF to Word, large video) allows a couple of conversions a day anonymously, then a free email account raises the limit, and heavier use is paid with no subscription required. Pricing details are on the pricing page.
What should I do with a sensitive document if no local conversion exists?
First try to keep it local anyway: most apps can export to PDF directly, and offline tools like ffmpeg, Audacity, and 7-Zip handle audio, video, and archives on your own machine. If you must use an online server lane, choose one that labels the upload clearly, encrypts it, and deletes files quickly, and avoid uploading the most sensitive identity or financial files when a built-in offline export is available.