# I Tested What Happens When You Upload Files to Free Online Converters - Your Documents Are Not Private
I spent a week auditing the network traffic, cookies, and tracking infrastructure of the most popular free online file converters. What I found was a surveillance apparatus that would make most people reconsider ever uploading a document again.
---
The Experiment
Here is what I did: I opened four of the most popular free online file converter websites in a clean browser profile - no extensions, no ad blockers, no prior browsing history. I monitored every network request, catalogued every cookie, read every privacy policy, and documented every third-party script that loaded.
The sites I tested:
- ilovepdf.com - ~97M monthly visits
- smallpdf.com - ~94M monthly visits
- convertio.co - ~56M monthly visits
- cloudconvert.com - ~12M monthly visits
These are not obscure tools. Hundreds of millions of people use these services every month. People upload tax returns, medical records, legal contracts, resumes with personal addresses and phone numbers, and confidential business documents.
I want to show you exactly what happens the moment you visit these sites - before you even click a single button.
---
ilovepdf.com: 637 Cookies Across 221 Domains
Let me start with the worst offender.
The Cookie Apocalypse
When you visit ilovepdf.com, your browser is immediately seeded with 637 cookies spanning 221 distinct domains. That is not a typo. Six hundred and thirty-seven cookies. To put that in perspective, a typical news website - already considered aggressive - sets around 50-80 cookies.
Here is a partial breakdown of the cookie domains I recorded:
| Category | Count | Examples |
|---|---|---|
| Ad network domains | 141 | doubleclick.net, criteo.com, pubmatic.com, taboola.com |
| Data broker domains | 23 | liveramp.com, demdex.net (Adobe), bluekai.com (Oracle) |
| Social tracking domains | 12 | facebook.com, linkedin.com, twitter.com |
| Analytics domains | 18 | google-analytics.com, hotjar.com, mixpanel.com |
| Retargeting domains | 27 | outbrain.com, appnexus.com, thetradedesk.com |
The remaining cookies belong to various cookie-syncing services, identity resolution platforms, and supply-side ad platforms that exist solely to connect your identity across the web.
Consent? What Consent?
Here is the part that should concern anyone in the EU (or anyone who cares about consent): ilovepdf.com sets all consent defaults to "granted" before any user interaction occurs. The tracking starts the instant the page loads. The 637 cookies are already in your browser before you see any consent dialog.
And about that consent dialog - it is a single button that says "Got it!". There is no reject option. There is no granular control. There is no "manage preferences" link that leads to actual toggleable categories. It is a take-it-or-leave-it acknowledgment button disguised as consent.
This is not GDPR-compliant consent. GDPR requires that consent be:
- Freely given (a single "Got it!" button is not a free choice)
- Specific (blanket consent for 141 ad networks is not specific)
- Informed (most users have no idea what 221 cookie domains means)
- Unambiguous (the absence of a reject button makes this ambiguous by definition)
The Real-Time Ad Auction
Every single page load on ilovepdf.com triggers a programmatic real-time bidding (RTB) auction. This means that before you even see the page content, your browser fingerprint, approximate location, browsing history signals, and device information are broadcast to dozens of ad exchanges so they can bid on showing you an advertisement.
Here are the RTB participants I identified in the network waterfall:
| Ad Tech Company | Role | What They Receive |
|---|---|---|
| Criteo | Retargeting/DSP | Browser fingerprint, page URL, cookie ID |
| PubMatic | SSP/Exchange | 22+ KRTBCOOKIE variants for cross-domain identity sync |
| The Trade Desk | DSP | Unified ID, bid request data |
| AppNexus (Xandr) | Exchange | User segments, page context |
| Taboola | Native ads | Browsing behavior signals |
| Outbrain | Native ads | Content consumption patterns |
| LiveRamp | Identity resolution | Cross-device identity graph data |
| Adobe Audience Manager (demdex.net) | DMP | Behavioral segments, audience data |
| Index Exchange | SSP | Bid request with user data |
| Rubicon Project (Magnite) | SSP | Impression-level data |
| OpenX | SSP/Exchange | Cookie-synced user ID |
| Amazon TAM | Header bidding | Shopping behavior correlation |
| Google Ad Manager | Ad server | Full page context + user signals |
I counted 13 direct or reseller ad relationships declared in their ads.txt file. But the actual number of companies receiving your data through the RTB cascade is far higher, because each exchange shares bid request data with dozens of demand-side platforms.
PubMatic's 22+ KRTBCOOKIE Variants
This deserves its own section because it is remarkable. PubMatic alone sets 22 or more KRTBCOOKIE variants - these are cookie-syncing mechanisms that map your PubMatic ID to your ID on other ad platforms. Each KRTBCOOKIE variant corresponds to a different ad tech partner. This single company is building a cross-platform identity map of you, and ilovepdf.com is enabling it.
Deprecated Google Ad Tags
I also noticed that ilovepdf.com is still loading deprecated Google ad tags (the legacy doubleclick.net/gampad format). This suggests their ad implementation has not been updated in years, yet continues to function as a data collection pipeline. Legacy ad code often has fewer privacy controls than modern implementations.
Your Files Go to Their Servers
And after all that tracking loads, when you actually use the tool - your files are uploaded to ilovepdf.com's servers for processing. Server-side. Your PDF, your Word document, your spreadsheet - it leaves your computer and lands on their infrastructure. The same infrastructure that is connected to 141 ad network domains.
For PDF operations that never upload your files, ToolBox's PDF Merge & Split processes everything in your browser. Your documents stay on your device.
---
smallpdf.com: "We Currently Sell Data to Google and Facebook"
Smallpdf is interesting because they are more transparent about what they do. Perhaps too transparent, because what they admit to in their own privacy policy is damning.
The Tracking Stack
On first visit, smallpdf.com loads the following third-party tracking services:
| Service | Type | What It Does |
|---|---|---|
| Microsoft Clarity | Session recording | Records mouse movements, clicks, scrolls, and page interactions as a video replay |
| Bing UET | Conversion tracking | Reports your visit to Microsoft's ad network |
| Google Ads (gtag) | Conversion tracking | Reports your visit to Google's ad network |
| Hotjar | Session recording & heatmaps | Records user behavior, builds heatmaps of interaction patterns |
| HubSpot Analytics | Marketing analytics | Tracks your journey for marketing funnel analysis |
| LinkedIn Insight Tag | Professional retargeting | Maps your visit to your LinkedIn professional identity |
| Facebook Pixel | Social retargeting | Reports your visit to Meta's ad network for retargeting |
| AppsFlyer | Attribution analytics | Tracks which marketing channel brought you |
| Google Analytics (GA4) | Web analytics | Behavioral analytics with Google's data ecosystem |
| Segment | Customer data platform | Aggregates all tracking data into unified profiles |
| Intercom | Customer messaging | Tracks behavior for targeted messaging |
| Sentry | Error tracking | Sends browser/device data on errors |
| Stripe | Payment processing | Loads on all pages, not just checkout |
| Amplitude | Product analytics | Detailed behavioral event tracking |
| Customer.io | Marketing automation | Behavioral email trigger tracking |
| Datadog RUM | Real user monitoring | Performance and interaction monitoring |
That is 16+ distinct tracking services loading on a file converter website.
Session Recording: They Watch Everything
Both Microsoft Clarity and Hotjar are session recording tools. This means that when you are on smallpdf.com, your mouse movements, your scrolling behavior, where you click, how long you hover over elements, what you type into form fields - all of it is being recorded and replayed as a video by their team.
If you type a filename into a search box, they see it. If you hesitate before clicking "upload," they see that too. If you navigate to the privacy policy and read it for two minutes, they have that recorded. Session recording is one of the most invasive tracking technologies in common use, and smallpdf.com runs two of them simultaneously.
The Privacy Policy Admission
Here is a direct quote from smallpdf.com's privacy policy:
> "We currently sell data to Google and Facebook via cookies."
Read that again. A file converter website - a place where people upload tax documents, legal contracts, medical forms, and personal records - explicitly admits to selling your data to Google and Facebook.
They do not hide it. It is right there in the privacy policy that almost nobody reads. They are selling the behavioral data generated by your visit - what you converted, when, how often, combined with all the cookie-synced identity data from the 16+ tracking services running on the page - to the two largest advertising companies on Earth.
Server-Side Processing on Hetzner
Smallpdf processes your files server-side. When you upload a document, it goes to servers hosted on Hetzner, a German hosting provider. While Hetzner itself is reputable, the point is that your files leave your browser, travel over the internet, and land on infrastructure controlled by a company that openly sells data to Google and Facebook.
Vague File Retention
For users without accounts, smallpdf.com's file retention policy is deliberately vague. They state files are deleted "after processing," but the specific timeline is unclear. The retention period for non-account users is not explicitly defined in the same concrete terms as for paid accounts. This means your uploaded contract, resume, or medical record exists in a gray area on their servers for an undefined period.
If "we sell data to Google and Facebook" is not the kind of privacy policy you want governing your documents, ToolBox's Image Compressor and Image Format Converter handle common file operations entirely in your browser - no uploads, no retention policies needed.
---
convertio.co: GDPR Violations and Browser Hijacking
Convertio managed to combine aggressive advertising with outright disregard for cookie consent laws.
13 Cookies Before Consent
When you load convertio.co in a clean browser, 13 cookies are set immediately - before any consent dialog appears. This is a straightforward GDPR violation. Under EU law, non-essential cookies require explicit consent before being placed. Convertio does not wait.
Here are the cookies I found set on first visit without consent:
| Cookie | Domain | Purpose |
|---|---|---|
| `_ga` | .convertio.co | Google Analytics tracking |
| `_ga_*` | .convertio.co | GA4 measurement ID |
| `_gid` | .convertio.co | Google Analytics session |
| `_gat` | .convertio.co | Google Analytics throttling |
| `_fbp` | .convertio.co | Facebook Pixel tracking |
| `fr` | .facebook.com | Facebook advertising |
| `_gcl_au` | .convertio.co | Google Ads conversion linker |
| `IDE` | .doubleclick.net | Google ad serving/retargeting |
| `test_cookie` | .doubleclick.net | DoubleClick cookie support test |
| `uid` | .criteo.com | Criteo retargeting ID |
| `VISITOR_INFO1_LIVE` | .youtube.com | YouTube tracking |
| `YSC` | .youtube.com | YouTube session |
| `NID` | .google.com | Google personalization |
Every single one of these is a non-essential tracking cookie. None of them are required for the file converter to function. All of them were set before I had any opportunity to consent or reject.
Dual Google Analytics Tracking
Convertio runs both the legacy Universal Analytics (UA) and the modern Google Analytics 4 (GA4) simultaneously. This is unusual - most sites have migrated from UA to GA4. Running both suggests either a chaotic analytics implementation or a deliberate choice to maximize data collection through two parallel tracking pipelines, each capturing slightly different data points.
Facebook SDK on Every Page
The Facebook JavaScript SDK loads on every single page of convertio.co. Not just pages with social sharing buttons. Not just the homepage. Every page. This means Facebook knows every page you visit on convertio.co, every tool you consider using, every file type you are working with - before you even initiate a conversion.
Redirect Advertising That Hijacks Your Browser
This was the most user-hostile behavior I encountered during my audit. Convertio employs aggressive redirect advertising that literally hijacks your browser tab. When you click certain elements on the page, instead of performing the expected action, your current tab is redirected to an advertisement. Your original page is gone. You have to hit the back button to return.
This is not a pop-up that you can close. This is not a new tab that opens. This is your active tab being stolen from under you and replaced with an ad. It is the digital equivalent of someone snatching a book out of your hands and replacing it with a flyer.
Cookie Syncing Network
Convertio participates in an extensive cookie-syncing network. I identified sync requests to:
| Sync Partner | Type | Protocol |
|---|---|---|
| Criteo | Retargeting DSP | Pixel sync via cookieMatch endpoint |
| TripleLift | Native ad exchange | ID sync via eb2.3lift.com |
| LiveIntent | Email-based identity | Cookie sync via liadm.com |
| Yandex | Russian search/ad network | ID sync via mc.yandex.ru |
The Yandex cookie sync is particularly notable. User browsing data from a file converter is being synced with a Russian advertising and search engine company. For users uploading sensitive documents, the implications of this data flowing to Yandex's infrastructure should give pause.
Custom Error Tracking Leaks Data
Convertio implements custom error tracking that sends your full User-Agent string to their servers whenever a JavaScript error occurs. The User-Agent string contains your browser name and version, your operating system and version, your device type, and sometimes your device model. Combined with other fingerprinting data, this is enough to uniquely identify most users.
---
cloudconvert.com: Proof That It Does Not Have to Be This Way
After auditing three sites that treat users as advertising inventory, I tested cloudconvert.com expecting more of the same. What I found was the complete opposite.
Zero Third-Party Scripts
When you load cloudconvert.com, the network tab shows zero third-party tracking scripts. None. No Google Analytics. No Facebook Pixel. No Criteo. No PubMatic. No session recording. Nothing.
The only analytics tool present is Plausible Analytics, and it is self-hosted on cloudconvert's own infrastructure. Plausible is an open-source, privacy-focused analytics platform that:
- Uses no cookies
- Collects no personal data
- Cannot track users across sites
- Is fully GDPR, CCPA, and PECR compliant without a consent banner
Zero Cookies on First Visit
I loaded cloudconvert.com in a clean browser and checked the cookie jar: zero cookies. Not a single one. No tracking cookies, no session cookies, no consent cookies - because when you do not track people, you do not need to ask for consent to track people. The cleanest cookie policy is no cookies at all.
No Cookie Consent Banner Needed
Because cloudconvert.com sets no cookies and runs no third-party tracking, they do not need a cookie consent banner. There is no pop-up interrupting your workflow. No "Got it!" button. No dark patterns. Just the tool you came to use.
Strict Content Security Policy
Cloudconvert implements a strict Content Security Policy (CSP) with nonce-based script allowlisting. This means:
- Only scripts explicitly approved by the server can execute
- Each page load generates a unique cryptographic nonce
- Injected scripts (from browser extensions, malware, or XSS attacks) are blocked
- Third-party scripts cannot piggyback on the page
This is a deliberate security architecture that makes it technically impossible for unauthorized tracking scripts to run.
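To check a policy like this yourself, the following added example (not code from cloudconvert or from this audit) classifies the script rules of a `Content-Security-Policy` header and tests whether the nonce changes between two page loads. The function names and the sample policies are constructed for illustration.

```javascript
// Added example: classify the script policy in a Content-Security-Policy
// header. The sample policies are constructed, not copied from any site.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers use the first occurrence of a directive and ignore repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditScriptPolicy(header) {
  const d = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = d.get("script-src") || d.get("default-src");
  if (!sources) {
    return { mode: "none", nonces: [], externalSources: [], issues: ["scripts unrestricted"] };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const nonces = sources
    .filter((s) => /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/.test(s))
    .map((s) => s.slice(7, -1));
  const hasHash = lower.some((s) => /^'sha(256|384|512)-/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  const issues = [];

  // A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
  if (lower.includes("'unsafe-inline'") && nonces.length === 0 && !hasHash) {
    issues.push("inline scripts allowed");
  }
  if (lower.includes("'unsafe-eval'")) issues.push("eval allowed");

  // Under 'strict-dynamic', host and scheme sources are ignored, so only
  // scripts carrying the nonce (and scripts they load) can run.
  const externalSources = strictDynamic ? [] : sources.filter((s) => !s.startsWith("'"));
  if (externalSources.some((s) => s === "*" || /^(https?|data|blob):$/i.test(s))) {
    issues.push("wildcard or scheme-wide source");
  }

  let mode = "allowlist";
  if (nonces.length > 0 || hasHash) {
    mode = externalSources.length === 0 && issues.length === 0 ? "strict" : "nonce-plus-allowlist";
  }
  return { mode, nonces, externalSources, issues };
}

// The nonce must change on every response; a value that repeats across
// loads can be copied into injected markup and defeats the policy.
function nonceReused(headerA, headerB) {
  const a = auditScriptPolicy(headerA).nonces;
  const b = new Set(auditScriptPolicy(headerB).nonces);
  return a.some((n) => b.has(n));
}

// Constructed samples: two loads of a nonce-based policy, one host allowlist.
const STRICT_LOAD_1 =
  "default-src 'self'; script-src 'nonce-q83hXk2LmP0a' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'; base-uri 'none'";
const STRICT_LOAD_2 =
  "default-src 'self'; script-src 'nonce-Zt7vB1cNw9Ye' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'; base-uri 'none'";
const ALLOWLIST =
  "default-src *; script-src 'self' 'unsafe-inline' https://cdn.adnetwork.example https://*.tracker.example";

console.log(auditScriptPolicy(STRICT_LOAD_1));
console.log(auditScriptPolicy(ALLOWLIST));
console.log("nonce reused:", nonceReused(STRICT_LOAD_1, STRICT_LOAD_2));
```

Copy the header value from the main document's response in the Network tab, once per reload, to get real inputs for the two functions.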
ISO 27001 Certified
Cloudconvert holds ISO 27001 certification, an international standard for information security management. This requires regular external audits of their security practices, data handling procedures, and risk management processes. Among the four sites I tested, cloudconvert is the only one with this certification.
File Handling
- Files are processed in isolated containers - each conversion runs in its own sandboxed environment
- Files are deleted within 24 hours
- Processing infrastructure is clearly documented
The Comparison Table
| Metric | ilovepdf.com | smallpdf.com | convertio.co | cloudconvert.com |
|---|---|---|---|---|
| Cookies on first visit | 637 | 40+ | 13 (no consent) | 0 |
| Cookie domains | 221 | 30+ | 15+ | 0 |
| Third-party tracking scripts | 50+ | 16+ | 10+ | 0 |
| Session recording | No | Yes (2 services) | No | No |
| Ad network connections | 141 domains | Via data sale | Cookie sync network | None |
| RTB auction on page load | Yes | No | Yes | No |
| Cookie consent dark patterns | "Got it!" only | Yes | No consent asked | No banner needed |
| Sells data to ad companies | Via RTB cascade | Explicitly admits it | Via cookie sync | No |
| File processing | Server-side | Server-side (Hetzner) | Server-side | Server-side (isolated) |
| Files deleted timeline | Unclear | Vague for non-accounts | Unclear | Within 24 hours |
| Security certification | None found | None found | None found | ISO 27001 |
| GDPR consent compliance | No (pre-granted) | Questionable | No (cookies before consent) | Yes (no cookies) |
| Content Security Policy | Basic | Basic | Basic | Strict with nonces |
---
What This Means for Your Documents
Let me spell out what is actually happening when you use most free file converters:
Step 1: You Visit the Site
Before you do anything, your browser is loaded with tracking cookies, your device is fingerprinted, and your visit is reported to dozens of advertising companies. A real-time auction broadcasts your data to ad exchanges. If you are a smallpdf.com user, your mouse movements are being recorded.
Step 2: You Upload Your File
Your document - which might contain your name, address, social security number, medical information, financial data, trade secrets, or attorney-client privileged communications - is uploaded to their servers. It leaves your computer and enters infrastructure that is connected to, at minimum, a dozen tracking and advertising services.
Step 3: You Get Your Converted File
You download the result and close the tab, thinking the transaction is complete. But it is not.
Step 4: The Data Lives On
Your file may persist on their servers for an undefined period. The tracking data - what you converted, when, what type of document, your device fingerprint, your approximate location - is now part of advertising profiles being sold and resold across the digital advertising ecosystem. That data is combined with other data points to build increasingly detailed profiles of who you are, what you do, and what you might buy.
The Scale of the Problem
Let me put numbers to this. If ilovepdf.com gets 97 million visits per month, and each visit triggers an RTB auction that broadcasts user data to 50+ ad tech companies, that is potentially 4.85 billion data transmissions per month from a single file converter website. Across all four sites in this audit (minus cloudconvert), we are looking at hundreds of billions of tracking events per year, generated by people who just wanted to merge two PDFs.
---
The Real Cost of "Free"
These file converter sites make money in three ways:
- Advertising revenue - RTB auctions, display ads, native ads
- Data sales - selling user behavior data to advertising platforms (smallpdf explicitly admits this)
- Premium upsells - converting free users to paid plans
The first two revenue streams depend entirely on surveillance. The more they know about you, the more they can charge advertisers. Your uploaded documents are not just files being converted - they are signals about who you are. Someone converting a lease agreement is probably moving. Someone converting a resume is probably job hunting. Someone converting medical forms might have a health condition. These behavioral signals are gold to advertisers.
You are not the customer. You are the product. And your documents are the signal that reveals your life circumstances to the advertising industry.
---
A Different Approach: Client-Side Processing
Everything I have described above exists because these tools process files on their servers. The moment your file leaves your browser, you have lost control. But here is the thing: most file conversions do not need a server.
Modern browsers are extraordinarily powerful. The JavaScript engines in Chrome, Firefox, Safari, and Edge can handle PDF manipulation, image compression, format conversion, and dozens of other file operations directly in the browser, on your device, without uploading anything anywhere.
This is called client-side processing, and it eliminates the entire surveillance architecture by removing the need for it. If your file never leaves your browser:
- There is nothing to upload to a server
- There is nothing to retain
- There is nothing to delete "within 24 hours" or "after an undefined period"
- There is no server-side infrastructure to secure (or fail to secure)
- There is no financial incentive to track you, because there is no data to sell
ToolBox: Zero Tracking, Zero Uploads
I built ToolBox to prove that developer and productivity tools can exist without surveillance. ToolBox includes an image compressor, PDF tools, and 130+ other utilities - and every single one runs 100% in your browser.
Here is what happens when you use a file tool on ToolBox:
- You select your file
- Your browser processes it locally using JavaScript
- You download the result
- Nothing was ever uploaded. Nothing was ever tracked. No cookies were set.
There is no network request carrying your file to a remote server. There is no RTB auction. There are no 637 cookies. No session recordings. No data sales to Google and Facebook. Your files never leave your device.
This is not a technical limitation - it is a design choice. The same choice cloudconvert made with their tracking (zero third-party scripts), extended to the file processing itself.
| Feature | Typical "Free" Converter | ToolBox (toolbox-kit.com) |
|---|---|---|
| File upload to server | Yes | No - files stay in your browser |
| Third-party tracking | 10-50+ services | Zero |
| Cookies | 13-637 | Zero tracking cookies |
| Data sold to advertisers | Yes (often explicitly) | No data to sell |
| Session recording | Often | Never |
| Works offline | No | Yes (after initial page load) |
| Privacy policy needed for file data | Yes (and it is always vague) | No - there is no file data for a policy to cover |
---
How to Protect Yourself
If you take nothing else from this post, remember these guidelines:
1. Check for Client-Side Processing
Before uploading a file to any online tool, open your browser's Developer Tools (F12), go to the Network tab, and watch what happens when you process a file. If you see a large upload request going to a server, your file is being sent somewhere. If the processing happens with no network activity, it is client-side.
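The same check can be run over a HAR file saved from the Network tab. This is an added example, not code from the audit or from any of the tools discussed: it sums request-body bytes per host so that chunked uploads are caught as well, and compares the total with the size of the file you processed. The host names and HAR contents are constructed.

```javascript
// Added example: decide from a HAR capture whether a file left the browser.
// All hosts and entries below are constructed sample data.

// HAR records bodySize as -1 when unknown; fall back to Content-Length.
function bodyBytes(request) {
  if (typeof request.bodySize === "number" && request.bodySize >= 0) return request.bodySize;
  const h = (request.headers || []).find((x) => x.name.toLowerCase() === "content-length");
  return h ? Number(h.value) || 0 : 0;
}

// Returns one record per host that appears to have received the file.
// A host is flagged when a multipart part carries a file name, or when the
// bytes sent to it add up to at least half of the processed file's size.
// Small analytics beacons stay well under that threshold.
function findUploads(har, fileSizeBytes) {
  const perHost = new Map();
  for (const { request } of har.log.entries) {
    if (!["POST", "PUT", "PATCH"].includes(request.method)) continue;
    const host = new URL(request.url).hostname;
    const rec = perHost.get(host) || { host, bytes: 0, requests: 0, fileNames: [] };
    rec.bytes += bodyBytes(request);
    rec.requests += 1;
    const params = (request.postData && request.postData.params) || [];
    for (const p of params) {
      if (p.fileName) rec.fileNames.push(p.fileName);
    }
    perHost.set(host, rec);
  }
  return [...perHost.values()]
    .filter((r) => r.fileNames.length > 0 || r.bytes >= fileSizeBytes / 2)
    .sort((a, b) => b.bytes - a.bytes);
}

const FILE_SIZE = 1200000; // size of the test document in bytes

// Constructed capture of a server-side converter: one beacon, three chunks.
const SERVER_SIDE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://converter.example/", bodySize: 0, headers: [] } },
  { request: { method: "POST", url: "https://stats.analytics.example/collect", bodySize: 412, headers: [] } },
  ...[0, 1, 2].map((i) => ({ request: {
    method: "PUT",
    url: `https://upload.converter.example/chunk/${i}`,
    bodySize: -1,
    headers: [{ name: "Content-Length", value: "400000" }],
  } })),
] } };

// Constructed capture of an in-browser tool: page load and one small beacon.
const CLIENT_SIDE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://localtool.example/", bodySize: 0, headers: [] } },
  { request: { method: "POST", url: "https://localtool.example/api/event", bodySize: 180, headers: [] } },
] } };

console.log(findUploads(SERVER_SIDE_HAR, FILE_SIZE));
console.log(findUploads(CLIENT_SIDE_HAR, FILE_SIZE));
```

Transfers over WebSocket connections do not show up as request bodies, so an empty result should be confirmed by watching the WS filter in the Network tab as well.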
2. Use an Ad Blocker
If you must use server-side converters, use a content blocker like uBlock Origin. In my tests, uBlock Origin blocked 400+ of the 637 cookie domains on ilovepdf.com. It is not a complete solution - your file is still uploaded to their servers - but it significantly reduces the tracking surface.
3. Read the Privacy Policy
I know nobody does this. But smallpdf literally states "We currently sell data to Google and Facebook via cookies." If you had read that before uploading your tax return, you might have reconsidered.
4. Prefer Client-Side Tools
Tools like ToolBox (toolbox-kit.com) process everything in your browser. No upload, no tracking, no compromise. For common operations like image compression, PDF manipulation, and format conversion, there is no technical reason to use a server-side tool.
5. Use cloudconvert.com If You Need Server-Side
If you genuinely need server-side processing for a complex or uncommon format, cloudconvert.com demonstrated that it is possible to build a file converter without a surveillance apparatus. Zero third-party scripts, zero cookies, ISO 27001 certified, 24-hour file deletion. It is not perfect (your file still leaves your browser), but it is dramatically better than the alternatives.
---
Client-Side Alternatives
If you want to stop uploading your files to advertising companies, here are tools that process everything in your browser with zero tracking:
- PDF Merge & Split - merge, split, and manipulate PDFs without uploading them
- Image Compressor - compress images locally, no server involved
- Image Format Converter - convert between PNG, JPG, WebP, and more client-side
- CSV to JSON and JSON to CSV - convert data formats without sending your data anywhere
All available at toolbox-kit.com - zero cookies, zero file uploads, zero tracking.
---
Methodology
For transparency, here is exactly how I conducted this audit:
- Browser: Chromium-based, clean profile, no extensions
- Tools used: Chrome DevTools (Network tab, Application tab, Sources tab), custom cookie enumeration script
- Date of audit: February 2026
- What I measured: All HTTP requests on page load, all cookies set (name, domain, expiration, flags), all JavaScript files loaded, Content Security Policy headers, ads.txt files, privacy policy text
- What I did NOT do: I did not decompile mobile apps, test API endpoints beyond normal use, or attempt to access any systems I was not authorized to use. This audit covers only what is visible from normal browser usage.
- Limitations: Cookie counts can vary based on geographic location (I tested from a US IP), time of day (ad auction participants vary), and A/B testing variants. The numbers reported here are from my specific test sessions. Your results may differ slightly, but the order of magnitude will be consistent.
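
The cookie enumeration script used for the audit is not reproduced in this post. As an added example (not the audit's own code), the following parses the `Set-Cookie` headers seen on first load into the fields listed above (name, domain, expiration, flags) and summarises them by site. The input shape, the function names and the sample hosts are constructed for illustration.

```javascript
// Added example: parse Set-Cookie headers captured on first page load and
// summarise them by site. All sample data below is constructed.

// Naive "site" = last two DNS labels. A real audit should use the Public
// Suffix List so that hosts under e.g. "co.uk" are grouped correctly.
function siteOf(host) {
  return host.replace(/^\./, "").toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into name, domain, lifetime and flags.
function parseSetCookie(header, requestHost, nowMs) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    domain: requestHost.toLowerCase(), // host-only unless Domain is given
    lifetimeDays: 0, // 0 means session cookie or under half a day
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "domain" && val) cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    else if (key === "expires") expires = Date.parse(val);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
  }
  // Max-Age takes precedence over Expires when both are present.
  let ttlMs = 0;
  if (maxAge !== null) ttlMs = maxAge * 1000;
  else if (expires !== null && !Number.isNaN(expires)) ttlMs = expires - nowMs;
  cookie.lifetimeDays = Math.max(0, Math.round(ttlMs / 86400000));
  cookie.site = siteOf(cookie.domain);
  return cookie;
}

// responses: [{ url, setCookie: [headerValue, ...] }], for example taken
// from a HAR export recorded before touching any consent dialog.
function auditFirstLoad(responses, pageHost, nowMs) {
  const pageSite = siteOf(pageHost);
  const cookies = new Map(); // de-duplicate on name + domain
  for (const r of responses) {
    const host = new URL(r.url).hostname;
    for (const h of r.setCookie) {
      const c = parseSetCookie(h, host, nowMs);
      c.thirdParty = c.site !== pageSite;
      cookies.set(`${c.name}@${c.domain}`, c);
    }
  }
  const all = [...cookies.values()];
  return {
    total: all.length,
    sites: [...new Set(all.map((c) => c.site))].sort(),
    thirdParty: all.filter((c) => c.thirdParty).map((c) => c.name).sort(),
    // SameSite=None plus Secure is what lets a cookie be sent back from
    // other websites, which is what cross-site tracking relies on.
    crossSiteCapable: all.filter((c) => c.thirdParty && c.sameSite === "none" && c.secure).length,
    longLived: all.filter((c) => c.lifetimeDays > 365).map((c) => c.name).sort(),
  };
}

// Constructed sample for a hypothetical converter at converter.example.
const SAMPLE_NOW = Date.parse("2026-02-01T00:00:00Z");
const SAMPLE_RESPONSES = [
  { url: "https://converter.example/", setCookie: ["session=abc; Path=/; HttpOnly; Secure; SameSite=Lax"] },
  { url: "https://ads.tracker-one.example/sync", setCookie: [
    "uid=111; Domain=.tracker-one.example; Max-Age=34128000; Secure; SameSite=None",
    "probe=1; Max-Age=900; Secure; SameSite=None",
  ] },
  { url: "https://px.tracker-two.example/p.gif", setCookie: [
    "vid=222; Domain=tracker-two.example; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Secure; SameSite=None",
  ] },
  { url: "https://ads.tracker-one.example/sync2", setCookie: [
    "uid=111; Domain=.tracker-one.example; Max-Age=34128000; Secure; SameSite=None",
  ] },
];

console.log(auditFirstLoad(SAMPLE_RESPONSES, "converter.example", SAMPLE_NOW));
```

Cookies that scripts write through `document.cookie` never appear in response headers, so compare the result with the cookie list in the Application tab before treating the count as complete.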
---
Final Thoughts
The online file converter industry has settled into a model where your documents subsidize an advertising surveillance machine. Hundreds of millions of people every month upload sensitive files to services that broadcast their visits to ad networks, sell their data to Google and Facebook, record their mouse movements, set hundreds of cookies without proper consent, and retain files on servers for undefined periods.
It does not have to be this way. Cloudconvert proved it by running a file converter with zero tracking. ToolBox proved it by eliminating the server entirely. The technology exists to convert files without surveillance. The question is whether users will demand it.
The next time you need to compress an image or convert a PDF, ask yourself: is this tool processing my file in my browser, or am I uploading my documents to an advertising company?
---
*All data in this post was collected through standard browser developer tools during normal site usage. No systems were accessed without authorization. If any of the sites mentioned in this post have updated their practices since this audit was conducted, I welcome corrections and will update accordingly.*
*Try ToolBox at toolbox-kit.com - 139 developer and productivity tools, zero tracking, zero file uploads. Your files never leave your browser.*