The documents people convert online are often the most sensitive files they have. Tax returns. Employment contracts. Medical reports. Legal filings. Financial statements. Users upload these files to services they found through a search result, with no knowledge of where the files are stored, how long they are kept, or who has access to them. The privacy implications of this workflow are significant and routinely underexamined.
What happens to files after conversion
Most online converters do not publicly state how long they retain uploaded files. The default assumption for most users is that files are deleted immediately after download — this is the reasonable expectation for a conversion service. The reality varies considerably by platform.
Some platforms retain files for hours or days in temporary storage to allow users to access their converted output if they close the browser. Some retain anonymized versions for quality improvement or training purposes. Some retain files indefinitely on free tiers and offer immediate deletion only as a paid feature. Without reading the privacy policy carefully, users cannot know which category a given platform falls into.
The key questions are: when is the file deleted, what triggers deletion, who can access the file during the retention window, and what happens if the platform is acquired or its data is subpoenaed. A platform that answers these questions with specific, verifiable information is meaningfully different from one that answers with general statements about taking privacy seriously.
The risks of uploading sensitive documents
File conversion services are an attractive target for data collection because the documents they process are highly valuable. A service that processes ten thousand tax returns per day has access to extraordinarily sensitive financial information. A service that processes employment contracts has access to salary data, termination terms, and non-disclosure agreements across many organizations.
The risk is not necessarily that platforms are malicious — most are not. The risk is that files stored on any server are subject to the security of that server. Data breaches, insider threats, and inadvertent disclosure through misconfigured storage are all realistic vectors. The platform with the shortest retention window has the smallest attack surface.
For documents subject to legal confidentiality obligations — attorney-client privileged documents, protected health information, or documents covered by specific NDA terms — using a third-party conversion service may breach the confidentiality obligation regardless of the platform's privacy policy. In these cases, conversion should happen on the local device or on a platform with a documented compliance posture for the relevant regulation.
Evaluating a converter's privacy model
Look for specific statements, not general ones. 'We take your privacy seriously' is not a privacy policy — it is a sentence that says nothing. A useful privacy statement says: files are deleted N minutes after download, deletion is enforced at the storage infrastructure level, we do not process file content for any purpose other than the conversion requested, and we do not sell or share file data with third parties.
Look for technical enforcement, not policy statements. A platform that says files are automatically deleted by storage infrastructure — meaning the storage service itself enforces an expiry — is meaningfully more trustworthy on this point than a platform that says files are deleted by a scheduled cleanup job. Cleanup jobs can fail. Infrastructure-level TTLs do not.
Check whether the service stores file metadata separate from file content. Even if the file content is deleted promptly, a platform may retain metadata about what was converted, when, and from what IP address. For users with confidentiality obligations, file-level metadata can be nearly as sensitive as file content.
How Filum handles file privacy
Filum deletes every uploaded file 60 minutes after conversion. The deletion is enforced at three independent layers: the Supabase Storage infrastructure applies a 60-minute TTL at the storage level, an application cleanup job runs every five minutes as a secondary check, and files are deleted immediately when the user confirms their download. If the user downloads the file at minute two, the file is gone at minute two — not after the 60-minute window.
Filum logs the fact that a file was converted and deleted — timestamp, file type, page count bracket, and deletion reason. What Filum never logs: the file name, file content, user IP address, or any information that could identify the specific document or the individual who converted it. The audit log is append-only at the database level, meaning neither the platform nor anyone with access to the platform can alter or delete log entries retroactively.
The free tier operates without an account. Files converted without an account are not associated with any identity. There is no email address to associate with the conversion record, and the guest session token used to track conversion limits is stored only in the user's browser and expires within 24 hours.
When local conversion is the right answer
For documents with the highest confidentiality requirements — documents under attorney-client privilege, documents containing protected health information, or documents covered by government security classifications — local conversion is the right choice regardless of any platform's privacy model. LibreOffice is free, open-source, and available on Windows, Mac, and Linux. It converts most common format pairs, runs offline, and retains no files.
The trade-off is that local tools generally produce lower-quality conversion output than well-configured server-side tools, and they require installing software. For a single high-stakes conversion of an extremely sensitive document, the trade-off is worth making. For routine professional document conversion, a platform with a transparent and technically enforced privacy model is a practical and justifiable choice.