QuillPDF

Transparency Report

Last updated: May 22, 2026

QuillPDF is in open beta. This page exists so anyone — a curious user, a competitor, a future auditor — can see exactly what works today, what does not, and what we're deliberately not claiming. If the marketing copy ever contradicts this page, the marketing copy is wrong. Email us if you catch one.

What runs in your browser (no file upload)

These tools never send your PDF to a server. They load pdf-lib and pdfjs-dist into your browser tab and manipulate the bytes locally. If you lose network after the page loads, they still work:

  • Merge PDF
  • Split PDF
  • Rotate PDF
  • Watermark PDF
  • Clean PDF Metadata (previously “Compress”)
  • PDF to Image (PNG)
  • Image to PDF (JPG / PNG)

What sends data to a server

Nothing about your PDFs. Every tool listed above runs entirely in your browser. The server that hosts this site does not receive your file bytes, your extracted text, or anything you do inside the workspace. If your network drops after the page loads, the tools keep working.

The one thing the server does receive is a tiny per-page-load “beacon” used for the aggregate counters described under Privacy below. The beacon body is just the path you visited — no file content, no fingerprint.

Things we have deliberately removed or renamed

“Compress PDF” rebuilt as real compression (May 2026)

The original “Compress PDF” only stripped metadata and re-serialized via pdf-lib — no image re-encoding, so size savings were trivial. We renamed it to Clean PDF Metadata in May 2026, then implemented actual compression and brought “Compress PDF” back as a separate tool. Both ship today: Compress re-encodes embedded images via the browser's native canvas at a chosen JPEG quality (Aggressive q=50 / Balanced q=70 default / Light q=85 / Custom 50-90); Clean Metadata still does just the metadata strip. Transparency, CMYK, Indexed-palette, and signed PDFs are skipped or refused; users see the skip-bucket counts and an off-ramp banner when a PDF can't be meaningfully compressed.

“Edit PDF” tool

The home grid had an “Edit PDF” card that redirected to the workspace. That's not a tool — it's a shortcut. Gone.

AI helpers (sidebar + selection menu)

The workspace previously had a chat-with-document sidebar and a right-click menu with Rewrite / Simplify / Summarize actions. They sent the highlighted text (or the full extracted document text, for the sidebar) to AWS Bedrock. Removed 2026-05-21 — they contradicted the “your PDFs never leave your browser” positioning. May return as a client-side (in-browser) AI feature, or as a clearly-opt-in upload feature with a different brand wrapper. Not coming back as-was.

Delete-text button in the workspace

The workspace had a ✕ “Delete text” button that drew a white rectangle over the text in the exported PDF. The original text was still in the PDF stream and recoverable by any text extractor. That is not redaction and we won't ship it as if it were. Real redaction is on the roadmap.
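
An export check for the failure described above, as an added example (not QuillPDF's code): it shows that text covered by a white rectangle is still extractable from the content stream, and that removing the text-showing operation is what makes the check pass. The sample streams are constructed and uncompressed, and all function names are hypothetical; real PDFs usually Flate-compress streams and may use font-specific encodings, so a production check should run a full text extractor.

```javascript
// Added example (hypothetical names): why a white rectangle is not redaction.
// CONSTRUCTED, uncompressed page content stream: text first, cover drawn on top.
const coveredStream = [
  'BT /F1 12 Tf 72 700 Td (Patient: Jane Example) Tj ET',
  '1 1 1 rg 70 695 200 16 re f', // white filled rectangle over the text
].join('\n');

// CONSTRUCTED: the same page after the text-showing operation itself is removed.
const redactedStream = '1 1 1 rg 70 695 200 16 re f';

// Decode a PDF literal string body. Handles the \( \) \\ escapes only;
// nested unescaped parentheses and octal escapes are out of scope here.
function decodeLiteral(body) {
  return body.replace(/\\([()\\])/g, '$1');
}

// Collect strings shown by Tj and by TJ arrays, as a text extractor would.
function extractShownText(stream) {
  const literal = /\(((?:\\.|[^\\()])*)\)/g;
  const out = [];
  // Form 1: (string) Tj
  for (const m of stream.matchAll(/\(((?:\\.|[^\\()])*)\)\s*Tj/g)) {
    out.push(decodeLiteral(m[1]));
  }
  // Form 2: [ (str) -20 (ing) ] TJ  (kerned fragments of one run of text)
  for (const m of stream.matchAll(/\[((?:\\.|[^\]\\])*)\]\s*TJ/g)) {
    const parts = [...m[1].matchAll(literal)].map((p) => decodeLiteral(p[1]));
    out.push(parts.join(''));
  }
  return out;
}

// Export check: true if the supposedly removed text can still be extracted.
function stillExtractable(stream, secret) {
  return extractShownText(stream).some((t) => t.includes(secret));
}
```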

Silent encryption stripping

Previously, we loaded every PDF with ignoreEncryption: true, which quietly unlocked password-protected PDFs. Now we refuse encrypted PDFs with a clear error.

jsDelivr CDN fetch

The pdfjs worker used to be fetched from cdn.jsdelivr.net. Every PDF you opened leaked a request to a third party. We now host the worker on our own origin.

Things that don't exist yet (but old copy implied they did)

  • User accounts. No signup, no login, no email list.
  • Pro tier. The pricing page mentions numbers indicatively, but there's no Stripe flow wired to a real account system. “Join waitlist” is a mailto link.
  • Usage limits. There's no per-user limit on the PDF tools today. Same access for everyone, no gate. We may add a real auth-backed limit later if abuse forces it.
  • BAA / HIPAA. We are not HIPAA compliant. Do not use QuillPDF for PHI.
  • OCR. No text OCR pipeline yet.
  • Real redaction. See above.
  • Files above 50 MB per file. Hard client-side limit today.

Privacy, explicitly

First-party aggregate analytics, counter-only. We run our own page-counter on this site. It exists because we needed a single honest data point — “are people actually using this tool?” — to decide what to build next. It is not third-party, not cookie-based, and not a fingerprint.

  • What it counts — for each UTC day: number of hits per page route, distribution by country (two-letter code), and a count of distinct visitors. Nothing else.
  • How “distinct visitor” is computed — the server hashes a daily-rotating random salt together with your country code, the first three octets of your IP (the /24 network), and your User-Agent string. Only that hash is held in memory for the current day, and only to deduplicate the visitor count. At midnight UTC the salt is rotated and the hash set is dropped — so day-to-day correlation of the same visitor is structurally impossible, not just policy.
  • What it does not count — your raw IP, your User-Agent string, your referrer, your screen size, your language, any session identifier, any cross-page journey, anything inside your PDF.
  • Where the data lives — a single JSON file on the same server that serves the site. Nothing leaves our infrastructure.
  • Do Not Track is honoured. If your browser sends DNT: 1, the beacon does not fire. You won't appear in the counters at all.
  • No tracking cookies. No cross-site pixels. No localStorage fingerprint.
  • Cloudflare edge logs. This site is fronted by Cloudflare as a DNS proxy in front of a self-hosted server. Cloudflare's edge captures standard request metadata (timestamp, IP, status code) per their own policy. We don't run a separate application-log pipeline on top beyond the aggregate counter above.
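
A sketch of the distinct-visitor scheme described in the list above, as an added example (not QuillPDF's server code): a random salt per UTC day, a hash over salt, country, /24 network and User-Agent, and an in-memory set that is dropped at rotation. SHA-256, the field separator, the IPv4-only handling and every name here are assumptions.

```javascript
// Added example (hypothetical names): daily-salted distinct-visitor counter.
const nodeCrypto = require('node:crypto');

class DailyVisitorCounter {
  constructor(now = new Date()) {
    this.rotate(now);
  }

  // New random salt and an empty set. The old salt is discarded, so hashes
  // from the previous day cannot be recomputed or matched against new ones.
  rotate(now) {
    this.day = now.toISOString().slice(0, 10); // UTC date, e.g. "2026-05-22"
    this.salt = nodeCrypto.randomBytes(32);
    this.seen = new Set();
  }

  // Keep only the first three octets (the /24 network) of an IPv4 address.
  static network24(ip) {
    const octets = ip.split('.');
    if (octets.length !== 4) throw new Error('IPv4 only in this sketch');
    return octets.slice(0, 3).join('.');
  }

  // Hash of salt + country + /24 + User-Agent; only this value is stored.
  visitorHash(country, ip, userAgent) {
    const fields = [country, DailyVisitorCounter.network24(ip), userAgent];
    return nodeCrypto.createHash('sha256')
      .update(this.salt)
      .update(fields.join('\0'))
      .digest('hex');
  }

  // Record one beacon; rotates first if the UTC day has changed.
  record({ country, ip, userAgent }, now = new Date()) {
    if (now.toISOString().slice(0, 10) !== this.day) this.rotate(now);
    this.seen.add(this.visitorHash(country, ip, userAgent));
  }

  get distinctVisitors() {
    return this.seen.size;
  }
}
```

The input space (country, /24, User-Agent) is small enough to enumerate, so the unlinkability depends on the salt staying secret while in use and being destroyed at rotation, never written to disk or logs.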

Roadmap (not promises)

  1. Real redaction (remove content stream objects, not rectangles).
  2. Client-side OCR via Tesseract.js.
  3. Form filling (AcroForm).
  4. Auth-backed usage gate and Pro tier.
  5. BAA / HIPAA track as a separate product offering.
  6. Self-hostable Docker image for enterprises.

If any of these matter to you, email us and tell us which one. That's how we decide what to build next.

QuillPDF is operated by Purple Directive (operated by Tyrian Murex). This page mirrors /privacy and the TRANSPARENCY.md file in the repository.