Transparency
Last updated: June 22, 2026
This page is the plain-language record of what QuillPDF actually does with your files: what runs in your browser, what our server can and cannot see, and the honest limits of the product. If anything on the site ever contradicts this page, this page wins — email us if you catch a contradiction.
Every tool runs in your browser
All eleven tools — Merge, Split, Rotate, Watermark, Compress, Clean Metadata, Redact, Bates Numbering, PDF to Image, Image to PDF, and OCR — process your file entirely inside your browser tab, on your own hardware. The processing engines (pdf-lib, pdfjs, Tesseract.js) and the OCR language data are served from our own origin, so once a page has loaded, nothing leaves your tab. If you disconnect from the network after the page loads, the tools keep working.
You don't have to take our word for it: open your browser's DevTools, watch the Network tab, and run any tool. Zero uploads.
What our server can see
Not your files. The server never receives your file bytes, your extracted text, your edits, or anything you do inside the editor. Every editing and conversion tool runs fully in your browser.
The one thing it does receive is a tiny per-page-load “beacon” whose body is just the path you visited — no file content, no fingerprint. That feeds the aggregate counters described next.
Privacy, explicitly
We run a first-party, counter-only page counter. It is not third-party, not cookie-based, and not a fingerprint.
- What it counts — for each UTC day: hits per page route, country distribution (two-letter code), and a count of distinct visitors. Nothing else.
- How “distinct visitor” works — the server hashes a daily-rotating random salt with coarse request metadata, keeps only that hash in memory for the current day to deduplicate the count, then drops the salt and the hash set at midnight UTC. Day-to-day correlation of the same visitor is structurally impossible, not just policy.
- What it never stores — your raw IP, your User-Agent, your referrer, your screen size, your language, any session identifier, any cross-page journey, anything inside your PDF.
- Do Not Track is honoured. If your browser sends
DNT: 1, the beacon does not fire and you don't appear in the counters at all. - No tracking cookies, no cross-site pixels, no localStorage fingerprint.
- Cloudflare edge. The site is fronted by Cloudflare as a DNS proxy. Their edge captures standard request metadata (timestamp, IP, status code) under their own policy; we run no application-level logging beyond the counter above.
Honest limits
- Everything is free. No account, no login, no usage gate, and no paid tier. Optional donations are on the support page.
- No BAA — by design, not by omission.QuillPDF isn't a “HIPAA-certified” service, and it isn't your business associate: your file never reaches our servers, so we never receive, store, or transmit anything inside it. The protection is architectural, not a paper certification — which for sensitive documents is the stronger guarantee, because there's no server copy for anyone to leak, log, or subpoena. Compliance for regulated data still rests with your own device and organizational controls; there's simply no third party in the loop to add risk.
- 50 MB per file.Hard client-side limit — your browser's memory is the processing environment.
- Redaction flattens the pages you mark.The Redact tool removes content for real by rasterizing each marked page and burning the boxes into the pixels — so a page you redact becomes an image and is no longer text-selectable or searchable. Pages you don't mark are left untouched. That tradeoff is deliberate: on a privacy tool, guaranteed removal beats a selectable-but-leaky page.
- Encrypted PDFs are refused with a clear error rather than silently unlocked.
Honesty changelog
Changes we made specifically because a feature didn't live up to its name:
- May 2026 — Compress PDF rebuilt as real compression. The original only stripped metadata, so savings were trivial. It was renamed Clean PDF Metadata (still available), and Compress returned as true in-browser image re-encoding with quality presets. PDFs that can't be meaningfully compressed say so instead of pretending.
- May 2026 — fake “delete text” removed; real redaction shipped. The old button drew a white rectangle while the text stayed recoverable in the PDF stream. That isn't redaction, so it's gone — replaced by a real Redact tool that rasterizes each marked page and burns the boxes into the pixels, so the underlying content is genuinely removed (at the cost of that page becoming an image).
- May 2026 — AI helpers removed.They sent selected text to a cloud model, contradicting the “nothing leaves your tab” promise. Any future AI feature must run in-browser or be unmistakably opt-in.
- May 2026 — third-party CDN dropped. The PDF engine used to load from a public CDN, leaking a request per visit. All engines and OCR data are now served from our origin.
- May 2026 — silent encryption stripping ended. Password-protected PDFs were being quietly unlocked; now they are refused.
What's next
The roadmap is driven by what users ask for. Email us what you need — requests are how features get prioritized.