Privacy
Here's the deal: I'm one person building this tool. I literally cannot afford cloud storage to keep your files even if I wanted to.
The short version
Your files are deleted immediately after conversion. Image conversions happen entirely in your browser — those files never leave your device at all. Document and audio conversions go through a secure server, get converted, and the files are deleted right after.
What happens to your files
Image conversions (PNG, JPG, WEBP, HEIC, SVG, BMP, GIF) are processed 100% in your browser using JavaScript. Your files never touch a server. Nobody sees them. Not me, not anyone.
Document conversions (DOCX, PDF, PPTX) and audio conversions (MP3, WAV) are sent to a secure server for processing. The file is converted, sent back to you, and immediately deleted from the server. No copies are kept. No backups. Nothing.
Spreadsheet conversions (CSV, Excel, TSV) work in your browser using JavaScript, same as image conversions. Your spreadsheet never leaves your device. The conversion happens locally, and the result is downloaded directly to you.
Compression tools (PDF, image, DOCX, PPTX compression) are processed on a secure server. Your file is compressed, returned to you instantly, and deleted from the server immediately after. We never store compressed files, and we don't keep logs of what you compressed.
Security measures
All server connections use HTTPS encryption, so your files are protected in transit. File uploads are validated by file type and size — we reject anything larger than 50 MB and any file type that isn't on our supported list. This prevents abuse and keeps the system running efficiently for everyone. Server-side processing includes rate limiting to prevent someone from flooding the service with thousands of uploads or draining resources. Files are written to a temporary directory, converted, returned to you, and deleted immediately. Nothing is retained after the conversion completes. Each conversion is isolated in its own process to prevent any possibility of cross-contamination between different users' files.
Third-party services
OnlyFiles is hosted on Netlify (the public-facing website), and the conversion/compression backend runs on Railway (a cloud compute platform). These services see that you made a request and when, but they don't see the contents of your files — only metadata like file size and type. Netlify doesn't have access to your uploaded files. Railway processes them in isolated sandboxes that are destroyed after each job. Neither Netlify nor Railway stores your files or shares them with anyone. Both companies have standard data privacy agreements and security certifications.
Data retention
Zero retention. Files are deleted immediately after processing. Not "after 24 hours," not "after 30 days." Immediately. No automatic backups. No retention periods. No "we'll keep it for 30 days just in case." If your upload fails mid-transfer, the partial file is cleaned up within minutes. If you lose your internet connection, the file on the server times out and is deleted. We don't keep logs of what you uploaded, when you uploaded it, or what you converted it to. We don't create conversion records. The only thing stored is anonymized usage metrics (like "X conversions happened today") for monitoring service health — no personal data, no file details, no identifying information. That's it.
What I don't do
I don't create accounts or force you to sign up. I don't track what you convert or correlate conversions to IP addresses or identifiers. I don't sell data — not to advertisers, not to data brokers, not to anyone. I don't use analytics services that follow you around the internet (no Google Analytics, no Segment, no tracking pixels). There are no cookies to accept because there are no cookies. No session tracking, no behavioral profiling, no "enhance your experience" scripts. If you visit OnlyFiles, convert a file, and leave, there's no permanent record that "you" did anything. That's the whole point.
Feature requests
If you drop a file type we don't support yet, you can submit a request. That request includes only the file type you have and what you want it converted to — nothing else. No personal information, no file contents.
Why I'm being this direct
Most privacy pages are 4,000 words of legal text that nobody reads. I'd rather just tell you what actually happens. This keeps costs down for me and helps protect your privacy. Everybody wins.
Questions or concerns?
If you have privacy questions or you've found a security issue, reach out on Twitter: @kimtriestobuild. I respond to DMs. If you find a security vulnerability, please let me know directly before posting it publicly — I take security seriously and will address it quickly.
Last updated: March 2026. If this ever changes, I'll update this page.