All 27 conversion tools available — files never leave your browser
HarborConvert
Security & Privacyabout 1 month ago

How HarborConvert Protects Your Data (Spoiler: By Never Touching It)

The most secure approach to handling sensitive data is to never handle it at all. Here's the architecture behind HarborConvert's privacy guarantee.

By HarborConvert Team

The Core Design Decision

Most software security conversations are about encryption, access controls, and breach response. HarborConvert's approach is different: the most secure way to protect your file data is to never possess it.

This wasn't a privacy feature added after the fact. It's the foundational architectural decision behind the service. Every converter — from PDF merge to JSON-to-XML to image resize — was built to run entirely in your browser.

How Local Processing Works

When you visit a HarborConvert converter page:

  1. Library loading: The browser downloads the conversion library (e.g., pdf-lib for PDF operations, SheetJS for spreadsheets). This is code, not data — there's nothing sensitive about it.
  2. File reading: You drop a file. The browser's File API reads it into memory inside your browser tab. It goes no further.
  3. Processing: The conversion library runs inside your browser's JavaScript engine, transforming the in-memory representation of your file.
  4. Download: The result is written to your downloads folder via a Blob URL. The browser creates a temporary object URL, your download starts, and the blob is released from memory.

At no point does a network request carry your file data. You can verify this independently.

How to Verify It Yourself

  1. Open any HarborConvert converter
  2. Press F12 to open Developer Tools
  3. Click the Network tab
  4. Filter by Fetch/XHR to show only data requests
  5. Drop a file and start a conversion
  6. Watch the network log

You'll see requests for the JavaScript libraries and static assets. You will not see any request containing your file. The network tab is ground truth — it cannot lie about what your browser transmitted.

What We Do Store

We're transparent about what we collect:

  • Account data: Your email and name if you sign up
  • Conversion metadata (Pro/Business only): File name, size, format, timestamp. Never file contents.
  • Billing data: Managed by Stripe. We store only your subscription status.

The Broader Security Model

Because your files never touch our infrastructure, the attack surface for a data breach is dramatically smaller than conventional SaaS. An attacker who compromised our servers would find:

  • User account records (email addresses, hashed passwords)
  • Conversion metadata (file names and sizes)
  • No file content whatsoever

This is the privacy guarantee we can make with confidence — not because we have excellent security controls (though we do), but because the sensitive data is never in our possession.

Back to blog