Security, in plain language
The most secure upload is the one that never happens.
On-device by default
All free tools — merge, split, compress, convert, OCR, sign, edit, redact, crop, forms, compare — run entirely in your browser using local processing engines. Your files are never uploaded, so there is nothing on a server to breach, leak or subpoena. The AI companion also reads and understands your document on your device, sending only your question and the few passages needed to answer it.
Consent-first servers
A few premium features (HD conversions, whole-document Deep Research) run on our servers because browsers physically can't do them. Every one of them shows a consent screen before anything is uploaded, states the exact price, processes over HTTPS, and deletes the file right after the job. Deep Research indexes are deleted when you close the document and expire automatically within 24 hours.
Accounts & payments
Login is handled by Supabase (Google, Apple or one-time email codes — we never see a password). Payments are processed by Razorpay, a PCI-DSS compliant provider; card details never touch our systems. Balances and usage are stored per-account with row-level security.
Transport & headers
Everything is served over HTTPS with HSTS, strict referrer policy and content-type protections, via Cloudflare's global network.
Report a concern
Found a vulnerability or something that worries you? Please contact us — security reports are read first and answered fast.