Skip to content Omitly is launching soon — join the waitlist →

Privacy comparison · checked against vendors' own documentation, 5 July 2026

Where does your PDF actually go?

Every redaction tool says it's secure. Fewer say where your document — or its extracted text — travels while they work. We read the privacy notices, security pages and whitepapers so you can compare what the vendors themselves disclose.

What each vendor says happens to your document

Summarised from each vendor's own public documentation as of 5 July 2026 — follow the source links and check for yourself. Policies change; if you spot something out of date, tell us and we'll correct it.

Smallpdf (web)

— Uploaded to Smallpdf's servers for processing.

Smallpdf's privacy notice (updated July 2025) describes files processed on Hetzner servers in the EU, with Cloudflare servers in the United States or Europe temporarily holding US visitors' uploads. Retention depends on how you use it: files from logged-in users are deleted within one hour unless saved to storage, saved files are deleted about 14 days after you delete them, and files from users without an account are kept for “a reasonable period of time after the last time they were opened”.

Source: Smallpdf Privacy Notice

iLovePDF (web)

— Uploaded to iLovePDF's servers for processing.

iLovePDF's security page describes upload-based processing with processed files automatically deleted within two hours. Signed documents are the exception — its security page says those are retained for up to five years.

Source: iLovePDF security page

PDF24 online tools

— Uploaded to servers in EU data centres.

PDF24's FAQ says all processing servers sit in EU data centres (its individual tool pages say Germany), with uploaded files automatically deleted after one hour. Its “files never leave your PC” promise applies to the separate PDF24 Creator desktop app — which its own FAQ says is Windows-only.

Source: PDF24 FAQ

Adobe Acrobat online tools

— Processed in Adobe's cloud; redaction requires an Acrobat Pro subscription.

Adobe's free online PDF tools are cloud services, and the tool list includes no redact tool. Redaction requires Acrobat Pro, and Adobe's help documents it as a desktop Acrobat Pro feature.

Source: Adobe Acrobat redaction docs

Nitro Smart Redact

— Documents processed in Nitro's cloud workspace.

Nitro describes AI redaction with “temporary session processing” and “no storage or data retention” — a retention promise about its cloud service, not on-device processing. Its own deep-dive describes each document as “encrypted in transit and at rest” while its service processes it, and none of its pages claim local processing.

Source: Nitro Smart Redact

SafeRedact

— File parsed in your browser — but the extracted text is sent to a cloud AI API.

SafeRedact's own security documentation states that while the file binary stays in the browser, extracted text strings (with position coordinates) are sent to its API and processed by Anthropic's Claude — an API its security page notes is hosted in the United States. For a confidential document, the text is the confidential part.

Source: SafeRedact security page

Redactable

— Uploaded to Redactable's cloud platform.

Redactable is a browser-based cloud service with document-storage integrations, and its security page says customer data is stored in US private clouds on AWS. It advertises SOC 2 Type 2 and HIPAA compliance, with reports available through its trust centre — the trade-off is that your documents are processed and handled on its infrastructure.

Source: Redactable security page

RedactProof

— Standard engine runs client-side; an optional mode sends extracted text to a cloud AI service.

RedactProof's security docs describe a WebAssembly engine that processes files in the browser, plus an optional “Precision Engine” that routes extracted text — not the file — through Cloudflare Workers AI. Its tamper-evident certificates are gated to its paid Pro tier and above (US$99/month or US$990/year, 2026 pricing).

Source: RedactProof security docs

Apple Preview

— Stays on your Mac.

Preview's Redact tool (added in macOS Big Sur, 2020) is local, and Apple's guide warns the marked content is permanently removed once you close the document. It is manual-only: no pattern search, no handling of scanned pages or hidden text layers, no metadata sanitisation, and no way to verify or prove what was removed — independent testing has found letter fragments at redaction edges and hidden text left behind.

Source: Apple Preview User Guide

Omitly

— Stays on your Mac — documents are processed entirely on-device.

Redaction, OCR, detection and verification all run locally. The app's network activity is limited to checking for signed updates, sending a support message if you type one, and — only if you enable a trusted timestamp when applying a digital signature — a timestamp request carrying a cryptographic digest, never the document. Your documents never leave your device, and every redaction ships with a verifiable, signed audit seal.

Source: How Omitly verification works

Method: we read each vendor's public privacy notice, security page or product documentation on 5 July 2026 and summarised only what those pages state. Where a vendor's claim is architectural (“client-side”, “no uploads”) we report the claim as theirs — we have not network-tested every tool. Retention windows and pricing change; the linked source is authoritative.

Don't take anyone's word for it — including ours

Four ways to test any tool's "local" claim in a few minutes.

Open the network tab

In any browser tool: open Developer Tools → Network before you drop in a file. If you see requests carrying your file or its text after you load a document, it isn't local. Watch for API calls during “analysing” or “detecting” phases — that's when extracted text typically leaves.

Go offline and try again

Switch Developer Tools to offline mode (or turn off Wi‑Fi) and run the same job. A genuinely local tool keeps working. A cloud tool — or a “browser-based” tool that calls a cloud AI — fails at the exact step that isn't local.

Read the security page, not the headline

Marketing says “files stay in your browser”; the security page says “only extracted text leaves”. Both can be technically true at once. The question to answer from the vendor's own words: does the document's content — bytes or text — ever reach their servers?

For desktop apps, use an outbound firewall

Tools like Little Snitch or LuLu show every connection a Mac app makes. Run a redaction job and watch. We publish exactly what Omitly sends (update checks and typed support messages — never document data), and you can confirm it yourself.

A retention policy is a promise. Local is an architecture.

Every cloud tool's privacy story is a commitment about what happens after your document reaches their servers. Omitly's is simpler: it never gets one. Redaction, OCR, detection and verification run on your Mac, and the result carries a signed seal anyone can verify offline.

Where your document travels is one of the three questions that make a redaction defensible — the other two are covered in our plain-English definition of defensible redaction.

Frequently asked questions

Does “browser-based” mean nothing leaves my browser?

No. Several tools genuinely parse the PDF file in your browser but then send the extracted text to a cloud AI service for detection — their own security pages say so. For a confidential document the text is the sensitive part, so read past the headline: the claim that matters is whether the document's content, in any form, reaches the vendor's servers.

Is it safe to upload client or confidential documents to free PDF websites?

That depends on obligations only you can assess. What the vendors themselves disclose: the big free web tools process your file on their servers, with retention windows ranging from one hour to considerably longer depending on the tool and whether you have an account. If you're a lawyer, ABA Model Rule 1.6(c) obliges you to make “reasonable efforts” to safeguard client information, and bar ethics opinions in some 30 US states say that when a cloud vendor will hold client data, those efforts mean vetting the provider's security, reviewing its terms and monitoring it over time — a due-diligence exercise that never arises for a tool that never receives the document. (General information, not legal advice.)

The tool deletes my file after an hour. Isn't that enough?

A short retention window is better than indefinite storage, but it's a promise about what happens after your document has already left your control — it was transmitted, decrypted and processed on someone else's infrastructure, subject to their security, their subpoenas and their mistakes. A retention policy is not the same thing as the document never leaving your machine.

What network requests does Omitly itself make?

Three kinds, none involving your document's content: the auto-updater fetches a signed release manifest to check for updates; the in-app support form sends the message you type (plus app version and OS string) if you choose to contact us; and if you enable a trusted timestamp when applying a digital signature, the app requests one from the timestamp authority you configure — a request that carries a cryptographic digest of the signature, never the document. Document processing — redaction, OCR, detection, verification — happens entirely on your Mac. You can verify this with an outbound firewall like Little Snitch.

How do I verify a redaction actually removed the text?

Try to select and copy text where the black box is, run the file through a checker like our free redaction leak checker, and check document metadata. Omitly goes further: it re-extracts the document's text after redaction to check that removed content is gone, and seals the result with a signature you — or anyone you send the file to — can verify offline.

Sources

Last updated 5 July 2026. Legal references are general information, not legal advice. Think we've got a vendor's policy wrong? Tell us and we'll correct it.