product 2026-01-10

Our Privacy Promise: Why Your Files Never Leave Your Device

Privacy policies are often ten pages of legalese that boil down to “we try.” We wanted something simpler for Ai2Done: a product architecture where most of your files cannot be collected—not because we resist temptation, but because they never traverse a path we control. This article explains what that means in practice, where the boundaries are, and how we think about trust in 2026.

The old bargain—and why we rejected it

Traditional online tools ask you to upload a file to “process” it. Even well-meaning companies then face breach risk, subpoenas, misconfigured buckets, and the slow drift of data retention policies. Users are left hoping everyone stayed perfect. We asked: what if the sensitive step did not require hope?

Local-first processing

For our core document, image, and video workflows, processing happens in your browser using WebAssembly and client-side runtimes. Your PDF merges, your trims, your ONNX-powered enhancements—the bytes stay on your machine while the CPU (or GPU) does the work. Our servers deliver HTML, CSS, JavaScript, and WASM binaries—the same way they deliver a static site—not your confidential attachments.

That design choice is not a gimmick; it is the backbone of Ai2Done’s relationship with users who handle HR files, medical paperwork, unreleased creative work, or anything they would not casually drop into a random cloud converter.

What still touches the server (and why)

No modern web app is 100% disconnected. You might authenticate, search our tool catalog, or load localized strings. Those interactions generate metadata—for example, that an account exists—not the contents of your merged PDFs. We keep that surface minimal and separate from transformation pipelines.

When we say “your files never leave your device” for a given tool, we mean the file bytes for that operation are not uploaded for processing. If a feature inherently required server-side work, we would label it loudly. Our defaults lean local.
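One way to check this claim for a given tool, as an added example (not Ai2Done's code): given the requests captured while the tool runs, search each outgoing body for slices of the file you selected. The request shape, URLs and sample file below are constructed for illustration.

```javascript
// Added example (not Ai2Done's code): flag outgoing requests whose body
// carries raw bytes of a file the user selected for local processing.
const PROBE_LEN = 32; // assumed probe size, long enough to avoid chance matches

// Sample the file at its start, middle and end.
function makeProbes(fileBytes, probeLen = PROBE_LEN) {
  if (fileBytes.length <= probeLen) return [fileBytes];
  const last = fileBytes.length - probeLen;
  return [0, Math.floor(last / 2), last].map((o) => fileBytes.subarray(o, o + probeLen));
}

// Byte-sequence search: true if needle occurs anywhere in haystack.
function containsBytes(haystack, needle) {
  if (needle.length === 0) return false;
  outer: for (let i = 0; i + needle.length <= haystack.length; i++) {
    for (let j = 0; j < needle.length; j++) {
      if (haystack[i + j] !== needle[j]) continue outer;
    }
    return true;
  }
  return false;
}

// requests: [{ method, url, body: Uint8Array | null }] as captured from the page.
function findFileLeaks(requests, fileBytes) {
  const probes = makeProbes(fileBytes);
  return requests
    .filter((r) => r.body && probes.some((p) => containsBytes(r.body, p)))
    .map((r) => `${r.method} ${r.url}`);
}

// --- Constructed sample data (hypothetical URLs, synthetic file) ---
const enc = new TextEncoder();
const SAMPLE_FILE = Uint8Array.from({ length: 4096 }, (_, i) => (i * 131 + (i >> 8) * 17) & 0xff);
const multipart = new Uint8Array(64 + SAMPLE_FILE.length);
multipart.set(enc.encode('--b\r\nContent-Disposition: form-data; name="f"\r\n\r\n'));
multipart.set(SAMPLE_FILE, 64); // file bytes embedded in a form upload

const LOCAL_ONLY = [
  { method: "GET", url: "https://app.example.test/catalog?q=merge", body: null },
  { method: "POST", url: "https://app.example.test/session", body: enc.encode('{"user":"demo"}') },
];
const WITH_UPLOAD = [...LOCAL_ONLY,
  { method: "POST", url: "https://app.example.test/upload", body: multipart }];

console.log(findFileLeaks(LOCAL_ONLY, SAMPLE_FILE));
console.log(findFileLeaks(WITH_UPLOAD, SAMPLE_FILE));
```

A raw-byte match misses bodies that are compressed, encoded or encrypted before sending, so also compare request body sizes against the size of the file.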

Security is more than privacy

Privacy without safety is incomplete. We ship assets over HTTPS, use sign-in flows where applicable, and follow secure cookie practices. WASM modules are versioned and served from our embedded static bundle so you are not pulling mystery code from a dozen CDNs for core transforms.

Transparency beats marketing

We would rather explain a limitation—browser memory caps, codec support, or model size—than hide behind vague “enterprise-grade” adjectives. Users who understand the trade-offs make better decisions, and we sleep better at night.

A note on responsibility

Local processing shifts control to you: if malware is already on your machine, no architecture can magically fix that. We still recommend up-to-date browsers, sensible file hygiene, and OS-level protections. Our promise is about not adding a giant new attack surface called “upload everything to us.”

The human side

Behind Ai2Done are engineers who also have bank statements, family photos, and NDAs in their Downloads folders. We built the product we wanted to use: fast, capable, and quietly respectful of what “your data” really means.

Thank you for reading—and for holding us to the standard we set.