Privacy Proof
The privacy promise is narrow and testable: supported PDF editing workflows run in your browser, not on our API. Account, waitlist, billing, and technical service data are separate from document contents.
How the editor handles files
The editor opens PDFs through browser file APIs, processes pages with local JavaScript libraries, and creates downloads with browser blob URLs. The document file is not submitted to a server for merge, extract, reorder, rotate, delete, duplicate, or watermark operations.
Network boundaries
The editor route uses a stricter Content Security Policy than the marketing site, disables analytics on the editor page, and activates a document privacy guard after a PDF is opened. That guard blocks direct browser network APIs such as fetch, XMLHttpRequest, WebSocket, EventSource, and sendBeacon while a document session is active.
What still reaches servers
Login, registration, waitlist, billing, and Stripe subscription events use server endpoints. Those flows do not require PDF document contents, filenames, thumbnails, page text, file hashes, or document-derived metadata.
Verification
The codebase includes automated checks for missing document-upload API routes, local-only copy, editor privacy headers, export compatibility, and a browser no-network editor smoke test.