Why most free image converters upload your photos (and why that's a problem)

Search for "HEIC to JPG converter" and you'll find dozens of sites offering to do it for free. What most of them don't say on the front page is that "free" involves sending your photos to a server you've never heard of. Here's what actually happens — and why it matters.

How server-side converters work

The mechanics are straightforward. You pick a file, click "Convert", and your browser packages the image and sends it across the internet to the site's server. The server runs a conversion programme (usually a library like ImageMagick or libvips), produces the output file, and sends it back to you.

From a technical standpoint, this works fine. The problem isn't the conversion — it's everything that happens alongside it. Your file now exists on hardware you don't own, in a data centre you've never visited, operated by a company you know nothing about. How long does it stay there? Who else can access it? Is it logged? Indexed? Sold? Most privacy policies are vague enough that the honest answer is: you don't know.

The real risks

Your photos may contain more than you realise

EXIF metadata embedded in a photo can include the precise GPS location where it was taken, the date and time, your phone model, and sometimes even the serial number. A holiday photo is also a record of where you were and when. A photo you take at home pins your address. Most converters don't strip this metadata — they pass the whole file through.

Tracking and advertising

Free converter sites exist to make money, and the business model is often advertising. A widely-shared thread on Hacker News documented converter sites that load dozens of third-party tracking scripts on the conversion page — some of which fire before you even drop the file. Your visit, your behaviour, and details about the file you're converting are all potential data points for ad targeting.

Malware and supply-chain attacks

In January 2026, the FBI and several partner agencies issued a warning about malicious file-converter sites — tools that appeared to convert documents and images but bundled malware into the downloaded output, or installed it silently through the download process. The advisory specifically called out free online converters as a growing vector for credential theft and ransomware. The FBI's recommendation was direct: be very careful about which sites you use for file conversion, and keep your security software up to date.

This isn't a fringe concern. File conversion is one of the few tasks where users have a genuine reason to download something from a site they've never visited before — which makes it an obvious target. The FBI's warning wasn't theoretical; it came after confirmed cases.

Data breaches

Even a legitimate, well-intentioned converter site is a potential breach target. If they store uploaded files (even temporarily) and their server is compromised, your photos could be exfiltrated. Most small converter sites don't have the security infrastructure of a bank. They're running commodity cloud storage with default settings and a small team.

How in-browser conversion is different

Modern browsers are powerful enough to run image processing entirely on your own device, without sending anything anywhere. The conversion code is downloaded once (it's part of the page itself), and it runs locally using the same computing power your browser uses to play video or render complex graphics.

That's how imgAxe works. When you drop a photo, it never leaves your device. There's no server involved in the conversion, no file upload, and nothing to breach. The output file goes straight to your downloads folder from your own browser.

You can verify this with your browser's network inspector. Open it before you convert a file on imgAxe, then convert. You'll see the page's resources load on the first visit, and nothing else during or after conversion — because there's nothing to send.

A reasonable rule of thumb

For documents, photos of ID, medical images, anything that includes faces of people you know, or anything taken inside your home: only use tools that are explicit that conversion happens on your device. Look for language like "no upload" or "works in your browser" — and if you can't find it, assume the file is being uploaded.

For a random holiday photo you're sending to a relative, the risk is lower. But the habit of choosing privacy-respecting tools is worth building before you accidentally convert something sensitive.