Privacy

Plain language. What we record, what we do not, and how you can verify it.

Your file

The file you drop on FileForge never leaves your browser. There is no upload step. Static HTML, JavaScript, CSS, and the occasional WebAssembly binary stream from our CDN to your tab; the conversion happens there. The output is created in memory and saved to your file system through the File System Access API or a download link.

You can verify this. Open DevTools (F12), switch to the Network tab, drop a file, and watch the requests. The only traffic is for our own assets. Your file never appears in any outbound request. Our Content Security Policy makes this a hard rule: the browser would block an attempt to send your file to anyone else.

Analytics

We use Plausible Analytics, configured in cookieless mode. Plausible counts page views and a small number of custom events we define below. Plausible does not set cookies, does not follow you across sites, and does not collect personally identifying information. See Plausible's own data policy for their side of the story.

The events we send are:

conversion_started— which converter ran and the input size bucket ("small" < 1 MB, "medium" 1-50 MB, "large" > 50 MB). No filename, no hash, no content.
conversion_completed— converter id and a bucketed duration ("fast" < 1 s, "medium" 1-10 s, "slow" > 10 s).
conversion_failed — converter id and the error category (user_input, resource, codec, integrity, internal, cancelled). Never the error message itself.
pro_upgrade_viewed and pro_upgrade_clicked for the upcoming Pro tier. Not active yet.

We use buckets instead of raw values so that the events cannot be used to re-identify you by cross-referencing file size and time with other logs. The bucketing boundaries are documented in docs/analytics.md.

You can disable analytics with a standard "Do Not Track" signal or by blocking our Plausible script in your browser. If you do, the app still works; we simply do not count your visit.

Cookies

FileForge does not set cookies. We do not need them. We have no accounts, no shopping cart, no server-side session. If you see a cookie banner on this site, it is because a browser extension inserted it; talk to the extension.

Local storage

FileForge uses the Origin Private File System (OPFS) to cache verified WebAssembly binaries between sessions. This is local to your browser; it cannot be read by any other site or by us. It exists to save you from re-downloading a 30 MB ffmpeg core on every visit.

Third-party code

The only third-party code that runs on your device, beyond the browser itself, is:

The Plausible analytics script, served from our own origin.
WebAssembly codec modules (jSquash AVIF encoder, libheif, pdf.js worker, ffmpeg core). Every one of these is pinned by SHA-256 in our public Converter Manifest, and the runtime verifies the hash before instantiation. If the bytes change, the conversion refuses to run.

Data retention

We retain nothing about your files because we never see them. We retain Plausible analytics counts indefinitely, but those counts are aggregate; they cannot be reduced back to individual visits after the fact.

Children

FileForge has no account system and collects no personal data. There is nothing here for a child to give up.

Contact

If you spot a privacy leak or a claim on this page that does not match reality, open an issue on GitHub. Surfacing problems openly is how we stay honest.