What we process
Only the files you choose for conversion and the selected tool options are processed for the temporary job.
Privacy
SecretConvert is private by architecture, not just by policy. Files are processed locally inside the confidential compute environment, exposed only through temporary signed downloads, and deleted after conversion or session expiry.
SecretConvert avoids the public converter pattern where files, names, metadata, and business context are handed to third-party processing APIs.
Only the files you choose for conversion and the selected tool options are processed for the temporary job.
SecretConvert does not send documents, images, filenames, or metadata to external converter platforms.
Uploads are stored under a random UUID job folder, renamed to random safe filenames, and removed after conversion or TTL expiry.
Strip author names, device data, GPS metadata, and software history where local tooling can remove it.
SecretConvert does not use uploaded documents, images, extracted text, or metadata to train models.
Files are not sold, shared with data brokers, or routed to third-party file conversion services.
The app is prepared to run behind Traefik on SecretVM, where workloads and temporary files stay inside the protected VM boundary.
Production operators should publish a support contact for privacy, security, and deletion questions.
Privacy commitments
The application does not add Google Analytics, tracking pixels, external CDN JavaScript, public upload directories, or remote conversion APIs. The server code avoids logging original filenames, file contents, extracted text, and embedded metadata.
Confidential computing protects the backend workload boundary, temporary files, process memory, and deployment secrets. It does not make already-public files invisible, revoke files shared elsewhere, or replace endpoint security on the device that uploads or downloads a document.
SecretConvert does not keep original filenames, document text, image metadata, or conversion inputs after the job completes. Outputs are available only through signed temporary links until the configured retention window expires.
Files are automatically deleted after conversion or session expiry. The default retention window is ten minutes and can be changed with FILE_TTL_MINUTES.