How I Built a Privacy-First PDF Tool Using pdf-lib and the Canvas API

James — Wed, 22 Apr 2026 16:50:48 +0000

A few weeks ago I got frustrated with online PDF tools. Not with their functionality — iLovePDF and Smallpdf are genuinely useful. What frustrated me was what happens to your files after you click upload.
I read the privacy policies. Files retained for 24 hours. Cloud processing on remote servers. Advertising tracking on tool pages. For a tool handling potentially sensitive documents — contracts, financial records, medical paperwork — this felt like an unacceptable trade-off.
So I built PrivyFiles. Here's exactly how the privacy architecture works and the technical decisions I made along the way.
The Core Privacy Problem With Cloud PDF Tools
When you upload a file to a typical online PDF tool, this is what happens:

Your file travels from your browser to a remote server over HTTPS
The server processes the file
The processed file sits on that server waiting for you to download it
The server retains your file for a defined retention period — sometimes hours, sometimes days

During step 4, your file exists on infrastructure you have no control over. It is subject to that company's security practices, their employees' access controls, and their legal obligations to respond to government requests.
For most files this is fine. For a contract containing your client's personal data, a financial statement, or a document with sensitive business information — it is not fine.
The solution is obvious in theory: process the file in the browser so it never leaves the device.
The Browser-Based Architecture
PrivyFiles uses two main technologies for client-side processing:
pdf-lib for PDF manipulation
Canvas API for image processing
Using pdf-lib for PDF Metadata Removal
pdf-lib is a JavaScript library that allows you to create and modify PDF documents entirely in the browser. For metadata removal specifically, it works like this:

async function removeMetadata(file) {
const arrayBuffer = await file.arrayBuffer();
const pdfDoc = await PDFLib.PDFDocument.load(arrayBuffer);

pdfDoc.setTitle('');
pdfDoc.setAuthor('');
pdfDoc.setSubject('');
pdfDoc.setKeywords([]);
pdfDoc.setProducer('');
pdfDoc.setCreator('');
pdfDoc.setCreationDate(new Date(0));
pdfDoc.setModificationDate(new Date(0));

const pdfBytes = await pdfDoc.save();
const blob = new Blob([pdfBytes], { type: 'application/pdf' });
const url = URL.createObjectURL(blob);

const link = document.createElement('a');
link.href = url;
link.download = 'cleaned_' + file.name;
document.body.appendChild(link);
link.click();
document.body.removeChild(link);
URL.revokeObjectURL(url);
}

The entire operation happens in memory. The file never touches a network request. From a privacy standpoint this is as good as it gets — we literally cannot see the file because it never reaches us.
Using pdf-lib for PDF Rotation
Rotation is another operation that works beautifully client-side:

async function rotatePDF(file, degrees) {
const arrayBuffer = await file.arrayBuffer();
const pdfDoc = await PDFLib.PDFDocument.load(arrayBuffer);
const pages = pdfDoc.getPages();

pages.forEach(page => {
const currentRotation = page.getRotation().angle;
page.setRotation(PDFLib.degrees(currentRotation + degrees));
});

const pdfBytes = await pdfDoc.save();
const blob = new Blob([pdfBytes], { type: 'application/pdf' });
const url = URL.createObjectURL(blob);

const link = document.createElement('a');
link.href = url;
link.download = 'rotated_' + file.name;
document.body.appendChild(link);
link.click();
document.body.removeChild(link);
URL.revokeObjectURL(url);
}

Pass 90 for clockwise, 180 for a full flip, 270 for anticlockwise. Clean and simple.
Using Canvas API for Image EXIF Removal
JPEG images contain EXIF metadata — camera model, GPS coordinates, timestamp, and more. Stripping this data using the Canvas API is elegant:

async function removeExif(file) {
const img = new Image();
const objectUrl = URL.createObjectURL(file);
img.src = objectUrl;

await new Promise(resolve => img.onload = resolve);

const canvas = document.createElement('canvas');
canvas.width = img.width;
canvas.height = img.height;

const ctx = canvas.getContext('2d');
ctx.drawImage(img, 0, 0);
URL.revokeObjectURL(objectUrl);

canvas.toBlob((blob) => {
const link = document.createElement('a');
link.href = URL.createObjectURL(blob);
link.download = 'cleaned_' + file.name;
document.body.appendChild(link);
link.click();
document.body.removeChild(link);
}, file.type, 1.0);
}

When you draw an image to a canvas and export it back as a blob, the browser strips all EXIF data automatically. The pixel data is preserved perfectly. The metadata is gone.
This works because the Canvas API only understands pixel data — it has no concept of EXIF metadata, so it simply does not include it in the output.
The Hybrid Approach — When Server-Side Is Unavoidable
Some conversions simply cannot be done client-side at a quality level users expect. PDF to Word conversion, for example, requires complex document parsing that is not yet practical in the browser.
For these tools, PrivyFiles uses ConvertAPI with a strict 60 second auto-deletion policy. The API call looks like this:

async function convertFile(file, fromFormat, toFormat) {
const base64 = await toBase64(file);

const response = await fetch(
https://v2.convertapi.com/convert/${fromFormat}/to/${toFormat},
{
method: 'POST',
headers: {
'Authorization': 'Bearer YOUR_TOKEN',
'Content-Type': 'application/json'
},
body: JSON.stringify({
Parameters: [{
Name: 'File',
FileValue: {
Name: file.name,
Data: base64
}
}]
})
}
);

const result = await response.json();

if (result.Files && result.Files.length > 0) {
const link = document.createElement('a');
link.href = 'data:application/octet-stream;base64,' +
result.Files[0].FileData;
link.download = result.Files[0].FileName;
document.body.appendChild(link);
link.click();
document.body.removeChild(link);
}
}

function toBase64(file) {
return new Promise((resolve, reject) => {
const reader = new FileReader();
reader.readAsDataURL(file);
reader.onload = () => resolve(reader.result.split(',')[1]);
reader.onerror = reject;
});
}

The privacy trade-off here is clear and disclosed to users. For metadata removal, EXIF stripping, and rotation — fully local. For complex format conversion — server-side with immediate deletion.
The Image Compression Approach
For image compression, the Canvas API again does the heavy lifting:

async function compressImage(file, quality = 0.7) {
const img = new Image();
const objectUrl = URL.createObjectURL(file);
img.src = objectUrl;

await new Promise(resolve => img.onload = resolve);

const canvas = document.createElement('canvas');
canvas.width = img.width;
canvas.height = img.height;

const ctx = canvas.getContext('2d');
ctx.drawImage(img, 0, 0);
URL.revokeObjectURL(objectUrl);

canvas.toBlob((blob) => {
const link = document.createElement('a');
link.href = URL.createObjectURL(blob);
link.download = 'compressed_' + file.name;
document.body.appendChild(link);
link.click();
document.body.removeChild(link);
}, file.type, quality);
}

The quality parameter accepts a value between 0 and 1. We give users three options — Low (0.5), Medium (0.7), and High (0.9) — mapped to a simple dropdown.
What I Learned About Browser-Based File Processing
Memory management matters. For large files, loading everything into memory simultaneously can crash mobile browsers. Always use URL.revokeObjectURL() immediately after use and avoid holding multiple large ArrayBuffers simultaneously.
pdf-lib has limitations. It cannot reorder pages in complex PDFs with cross-references, and some encrypted PDFs refuse to load. Always handle errors gracefully and fall back to a clear error message.
The Canvas approach has a quality trade-off. Drawing to canvas and exporting as JPEG always applies some compression even at quality 1.0. For lossless PNG output use image/png as the MIME type in toBlob().
Users trust architecture more than policy. Telling users "we delete your files" is a policy claim. Showing them that the file never leaves their browser is an architectural guarantee. The difference matters to privacy-conscious users.
The Result
PrivyFiles launched 4 days ago with zero paid promotion and has already received 473 organic visitors — almost entirely from people searching for privacy-focused PDF tools. The privacy angle resonates strongly with users who have grown frustrated with mainstream tools.
The site is at privyfiles.com if you want to check it out. All feedback welcome — especially from developers who spot ways to improve the client-side architecture.
The metadata removal, EXIF stripping, rotation, and image compression tools are all fully client-side. Give them a try and check your browser's network tab — you will see zero file upload requests.
That is the privacy guarantee that no policy document can match.

DEV Community: James

How I Built a Privacy-First PDF Tool Using pdf-lib and the Canvas API