Reproducible privacy check
Verify local image conversion with the Network panel
“Runs in your browser” should be testable. Browser developer tools can show whether selecting and converting a file causes an upload, while also revealing ordinary page assets and privacy-safe product analytics.
Network verification, step by step
Open a fresh private window
This reduces interference from extensions and existing tabs. Load the converter before choosing a sensitive file.
Open developer tools → Network
Enable Preserve log, clear the list, and keep the panel open. Do not disable the network yet; first observe normal behavior.
Choose a harmless test image
Use a synthetic or public fixture, not a private photo, for the first check. Note its file size and give it a distinctive local filename.
Convert and download
Watch requests created after selection, during conversion, and when downloading. Inspect request method, domain, type, size, headers, and payload.
Search for private values
Search request URLs and payloads for the distinctive filename. File bytes, data URLs, blob contents, and exact private dimensions should not appear.
Repeat while offline
After the page and required decoder assets are loaded, switch DevTools to Offline and retry. A successful run is strong evidence that conversion itself is local, though first-load assets may still require a network.
What you may still see
Normal page traffic
- HTML, JavaScript, CSS, fonts, icons, and decoder/WASM assets.
- Coarse page-view or interaction events with no filename, file bytes, content, or exact private dimensions.
- Navigation requests when you deliberately move to another page.
Evidence of an upload
- A POST/PUT request whose payload size tracks the chosen file.
- Multipart form data, base64, binary request bodies, blob content, or a file storage URL.
- The local filename or exact private dimensions in analytics or error payloads.
UnHeic’s stated boundary
Converter file bytes are intended to stay inside the browser tab. The site may measure coarse events such as a detector success, unknown result, conversion completion, cancellation, output switch, or download. Those events must not include filenames, file content, raw bytes, data URLs, object URLs, exact private dimensions, EXIF values, or GPS data.
A browser crash report or extension can create a separate boundary. Use a current browser, review extensions, and avoid treating any web tool as an absolute privacy guarantee.