Most "free online redactors" ask you to upload the exact document you're trying to protect. There are two ways to avoid that — desktop software, or a tool that runs entirely in your browser. This page covers both, walks the in-browser method step by step, and shows you how to prove nothing left your machine.
Search "redact PDF online" and almost every result works the same way: drag your file in, it travels to a server, gets processed, and a result comes back. For a flyer or a meeting agenda, that's fine. But the documents people actually redact are contracts, medical records, bank statements, IDs, and litigation discovery sets — and for those, the upload is the whole problem.
The moment your file lands on someone else's server, a copy of the exact thing you were trying to protect now exists outside your control. You're trusting a deletion policy you can't audit. That copy can be breached, retained longer than promised, logged, or subpoenaed. "We delete files after an hour" is a promise, not a guarantee — and it's a strange promise to lean on for a document whose sensitivity is the only reason you're redacting it in the first place.
The fix is simple in principle: don't let the file leave your machine. Redact it where it already is.
The long-standing benchmark. Acrobat Pro processes files locally on your computer and its Redact tool does true redaction — content is removed, not hidden — with a separate "Sanitize Document" step to strip metadata.
The cost is friction: it's a desktop install, requires an Adobe account, and runs $19.99/month (≈$240/year). If you also need full text editing, form authoring, or certificate-based signatures, that's money well spent. If you just need to black something out once, it's a lot of overhead.
Here the web page itself is the application. Your PDF opens in the browser's memory — the same way a desktop app opens a file — and is never transmitted. There's no processing server, no database, and no file retention, because there's nothing to retain.
That means no upload, no install, and no account. It's free for documents up to 3 pages; unlimited use is $19/year (or a one-time $49 lifetime). And because the work happens in the tab, you can verify the privacy claim yourself — covered just below.
Go to the redactor and choose your file. It loads locally, like a desktop app — the page renders it with the browser's own PDF engine. Nothing is sent anywhere; you're just looking at your own file in your own tab.
Draw boxes over anything you want gone — names, account numbers, signatures, whole paragraphs. For routine PII, Auto-Redact (Pro) finds SSNs, emails, and phone numbers for you, and built-in OCR handles scanned, image-only PDFs. Review every box either way; OCR can misread.
Hit export. Each page is re-rendered to flat pixels with the black boxes burned in, then rebuilt into a new PDF. The text underneath is destroyed — not covered — and the original document's metadata is stripped in the process. The finished file downloads straight to your device.
This is the part a cloud tool can't offer. With a client-side tool you can confirm, in under a minute, that your file never left the browser. Pick any of these:
Open your browser's DevTools → Network tab, then load and redact your file. A cloud tool shows a request carrying megabytes out. A client-side tool shows zero requests carrying your document — the bytes never move.
The bluntest proof: load the page, then turn off Wi-Fi (or use airplane mode) and redact anyway. If it still works with no connection, the work is happening entirely on your machine — there's nowhere for the file to go.
Every page ships a Content-Security-Policy that tells the browser itself to refuse connections that could carry your file out. View source and read it — it's a machine-enforced rule, not a marketing line.
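Reading a policy by eye is easy to get wrong, so here is one way to audit it mechanically. This is an added example, not code from the tool or its page: it checks the three directives that govern outbound channels, and the two policy strings and the host `api.example.com` are constructed for illustration.

```javascript
// Added example: audit a CSP string for channels that could carry a file out.
// The sample policies at the bottom are constructed, not copied from a real site.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by the browser; the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Directives governing outbound channels. form-action has no default-src fallback.
const EGRESS = [
  ['connect-src', true],  // fetch, XHR, WebSocket, sendBeacon
  ['form-action', false], // form submissions
  ['img-src', true],      // GET requests with data packed into the URL
];
const LOCAL_ONLY = new Set(["'none'", 'data:', 'blob:']);

function classify(sources) {
  if (sources === undefined) return 'unrestricted';
  const remote = sources.map(s => s.toLowerCase()).filter(s => !LOCAL_ONLY.has(s));
  if (remote.length === 0) return 'blocked';
  // 'self' still permits requests to the site's own server.
  if (remote.every(s => s === "'self'")) return 'same-origin';
  return 'remote-allowed'; // anything unrecognised is treated as remote
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const result = {};
  for (const [name, fallsBack] of EGRESS) {
    let sources = policy.get(name);
    if (sources === undefined && fallsBack) sources = policy.get('default-src');
    result[name] = classify(sources);
  }
  return result;
}

const STRICT = "default-src 'none'; script-src 'self'; img-src 'self' blob: data:; " +
  "connect-src 'none'; form-action 'none'";
const LOOSE = "default-src 'self'; connect-src 'self' https://api.example.com";

console.log(auditCsp(STRICT));
console.log(auditCsp(LOOSE));
```

A result of `same-origin` is not the same as `blocked`: the page may still send requests to the server it was loaded from, so only `'none'` on `connect-src` and `form-action` backs a "nothing can be sent" claim.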
Keeping the file local protects it in transit — but it says nothing about whether the redaction itself actually worked. A black rectangle drawn over live text is the classic failure: the words are still in the file, and anyone can select, copy, and paste them out from under the box. Privacy and true redaction are two separate requirements, and you need both. A real redactor destroys the underlying content rather than hiding it. Here's what true redaction actually means and how to check yours holds up.
Use a tool that processes the file on your own machine instead of a server. Two options: desktop software like Adobe Acrobat Pro (local processing, true redaction, $19.99/month plus an account and install), or a client-side web tool like BlackoutPDF, which opens the PDF in your browser and redacts it there — no upload, no install, no account, free for documents up to 3 pages. Avoid any "online redactor" that shows an upload progress bar; that means your document is already on someone else's server.
Open your browser's DevTools, go to the Network tab, then load and redact your document. If you see a request carrying megabytes out of the browser, the file was uploaded. The simpler, stricter test: load the page, turn off Wi-Fi, and try to redact anyway — a genuinely client-side tool keeps working offline because everything happens in the tab, while a cloud tool stops cold. You can also view the page source and read its Content-Security-Policy, which spells out exactly where the page is and isn't allowed to send data.
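The Network tab check can be made repeatable by exporting the capture as a HAR file and scanning it for requests that carried data out. The script below is an added example, not part of the tool: the host names, sizes and the 1 KiB threshold are assumptions, and both captures are constructed.

```javascript
// Added example: list requests in a DevTools HAR export that carried data out.
// HAR 1.2 fields used: log.entries[].request.{method, url, bodySize, postData.text}.

function outboundBytes(request) {
  let body = 0;
  if (typeof request.bodySize === 'number' && request.bodySize >= 0) {
    body = request.bodySize;
  } else if (request.postData && request.postData.text) {
    // bodySize is -1 when not recorded; measure the captured body instead.
    body = new TextEncoder().encode(request.postData.text).length;
  }
  // Data can also leave in the query string of a GET.
  return body + new URL(request.url).search.length;
}

function findUploads(har, minBytes = 1024) {
  return har.log.entries
    .map(e => ({ method: e.request.method, url: e.request.url,
                 bytes: outboundBytes(e.request) }))
    .filter(r => r.bytes >= minBytes)
    .sort((a, b) => b.bytes - a.bytes);
}

// Constructed captures (hosts and sizes are made up).
const entry = (method, url, bodySize, text) =>
  ({ request: { method, url, bodySize, ...(text ? { postData: { text } } : {}) } });

const CLIENT_SIDE_HAR = { log: { entries: [
  entry('GET', 'https://redactor.example/', 0),
  entry('GET', 'https://redactor.example/app.js?v=3', 0),
] } };

const CLOUD_HAR = { log: { entries: [
  entry('GET', 'https://cloud-redactor.example/', 0),
  entry('POST', 'https://cloud-redactor.example/api/upload', 2483112),
  entry('POST', 'https://cloud-redactor.example/api/meta', -1, 'x'.repeat(2048)),
] } };

console.log(findUploads(CLIENT_SIDE_HAR)); // []
console.log(findUploads(CLOUD_HAR));
```

Start recording before you load the document so the capture covers the whole session. The scan counts HTTP request bodies and query strings only.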
It depends entirely on the architecture. A cloud redactor uploads the file, so a copy of your sensitive document lives on a third-party server under a deletion policy you can't audit — that's a poor fit for medical records, legal discovery, or anything privileged. A client-side tool like BlackoutPDF never transmits the file, so there's no server copy to breach, retain, or subpoena, and you can verify that with the offline test above. Two cautions either way: make sure the redaction is true (content destroyed, not just covered), and follow your organization's specific compliance requirements before sending.
Not with a client-side web tool. BlackoutPDF runs in any modern browser with no install and no account — you open the page, load your PDF, redact, and download. The desktop alternative, Acrobat Pro, does require an install and an Adobe account. Both keep your file local; the browser tool just skips the setup.