Every security page on the internet says "we take your privacy seriously." This one is different: every claim below can be checked from your chair, in about a minute, without believing a word we say.
Conventional PDF tools ask you to upload your document, promise to handle it carefully, and promise to delete it later. Their trust page is a stack of certificates attesting that they probably keep those promises.
BlackoutPDF removes the promises by removing the server. Our pages are static files. When one loads, your browser does all the work — opening, rendering, redacting, signing, rebuilding — in the memory of your own tab. The exported file goes from that memory straight to your Downloads folder.
We could not retain your documents if we wanted to. The code to receive them does not exist, and the Content-Security-Policy on every page instructs your browser to refuse to send them anywhere.
Open DevTools (F12) → Network. Load a PDF, redact it, export it. Watch the request list: zero requests carry your document. What you'll see instead: fonts, libraries, nothing else.
Load any tool page, then disconnect from the internet entirely. Keep working — load, redact, export. An upload-based tool dies instantly. This one doesn't notice. The badge in our header turns green when you're offline.
View source on any page and read the Content-Security-Policy tag. It's an instruction to your browser — not a promise from us — listing the only places this page may connect. Your document isn't allowed out.
default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' data: blob:; connect-src 'self' https://cdnjs.cloudflare.com; worker-src blob: https://cdnjs.cloudflare.com; form-action 'none'; base-uri 'self'
The two bold directives are the lock: connect-src means scripts may only fetch from this site and the library CDN — no third-party destination can receive data. form-action 'none' means no form on this page can submit anywhere. Enforced by Chrome, Firefox, Safari, and Edge — not by us.
| Destination | When | What's in the request | Your document? |
|---|---|---|---|
| fonts.googleapis.com fonts.gstatic.com |
Page load | A request for the two typefaces you're reading. Standard headers only. | Never |
| cdnjs.cloudflare.com | Page load | Fetches the open-source PDF libraries (pdf.js, pdf-lib, jsPDF, JSZip) that do the processing — locally, after download. | Never |
| /api/verify | Only when activating or re-checking a license | One string: your Stripe checkout session ID (cs_…, ~66 characters). It is the only thing our one serverless function ever receives. | Never |
| buy.stripe.com | Only if you click a Buy button | You leave our site for Stripe's hosted checkout. Payment details go to Stripe directly; we never see them. | Never |
| vercel.app | Page load | Serving you the page itself, plus standard access logs (IP, user agent) that all web hosts keep. | Never |
That's the entire list. A sixth destination is not possible — the Content-Security-Policy above forbids it, and your browser enforces the prohibition. No analytics, no trackers, no pixels, no session recording. We genuinely don't know how many people use this.
| Data | Where it lives | Details |
|---|---|---|
| Your documents | Your device only | Exist in your tab's memory while you work; gone when you close the tab. Never transmitted, so never stored, scanned, or retained by anyone. |
| Your license | Your device only | One localStorage entry (bpdf_license_v1) holding your Stripe session ID. No account, no password, no email on file with us. |
| Payment details | Stripe | Card numbers, name, and billing email are collected and held by Stripe (PCI DSS Level 1). We see receipt-level data in the Stripe dashboard — never card numbers. |
| Cookies | None | This site sets zero cookies. There is no cookie banner because there is nothing to consent to. |
| Analytics & trackers | None | No Google Analytics, no Meta pixel, no fingerprinting, no A/B tooling. The CSP would block them anyway. |
| Accounts | None | There is no user database. Your license key is your receipt; losing it is recoverable from your Stripe email. |
"Subprocessor" is a generous word here — none of these companies process your documents, because your documents are never transmitted. They handle the things around the edges:
| Vendor | Role | Their certifications | Sees your documents? |
|---|---|---|---|
| Vercel | Static hosting + the one license-check function | SOC 2 Type II, ISO 27001 | Never |
| Stripe | Payments and subscriptions | PCI DSS Level 1 | Never |
| Cloudflare (cdnjs) | Serves the open-source PDF libraries | SOC 2 Type II, ISO 27001 | Never |
| Google Fonts | Serves two typefaces | ISO 27001 | Never |
This list changes rarely, and this page is the changelog. Last reviewed: June 10, 2026.
Shown in full above. The browser-enforced rule that keeps your data in the tab.
No site can embed BlackoutPDF in an iframe — rules out clickjacking overlays on the redaction workspace.
The browser won't reinterpret files as a different type than declared.
If you click an external link, the destination isn't told you came from here. Even our outbound links don't gossip.
If you find a way to make any page here exfiltrate document data, we want to know immediately and will credit you: schwarzfish98@gmail.com with subject "SECURITY".
Our approach is data minimization in its most literal form: documents never transmitted, no accounts, no cookies, no analytics. The only personal data in the system is payment information, which is collected and held by Stripe. You can't leak, sell, or be subpoenaed for data you never collected. Details — all one page of them — are in the privacy policy.
No, and here's the honest version: a SOC 2 audit attests to how a company handles customer data on its servers. Our architecture removes the servers from the document path entirely — there's no document-handling infrastructure to audit. The vendors that do touch data around the edges are certified: Vercel holds SOC 2 Type II for hosting, Stripe is PCI DSS Level 1 for payments. The browser-enforced CSP you can read above is checkable today, by you — an annual auditor's letter is not.
Documents processed here are never transmitted to or stored by any third party — processing happens entirely on your own device, like a desktop application. Many compliance frameworks treat local-only processing very differently from cloud upload (there's no Business Associate receiving anything). That said, we can't make compliance determinations for your organization: run the one-minute verification above, then check with your compliance team.
You don't have to — that's the point of verifiable architecture. The DevTools test and the Wi-Fi-off test work every session, on the code actually running that day. Verify on the day you use it. Trust that must be re-earned every session is the only kind worth offering.
Because there are no cookies. The banner laws regulate tracking; the simplest compliance strategy is to not track anyone.