Every week, people paste contracts into online comparison tools, type candidate passwords into strength checkers, and upload private photos to compressors. Whether that is reckless or perfectly safe depends entirely on one architectural question: where does the processing happen? This article explains the difference in plain terms, how to check it yourself, and where the honest limits of "local" processing lie.
Two architectures, two trust models
A server-side tool works like a restaurant: you hand over your data, it goes to the kitchen, something comes back. The upload is the product. Your file exists, at least briefly, on someone else's machine, governed by their retention policy, their security practices, and their honesty about both. Even with the best intentions, a copy of your data has travelled, and travel creates logs, backups and breach surface.
A client-side tool works like a calculator you borrowed: the logic is delivered to your device once, as JavaScript, and then runs there. When a browser-based image compressor resizes your photo, the pixels move from one part of your device's memory to another. There is no upload because there is nothing to upload to... the code came to the data instead of the data going to the code. Close the tab and the work disappears with it.
The practical consequence is large. A password tested in a client-side strength checker never exists anywhere except your own RAM. A contract diffed locally was never readable by anyone else. The privacy is not a promise in a policy document; it is a property of the architecture, which is a far stronger guarantee, because policies change and architectures are checkable.
How to verify it yourself
You do not have to take any site's word for it, including this one. Open your browser's developer tools (F12 in most browsers), switch to the Network tab, and then use the tool: paste the text, convert the file, run the check. Watch the request list. A genuinely client-side tool produces no new network requests carrying your content... at most you will see analytics pings and ad requests, none of which contain your data. If a "local" tool fires a POST request the moment you drop a file in, the marketing was lying and the network tab just told you.
A second, blunter test: load the page, disconnect from the internet entirely, and try the tool. Client-side utilities keep working offline because everything they need already arrived. Server-dependent tools fail immediately. (A few legitimately need the network for their core function... a currency converter has to fetch live rates from somewhere... which brings us to the limits.)
The honest limits
Client-side is not a magic word, and some caution survives the architecture. First, some tasks inherently require a server: fetching exchange rates, looking up the geolocation of an IP address, or anything involving data that lives elsewhere. A trustworthy tool sends the minimum necessary for those features and nothing else.
Second, local storage is local in both the good and bad senses. Notes or settings a browser tool remembers are sitting in your browser profile: private from the internet, but readable by anyone who uses your unlocked computer, and gone if you clear site data. Local-first means you hold the data... and holding it is now your job.
Third, the page itself must be delivered honestly. A client-side tool served over plain HTTP could be tampered with in transit; HTTPS closes that gap, which is why it is non-negotiable even for sites that never receive your data. And a malicious page could of course include code that does upload... which is exactly why the network-tab check matters more than any badge or slogan.
Finally, client-side processing protects the data you put into the tool. It says nothing about the other trackers on the wider web, your browsing history, or what your extensions can see. It is one strong layer, not a force field.
A sensible rule of thumb
Match the sensitivity of the data to the verifiability of the tool. For anything genuinely sensitive... passwords, identity documents, unreleased business material... prefer tools whose local processing you can verify with the two checks above, or use offline software. For everything else, the question is proportionality, not paranoia. The encouraging news is that browsers have become powerful enough that an enormous range of everyday tasks (image work, text processing, calculations, even video trimming) no longer requires surrendering the data at all. The kitchen can come to you, and increasingly, it does.