In March 2025, the FBI Denver Field Office issued a warning that criminals are using free online file converter sites to distribute malware. Sites like docu-flex.com and pdfixers.com — sites that looked completely legitimate and actually performed the conversions — were silently installing info-stealers on users’ machines.
An FBI assistant special agent described the scam as “rampant” across the US. A public-sector entity in metro Denver was hit with ransomware within weeks of using one of these sites. CloudSEK found attackers cloning pdfcandy.com — a site with 2.8 million monthly visits — and tricking users into running malware that harvests browser credentials, crypto wallets, and personal data.
The advice from security researchers boiled down to: stop using free online file converters.
The “safe” ones aren’t great either
Even the established tools — iLovePDF, SmallPDF, PDF24, Sejda, PDF2Go — upload your files to their servers and run ad tracking on your document conversions. Your tax return, your medical records, your client contract. Processed on someone else’s infrastructure. Tracked by someone else’s analytics.
Their privacy policies range from “we delete files after a few hours” to “our employees may access your files for quality assurance.” For most people, that’s the quiet part nobody reads.
So we built something different
We shipped a set of free document tools — Word to PDF, Merge PDF, and Markdown to Word — that run entirely in your browser. Your files never leave your device. There is no server processing them. We couldn’t see your files even if we wanted to.
Here’s what we mean by that:
No uploads. The tools use your browser’s own processing power. JavaScript reads the file, converts it, and gives you the output. No network request is made. No data leaves your tab.
No analytics. No cookies. No tracking. We didn’t put Google Analytics on these pages. We didn’t add cookie banners because there are no cookies. We didn’t build an email gate or signup flow because there’s nothing to sign up for.
A strict Content Security Policy. We set a CSP on every tools page that blocks outbound network requests — no fetch, no XHR, no WebSocket, no form submissions, no image beacons, no iframes. A security researcher can inspect the page source and verify in about 10 seconds.
We don’t even use a PDF library for document conversion. When you convert a Word doc or Markdown file to PDF, your browser makes the PDF via its built-in print engine. We just make the document look good. That means the output has selectable text, proper fonts, and native rendering quality — no blurry screenshots masquerading as PDFs.
Why give this away
We’re Surmado. We build AI-powered marketing intelligence for agencies and small businesses. Our product, Scout, handles sensitive business data every day — competitive analysis, financial modeling, brand positioning. Our customers trust us with that data.
Building free tools that demonstrably respect user privacy isn’t charity. It’s the same principle we apply to every line of code we write. If you handle people’s data, you should respect it.
These tools are us putting that into practice before we ask anyone for a dollar.
Use them
- Word to PDF Converter — convert .docx files and images to PDF
- Merge PDF — combine multiple PDFs into one, drag to reorder
- Markdown to Word — convert Markdown to clean Word documents
If you like how we think, check out what we’re building.