How Uvelia works

The short version: your file never leaves your device. Here's the long version.

What “100% in your browser” really means

When you use Uvelia, your file is loaded into memory inside your browser tab. Every operation — merging PDFs, compressing images, decoding a JWT — runs on JavaScript executing on your own CPU. The result blob is created in the same tab and offered as a download.

Uvelia's server is involved only for two things: serving you the HTML/JS of the page (the static site itself), and running account/Stripe logic if you've signed up for Pro. Files are never uploaded to it, even briefly. There is no “temporary storage”, no “encrypted-in-transit-then-decrypted”, no Lambda that processes your file and deletes it 5 minutes later. It just doesn't exist.

Why this is possible in 2026

Browsers picked up four key capabilities in the last decade that made client-side tooling viable:

  • WebAssembly — runs native-speed code in the browser. PDF libraries that used to need a server now run locally.
  • Canvas API — full image processing (resize, crop, watermark, format conversion) with no server.
  • Web Crypto — cryptographically secure random numbers, real SHA hashes, no extra dependencies.
  • File API — drag and drop, file pickers, blob downloads, all without uploading.

The exact libraries Uvelia uses

Every one of these is open source. You can read the code, audit them, or use them yourself.

pdf-lib
PDF creation, merging, splitting, signing, watermarking, forms.
pdfjs-dist
Mozilla's PDF renderer — used for text extraction and bookmarks.
mammoth
DOCX → HTML / text conversion. No Microsoft Word needed.
JSZip
Reading .docx (which are ZIP files) and bundling output ZIPs.
qrcode-generator
QR code generation, drawn to a canvas.
DOMPurify
Sanitizes HTML output from Word documents before rendering.
file-saver
Triggers downloads from in-memory blobs.
Web Crypto API
SHA-1/256/384/512, secure random for passwords and UUIDs.

What we DO store on the server

To be transparent, Uvelia's backend stores:

  • Your email, a bcrypt-hashed password, and a username — only if you create an account.
  • Your Stripe customer ID and Pro subscription status — only if you subscribe.
  • Refresh-token hashes so you can stay signed in across devices — deleted on logout.

That's it. We never store anything about which tools you used, which files you processed, or how often you visit. There's no analytics database to query.

What about offline?

Once a tool page has loaded once, it will keep working even if you lose your internet connection — the processing happens in your browser, not on a server. You can install Uvelia as a PWA from your browser's address bar to make this seamless: it becomes an installable app icon on your desktop or home screen.

Anything Uvelia can't do client-side?

A few things, which is why they're not on the roadmap as free tools:

  • Deep image re-compression (like TinyPNG) — needs heavyweight server-side encoders.
  • OCR on scanned PDFs — Tesseract.js works but the WebAssembly bundle is ~30 MB, which would hurt every other page's load time.
  • Conversion between Word and PDF with full fidelity — needs server-side LibreOffice or similar.

We'd rather not have these than break the privacy guarantee.