Privacy and Data Security
FileBender processes your files in the browser. Row data does not leave your device during normal flow execution. This guide covers exactly what crosses the network boundary, what stays local, and how to verify it for any given transform.
The default: local-only
Section titled “The default: local-only”When you drop a file on an Input node, the file is parsed by JavaScript running in the browser tab. The parsed rows live in browser memory. Each subsequent transform runs in the same tab, reads rows from the previous step, and yields rows to the next. The Output node assembles the final rows back into a file format and offers it as a download.
At no point in this default pipeline are row contents sent to a server.
The transforms that ship today and run entirely locally:
- All Input transforms: CSV, JSON, XLSX.
- All Output transforms: CSV, JSON, XLSX.
- All transform/aggregation transforms except Currency Convert: Add Column, Formula, Filter Rows, Format Dates, Stack Rows, Rename Columns, Reorder Columns, Select Columns, Replace Values, Change Type, Split Column, Sort Rows, Deduplicate, Group By, Pivot, Unpivot, Lookup.
The privacy badge on each transform’s docs page (and on the node itself in the canvas) reflects this. Local transforms show the Local badge; the network-touching transform shows an External badge with the service name.
The exception: Currency Convert
Section titled “The exception: Currency Convert”Currency Convert is the only built-in transform that performs a network request during flow execution. It fetches current exchange rates from frankfurter.dev (a free, public European Central Bank rates API). The request includes the source and target currency codes you configured — for example, USD and EUR. It does not include row data.
The fetched rates come back as numbers. Currency Convert applies them to the relevant column in your row stream entirely in the browser. Your row data does not leave the browser.
You can confirm this by opening the browser’s developer tools, switching to the Network tab, and running a flow that contains Currency Convert. The only outbound request that touches a non-FileBender domain will be to api.frankfurter.dev, with no body and no row data in the URL.
If a future transform sends data externally, it will declare that in its privacyPolicy and surface a different badge variant. The privacyPolicy field on every transform definition is the source of truth — see packages/domain/src/transform-catalog/value-objects/privacy-policy.ts for the four possible categories.
What FileBender’s own server sees
Section titled “What FileBender’s own server sees”The browser does talk to FileBender’s server, but only for application concerns — not for data processing:
- Authentication. Sign-in, sign-out, session refresh.
- Flow metadata persistence. Flow names, node positions, node configurations (the parameters you set, like a Filter Rows condition or a Formula expression). The configuration is stored server-side so you can open the same flow on another device.
- Subscription and billing state. Tier, usage, payment method.
Notably absent from this list: the contents of the files you process. The Input file you drop on a CSV Input node is not uploaded. The intermediate row data flowing between nodes is not uploaded. The Output file you download was assembled in the browser.
Browser storage
Section titled “Browser storage”FileBender uses your browser’s IndexedDB to persist a few things between sessions:
- Cached input files. When you drop a file on an Input node, FileBender keeps a reference to it so you can run the flow again without re-uploading. This file lives in your browser’s IndexedDB; it is not uploaded.
- Cached execution data. The output of each node from the most recent run, so the data preview is available immediately when you reopen the flow.
- Cached fetches. Exchange rates from Currency Convert are cached for a short window so consecutive runs don’t re-hit the rates API.
To clear this storage, open your browser’s site settings for filebender.com and clear site data. You can also clear specific items from the developer tools’ Application panel under IndexedDB.
Shared flows
Section titled “Shared flows”When you share a flow link with someone else, the person opening the link runs the flow in their browser. The flow definition (nodes, edges, configurations) is loaded from FileBender’s server; the input file they choose stays in their browser; the output file is built in their browser.
In other words, sharing a flow shares the recipe, not the data.
Verifying for a specific transform
Section titled “Verifying for a specific transform”Two ways:
- Check the badge. Every transform’s docs page and every transform node on the canvas displays a privacy badge. Local-only transforms show Local; the only external one today is Currency Convert (External — frankfurter.dev).
- Read the source. Each transform’s
privacyPolicylives inpackages/domain/src/transform-catalog/built-in/<name>.ts. The four kinds are:local(no network),fetchExternal(HTTP GET),sendToApi(sends to FileBender),sendExternal(sends to a third party). Today only the first two are used by built-in transforms.
Compliance notes
Section titled “Compliance notes”FileBender is suitable for processing data subject to GDPR, HIPAA, and similar regulations insofar as the data does not leave the browser. Because rows stay client-side during processing, FileBender is not acting as a data processor for that data.
The application data that does cross the boundary (auth, flow metadata, billing) is handled under FileBender’s standard terms — see filebender.com/legal for the privacy policy and terms of service.
Where to next
Section titled “Where to next”- Core Concepts — the privacy model section covers the same ideas in shorter form.
- The Currency Convert transform reference — the only transform with a non-local privacy policy.
- Working with Large Files — local processing means file size is bounded by the browser, not the network.