Data Handling

Last updated: May 2026

This page describes exactly what happens when you upload an image to iloveimg.online for conversion. The framework: HTTPS upload, server-side conversion (no choice on this for the formats we support), auto-deletion within one hour, no human review of content, no analytics on your image content.

1. Why we have to be honest about server-side

A lot of online tools advertise "client-side" / "in your browser" privacy. When that's true (a Base64 encoder, a JSON formatter, a password generator), it's the right answer.

For an image converter that supports the formats we do, it's not technically possible. Browsers don't ship with native HEIC, RAW, EPS, PSD, or AVIF decoders that we can use from JavaScript. Some of these formats can be decoded by JavaScript libraries, but the decoders are large (multiple MB), slow on mobile, and behind on supported variants. The result: a useful image converter has to run server-side. We're being honest about that rather than handwaving.

The trade-off: your file briefly exists on our server. That's why the deletion-timer commitment matters.

2. The upload → convert → download → delete pipeline

Upload

  • Transport: HTTPS / TLS encrypted. Cloudflare fronts our domain; the connection is end-to-end TLS from your browser to our origin.
  • Limits: 50 MB per file, single file per request (batch is a future feature).
  • Where the file lands: a temporary directory on the conversion server, named with a random ID, accessible only by the application user.

Convert

  • Tool used: depends on the format pair.
    • JPEG / PNG / WebP / GIF / TIFF / BMP: ImageMagick or libvips.
    • HEIC / HEIF: libheif → intermediate → target format.
    • AVIF: libavif.
    • EPS / PDF: Ghostscript for rasterisation.
    • SVG: librsvg for raster output; SVG-to-SVG passes through.
    • PSD: ImageMagick (flattened to single image).
    • RAW (CR2 / NEF / ARW / etc.): libraw with default tone mapping.
  • Where conversion happens: in the same temporary directory; output written to the same isolated location.
  • Memory vs disk: small files processed in memory; very large files (TIFF, RAW, PSD) may use scratch disk space, cleaned up immediately after the conversion completes.
  • Time: 2–5 seconds for files under 5 MB; 10–20 seconds for large RAW or TIFF inputs.

Download

  • Once conversion completes, a download link is issued for the converted file.
  • Link is single-use, time-limited, and tied to your session. It expires within the retention window even if not used.
  • Download is HTTPS.

Delete

  • Original upload: deleted as soon as conversion completes successfully (or if conversion fails).
  • Converted output: deleted after you download, OR deleted at the next cron sweep (every few minutes), whichever comes first — AND in any case within one hour of upload.
  • Implementation: server-side cron job runs every few minutes and removes anything in the temporary directory older than the retention threshold.
  • Backups: our hosting provider takes infrastructure-level backups for disaster recovery. The temporary directory is excluded from these backups.

3. What we do NOT do with your uploads

  • We do not view your images. No human review. No moderation team scrolling through what people convert.
  • We do not analyse content. No AI safety scan, no facial-recognition pass, no image-classification on your content. Conversion engines decode the file format; they don't "look at" the image meaningfully.
  • We do not extract metadata for our use. EXIF metadata is preserved on output (or stripped, depending on conversion pair) per the format-fidelity rules — we don't read it for our purposes.
  • We do not retain copies. One-hour deletion, period.
  • We do not log image content. Server access logs include the URL of the conversion endpoint and your IP (standard for any web request); the file content is not in any log.
  • We do not share with third parties. Hosting provider has access to the underlying server (standard); no other party.
  • We do not use uploads to train AI. Per AI Policy: we do not train AI models on user uploads or use them as input data for any AI tooling.

4. What we DO log (and retain)

  • Server access logs: IP, user agent, requested URL, timestamp, HTTP response code. Retained 30 days. Used for security review and rate-limit enforcement.
  • Aggregate analytics: conversion-pair statistics (how many JPEG→PNG conversions in a period). Aggregate; not tied to specific users or images.
  • Error logs: if a conversion fails, the format pair and error type may be logged for debugging. The image content is not.
  • AdSense logs: handled by Google AdSense per their policy (out of our control).

5. Honest limits of this framework

Things you should know:

  • Your file briefly exists on our server. That's the technical floor for any online converter that handles the formats we do.
  • Network observability. Your ISP knows you connected to our domain; Cloudflare logs request metadata (URL, IP); our origin sees the same. Content of the file is HTTPS-encrypted in transit.
  • Hosting provider has technical access. Hosting.com has root on the underlying physical server (this is true of any hosted service). They have an obligation under their terms not to access customer data, but the technical access exists.
  • Browser extensions that read upload data could observe your file before it leaves your browser. Out of our control; this is a general web caveat.
  • Backup snapshots at the infrastructure level may briefly include the temporary directory contents, despite our exclusion config — this is a residual risk window of seconds-to-minutes.
  • If you suspect a compromise, assume that anything you uploaded was potentially exposed. The deletion-timer is a strong layer but not a cryptographic guarantee.

6. When you should NOT use iloveimg.online (and what to use instead)

For genuinely sensitive images, use local conversion:

  • Passports, IDs, official documents. Use ImageMagick command-line locally, GIMP, or Preview/Photos on macOS.
  • Medical imaging (DICOM, X-rays, scan output). Specific medical tools exist; general-purpose web converters are not the right channel.
  • Financial documents with personal data.
  • Anything subject to regulatory data-residency rules (GDPR, healthcare, legal-discovery). Server-side processing on a hosting provider in a specific jurisdiction may not satisfy your compliance regime.
  • Anything you wouldn't email to a stranger. If you wouldn't email it, don't upload it.

This is not a sales-pitch caveat. We mean it.

7. EU GDPR and Italian D.Lgs. 196/2003 framework

  • Data controller: Giovanni Picaro (operator).
  • Legal basis for upload processing: performance of the conversion service requested by you (contract / pre-contract).
  • Retention: file content ≤ 1 hour; access logs 30 days; correspondence 24-36 months.
  • Cross-border transfers: via Cloudflare and hosting infrastructure under standard contractual clauses.
  • Data subject rights: per Privacy Policy.
  • Italian DPA: Garante (gpdp.it) for unresolved concerns.

8. How to verify these claims

Some of the claims are observable; some are commitments:

  • HTTPS upload: verifiable in browser dev tools — you'll see the request to https://iloveimg.online with TLS.
  • One-hour deletion: commitment based on cron-job configuration; you can verify your specific output URL stops working after the hour.
  • No human review / no AI training: commitments based on operator policy.
  • Server-side conversion: verifiable — client-side libraries for HEIC/RAW/EPS at our scope don't exist; the conversion necessarily happens on a server.

9. Reporting concerns

If you observe behaviour inconsistent with this framework, email privacy [at] iloveimg [punto] online or abuse [at] iloveimg [punto] online. We investigate.

Related pages: Format Catalog · Privacy Policy · Responsible Use · Cookie Policy · About Us

Application offline!

Your experience on this site will improve by allowing cookies