Blog

Where do your images go when you compress them online?

5 min read gdpr image compression webp privacy humor

Where do your images go when you compress them online?

You have a photo. It is too big. You Google "free image compressor online," click the first result, upload your file, download the compressed version, and move on with your life.

Totally normal. Completely fine. Nothing to worry about.

Except.

The Part Nobody Reads

Every one of these tools has a privacy policy. A long one. Written in the specific font of legal text designed to make your eyes glaze over before you reach the part that matters. And somewhere in that document, between the definitions section and the paragraph about "legitimate business interests," there is a sentence that says something approximately like this:

"Files uploaded to our service may be stored on our servers for up to 90 days for the purposes of service improvement, debugging, and analytics."

Service improvement.

Your photo of your cat, your client's unreleased product mockup, your company's new logo that isn't public yet, your passport scan that you were just going to quickly resize, all of it sitting on a server you have never heard of, in a data center in a country you are not entirely sure about, for ninety days, for the purposes of "service improvement."

What are they improving exactly? We may never know. But they are improving it. Vigorously.

The GDPR Was Supposed to Fix This

In 2018, Europe passed the General Data Protection Regulation, which is the law that gave you the right to know what happens to your data, the right to have it deleted, and the right to not have it sold to seventeen advertising partners in exchange for a free PDF compressor.

It is a genuinely good law. It has teeth. Companies have been fined hundreds of millions of euros for ignoring it.

And then you upload a PNG to a website run by an LLC registered in Delaware whose actual servers are somewhere else entirely and whose privacy policy was last updated in 2019 by someone who clearly copied it from a template and forgot to replace the placeholder company name in paragraph four.

The GDPR is watching. The GDPR is concerned. The GDPR is filing a report.

A Completely Hypothetical Scenario That Has Definitely Never Happened

Imagine you are a freelance designer. You are working on a rebrand for a client. The new logo is confidential, the launch is in two weeks, there is an NDA involved. You need to compress the PNG because the client's developer is complaining about file size again.

You upload it to the first image compressor that comes up in your search results.

Three weeks later, your client calls you. They have seen their new logo somewhere. Not on their own website. Somewhere else. They are not happy. They are using the word "legal." They are using it multiple times.

You are now explaining what an image compressor is to a lawyer.

This is hypothetical. This has definitely never happened. But you are thinking about it now, aren't you.

The Server Location Bingo Card

Here is a fun game you can play next time you use a random online tool. Open their privacy policy. Try to find out where your files are actually stored. Your options are usually:

A server described only as "third party cloud infrastructure." AWS, which is fine, but which region exactly. "Our trusted partners," named nowhere. A country mentioned once in passing in a subordinate clause. Silence. Just silence.

If you find an actual address, a real jurisdiction, a clear deletion policy written in human language, you have won something. It is rare. Treasure it.

img.lu Does Not Keep Your Images

This is the part where we tell you what we actually do, in plain language, without a subordinate clause in sight.

You upload your image. We compress it. You download it. We delete it. That is the entire transaction.

We do not store your files. We do not analyze them. We do not have a business model that involves knowing what is in your pictures. We are GDPR compliant not because we hired a lawyer to write a document that sounds compliant, but because we genuinely do not keep the thing you gave us.

It is a radical concept in the current landscape of the web, which is: you give us a file, we give you a smaller file back, and then the original is gone. Like a very efficient and slightly boring magic trick.

No 90 day retention. No service improvement that requires looking at your assets. No mysterious third party partners who are definitely not doing anything with your photos of next quarter's campaign.

Just compression. Just WebP. Just done.

You Should Probably Think About This More Than You Do

We are not trying to scare you. We are trying to gently suggest that the tools you use for small, fast, throwaway tasks are exactly the tools where you are least careful, and exactly where sensitive files tend to end up.

The big decisions get security reviews. The API integrations go through procurement. The design assets that need quick resizing before a call in ten minutes get uploaded to whatever loads fastest on a Tuesday afternoon.

That gap is where the interesting privacy questions live.

So the next time you compress an image, just spend four seconds asking where it goes. You might be fine. You are probably fine. But it is worth four seconds to know.

And if the answer is "a server somewhere, for up to 90 days, for the purposes of service improvement," maybe try something else.

We hear img.lu is pretty good.

Ready to shrink your images?

Browser-only · no upload · no account · GDPR safe

Compress Images — it's free