Image Compression & Privacy: Why You Should Never Upload Private Photos to Online Tools

Q: Does TinyPNG store my images?

TinyPNG uploads your images to their servers for processing and states it deletes them after a short period. However, your image data does traverse their infrastructure. For non-sensitive images this is generally acceptable, but for passport photos, medical images, or confidential documents, use a browser-only tool like ImgMin or Squoosh.

Q: Is it GDPR compliant to use online image compressors?

Using server-side compressors (TinyPNG, Compressor.io, etc.) for images containing personal data may raise GDPR compliance questions, especially if the servers are outside the EU and you haven't verified their data processing agreements. Browser-only tools (ImgMin, Squoosh) avoid this issue entirely since data never leaves the user's device.

Every day, millions of people drag photos into online compression tools without thinking about where those images actually go. The answer, for most popular tools, is: to someone else's server. For generic photos this may be acceptable. For private images, it's a risk you should consciously evaluate.

The key question to ask: "Does this tool process my image on my device, or does it upload it to a server?" Most popular compressors — including TinyPNG, Compressor.io, and iLoveIMG — upload your files. Only a few process locally.

What Actually Happens When You Use a Server-Side Compressor

Your image is uploaded via HTTPS to the tool's servers (or a third-party CDN)
The image is processed by their algorithm on their hardware
The compressed result is returned to your browser for download
The original and/or processed image is stored temporarily (duration varies by policy)
Depending on the tool, your image data may be logged, analyzed, or used for model training

Most reputable tools delete files within 1–24 hours. But "temporarily stored" still means your image existed on their infrastructure — subject to their security practices, their data residency, and their privacy policy.

Which Images Should You Never Upload to Online Tools?

🛂
Passport & ID photosBiometric data. Exposure can enable identity fraud. Use a local tool.
🏥
Medical images & health recordsMay be subject to HIPAA (US) or GDPR (EU). External processing raises compliance questions.
🏢
Unreleased product designs & mockupsProprietary IP. Your competitors don't need to see your next product before launch.
📋
Signed contracts & legal documentsOften contain confidential personal or business information.
💳
Financial statements & bank documentsAccount numbers, balances, PII — do not upload to third-party servers.
👤
Photos of childrenParental responsibility to control where minors' images are processed and stored.
🔐
Client deliverables & NDA-covered materialsYou may be contractually prohibited from processing client work on third-party tools.

Tool-by-Tool Privacy Comparison

Tool	Processing	Images Uploaded	Retention Policy	Safe for Private Photos
TinyPNG	Server-side	Yes (HTTPS)	Deleted after ~1 hour	Use with caution
Compressor.io	Server-side	Yes	Deleted after session	Use with caution
iLoveIMG	Server-side	Yes	2 hours (paid: 24 hours)	Use with caution
Squoosh	Browser (WASM)	No — local only	Never uploaded	Safe
ImgMin	Browser (Canvas API)	No — local only	Never uploaded	Safe

How to Verify a Tool Processes Locally

You don't have to take a tool's word for it. You can verify client-side processing yourself in under 30 seconds:

Open the image compression tool in your browser
Open DevTools (F12 or Cmd+Option+I on Mac)
Click the Network tab
Clear the log (🚫 button)
Drop or select an image to compress
Watch the Network tab — if any request shows your image being sent out, the tool uploads to a server

Test result on ImgMin: When you compress a file, you'll see zero upload requests in the Network tab. The only network activity is loading the page assets — your image data never leaves your browser.

GDPR and Image Compression

Under GDPR, images containing identifiable people — faces, names, ID numbers — are considered personal data. Uploading them to a third-party processing service (in any country) technically means you're transferring personal data to a data processor.

This doesn't mean all online tools violate GDPR — reputable tools have Data Processing Agreements and comply with transfer mechanisms like Standard Contractual Clauses. But it does mean:

You should check whether the tool has a DPA and where their servers are located
For GDPR-sensitive use cases (healthcare, legal, HR), prefer browser-only tools
Browser-only tools (ImgMin, Squoosh) sidestep GDPR concerns for image compression entirely, since no personal data ever leaves the device

Browser-Only Compression: How It Works

Tools like ImgMin use the browser's built-in Canvas API — the same technology that powers browser-based games and image editors. Here's the process:

Your image is loaded into a JavaScript Image object
It's drawn onto an HTML <canvas> element in memory
The canvas renders the image at the target quality level
The compressed result is exported as a Blob and offered as a download

At no point does any data leave your browser. The process is fast (sub-1 second for most images), works offline, and requires no server infrastructure — which is also why ImgMin can offer unlimited free compression without the costs that server-side tools must recoup.

Frequently Asked Questions

Does TinyPNG store my images?

TinyPNG uploads your images to their servers and states it deletes them after a short period. Your image data does traverse their infrastructure. For non-sensitive images this is generally fine; for passports, medical images, or confidential documents, use ImgMin or Squoosh instead.

What image compressors don't upload to servers?

ImgMin and Squoosh both process images entirely in your browser. No data is sent to any server. Verify yourself: open DevTools → Network tab → compress an image → you will see no upload requests.

Is it GDPR compliant to use online image compressors?

Using server-side compressors for images containing personal data may raise GDPR compliance questions if servers are outside the EU and you haven't verified their Data Processing Agreement. Browser-only tools (ImgMin, Squoosh) avoid this entirely since data never leaves the user's device.

Compress Images With Complete Privacy

Zero upload. Zero server. 100% local processing. Your images never leave your device.

Try ImgMin Free →

Last updated: April 2026. Privacy policies of third-party tools may change — always review the current policy before uploading sensitive images.