If you've ever tried to share a photo from an iPhone with a Windows user, you've already met HEIC. The recipient gets a file their software doesn't open, asks you to "send it as a JPG," and you discover that the polite way to do this — emailing a photo from your phone — somehow doesn't have an obvious answer.
The most-recommended answer on Google is "use an online HEIC to JPG converter." If you click the top result and read what's actually happening, you'll find the conversion runs on a server somewhere: your photo gets uploaded, processed, and then a JPG is sent back. That's how nearly every result on the first page works. It's also why most of those pages have a "We delete files after 1 hour" line in the privacy policy — because they're holding your file long enough to need to reassure you.
There's a different way to do it, and it's faster, safer, and free.
What HEIC is, briefly
HEIC (High Efficiency Image Container) is Apple's default photo format on iPhones since iOS 11. It uses the HEVC codec to compress images at roughly half the size of JPG with the same visual quality. That's a real engineering win — your phone's storage lasts longer, photos upload faster — but it comes with one social cost: HEIC is poorly supported outside Apple's ecosystem. Windows 10 needs an extension. Most browsers don't render it inline. Many enterprise document systems reject it outright.
So when you go to share an iPhone photo with someone on a non-Apple device, you have to convert it.
Why "online HEIC to JPG converter" is the wrong default
Try the experiment yourself: take any iPhone photo of someone — your kid, a friend, a passport scan — and run it through one of the top three online HEIC converters. Open your browser's developer tools (F12 → Network tab) before you click Convert, and watch what happens. You'll see your file uploaded to a third-party server. The same server processes it, holds it briefly, and serves you back the converted version.
This is fine for a screenshot of a meme. It's not fine for:
- Government documents. Passport scans, driver's licenses, social security cards, immigration paperwork.
- Medical records. Prescription images, lab results, photos of injuries for insurance.
- Children. Family photos with kids in them.
- Anything containing GPS metadata. HEIC files routinely embed exact GPS coordinates of where the photo was taken. A casual upload tells a third-party server where you live, where you work, where your kids go to school.
- Anything you're being paid to keep confidential. Contracts in progress, unreleased product photography, investigative journalism source material.
The privacy policies of these converters typically read like this: "Files are automatically deleted from our servers within 1 hour." That sentence has the unspoken assumption that your file was on their server. The 1-hour window is enough time for an indexer to crawl it, an attacker to grab it, or a subpoena to compel disclosure.
How to convert HEIC locally in your browser
The technical fact most people don't know is that modern browsers can decode HEIC entirely on your device, using JavaScript and a WebAssembly library called libheif. There's no upload step. The file is read from your disk into your browser's memory, decoded, re-encoded as JPG (or PNG, or WebP), and saved straight back to your downloads folder. The whole transaction takes about a second per photo and never touches the network.
Here's what local HEIC conversion looks like, in concrete terms:
- You drop a HEIC file onto a converter page.
- Your browser decodes the HEIC using a JavaScript/WASM library that's already loaded.
- A <canvas> element in your browser re-renders the decoded pixels.
- The canvas exports the pixels as JPG via the standard canvas.toBlob("image/jpeg") API.
- The JPG saves to your downloads folder via the same browser API that handles any other download.
At no point is there an HTTP request that contains your file's contents. You can verify this yourself: open DevTools → Network tab, click Convert, and watch — you'll see the JS library load on first page-load, but zero requests carrying your photo.
What to look for in a local-first converter
Not all "private" converters are local. Some claim privacy but still upload (they just promise to delete quickly). To verify a converter is genuinely client-side:
- DevTools test. Open Network tab before clicking Convert. If there are zero new requests with your file's content, it's local.
- Offline test. Disconnect your Wi-Fi after the page loads. If conversion still works, it's local.
- Source check. Right-click → View Source. If the conversion code is right there, you can read it. Server-side converters keep their logic on the server you can't see.
- No "max file size" cap from the service. Local conversion is bounded by your device's RAM, not by a server's free-tier limit. If a converter caps you at 5 MB, that's a server-side tell.
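The DevTools test can be made repeatable by saving the Network tab as a HAR file and totalling what was sent after you clicked Convert. The script below is an added example, not code from any converter; the function names, the 0.5 threshold, and the sample HAR entries (all on `.example` hosts) are assumptions constructed for illustration.

```javascript
// Added example: total the HTTP request-body bytes sent to each origin after
// the Convert click, using a HAR export of the Network tab.
// Function names and the 0.5 threshold are assumptions for illustration.
function uploadBytesByOrigin(har, clickedAt) {
  const start = Date.parse(clickedAt);
  const totals = new Map();
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) < start) continue; // page-load traffic
    const req = entry.request;
    let size = req.bodySize;                 // -1 when the browser did not record it
    if (!(size > 0)) size = req.postData && req.postData.text ? req.postData.text.length : 0;
    if (size === 0) continue;                // plain GETs carry no body
    const origin = new URL(req.url).origin;
    totals.set(origin, (totals.get(origin) || 0) + size);
  }
  return totals;
}

// An origin that received at least minFraction of the file's size is suspect,
// even if the upload was split into chunks.
function suspectedUploads(har, fileSize, clickedAt, minFraction = 0.5) {
  const hits = [];
  for (const [origin, bytes] of uploadBytesByOrigin(har, clickedAt)) {
    if (bytes >= fileSize * minFraction) hits.push({ origin, bytes });
  }
  return hits;
}

// Constructed sample data (not captured from any real service).
const FILE_SIZE = 2400000;
const CLICKED_AT = "2024-01-01T10:00:05.000Z";
const mk = (t, method, url, bodySize) =>
  ({ startedDateTime: t, request: { method, url, bodySize } });
const LOCAL_HAR = { log: { entries: [
  mk("2024-01-01T10:00:01.000Z", "GET", "https://converter.example/libheif.wasm", 0),
  mk("2024-01-01T10:00:06.000Z", "POST", "https://stats.example/hit", 180),
] } };
const SERVER_HAR = { log: { entries: [
  mk("2024-01-01T10:00:06.000Z", "POST", "https://api.converter.example/chunk?n=1", 1200000),
  mk("2024-01-01T10:00:07.000Z", "POST", "https://api.converter.example/chunk?n=2", 1200300),
] } };

console.log(suspectedUploads(LOCAL_HAR, FILE_SIZE, CLICKED_AT));
console.log(suspectedUploads(SERVER_HAR, FILE_SIZE, CLICKED_AT));
```

This counts HTTP request bodies only, so the offline test remains the check for other channels such as WebSockets.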
Why HEIC support matters for the broader privacy story
The HEIC issue is small in any one instance — one photo, one share — but adds up. If you're an iPhone user on a Windows-using team, you probably convert HEIC files dozens of times a year. Each conversion through a server-side tool is one more company holding one more photo, briefly, somewhere. The aggregate risk over a few years is meaningful.
The encouraging part is that this entire category of "small file conversion" — HEIC, AVIF, WebP, JPG-to-PNG, image resizing, EXIF stripping — can run locally now. The browser is fast enough, the libraries are mature, and the trust gain over server-side tools is large. The only reason most converters still upload is that they were built before the libraries were good, and nobody bothered to switch.
A short list of things to do today
If you take HEIC privacy seriously, here's the practical checklist:
- Stop using whatever HEIC converter you currently use if you haven't verified it's local.
- Bookmark a local-first converter. ForgeMyFile's image-format tool handles HEIC → JPG/PNG/WebP entirely in-browser. There are others; the test is the DevTools check above.
- Strip EXIF before sharing. Most local converters do this automatically when they re-encode through canvas. If yours doesn't, run the file through an EXIF stripper too.
- Tell your iPhone to capture JPG instead of HEIC if you regularly share with non-Apple users: Settings → Camera → Formats → Most Compatible. You'll lose a bit of compression efficiency, but you'll never have to convert again.
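To confirm that a converted JPG really lost its EXIF block and GPS pointer before you share it, you can walk the file's segment headers yourself. This is an added example, not code from any converter named on this page; the helper names are assumptions and the two byte arrays are constructed samples containing only segment headers, not real photos.

```javascript
// Added example: check whether a JPEG still carries an EXIF block and a
// GPS IFD pointer. Helper names are assumptions, not a library API.
function inspectJpegMetadata(bytes) {
  const v = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (v.byteLength < 4 || v.getUint16(0) !== 0xffd8) throw new Error("not a JPEG");
  const result = { hasExif: false, hasGps: false };
  let pos = 2;
  while (pos + 4 <= v.byteLength && v.getUint8(pos) === 0xff) {
    const marker = v.getUint8(pos + 1);
    if (marker === 0xda || marker === 0xd9) break;      // SOS / EOI: metadata is over
    const len = v.getUint16(pos + 2);                   // counts its own two bytes
    const end = pos + 2 + len;
    if (len < 2 || end > v.byteLength) break;           // truncated or corrupt segment
    // APP1 whose payload starts with "Exif\0\0" holds a TIFF structure.
    if (marker === 0xe1 && len >= 16 &&
        v.getUint32(pos + 4) === 0x45786966 && v.getUint16(pos + 8) === 0) {
      result.hasExif = true;
      if (tiffHasGps(v, pos + 10, end)) result.hasGps = true;
    }
    pos = end;
  }
  return result;
}

// Walk IFD0 of the TIFF block looking for tag 0x8825 (GPSInfo IFD pointer).
function tiffHasGps(v, tiff, end) {
  const order = v.getUint16(tiff);
  if (order !== 0x4949 && order !== 0x4d4d) return false;
  const le = order === 0x4949;                          // "II" = little-endian
  const ifd0 = tiff + v.getUint32(tiff + 4, le);
  if (ifd0 + 2 > end) return false;
  const count = v.getUint16(ifd0, le);
  for (let i = 0; i < count; i++) {
    const e = ifd0 + 2 + i * 12;                        // 12-byte IFD entries
    if (e + 12 > end) return false;
    if (v.getUint16(e, le) === 0x8825) return true;
  }
  return false;
}

// Constructed samples: a minimal EXIF JPEG with a GPS pointer, and a
// JFIF-only file of the kind a canvas re-encode typically produces.
const WITH_GPS = Uint8Array.from([0xff,0xd8, 0xff,0xe1,0x00,0x22,
  0x45,0x78,0x69,0x66,0x00,0x00, 0x4d,0x4d,0x00,0x2a,0x00,0x00,0x00,0x08,
  0x00,0x01, 0x88,0x25,0x00,0x04,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x1a,
  0x00,0x00,0x00,0x00, 0xff,0xd9]);
const JFIF_ONLY = Uint8Array.from([0xff,0xd8, 0xff,0xe0,0x00,0x10,
  0x4a,0x46,0x49,0x46,0x00,0x01,0x01,0x00,0x00,0x01,0x00,0x01,0x00,0x00, 0xff,0xd9]);
```

Only the EXIF block is inspected; an XMP packet, which also lives in an APP1 segment under a different header, is not checked here.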
The HEIC format isn't the problem. The problem is that the most-recommended way to deal with it sends your photos to a third party. The fix is small, free, and lives in your browser. Use it.