A law firm found out their paralegal had been using a free online tool to convert court documents to PDF for almost a year.
The tool worked well. The UI was clean. It converted files fast. The paralegal had no reason to question it. The problem surfaced during a routine I.T. review when we looked at what cloud tools were being used and pulled up the free tool’s terms of service.
The terms stated that by uploading content, users granted the company a broad license to use that content for product improvement, which in practice meant the documents were being processed on servers in a country with no meaningful data privacy laws, retained for an unspecified period, and potentially accessible to company employees.
Court documents. With client names, case details, legal strategy, and opposing counsel’s confidential filings.
The firm was not aware this was happening. The paralegal was not trying to do anything wrong. The tool was free, easy to use, and nobody had told her there was an approved alternative.
This scenario plays out in small businesses across every industry, every day. The tools are different, free PDF converters, free AI assistants, free file-sharing sites, free transcription services, free project trackers. The pattern is the same. An employee finds a free tool that solves a real problem. They use it. The data they put in is handled in ways the business never agreed to, never reviewed, and in many cases never knew about.
Free is a business model, not a gift
The business model behind most free software is not charity. It is data. Consumer-facing free tools typically monetize through advertising, which requires profiling users. Enterprise-targeting free tools often use free tiers as a funnel to upsell paid plans, but they also collect usage data and content samples to improve their product. AI tools have added a new category: free plans where your inputs become training data for their models.
None of this is hidden. It is in the terms of service. The problem is that terms of service documents are written by lawyers to be legally comprehensive, not to be read by users. The average terms of service document exceeds 5,000 words. Almost nobody reads them. Almost nobody has the time.
This is a compliance problem, not just privacy
For a business, this is not just a privacy concern. It has legal and compliance dimensions.
Healthcare businesses subject to HIPAA cannot share protected health information with third parties that have not signed a business associate agreement (BAA). A free tool that processes patient records does not have a BAA with you. Using it is a HIPAA violation regardless of whether the tool ever misuses the data.
Businesses that handle credit card data under PCI DSS have similar restrictions on what third-party tools can process payment-related information.
More broadly, many state privacy laws, including California’s CCPA and Illinois’s BIPA, impose obligations on businesses that share personal data with vendors. A free tool that your employee uses to process customer data is, in legal terms, a vendor. You may have disclosure and contractual obligations you are not meeting.
Beyond compliance, there is the client trust dimension. If a client found out that their confidential documents were being processed by a free online tool your company adopted because it was convenient, how would they respond? The answer is usually not well.
What to do instead
The practical approach is not to ban all free tools. Many free tools are legitimate and appropriate for non-sensitive tasks. Checking a weather API, running a quick calculation, using a free design tool for public-facing graphics, the stakes are different when the content is not sensitive.
The approach is to establish a simple category system. High-sensitivity content, client data, financial records, legal documents, employee information, internal strategy, goes only into approved, paid, business-grade tools with proper data terms. For tasks in that category, free is not an option regardless of how good the tool is.
For everything else, a quick review of the terms before adopting a new tool takes ten minutes. The questions to answer: Does this tool store my content? For how long? Does it share it with third parties? Does it claim any license over what I upload? Does it have a paid business version with different terms?
If the tool’s website does not clearly answer those questions, and most free tools do not, the answer is to pay for a version that does, or find a different tool that is transparent about its data handling.
At CIO Landing, we do not allow users to install software that is not approved by management, but user education is key to preventing them from making the wrong call.
The law firm moved to Adobe Acrobat for PDF work. It costs $15 per user per month. They had been saving that $15 for almost a year while sending court documents to a server they knew nothing about. The math of that trade-off, once they could see it, was obvious.