EXIF Metadata — What It Leaks and How to Strip It

Your photos probably contain GPS coordinates, camera serial numbers, and timestamps. Here's exactly what EXIF exposes and how to strip it safely.

Every photograph taken by a modern camera — phone, mirrorless, DSLR, action cam — carries a payload of metadata you can’t see when you look at the image. Most of it is harmless. Some of it tells the world exactly where you were standing, what hardware you used, and when, with the kind of precision that would be creepy coming from a stranger. This guide walks through what EXIF actually contains, when it matters, and how to strip it without breaking anything.

What EXIF is

EXIF (Exchangeable Image File Format) is a metadata standard that piggybacks on JPG, TIFF, HEIC, and some PNG files. It’s not a separate file — it’s embedded inside the image file itself, in a header section most viewers ignore.

Every time your phone takes a photo, it writes dozens of EXIF fields. The most common categories:

  • Camera info: make, model, serial number, firmware version.
  • Exposure settings: aperture, shutter speed, ISO, focal length, white balance.
  • Software info: the software that processed the file last (often the edit app).
  • Timestamp: date and time to the second, usually in the device’s local time zone.
  • GPS coordinates: latitude, longitude, altitude, sometimes direction of travel and speed.
  • Thumbnail: a small embedded preview that doesn’t always match the edited image.

The camera and exposure fields are useful for photographers and mostly harmless. The rest is where privacy problems live.

What a real EXIF block looks like

Here’s a sanitized example of EXIF pulled from a typical iPhone photo:

Make                            : Apple
Model                           : iPhone 15 Pro
Software                        : 17.2.1
DateTimeOriginal                : 2026:04:15 14:32:07
OffsetTimeOriginal              : +01:00
LensModel                       : iPhone 15 Pro back triple camera 6.86mm f/1.78
FNumber                         : 1.78
ExposureTime                    : 1/120
ISO                             : 100
GPSLatitude                     : 40 deg 24' 59.88"
GPSLatitudeRef                  : North
GPSLongitude                    : 3 deg 41' 12.48"
GPSLongitudeRef                 : West
GPSAltitude                     : 655.3 m
GPSDateStamp                    : 2026:04:15
HostComputer                    : iPhone 15 Pro

That GPS block reads as Madrid’s Puerta del Sol, accurate to about a meter. The timestamp with offset tells you the exact moment. The model and software version fingerprint the device. Any photo you’ve ever posted that went through a platform that didn’t strip EXIF is carrying this kind of data.

What can go wrong

The real-world problems fall into a few buckets:

Location disclosure. The most common and most serious. A real-estate listing photo with GPS coords reveals the exact property. A portrait shoot test photo taken in the photographer’s living room reveals their home address. A vacation photo posted during the trip reveals the house is currently empty. A dating profile photo taken at home reveals where the person lives. All of this has happened, and all of it has been written up in news stories.

Device fingerprinting. The camera make, model, serial number, and firmware version combine to identify a specific device. If the same serial number appears across multiple supposedly-anonymous accounts, that’s a correlation. Photojournalism and activism work in hostile environments has been deanonymized this way.

Timeline reconstruction. Timestamps across a batch of images let someone reconstruct your day, week, or year in detail. Combined with GPS, it’s a motion trail.

Embedded thumbnails that didn’t get updated. If you cropped sensitive content out of a photo but your software didn’t regenerate the thumbnail, the original (uncropped) version is still embedded inside the file. This has been a real exploit against people who thought they’d cropped out a visible computer screen or document.

Regulatory exposure. GDPR, CCPA, and similar privacy laws treat location data and device identifiers as personal data. If you’re publishing user-submitted photos on a B2B or B2C platform, you have obligations around what you store, what you publish, and what you allow downstream.

What platforms actually do

A common misconception is that “the platforms strip EXIF for you.” Some do. Many don’t. As of 2026:

  • Facebook, Instagram: strip GPS and some camera data on upload, keep timestamps.
  • Twitter/X: strips most EXIF on upload.
  • Discord, Slack: variable. Some channels preserve full EXIF.
  • WhatsApp, Telegram: strip EXIF on “photo” sends, preserve it on “document” sends.
  • Most CMSes (WordPress, Shopify, etc.): preserve EXIF by default unless a plugin strips it.
  • Email attachments: preserve everything.
  • Direct hosting (S3, GitHub, your own server): preserve everything. You ship what you upload.

The rule: never assume the platform is stripping for you. Strip at the source.

When to strip and when to keep

Strip EXIF when:

  • Publishing photos publicly on the web, social media, forums, or your own site.
  • Sharing portfolio images that include home-studio or on-location work.
  • Sending images to parties you don’t fully trust with metadata (new clients, anonymous recipients).
  • Uploading to any CMS you haven’t personally verified strips EXIF.
  • Posting real-estate photos, automotive listings, or anything where the physical location matters.
  • Submitting to stock photography marketplaces (they often require it anyway).

Keep EXIF when:

  • Archiving your own photography for personal use.
  • Submitting to photo competitions that require camera/lens info for verification.
  • Sharing between photographers where the settings are the point.
  • Providing evidence for insurance, news, or legal purposes where timestamp and GPS authenticity matter.
  • Delivering to clients who specifically need the full metadata (commercial shoots, photojournalism).

How to strip EXIF cleanly

The basic operation is simple: rewrite the image without the metadata. Three approaches:

  1. Export with “remove metadata” checked. Most photo editors have this option. Lightroom’s “Metadata: Copyright Only” export setting is a good example. Photoshop’s “Save for Web” strips most EXIF by default.
  2. Use a dedicated stripping tool. OpenImages’ Remove EXIF tool does exactly this, and because it runs in your browser, the photo never leaves your machine. That matters when the reason you’re stripping EXIF is that you don’t want the photo analyzed.
  3. Re-compress the image. Running a photo through a compressor usually strips most EXIF as a side effect, though not all — some compressors preserve EXIF by default and you have to explicitly opt out.

One detail to watch: some strippers remove EXIF but leave IPTC or XMP metadata (two other metadata containers that live alongside EXIF). A properly clean strip removes all three. Verify with a tool that shows all metadata blocks, not just EXIF.
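The check described above, as an added example that is not part of the original article or of any tool it mentions: a standard-library Python walk over a JPEG's header segments that reports which of the three containers are present and writes a copy without them. The function names and the sample bytes are constructed for illustration; only JPEG is handled.

```python
import struct

# The three containers named above: (JPEG marker, payload prefix) -> name.
SIGNATURES = {
    (0xE1, b"Exif\x00\x00"): "EXIF",
    (0xE1, b"http://ns.adobe.com/xap/1.0/\x00"): "XMP",
    (0xE1, b"http://ns.adobe.com/xmp/extension/\x00"): "XMP",  # extended XMP
    (0xED, b"Photoshop 3.0\x00"): "IPTC",  # IPTC sits inside this APP13 block
}

def classify(marker, payload):
    for (m, prefix), name in SIGNATURES.items():
        if marker == m and payload.startswith(prefix):
            return name
    return None

def segments(data):
    """Yield (marker, payload, raw bytes) for each segment up to the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        if data[pos:pos + 2] == b"\xff\xda":  # start of scan: pixel data follows
            yield marker, b"", data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if data[pos] != 0xFF or length < 2 or end > len(data):
            raise ValueError(f"corrupt or truncated segment at offset {pos}")
        yield marker, data[pos + 4:end], data[pos:end]
        pos = end

def audit(data):
    """Names of the metadata containers present, in file order."""
    return [name for m, p, _ in segments(data) if (name := classify(m, p))]

def strip(data):
    """Copy the file without EXIF/XMP/IPTC; every other byte is kept as-is."""
    kept = [raw for m, p, raw in segments(data) if classify(m, p) is None]
    return b"\xff\xd8" + b"".join(kept)

# Constructed sample: JFIF header, the three containers, a table, scan data.
def seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00") + seg(0xE1, b"Exif\x00\x00MM\x00*")
          + seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
          + seg(0xED, b"Photoshop 3.0\x008BIM") + seg(0xDB, bytes(65))
          + b"\xff\xda\x00\x02scan\xff\xd9")
```

Dropping EXIF also drops the Orientation tag, so apply any rotation to the pixels before stripping. An empty list from `audit` on the stripped file is the pass condition.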

A quick before/after

Here’s what a clean strip looks like in numbers. Same photograph:

  • Before: 2.8 MB JPG with full EXIF (camera info, GPS, timestamp, software, thumbnail).
  • After stripping: 2.78 MB JPG, no metadata blocks present.

The file size difference is tiny — EXIF is usually under 30 KB even with a thumbnail. The value isn’t space; it’s privacy.

A fuller pipeline for publishing:

  1. Edit the photo in your editor of choice.
  2. Export at the correct delivery size and quality.
  3. Strip EXIF with a dedicated tool.
  4. Verify the output contains no GPS, no camera serial, no full timestamp.
  5. Publish.

Step 4 is worth doing at least once per workflow — not every export, but once to confirm your export settings actually do what you think they do. A five-minute audit has saved people from years of accidental data leakage.
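Step 4 as an added example (not code from the original article): a Python check over metadata-viewer output in the `Tag : value` layout of the sample dump earlier on this page. It flags the three things step 4 names and converts a surviving GPS fix to decimal degrees. The function names are hypothetical, and treating any `DateTime*` or `OffsetTime*` tag as a full timestamp is an assumption.

```python
import re

# Matches coordinates in the layout of the sample dump: 40 deg 24' 59.88"
DMS = re.compile(r'''(\d+) deg (\d+)' ([\d.]+)"''')

def parse_dump(text):
    """Turn 'Tag : value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if sep and tag.strip():
            fields[tag.strip()] = value.strip()
    return fields

def to_decimal(dms, ref):
    m = DMS.fullmatch(dms.strip())
    if not m:
        raise ValueError(f"unrecognised coordinate: {dms!r}")
    deg, minutes, seconds = (float(x) for x in m.groups())
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("South", "West") else value

def step4_findings(fields):
    """Tags that fail step 4: any GPS data, any serial number, any timestamp."""
    found = {}
    for tag in fields:
        if tag.startswith("GPS"):
            found.setdefault("gps", []).append(tag)
        elif "SerialNumber" in tag:
            found.setdefault("serial", []).append(tag)
        elif tag.startswith(("DateTime", "OffsetTime")):  # assumption: any timestamp
            found.setdefault("timestamp", []).append(tag)
    return found

def position(fields):
    """Decimal (lat, lon) if the dump still carries a full GPS fix, else None."""
    try:
        return (to_decimal(fields["GPSLatitude"], fields["GPSLatitudeRef"]),
                to_decimal(fields["GPSLongitude"], fields["GPSLongitudeRef"]))
    except KeyError:
        return None

# Lines copied from the sample dump earlier on this page.
SAMPLE = """\
Model                           : iPhone 15 Pro
DateTimeOriginal                : 2026:04:15 14:32:07
GPSLatitude                     : 40 deg 24' 59.88"
GPSLatitudeRef                  : North
GPSLongitude                    : 3 deg 41' 12.48"
GPSLongitudeRef                 : West
"""
```

An export passes when `step4_findings` returns an empty dict and `position` returns `None`.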

GDPR treats geolocation and device identifiers as personal data. If you operate a site that accepts user-uploaded images in the EU (or serves EU users — the scope is broad), you should:

  • Strip EXIF on upload by default, or ask for explicit consent to retain it.
  • Document what metadata you strip vs. store in your privacy notice.
  • Not re-serve user images with their original EXIF intact to third parties.

For CCPA and similar US state laws, the bar is lower but the direction is the same. Publishing someone else’s EXIF without their knowledge is increasingly a liability.

The short version: EXIF is useful when you want it and dangerous when you don’t. Make the choice deliberately, once, per workflow — and then verify you actually did what you intended.

Frequently asked questions

What does EXIF metadata leak exactly?

A lot more than most people realize. A typical smartphone photo carries GPS latitude and longitude accurate to about a meter, altitude, timestamp down to the second with timezone offset, camera make and model, device serial number, firmware version, lens info, exposure settings, and sometimes an embedded thumbnail that wasn't regenerated after editing. Together, these allow location disclosure, device fingerprinting across supposedly anonymous accounts, and timeline reconstruction across batches of images.

Does Instagram strip EXIF when I upload?

Mostly, but not completely. As of 2026, Facebook and Instagram strip GPS and some camera data on upload but preserve timestamps. Twitter/X strips most EXIF. Discord and Slack vary by channel. WhatsApp and Telegram strip EXIF on photo sends but preserve it on document sends. WordPress, Shopify, and most CMSes preserve EXIF by default. Email attachments and direct hosting (S3, GitHub) preserve everything. The rule: never assume the platform strips for you — strip at the source before uploading.

Is stripping EXIF safe for professional photos?

Yes for publishing; sometimes no for specific professional uses. Stripping EXIF doesn't touch image pixels, so there's no quality cost. But photo competitions sometimes require camera and lens info for verification, commercial clients may want the full metadata for asset management, photojournalism evidence often needs authentic timestamps and GPS, and insurance or legal work can depend on provenance metadata. Keep a clean master with EXIF intact, then strip on export for public delivery.

Does re-compressing a JPG remove EXIF?

Usually most of it, but not always all. Some compressors strip EXIF as a side effect of re-encoding; others preserve it explicitly. Worse, tools that claim to strip EXIF sometimes leave IPTC or XMP metadata intact — two other metadata containers that live alongside EXIF and can carry similar location and copyright data. For a clean strip, use a dedicated tool and verify the output with a metadata viewer that shows all three containers, not just EXIF.

Does GDPR require stripping EXIF from user-uploaded photos?

GDPR treats geolocation and device identifiers as personal data, so if you accept user-uploaded images in the EU or serve EU users, you have obligations. The practical baseline: strip EXIF on upload by default or ask for explicit consent to retain it, document what you strip versus store in your privacy notice, and don't re-serve user images with original EXIF intact to third parties. CCPA and similar US state laws have a lower bar but point in the same direction.
