Skip to main content
PNGful

What Your Photos Reveal: EXIF Metadata and Privacy

By the PNGful team · Published July 13, 2026 · 8 min read

Every photo from a modern camera or phone is really two things: the picture you see, and a hidden block of structured data describing when, where, and how it was taken. That data — EXIF metadata — travels with the file when you email it, post it to a forum, or attach it to a listing. Most of the time it is harmless. Sometimes it is a map to your front door.

What EXIF stores

EXIF (Exchangeable Image File Format) is a standard, maintained by the camera industry body CIPA, that defines how cameras embed metadata inside JPEG, TIFF, and related files. Modern formats like HEIC and WebP carry equivalent data. Typical fields include:

  • Date and time the photo was taken, often to the second, sometimes with a timezone offset.
  • Camera and lens details: manufacturer, model (which usually identifies your exact phone), lens, and a unique serial number on many dedicated cameras.
  • Capture settings: exposure, aperture, ISO, focal length, flash, and orientation.
  • GPS coordinates: latitude and longitude, frequently with altitude and the direction the camera was pointing.
  • Software history: the app or editor that last saved the file, which can reveal what tools you use.
  • Embedded thumbnails: a small preview generated at capture time. In rare cases an edited photo has shipped with an uneditedthumbnail still inside — famously undoing crops and redactions.

None of this is visible when you look at the image. It sits in the file structure, readable by anyone with the file and a free viewer.

The GPS problem

Location data is the field with real-world consequences. Phones embed GPS coordinates by default when location access is granted to the camera app, and the coordinates are precise enough to identify a specific building.

Some realistic scenarios, all of which have actually happened to people:

  • Selling items online:photos of a bike or laptop taken at home, with coordinates attached, tell a buyer exactly where the item — and you — live.
  • Sharing photos of children or pets:a picture “in the backyard” can pinpoint the backyard.
  • Escaping harassment or abuse: a single geotagged photo sent to the wrong person can reveal a new address.
  • Pattern building:a set of photos taken over weeks maps your home, workplace, gym, and school run — timestamps included.

The risk is not that metadata is exotic to read; it is that sharing it is invisible to the sender. You see a photo. The recipient can see an itinerary.

What platforms do with it

Major social networks generally re-encode images on upload — resizing and recompressing them — and in the process strip most EXIF data, including GPS coordinates, from the version other users can download. That is a genuine safety net, with three important caveats:

  1. Stripping happens after upload. The platform itself still receives the full metadata and may use it (location, device model) per its privacy policy, even if other users never see it.
  2. Not every channel re-encodes.Email attachments, cloud-drive shares, many forums and marketplaces, and messengers sending “original quality” files often pass the file through untouched, metadata and all.
  3. Behavior changes and varies. Policies differ between platforms and over time, so treat stripping-on-upload as a backstop, not a guarantee. The only version of the file you fully control is the one you share.

A good habit: assume metadata survives unless you removed it yourself. It costs seconds to verify.

Inspect your photos

Before worrying, look. Open a photo in PNGful’s metadata viewer and removerand you will see every embedded field — capture time, device, software, and a map-ready set of GPS coordinates if they exist. The inspection runs entirely in your browser; the photo is never uploaded anywhere, which matters when the whole point is privacy.

Things worth checking on your own library:

  • Whether your phone’s camera currently embeds GPS (take a fresh test photo and inspect it).
  • Whether photos exported from your editing app keep the original capture metadata.
  • Whether files you received from others — and might forward — carry someone else’s location.

You can also switch off geotagging at the source: both iOS and Android let you deny location access to the camera app, which stops coordinates from being embedded in new photos in the first place.

Remove metadata locally

When a photo is heading somewhere you do not fully control, strip the metadata before it leaves your machine:

  1. Open the file in the metadata remover and review what is present.
  2. Remove everything, or keep neutral fields (like orientation, which affects display) while dropping GPS, timestamps, and serial numbers.
  3. Download the cleaned copy and share that version. Your original stays intact.

For a folder of listing photos or a photo dump, the batch processorstrips metadata from the whole set in one pass — and since re-encoding drops EXIF as a side effect, running images through the compressor before publishing typically cleans them too. Whichever route you take, verify one output file in the viewer; trust, then check.

When to keep metadata

Metadata is not the enemy — unreviewed sharing is. There are good reasons to keep it:

  • Your own archive: timestamps and GPS make photo libraries searchable and let apps build timelines and maps. Strip copies you share, not originals you keep.
  • Photography work: copyright and creator fields are how you assert authorship; capture settings are how you learn.
  • Evidence and documentation: for insurance claims or incident reports, intact timestamps and coordinates can be exactly the point.

The rule that covers every case: decide per destination. Keep rich metadata on files you store, and send stripped copies to people and platforms you cannot vouch for. Once you have inspected a few of your own photos, the habit takes care of itself.

Sources