What your photos reveal: a practical guide to EXIF and metadata
A photo is never just the picture. Tucked inside almost every image file is a block of metadata describing how, when and often exactly where the shot was taken. Most of the time this is harmless, even useful — it is how your gallery app builds a map of your trips. But if you have ever posted a photo of something for sale, or shared a picture from home, that same data can say more than you meant to. Here is what is actually in there, and what to do about it.
What EXIF is, and what a phone really writes down
EXIF (Exchangeable Image File Format) is a standard for embedding structured data inside JPG, HEIC, TIFF and some other files. It dates back to 1995 and every camera and phone made since writes it automatically. Take one photo with a modern phone and it records, roughly:
- Device details — make, model, and often the exact lens (e.g. "Apple iPhone 15 Pro, back triple camera 6.86mm f/1.78").
- Camera settings — shutter speed, aperture, ISO, focal length, whether the flash fired, white balance, exposure mode.
- Timestamps — usually three of them: when the photo was taken, when it was digitized, and when the file was last modified, sometimes with time zone.
- GPS coordinates — latitude and longitude to several decimal places, plus altitude, and sometimes the direction the camera was pointing and the phone's speed.
- Software history — the OS version, or the name of the editing app that last saved it.
- Sometimes a small embedded thumbnail of the image — which, in some editing workflows, is not regenerated when the main image is cropped. There have been real cases of "cropped-out" content surviving in the thumbnail.
Five decimal places of latitude is about one metre of precision. The GPS block does not say "Seoul"; it says which side of your house you were standing on.
What GPS data in a shared photo actually gives away
The risk scales with how you share. Photos that go to strangers are where geotags matter: a listing on a secondhand marketplace photographed in your living room, a lost-pet poster shot in your yard, photos of your kids sent to a group of people you half know. Anyone who saves the original file can read the coordinates in seconds — no special skills, just "file info" on most systems.
Timestamps combine badly with location. A photo geotagged at your home at 9 a.m. on a weekday, posted alongside vacation photos geotagged abroad, is an announcement that the house is empty. This is not theoretical; police forces have warned about it for years, and there are well-documented cases of people being located from geotags — including a famous 2012 incident where a fugitive tech founder's position was exposed by the EXIF in a journalist's photo.
None of this means panic. Photos shared to big social platforms are mostly fine, for a reason covered next. The cases that deserve attention are original files sent directly to people you do not fully trust.
Which platforms strip metadata, and which do not
The major social networks — Facebook, Instagram, X, and similar — re-process every upload, and the image other users can download has the EXIF stripped, GPS included. (The platform itself typically reads the metadata before discarding it, which is a privacy question of a different kind, but at least other users cannot see it.) WhatsApp and most chat apps do the same for pictures sent the normal way, because they recompress images to save bandwidth.
The gaps are everywhere people deliberately preserve quality:
- Email attachments — the file arrives byte-for-byte identical, metadata and all.
- Cloud drive links — Google Drive, Dropbox, iCloud links share the original file untouched.
- Messengers in "document" or "file" mode — sending a photo "as a file" in WhatsApp or Telegram skips the recompression and keeps everything.
- Many forums, marketplaces and small websites — behavior varies and you should assume nothing is stripped.
Notice the irony: choosing the "full quality" sharing option is exactly what preserves the data you might want gone.
How to see what is inside your own photos
The quickest way to make this concrete is to look at one of your own files. Drop any photo into our image metadata viewer and it lists every EXIF field it finds — camera, settings, timestamps, and GPS coordinates if present. The check runs entirely in your browser; the photo is never uploaded anywhere, which matters rather a lot for a tool whose whole point is privacy. Try it with a photo taken by your phone camera and one saved from a social network, and you will see the difference immediately: the first is full of data, the second is nearly empty.
How to remove metadata before sharing
Both major phone platforms let you share without location: iOS has an "Options" toggle on the share sheet, Android's Google Photos can remove location on share. Those handle GPS but often keep the rest of the EXIF.
The blunt, reliable method is re-encoding: decode the image to raw pixels, then save a brand new file from those pixels. The new file contains what the encoder writes — which, for the tools on this site, is no EXIF at all. Practically, that means either running the photo through the image compressor (you get a smaller, metadata-free copy in one step) or converting it to another format, for example PNG to JPG or HEIC to JPG. Since everything here runs client-side, the original never leaves your machine during the process.
One caveat: removal only helps before sharing. Once an original file is out, its copy of the metadata is out with it.
The new metadata: AI generation info
A newer category is worth knowing about. Images made with AI tools often carry their own kind of metadata. Stable Diffusion interfaces such as AUTOMATIC1111 and ComfyUI write the full generation recipe — prompt, negative prompt, seed, sampler, model name — into text chunks of the output PNG. If someone shares a generated image as the original PNG, the exact prompt they typed rides along inside the file, which has embarrassed more than one person who prompted for something they would not say out loud.
Going the other direction, the industry is starting to add provenance on purpose. C2PA "Content Credentials", backed by Adobe, Microsoft, Google and camera makers, embeds a signed record of where an image came from and what edited it — some cameras now sign photos at capture, and tools like Photoshop and several AI generators attach credentials on export. The idea is to make "is this photo real?" answerable. Adoption is early and uneven, but these records are appearing in more files every year.
Our metadata viewer reads PNG text chunks and other embedded segments too, so it will surface an embedded Stable Diffusion prompt or flag C2PA-related data where present — a quick way to check what a downloaded image admits about its own origins.
The short version
- Every phone photo carries camera details, timestamps and usually precise GPS.
- Big social networks strip it; email, cloud links and "send as file" do not.
- Check any file in seconds with the metadata viewer.
- Re-encoding through the compressor or a format conversion produces a clean copy.
- AI images have metadata of their own — embedded prompts going out, content credentials coming in.