Technical

Image Metadata Privacy: What Your Photos Reveal About You

March 5, 20268 min read

What Is Image Metadata?

Every digital photo you take contains hidden information beyond the visible image. This metadata—also called EXIF data (Exchangeable Image File Format)—tells a detailed story about when, where, and how your photo was captured.

When you take a photo with a smartphone or digital camera, the device automatically embeds data into the image file:

GPS coordinates – Exact latitude and longitude where the photo was taken

Timestamps – Precise date and time of capture, often with timezone information

Camera model and serial number – Identifies your specific device

Lens information – Model of lens, focal length, aperture settings

Exposure settings – Shutter speed, ISO, white balance, flash status

Software information – Camera operating system, firmware version

Orientation data – Whether the phone was held horizontally or vertically

Editing history – What software modified the photo and when

Thumbnail preview – A small preview image embedded in the file

This metadata exists whether you know about it or not. Most people never see it—it's hidden from casual viewing. But it's absolutely there, embedded in the file itself.

The Privacy Risks of Metadata

The hidden nature of metadata creates significant privacy vulnerabilities. You might think you're sharing "just a photo," but you're actually transmitting detailed location history, device identification, and behavioral patterns.

Location Tracking

GPS coordinates are the most dangerous metadata element. If a photo includes GPS data, anyone with the image file knows exactly where it was taken.

This creates serious security risks:

Home location exposed: If you photograph something inside your house, the GPS coordinates reveal your residential address

Work location exposed: Business photos reveal your workplace address and schedule

Travel patterns: A series of photos with GPS data reveals where you travel, how often, and when

Routine patterns: Photos from recurring locations (gym, favorite restaurant, friend's house) establish predictable patterns that enable stalking or burglary

Identity breach: Combined with other information, location data enables identity theft, home invasion, or worse

The danger is compounded because metadata persists. A photo you took years ago, if shared today without removing metadata, still contains the GPS coordinates from when it was taken. Photos posted to social media are analyzed by bots that extract GPS data, building location databases.

Device Fingerprinting

Your camera or smartphone has unique identifiers embedded in every photo it takes. The camera model, serial number, and lens information allow anyone analyzing the photo to identify the specific device that took it.

This enables:

Connecting photos to the photographer: If you post photos with metadata showing your specific iPhone serial number, researchers can potentially connect those photos to your identity

Identifying patterns: Multiple photos with the same device ID reveal they were taken by the same person

Timeline reconstruction: The combination of device ID, timestamp, and location creates a detailed timeline of one person's movements and activities

Temporal Patterns

Timestamps reveal not just when a photo was taken, but establish patterns over time. If you share multiple photos with intact timestamps, someone can reconstruct:

Your daily schedule

When you're typically home vs away

Work hours and routines

Travel dates and duration

Sleep and wake patterns

This information is extremely valuable to potential attackers planning burglary, stalking, or other crimes.

Behavioral Profiling

Combined, metadata elements create a complete behavioral profile. Insurance companies, marketers, advertisers, and malicious actors can determine:

Your economic status (based on location and device)

Your daily routines and schedule

Your social network (from photos of other people at the same location)

Your health status (medical facilities you visit)

Your interests and hobbies (based on what you photograph and where)

This profiling is valuable to legitimate businesses (targeted advertising) and criminals (targeted attacks).

How Different Image Formats Handle Metadata

Not all image formats treat metadata the same way. Understanding these differences helps you make informed conversion choices.

HEIC Format

EXIF handling: HEIC files are taken by iPhones and embed complete EXIF data by default, including GPS coordinates, camera settings, and timestamps.

When converting HEIC to other formats: The metadata travels with the conversion. If you convert HEIC to JPG using a standard tool, the GPS data, timestamps, and device information transfer to the JPG file. The sensitive data doesn't disappear just because you changed formats.

JPEG Format

EXIF handling: JPEG is the original format designed to carry EXIF metadata. Every JPEG file can contain extensive metadata, and most digital cameras embed it by default.

Storage characteristic: EXIF data is stored in a specific section of the JPEG file. Some tools can strip this section, but the data remains recoverable through forensic techniques until it's completely overwritten.

PNG Format

EXIF handling: PNG technically can carry EXIF data (in an eXIf chunk), but many tools don't embed it by default. PNG screenshots typically contain minimal metadata.

Storage characteristic: When converting to PNG, metadata is often stripped, but not always. The conversion process determines whether metadata survives.

WebP Format

EXIF handling: WebP supports EXIF metadata, but it's optional. Some converters preserve metadata when converting to WebP; others strip it.

Storage characteristic: Metadata isn't required in WebP files, so some tools omit it entirely—which is good for privacy.

What Happens When You Upload to Online Converters

This is where the privacy equation becomes complicated. When you upload an image to an online converter to change formats, here's what should happen:

Ideal scenario: The converter extracts your image, processes it in the chosen format, preserves or strips metadata based on your settings, and returns the converted file. Nothing is stored or analyzed.

What actually happens with many converters:

Metadata extraction: The converter reads all EXIF data before conversion

Metadata storage: This data is saved to a database separate from the image

Analysis: The metadata is analyzed to extract location, device, and behavioral information

Analytics: Your data contributes to statistics about users, locations, and behaviors

Retention: Metadata is stored indefinitely, even if the image file is deleted

Secondary use: This data may be sold to data brokers, advertisers, or other parties

The worst part? You typically have no visibility into this process. The converter returns a converted image, and you assume that's all that happened. Meanwhile, your complete location history, device information, and behavioral data has been extracted, stored, and potentially monetized.

Even converters that don't deliberately harvest metadata often do so inadvertently through server logs. When you upload a file, the server records details about the request: your IP address (which reveals your location), your user-agent (which reveals your device and browser), the timestamp, and the file data. Combined, these logs create a profile of you.

Which Converters Strip vs Preserve Metadata

This varies significantly:

Converters that strip metadata: Some tools automatically remove all EXIF data during conversion. This is ideal for privacy. However, metadata removal doesn't prevent the converter from logging the data before stripping it.

Converters that preserve metadata: Many converters maintain EXIF data through the conversion process, meaning sensitive location and device data travels with your converted file.

Converters that don't address metadata: The majority of converters don't mention metadata handling at all. This typically means they preserve whatever metadata existed originally.

Converters that harvest metadata: Some converters explicitly extract and analyze metadata for analytics, profiling, or secondary use.

The problem is simple: you usually can't tell which category a converter falls into without detailed technical analysis. Privacy policies are vague. Marketing language is misleading. The only reliable way to verify is to test the converter yourself using developer tools.

How to Check Your Images for Metadata

Before sharing any photo online, check what metadata it contains:

On Windows:

Right-click the image file

Select "Properties"

Click the "Details" tab

Scroll through to view all metadata (look for GPS data, timestamps, camera model)

On Mac:

Right-click the image

Select "Get Info"

Expand the "More Info" section

Review metadata fields

Online (risky but reveals what's visible):

Use a web-based metadata viewer (though this uploads your file)

More privacy-safe: Download the image, check locally instead

Using command line (safest):

On Mac/Linux: `exiftool filename.jpg`

On Windows (with exiftool): `exiftool.exe filename.jpg`

This shows you exactly what metadata is embedded and whether it includes GPS, camera serial numbers, or other sensitive information.

How Browser-Based Converters Handle Metadata

Browser-based converters like PhotoFormatLab operate fundamentally differently from server-based converters:

No server upload: Since the conversion happens entirely in your browser, your image never leaves your device. The metadata never travels across the internet. No server stores it. No database logs it.

Metadata control: You decide whether to preserve or strip metadata. The choice is yours, executed locally on your device.

No tracking: Without server-side processing, there's no way to track what metadata you have or analyze it for profiling.

Instant verification: Open your browser's developer tools and verify no network requests transmit your image data. You'll see zero uploads because none occur.

This architectural difference is why browser-based conversion is fundamentally more private than server-based conversion, regardless of what the server-based converter claims.

Best Practices for Metadata Privacy

Before Sharing Any Photo

Check the metadata: Use the tools above to see what EXIF data exists in the image

Remove GPS coordinates: If the photo contains location data you don't want to share, remove it

Strip all metadata if sharing widely: For social media, use a tool that removes all EXIF data before posting

Keep originals separate: Maintain unmodified originals for archival; create stripped versions for sharing

When Converting Images

Use browser-based converters: Convert HEIC to JPG, JPG to PNG, or any format using browser-based tools like PhotoFormatLab where conversion happens on your device

Choose metadata stripping: Select options to remove EXIF data if sensitive information is present

Verify the converter: Use browser developer tools to confirm no file uploads occur during conversion

Never upload sensitive documents: Medical images, financial documents, or legal files should never be uploaded to any online converter—always use browser-based tools

For Sensitive Images

Medical records: Remove all metadata; use browser-based converters only

Financial documents: Remove all metadata; consider encrypting files separately

Work confidential material: Remove metadata; avoid uploading to any server

Personal documents (IDs, passports): Never include metadata; use client-side conversion only

Personal/intimate photos: Remove location data at minimum; consider removing all metadata

After Sharing

Metadata removal should happen *before* sharing. Once metadata is public, it's public. Don't assume that platforms remove it—some do, many don't, and none are transparent about it.

Frequently Asked Questions

What personal information is in photo metadata?

At minimum: location (GPS), timestamps, and camera model. Often also: lens information, exposure settings, device serial number, software version, thumbnail preview, and editing history. Combined, this data creates a complete profile of when and where you were, what camera you used, and how you edited your images.

Do image converters remove metadata?

Some do automatically. Many don't. Most don't specify either way. Server-based converters often extract metadata before conversion for analytics or profiling purposes. Only browser-based converters eliminate the risk entirely because nothing is uploaded to a server.

Can someone find my location from a photo?

Yes, if the photo contains GPS metadata. GPS coordinates are precise to within feet or meters. Anyone with the image file can see exactly where it was taken. This is why removing GPS data before sharing photos is critical for privacy and security.

Does converting HEIC to JPG remove GPS data?

No. Converting from one format to another preserves metadata by default. Your GPS coordinates, timestamps, and camera information travel with the file through conversion. Only when you specifically choose to strip metadata does it get removed. Use PhotoFormatLab's HEIC to JPG converter and enable metadata stripping to safely convert while removing sensitive data.

How do I remove metadata from photos?

Methods vary by device:

iPhone/Mac: Use Apple's "Photos" app or third-party tools like Exifr

Windows: Use Windows Photos (built-in), or free tools like ExifTool

Online (risky): Web-based metadata removers exist but require uploading your file

Safest approach: Use a browser-based converter that can convert and strip metadata in one step while keeping everything on your device

Try These Conversions

HEIC → JPG JPG → PNG PNG → JPG HEIC → PNG

HEIC vs JPEG: What's the Difference? A Complete Comparison

4 min read

Edit, Protect, and Remove Photo Metadata: A Professional Workflow

11 min read

What is HEIC? Everything You Need to Know in 2026

5 min read