Every photo your phone takes stores more than just the image. Embedded are GPS coordinates, device model, lens settings, date and time, sometimes even your name. Anyone who reads this data knows where and when you were. What's hidden in your images, which platforms remove it, and which don't.
What are EXIF, IPTC and XMP?
Image files contain three kinds of metadata that accompany the actual picture:
- EXIF (Exchangeable Image File Format) is written automatically by the camera: GPS position, device model, focal length, aperture, ISO, exposure time, exact timestamp.
- IPTC covers manually maintained fields like caption, author, copyright, keywords.
- XMP is a more modern, extensible format that encompasses both worlds and is used, for example, by image-editing software.
The most sensitive part is EXIF, specifically the GPS coordinates. A single photo you took at home can reveal your address to within a few meters, without you ever entering an address.
The dangerous misconception: "Social networks strip that out, don't they?"
Half right, and dangerous precisely because of that. The big platforms remove sensitive metadata from the version other users can download. But most people overlook two things:
- The platform receives your original photo including all metadata on upload. It only removes it from the public copy. Internally the location is often stored and analyzed. Facebook, for instance, has stripped EXIF from the public image since 2012, but reads the location data server-side for ad targeting. With Instagram it's the same logic: GPS disappears from the download but is retained internally.
- The behavior depends heavily on the platform, the feature and the upload path. What gets removed in the public feed can be retained in direct messages or in higher-quality uploads.
And even when the GPS data is gone: platforms can still infer your location from your IP address, app telemetry, manual location tags or simply the image content itself.
Who removes it, who doesn't (as of 2026)
| Service | Behavior |
|---|---|
| Instagram, Facebook, X, LinkedIn | public downloads are cleaned, internally data is partly stored |
| TikTok | re-encodes everything, GPS disappears as a side effect |
| WhatsApp (photo mode) | removes GPS and most EXIF data |
| WhatsApp (document mode) | ⚠️ keeps all metadata: GPS, device, timestamp |
| Telegram (photo mode) | compresses the image and strips EXIF as a side effect |
| Telegram (send as file) | ⚠️ keeps full EXIF data including GPS |
| iMessage | keeps full metadata |
| Signal | removes everything before sending |
The trap is the file or document mode: many people send photos "as a file" to avoid quality loss, and thereby unknowingly transmit the complete original including GPS. Among messengers, Signal is the gold standard because it consistently removes metadata before sending and stores nothing on its servers.
The GDPR dimension
For businesses this is no niche topic. GPS coordinates and device identifiers in photos are personal data in the sense of the GDPR. Anyone who processes user photos, publishes them on a website or passes them on potentially drags location and device profiles along, often without knowing it. Anyone publishing images of employees, customers or events should remove EXIF data as a fixed step in the workflow, not as an afterthought.
The only reliable solution: remove it beforehand
The takeaway from every test is unambiguous: don't rely on the platform to remove your metadata. The behavior changes without notice, differs depending on the upload path, and in every case the platform has already received your original.
The only method that works independently of the platform is removing it before uploading or sharing.
A practical side effect of an image conversion: when a photo is re-encoded in a browser-based converter (for example by canvas re-encoding from HEIC to JPG or from JPG to PNG), the EXIF data usually drops out. The resulting image contains only the pixels, no longer the capture metadata. When this happens locally in the browser, your original doesn't even leave your device.
Quick checklist
- Remove before sharing, don't trust the platform.
- Never send as a "document" when privacy matters.
- For sensitive photos (home, children, workplace) always clean them.
- In a company plan EXIF removal as a fixed step before every publication.
Clean images locally with wandlio
When you convert a photo with wandlio, the image conversion runs locally in your browser. The original is not uploaded, and the re-encoded image no longer carries the capture metadata:
- HEIC → JPG: make iPhone photos compatible and clean
- JPG → PNG: re-encode losslessly
- PNG → JPG: reduce file size
- JPG → WebP: optimize for the web
No account, no upload, and the file is always deleted.