You do not need to become a forensics expert to protect yourself from metadata exposure. You need a habit. The same way you might glance in a mirror before leaving the house, a quick metadata check before you upload becomes second nature once you have done it a few times. This guide is that routine, organized by what you are about to share.
The one principle that covers everything
Before sharing any file with anyone outside your circle of trust, ask: what does this file know about me that the visible content does not show? If the answer is "I'm not sure," that is your cue to clean it. Metadata is, by definition, the part you cannot see by looking — so uncertainty is the normal state, and cleaning is the cheap insurance.
Before posting a photo
Photos are the highest-frequency risk because people share them constantly and casually.
- Strip GPS first and foremost. A photo taken at home or work pins you to that location. This is the single most important removal.
- Remove the device serial number. It links every photo from the same camera, allowing separate accounts or posts to be tied together.
- Remove timestamps if the timing of the photo is itself sensitive.
- Watch for the embedded thumbnail. If you cropped something out, confirm the thumbnail does not still show the original framing.
- Decide on copyright/credit. If you are a photographer who wants attribution to survive, use a preset that keeps IPTC and copyright while removing location and device data.
This applies equally to HEIC photos from an iPhone — see our HEIC guide — and to JPEGs, PNGs, and WebP images.
Before uploading a video or sharing audio
- Treat phone videos exactly like photos. They carry GPS, device, and timestamp metadata in the container. Most people forget this entirely.
- Check audio files for embedded identity. MP3s can carry the purchaser's name and the software used; professional WAV files can carry originator and date data.
- Our audio and video guide covers the formats in detail.
Before sending a document
Documents leak in ways that are slower to notice but often more consequential, because the metadata can include authorship and edit history.
- Word (.docx): remove author, company, and — critically — tracked changes and comments. "Accept All Changes" is not enough; the revision history can survive in the file structure. See our tracked changes guide.
- Excel (.xlsx): remove author and company, and check for defined names that contain network file paths, which can expose your internal server structure.
- PowerPoint (.pptx): remove author and company (which can reveal an agency built a client's deck), delete comments, and remember that presenter notes travel with the file unless you remove them.
- PDF: clear both the Info dictionary and the XMP packet — wiping one and leaving the other changes nothing. See why PDF metadata matters.
Separate the two jobs: metadata vs. redaction
This is the mistake that has embarrassed governments and corporations alike. Removing metadata and redacting visible content are two different tasks. Metadata removal strips the hidden descriptive layer; it does nothing to text you can see on the page. If your document contains a name, address, or figure written into the body, you must redact that separately — and redact it properly, by deleting the content, not by drawing a black box over text that remains selectable underneath. Do both jobs, in either order, but never assume one covers the other.
Do not rely on the platform
It is tempting to assume the site you upload to will clean your file for you. Some platforms do strip location from photos on upload; many do not, and the behaviour differs between services and changes over time. Smaller sites, forums, file-sharing links, and direct messages frequently preserve everything. The reliable strategy is to clean at the source, so your safety does not depend on a policy you cannot see and did not agree to.
Verify before you trust
After cleaning, confirm it worked rather than assuming:
- For images and documents, open the file's Properties on your computer and check that author and location fields are blank.
- For Office documents, you can rename a copy to
.zipand inspect the property XML directly. - If you use the audit report our tools generate, it records a SHA-256 hash of the cleaned file as tamper-evident proof of exactly what you are about to share.
The 30-second routine
Put together, the habit is short: identify the file type, drop it into a metadata cleaner, choose a preset that matches whether you need to keep copyright or notes, download the cleaned copy, and do a quick properties check. Done a few times, it takes under a minute and removes the overwhelming majority of accidental disclosures.
You can run every step of this checklist in your browser — images, audio, video, PDF, and Office files — starting with the image tool on our home page and the dedicated format pages. Nothing is uploaded; the cleaning happens on your device.