Remove Word metadata.

Why Word documents leak so much

A .docx file isn't really one file — it's a ZIP archive containing dozens of XML documents and any embedded images. Microsoft's "Inspect Document" feature operates at the Word application layer, which means it cleans some of the well-known fields and leaves quite a lot of others behind.

Our tool unzips the archive, parses the XML directly, and scrubs metadata at every layer where it hides — including the layers Word doesn't expose to its own inspector.

What our tool removes from DOCX files

• Core properties (docProps/core.xml): creator, lastModifiedBy, lastPrinted, created, modified, revision, title, subject, description, keywords, category
• App properties (docProps/app.xml): Company, Manager, Template, TotalTime, Application, AppVersion, page/word/character counts
• Custom properties (docProps/custom.xml): CRM, DMS, and template-injected custom XML properties (the most overlooked metadata category in enterprise documents)
• Tracked changes: w:ins (insertions accepted), w:del (deletions removed), w:moveFrom/w:moveTo, w:rPrChange, w:pPrChange
• Comments: word/comments.xml, commentsExtended.xml, commentsIds.xml, and threaded discussion files
• Embedded image EXIF: every JPEG inside word/media/ gets its EXIF, IPTC, and XMP stripped

What Document Inspector misses

Microsoft Word's built-in Document Inspector is a good first pass but has known gaps:

• Embedded image metadata — Document Inspector does not strip EXIF from images inside the document. Our tool does.
• Custom XML parts — many CRM systems and document management platforms inject custom XML that survives Inspector.
• Template paths — the Template field in app.xml often contains a full filesystem path revealing your organization's network structure.
• Comment threads — Inspector usually catches comments, but in some configurations the extended comment files (containing reply threads) are left behind.

How to use this tool

1. Drop your .docx file in the box above
2. Review the inspector — see every field that's about to be removed
3. Pick a preset (Privacy is the default; Maximum Privacy also wipes embedded EXIF)
4. Download the cleaned file
5. Optionally download the audit report with SHA-256 verification

Important: This tool removes metadata. It does not redact visible text. If sensitive information is written into the body of the document, you'll need to remove or redact it separately before sharing.

The anatomy of a .docx file

A modern Word document is not a single binary blob — it is a ZIP archive (the Office Open XML, or OOXML, format) containing a small filesystem of XML parts. If you rename a .docx to .zip and open it, you will find a structure like this:

my-document.docx
├── [Content_Types].xml
├── _rels/
├── docProps/
│   ├── core.xml      ← author, dates, revision, title
│   ├── app.xml       ← company, template, editing time
│   └── custom.xml    ← CRM / DMS injected properties
└── word/
    ├── document.xml  ← the actual text + tracked changes
    ├── comments.xml  ← reviewer comments
    └── media/        ← embedded images (with their own EXIF)

Metadata is spread across several of these parts, which is exactly why a single "remove properties" action in Word does not catch all of it. Our cleaner unzips the archive in your browser, rewrites the relevant XML parts, scrubs the document body of revision markup, strips EXIF from any images in word/media/, then repacks the archive.

How tracked changes are stored — and why "Accept All" is not enough

When change tracking is on, Word does not simply edit the text. It wraps every change in markup. An inserted phrase is stored inside a <w:ins> element and a deleted phrase inside a <w:del> element, each carrying an author name and a timestamp:

<w:ins w:author="jane.doe" w:date="2025-09-14T10:32:00Z">
  <w:r><w:t>confidential figure</w:t></w:r>
</w:ins>

Clicking "Accept All Changes" resolves the visible text, but depending on configuration the document can retain related revision metadata — formatting-change records (<w:rPrChange>, <w:pPrChange>), move operations, and the author/date attributes themselves. Our cleaner explicitly walks word/document.xml and removes every revision element: it keeps the content of insertions (treating them as accepted), discards deletions, and deletes the change-tracking attributes entirely so no author or timestamp survives.

The verification math behind the audit report

After cleaning, the tool computes a SHA-256 hash of both the original and the cleaned file. SHA-256 reduces a file of any size to a fixed 256-bit fingerprint, written as 64 hexadecimal characters. Because the function exhibits the avalanche effect — flipping one input bit flips about half the output bits — the before and after hashes look entirely unrelated, which is visible proof the file changed. The chance of two distinct files producing the same hash is on the order of 1 / 2¹²⁸, which is treated as computationally impossible, so a matching hash reliably identifies a specific file.

A worked example: before and after

A .docx stores its core metadata in docProps/core.xml. Here is what that file looks like in a typical document straight out of Word, and what remains after the Privacy preset runs. The left side is what anyone can read by unzipping your document; the right side is what survives.

<cp:coreProperties>
  <dc:creator>Ama Mensah</dc:creator>
  <cp:lastModifiedBy>legal-review</cp:lastModifiedBy>
  <dcterms:created>2025-08-30T09:14:00Z</dcterms:created>
  <dcterms:modified>2025-09-14T17:04:00Z</dcterms:modified>
  <cp:revision>47</cp:revision>
  <dc:title>Settlement draft — confidential</dc:title>
</cp:coreProperties>

<cp:coreProperties>
  <dc:creator></dc:creator>
  <cp:lastModifiedBy></cp:lastModifiedBy>
  <dcterms:created>2000-01-01T00:00:00Z</dcterms:created>
  <dcterms:modified>2000-01-01T00:00:00Z</dcterms:modified>
</cp:coreProperties>

The "before" version names the original author, the account that performed the legal review, the full creation and modification timeline, a revision count revealing the document went through 47 saves, and a title marking it confidential. The revision count alone can be telling — 47 revisions on a one-page letter signals it was heavily negotiated. After cleaning, the creator and editor are blank and the timestamps are reset to a neutral placeholder date.

Complete Word metadata field reference

Word documents scatter metadata across several parts inside the ZIP. This table covers each location, what it exposes, and how the cleaner treats it.

How this has actually burned people

How Word's own "Inspect Document" compares

Microsoft Word includes a built-in tool at File → Info → Check for Issues → Inspect Document. It is genuinely useful and worth running, but it has real gaps that catch people out:

• It operates at the application layer, so it removes what Word's interface knows about — but it does not reliably strip EXIF from images embedded in word/media/.
• It can miss custom XML parts injected by third-party systems, which is exactly where enterprise tools store client and matter identifiers.
• It requires you to remember to run it every time, on every document, before every send — a manual step that is easy to skip under deadline pressure.
• The Template path in app.xml, which can expose your network structure, is not always cleared.

Our cleaner works on the file directly rather than through Word, so it catches the parts the application-level inspector leaves behind, and it does so the same way every time.

How to verify the file is clean

• In Word: open the cleaned file, go to File → Info, and confirm the Author, Last Modified By, and Company fields under Properties are blank.
• By unzipping: rename a copy of the file to .zip, open it, and inspect docProps/core.xml and docProps/app.xml in a text editor — the creator and company elements should be empty.
• Check for custom.xml: confirm docProps/custom.xml is no longer present in the archive.
• The audit report records a SHA-256 hash of the cleaned file as tamper-evident proof.

Frequently asked questions