Metadata Privacy Linter

Paste base64 image bytes or a data URL and see what EXIF, XMP, or IPTC metadata would leak if the image were shared. Values are hidden by default so reports are safe to share.

Try:
Privacy report

About this tool

Metadata Privacy Linter checks an image for embedded metadata that can leak private information when you share a photo or screenshot. Paste base64 image bytes (or a data:image/...;base64,... URL) and it scans the container for EXIF/TIFF, XMP, and IPTC/IIM fields.

It flags common privacy risks:

Values are hidden by default so you can share the report without re-leaking the metadata you are trying to remove. Turn on Reveal concrete metadata values to show field values, decoded GPS coordinates, and an OpenStreetMap link.

Worked example

A PNG containing XMP creator and serial metadata:

image_base64 = iVBORw0KGgpwcmVmaXg8eDp4bXBtZXRh...
min_risk = all
reveal_values = false
output = report

The report lists high-risk creator/device fields without printing the actual name or serial number. Switch output to json when you need structured data for a pipeline.

FAQ

Is the image uploaded?

No. The scan runs in WebAssembly in your browser. The pasted base64/data URL is processed locally and never uploaded by this page.

Why does the tool ask for base64 instead of a file picker?

This gizza page model is text-input based, so base64/data URLs are the portable way to pass exact image bytes through the CLI, chat tool, and browser page. Use a local encoder or a previous tool output to provide the bytes.

What metadata formats are scanned?

The linter detects common image containers (JPEG, PNG, TIFF, WebP, HEIF, GIF) and scans EXIF/TIFF, XMP packets, and JPEG IPTC/IIM resources when those metadata blocks are present.

Does it remove the metadata?

No. It is a linter: it tells you what would leak and how risky each field is. Use an image metadata stripper or re-export workflow to remove the fields after you identify them.

Why are values hidden by default?

A privacy report can itself become sensitive if it prints GPS coordinates, serial numbers, or names. Hidden values let you share the report safely; reveal values only when you need exact coordinates or field contents.

Developer & Automation Access

Run it from the terminal

Same engine as this page, headless — via the gizza CLI:

gizza tool metadata-privacy-linter "iVBORw0KGgo... or data:image/jpeg;base64,..."

New to the CLI? Get gizza →

Open it by URL

Pre-fill and auto-run this tool with query parameters — the names match the API/CLI:

https://gizza.ai/tools/metadata-privacy-linter/?image_base64=iVBORw0KGgo...%20or%20data%3Aimage%2Fjpeg%3Bbase64%2C...&min_risk=all&reveal_values=true&output=report

Machine-readable descriptor: tool.json — title + parameters JSON Schema for agents.