Privacy Policy

1. Our Privacy Commitment

Delete Metadata is a fully client-side metadata removal engine deployed as a static HTML5 web application. We do not collect, store, transmit, or process any user data on remote servers. Every image you load into the scrubber, every GPS coordinate eliminated from its EXIF directory, every AI provenance label stripped from its XMP packet, and every C2PA Content Credential erased from its file architecture stays entirely within your browser’s sandboxed JavaScript runtime and volatile RAM. This privacy commitment is not a policy statement subject to change — it is an architectural guarantee enforced by the technical design of our application at the code level.

Delete Metadata was deliberately engineered as a zero-server application because we recognize that metadata removal tools, by the nature of their function, handle some of the most sensitive data a user can possess: GPS-tagged photographs that reveal home addresses and movement patterns, images with smartphone hardware serial numbers that uniquely identify the user’s device, and files containing C2PA Content Credentials that document the complete editing and generation history of the asset. A server-based metadata scrubber would inevitably create a centralized repository of precisely the private information users seek to protect — a high-value target for malicious actors, a single point of failure for data breaches, and a compelling destination for legal process and insider threats. By ensuring that no image data, no pixel value, and no metadata record ever leaves your device, we make it mathematically and architecturally impossible for us or any third party to access, leak, or surrender your information.

2. No Data Collection

Delete Metadata does not collect, request, or retain any of the following categories of user information under any circumstances:

• Personal information — names, email addresses, telephone numbers, physical mailing addresses, government-issued identification numbers, or any other form of personally identifiable information as defined by GDPR Article 4(1), CCPA §1798.140(o), and analogous international regulations.
• Image files and image contents — the photographs, digital art, screenshots, and visual assets you drop into the scrubber interface are read exclusively and transiently by your browser’s FileReader API into volatile JavaScript memory. No pixel data, no RGBA channel value, no file-level binary segment, and no visual preview thumbnail is ever transmitted to any server, logged to any storage device, or accessible to any process outside your browser’s sandbox.
• Stripped metadata records — the GPS coordinates, camera serial numbers, capture timestamps, device firmware identifiers, XMP generative AI labeling trees, C2PA Content Credential manifests, ICC color profiles, IPTC copyright fields, and all other metadata structures eliminated by the Canvas re-rendering pipeline exist only as transient bit patterns in your browser’s memory. We never record, log, aggregate, or analyze which metadata was present or what was removed.
• Browser fingerprints — we do not deploy canvas fingerprinting, WebGL fingerprinting, font enumeration, WebRTC local IP detection, AudioContext oscillation analysis, or any other passive or active device identification technique that could be used to re-identify users across sessions or correlate tool usage with other browsing activity.
• Behavioral interaction telemetry — we do not track which buttons you click, which interface elements you interact with, how many images you load into the batch queue, how long the processing pipeline takes to complete, how many batches you process per session, what file formats you favor, or any other interaction-level behavioral metric.
• IP addresses and geolocation — our web server access logs are configured with IP anonymization enabled. We do not use the browser Geolocation API (navigator.geolocation), any IP-to-location mapping database, or any third-party geolocation service to approximate or infer user location.

3. Client-Side Execution Model — Technical Verification

Every metadata scrubbing operation in Delete Metadata executes exclusively through standardized, open-specification browser APIs that operate on your local device hardware without network access of any kind:

• File Ingestion: The FileReader API (FileReader.readAsDataURL()) reads user-selected image files from the local file system and produces data URIs that exist solely in the current JavaScript execution context’s heap memory. No file descriptor handle, no file system path, and no file content is transmitted to any external endpoint, WebSocket, or background worker at any point in this process.
• Image Rasterization & Metadata Elimination: The HTML5 Canvas API creates an offscreen rendering surface. When ctx.drawImage() is called, the browser’s native image codec (libpng, libjpeg, libwebp, or the AVIF decoder depending on the input format and browser engine) decompresses the compressed pixel stream into a raw RGBA bitmap. Every non-pixel binary structure attached to the source file — EXIF TIFF directories, XMP XML packet wrappers, C2PA JUMBF manifest boxes, ICC color profile chunks — is consumed by the codec during decompression and permanently discarded. This elimination is not an active step our code performs; it is the default and intended behavior of the HTML5 Canvas API and has been since the specification was ratified. The Canvas element is never appended to the DOM tree and its pixel buffer is never serialized for network transmission.
• LSB Steganography Payload Neutralization: Following metadata stripping via Canvas re-rendering, our engine applies a pixel-level sanitization pass that zeroes out the least significant bit (LSB) of every Red, Green, and Blue color channel across the entire image. This operation destroys any pixel-level encoded data payloads — including LSB steganography, covert channel markers, and forensic watermark residues — without producing any human-perceptible visual change (maximum deviation of ±1 per channel on a 0–255 scale, approximately 0.4% per channel).
• PNG Export: Canvas.toBlob(‘image/png’) serializes the cleaned RGBA pixel matrix into a downloadable binary object. The browser’s PNG encoder constructs an entirely new file from primitive structural components: a PNG signature, an IHDR chunk (image dimensions and bit depth), compressed IDAT pixel data, and an IEND file terminator. No EXIF IFD chunk, no XMP text chunk, no C2PA proprietary chunk, no ICC profile chunk, and no ancillary chunk of any kind is written by the encoder. The output is structurally, provably metadata-free.

You can independently verify this architecture at any time without relying on our claims. Load Delete Metadata in your browser, open the Developer Tools panel (F12 or Ctrl+Shift+I in most environments), navigate to the Network tab, and perform any metadata scrubbing operation — opening the file picker, loading images into the queue, triggering processing and download. The only network activity observable will be the initial HTTP requests for static assets (HTML, CSS, JavaScript, font files, and the Google Analytics script) plus the GA4 page_view event beacons described in Section 6. No file content, pixel data, metadata record, or interaction telemetry is visible in any network request. As a further verification, disconnect your internet connection entirely after the page finishes loading — all metadata scrubbing, batch processing, and sequential download functions will continue to operate without interruption, confirming that no server round-trip is required for core tool functionality.

4. Temporary Browser Memory — Data Lifecycle

All user data processed by Delete Metadata exists exclusively within volatile browser memory (Random Access Memory allocated to the browser process by your operating system) for the duration of a single page session. No data persists across sessions or survives navigation events:

• No persistent storage mechanisms utilized: Delete Metadata does not write to localStorage, sessionStorage, the IndexedDB API, the Cache Storage API (Service Worker caches), the File System Access API persistent handles, or any other browser-provided persistence interface. The application maintains zero persistent state across page loads. Refreshing the page, closing the tab, or navigating away terminates all data without possibility of recovery.
• No local file system write operations: The application does not request or utilize the File System Access API (showOpenFilePicker, showSaveFilePicker, or FileSystemDirectoryHandle). All file input is handled through standard <input type=“file”> form elements with multiple attribute for batch selection. All output is delivered through standard transient anchor-click download mechanics. The application writes nothing to your device’s file system at any point beyond the explicit, user-initiated PNG file downloads.
• Automatic memory release via garbage collection: When the Delete Metadata page is closed or refreshed, the browser’s JavaScript engine immediately marks all Canvas objects, Image objects, ArrayBuffer allocations, Blob references, FileReader result buffers, and object URL references as unreachable. The engine’s garbage collector (typically a generational mark-and-sweep collector in V8, SpiderMonkey, or JavaScriptCore) reclaims the allocated memory pages within seconds and returns them to the operating system.
• Ephemeral thumbnail object URLs: Image thumbnail previews rendered in the batch file list are created using the URL.createObjectURL() API, which generates temporary blob: protocol URLs bound to the document’s lifetime. All such URLs are programmatically revoked by calling URL.revokeObjectURL() when individual files are removed from the queue, when the queue is cleared via the “Clear All” button, or when the processing batch completes and the file list is reset.

5. Cookies and Local Tracking

The Delete Metadata metadata scrubber engine does not set, read, require, or reference any browser cookies, HTTP cookies, or equivalent client-side storage tokens. The tool operates in an entirely stateless mode: there is no user account session, no authentication token, no persistent preference storage, no localization cookie, and no tracking identifier of any kind associated with use of the metadata removal functionality.

The only cookies that may be present in your browser when accessing Delete Metadata are first-party HTTP cookies set by the Google Analytics 4 (GA4) measurement script (specifically cookies with the _ga and _ga_* naming prefixes in the deletemetadata.com domain scope). These cookies are used exclusively for anonymous aggregate traffic measurement and session differentiation as described in Section 6. They are governed by Google LLC’s privacy policy, not by Delete Metadata’s. You retain full control: you may block all Google Analytics cookies through your browser’s privacy settings, through any reputable ad-blocking or tracker-blocking browser extension, or through Google’s official Analytics opt-out browser add-on (available at tools.google.com). Blocking these cookies has zero impact on any metadata scrubbing functionality — the core tool continues to operate at full capacity regardless of cookie consent state.

6. Google Analytics 4 (GA4)

Delete Metadata employs Google Analytics 4 (GA4) for lightweight, de-identified aggregate site traffic measurement. Our GA4 implementation adheres to the following constraints:

• Data collected by GA4: Page view event counts (the standard page_view event), approximate session duration aggregates, country-level geographic distribution (derived from anonymized IP prefixes, not full IP addresses), browser type and major version identifier, device category classification (desktop / mobile / tablet), and traffic referral source categorization (organic search, direct navigation, social media referral, referring domain).
• Data explicitly excluded from GA4 transmission: No image file content, no pixel data, no metadata record, no file name, no file size, no image format identifier, no batch queue count, no processing duration metric, and no tool interaction signal of any kind is transmitted to GA4. Our implementation uses exclusively the default, zero-parameter gtag(‘config’, ‘MEASUREMENT_ID’) call with no custom dimensions, no custom metrics, no event parameters, no user properties, and no enhanced measurement features that could inadvertently capture form field inputs or file interaction data.
• IP address handling: GA4 applies IP anonymization by default for all properties. The full client IP address is never written to disk, persisted in reports, or surfaced in the GA4 user interface. Only truncated, anonymized IP prefixes are used for coarse geographic aggregation.
• Data retention period: GA4 user-level and event-level data retention is configured to the minimum allowable duration under Google’s platform constraints, which is 14 months for standard GA4 properties. Data older than this window is automatically purged from Google’s servers on a rolling monthly basis.
• User opt-out mechanisms: You may opt out of GA4 data collection entirely through any of the following methods: installing Google’s official Analytics Opt-out Browser Add-on (compatible with Chrome, Firefox, Safari, Edge, and Opera), configuring your browser or network-level ad blocker to deny requests to the googletagmanager.com and google-analytics.com domains, or enabling the Global Privacy Control (GPC) signal in a compatible browser, which we honor for analytics data collection.

7. Third-Party Services and External Dependencies

The Delete Metadata core metadata scrubbing engine has zero runtime dependencies on external APIs, third-party libraries, or remote services. The entire pipeline is implemented in approximately 430 lines of framework-free, dependency-free vanilla JavaScript (ES5-compatible for broad browser support) using only standardized, W3C-specification browser APIs. No external API endpoint — REST, GraphQL, WebSocket, Server-Sent Events, or XMLHttpRequest — is called during any scrub operation.

The following external resources are loaded during initial page construction only. None of them receive any image data, metadata records, pixel values, file identifiers, or behavioral signals from the metadata removal tool:

• Google Fonts (served from fonts.googleapis.com): Delivers the Inter, JetBrains Mono, and Sora typeface files and associated CSS @font-face declarations used for typographic rendering of the page’s informational content. Google Fonts requests include only the font family and weight parameters specified in our stylesheet links — no file content or user interaction data is embedded in or transmitted alongside font requests.
• Google Material Symbols (served from fonts.googleapis.com as an icon font): Delivers the Material Symbols variable icon font file used for interface iconography (upload cloud icon, download icon, delete icon, navigation arrows, etc.). Font requests contain no user data.
• Google Tag Manager / GA4 measurement script (served from googletagmanager.com): Delivers the gtag.js analytics library that implements the anonymous traffic measurement described in Section 6. No image content, metadata, or tool interaction data is passed to or through this script.

We do not employ any Content Delivery Network (CDN) resources for JavaScript libraries, CSS framework files, polyfill services, or image assets beyond the three services listed above. All application logic, including the metadata scrubbing engine and the complete Tailwind CSS utility framework (served as a single, statically minified CSS file), is delivered directly from our origin server and hosted within our infrastructure.

8. Transport Security and Integrity

Delete Metadata is served exclusively over the HTTPS protocol (HTTP over Transport Layer Security) with HTTP Strict Transport Security (HSTS) header enforcement, which instructs compatible browsers to refuse any plaintext HTTP connection to the domain for a defined max-age period. While the metadata scrubber engine transmits zero user data over the network — making transport-layer encryption less operationally critical than for a traditional data-processing web application — HTTPS provides essential additional guarantees:

• Static asset integrity assurance: The HTML, CSS, and JavaScript files that collectively constitute the Delete Metadata application are delivered to your browser without tampering, modification, or injection by intermediate network nodes. This prevents man-in-the-middle attackers from injecting malicious JavaScript that could intercept FileReader output, exfiltrate Canvas pixel data, or alter the metadata scrubbing logic.
• TLS certificate domain validation: Your browser cryptographically verifies, via the public Certificate Authority infrastructure, that it is communicating with the authentic Delete Metadata origin server and not an imposter domain serving a compromised or instrumented version of the application.
• Encryption of all data in transit: Every byte transferred between our server and your browser — HTML markup, CSS stylesheets, JavaScript source, image assets, and font files — is encrypted under the negotiated TLS cipher suite. Network observers on intermediate infrastructure (ISP routers, corporate proxies, public Wi-Fi access points) cannot determine which specific pages or resources you are accessing on the Delete Metadata domain.

For users requiring the highest level of assurance, we recommend verifying the integrity of served assets by independently computing and comparing file hashes (SHA-256) of the delivered JavaScript and comparing them against published reference hashes, or employing browser extensions that enforce Subresource Integrity (SRI) digest verification for externally loaded resources where applicable.

9. Metadata Removal — Specific Security & Integrity Considerations

Because Delete Metadata is a privacy-enhancing tool that processes potentially sensitive image assets, users should be aware of the following considerations that extend beyond the application’s runtime environment into the broader digital ecosystem:

• Downloaded PNG file handling: The cleaned, metadata-free PNG files you download from Delete Metadata are regular files on your device’s local file system. Once downloaded, they exist independently of our application and are subject to your operating system’s file access control lists (ACLs), automated cloud synchronization services (iCloud Photos, Google Drive, OneDrive, Dropbox), automated backup systems, and any file-system-level security threats present on your device (malware, unauthorized access, physical device seizure). Delete Metadata exercises no control over, and accepts no responsibility for, the storage, transfer, editing, or disposal of these files after the download event completes.
• Visual output integrity and pixel fidelity: Delete Metadata explicitly disables Canvas image smoothing (imageSmoothingEnabled = false) as well as its vendor-prefixed equivalents (webkitImageSmoothingEnabled, mozImageSmoothingEnabled) to prevent anti-aliasing interpolation that could introduce sub-pixel color shifts at image boundaries. The two-stage cleaning pipeline — Canvas re-rendering followed by LSB zero-out — produces an output image whose visual appearance is functionally indistinguishable from the source image under normal viewing conditions. The LSB sanitization pass neither compresses any pixel nor applies any filtering or transformation; it exclusively clears the least significant bit, producing a maximum per-channel deviation of ±1 on a 0–255 scale, which falls well below the established human visual discrimination threshold. However, if a user subsequently opens the cleaned PNG in an image editing application that applies resampling, rotation with interpolation, lossy re-compression to a non-PNG format, or content-aware adjustments, those downstream operations may introduce visual changes that are independent of Delete Metadata’s processing pipeline.
• Lossless output encoding guarantee: All output images are encoded as PNG (Portable Network Graphics) using the browser’s native DEFLATE compression implementation. PNG compression is mathematically lossless: the decompressed pixel matrix is bit-for-bit identical to the pre-compression source. No pixel values are altered, quantized, or approximated by the PNG encoder. The output file’s visual content is structurally pixel-identical to the Canvas pixel matrix from which it was encoded. The sole difference between the source image and the output image is the structural absence of all metadata containers and the zeroed least significant bit plane — both changes that produce no human-perceptible visual difference.
• Re-metadata injection by downstream tools: Any image editor, content management system, social media platform, or file transfer service that receives the cleaned PNG may choose to inject its own metadata into the file — for example, by adding new EXIF tags documenting the software that performed the re-save, by attaching new XMP edit-history entries, or by embedding new C2PA Content Credentials asserting platform-level provenance. Delete Metadata cannot prevent downstream tools from adding new metadata to files after they leave our pipeline. Users who require persistent metadata-free files should treat the cleaned PNG as their definitive archive copy and exercise caution when subsequently opening or editing the file in metadata-injecting applications.

10. Children’s Privacy and COPPA Compliance

Delete Metadata does not collect, solicit, or process personal information from any user, regardless of chronological age. The application maintains no user accounts, presents no data entry forms beyond the file upload interface (which processes files locally and transmits nothing), and exposes no communication channel through which a user of any age could voluntarily or inadvertently submit personal information to us. Because we collect zero personal data, our service is inherently and unconditionally compliant with the United States Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506) and the Federal Trade Commission’s COPPA Rule (16 CFR Part 312), as well as analogous child privacy regulatory frameworks in other jurisdictions including the United Kingdom’s Age Appropriate Design Code (Information Commissioner’s Office) and the GDPR-K provisions of the EU General Data Protection Regulation.

11. International Data Protection Compliance

Because Delete Metadata collects, stores, and processes zero personal data of any category, it operates outside the substantive scope of the world’s major data protection regulatory frameworks. Specifically:

• GDPR (EU General Data Protection Regulation, Regulation (EU) 2016/679): Delete Metadata does not meet the definition of a data controller (Article 4(7)) or data processor (Article 4(8)) under the GDPR because no personal data (Article 4(1)) is collected, stored, or processed by our infrastructure. The tool’s exclusively client-side execution model means that any personal data potentially present in user-supplied images — such as GPS coordinates, device identifiers, and facial imagery — is processed entirely on the user’s own device within their browser’s isolated runtime and is never accessed, received, or retained by Delete Metadata’s server infrastructure. The GDPR’s substantive obligations regarding data subject rights (Articles 12–23), data protection impact assessments (Article 35), data breach notification (Articles 33–34), and cross-border transfer safeguards (Articles 44–49) do not apply to data that never enters our control in the first instance.
• CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act, Cal. Civ. Code §§ 1798.100–1798.199.100): Delete Metadata does not collect, sell, share, or disclose for a business purpose any personal information as defined by the CCPA/CPRA, and does not engage in cross-context behavioral advertising or automated decision-making. The CCPA’s obligations regarding notice at collection (§1798.100), consumer rights to know/delete/correct (§§1798.110, 1798.105, 1798.106), and opt-out of sale/sharing (§1798.120) have no operative target data to which they could apply.
• LGPD (Brazilian Lei Geral de Proteção de Dados Pessoais, Law No. 13,709/2018), PIPEDA (Canadian Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5), and PDPA (Singapore Personal Data Protection Act 2012, Act 26 of 2012): These statutes all regulate the collection, use, and disclosure of personal data by organizations. Since Delete Metadata conducts none of these activities with respect to any personal data, these regulations impose zero operational compliance requirements on our service.

Our privacy posture is rooted not in regulatory interpretation or legal argumentation, but in a simpler, verifiable technical fact: the Delete Metadata application, by architectural design, never receives any personal data from any user at any time. Where no data enters our infrastructure, no data protection obligation arises.

12. Changes to This Privacy Policy

We reserve the right to update, amend, or replace this privacy policy at any time to reflect changes in our technical architecture, our operational practices, our external service dependencies, or the evolving legal and regulatory environment in which we operate. The effective date of the current version is indicated by the “Last updated” timestamp at the bottom of this page.

We encourage users to review this policy periodically, particularly after any announced service updates or external dependency changes. Your continued use of the Delete Metadata website after modifications to this privacy policy are published constitutes your acknowledgment of the updated terms and your acceptance of those terms. In the specific event that a material change introduces any form of data collection, processing, or transmission where none previously existed, we commit to providing prominent, conspicuous notice on the Delete Metadata homepage and on this page for a minimum of thirty (30) calendar days before the change takes operational effect, and to providing a reasonable mechanism for users to understand and respond to the change.

13. Contact

For questions regarding this privacy policy, for requests for technical clarification about our client-side execution model, the Canvas-based metadata stripping pipeline, or the LSB sanitization process, for reports of potential security vulnerabilities in our application code or infrastructure configuration, or for any other matter related to data protection and user privacy at Delete Metadata, please contact us at the following address:

Email: [email protected]

We endeavor to acknowledge all privacy-related inquiries within five (5) business days of receipt and to provide a substantive response within fourteen (14) business days.