imageupload.io
2026-04-08

Privacy by default, not as an upsell

Most image hosts treat privacy as a line item. You get "enhanced privacy" if you pay. You get a checkbox for "strip EXIF" buried three menus deep. You get a cookie wall that asks seventeen "partners" to read your IP address.

We don't do that. Here's what "privacy by default" means on imageupload.io, in specifics.

1. EXIF and metadata are always stripped

Every image that lands on our servers goes through sharp. Before we write anything to disk or to R2, we call:

sharp(buffer).rotate().toBuffer()

sharp strips all metadata from its output by default (it is withMetadata() that would keep it, and we never call that), converts the pixels to sRGB and drops the ICC profile along with the rest. rotate() with no argument reads the EXIF Orientation tag, applies it to the pixel data, and then the tag is discarded like everything else.

That strips:

  • GPS coordinates (EXIF.GPSLatitude, EXIF.GPSLongitude)
  • Camera make, model, and serial number
  • Thumbnail previews embedded in the original file
  • Lens info, exposure, ISO - the lot
  • User comments people sometimes leave in files

Orientation survives because rotate() bakes it into the pixel data, not because the tag is kept; XMP and IPTC blocks go the same way as EXIF. You can verify it yourself: upload a photo, download it from the direct link, and open it in any EXIF viewer (exiftool, for example). You will see nothing beyond the file-level fields the tool always reports (size, dimensions, JFIF version); there will be no EXIF, XMP or IPTC tags.
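As an added example (not imageupload.io's code, and not a replacement for sharp), here is the verification step in plain Node.js: it walks a JPEG's marker segments, reports the metadata-bearing ones (APP1 Exif/XMP, APP2 ICC, APP13 IPTC, COM), and can drop them. The sample JPEG is constructed inline with a JFIF header, an Exif block, a comment and a minimal scan; it is structurally valid for the walker but not a decodable picture.

```javascript
// Added example, not imageupload.io's code: inspect and strip JPEG metadata
// segments, e.g. to verify that a served file really carries no EXIF block.
const SOI = 0xd8, SOS = 0xda;

// Marker segments that carry metadata a privacy-preserving host should drop.
const METADATA_MARKERS = new Map([
  [0xe1, 'APP1 (Exif or XMP)'],
  [0xe2, 'APP2 (ICC profile)'],
  [0xed, 'APP13 (IPTC / Photoshop IRB)'],
  [0xfe, 'COM (comment)'],
]);

// Walk the marker segments up to and including SOS. Everything from SOS to
// the end of the file (entropy-coded scan data plus EOI) is returned as one
// opaque segment, because scan data is not length-prefixed.
function segments(buf) {
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== SOI) {
    throw new Error('not a JPEG (missing SOI)');
  }
  const out = [];
  let i = 2;
  while (i + 4 <= buf.length) {
    if (buf[i] !== 0xff) throw new Error(`expected marker at offset ${i}`);
    const marker = buf[i + 1];
    if (marker === 0xff) { i += 1; continue; }          // fill byte before a marker
    if (marker === SOS) {
      out.push({ marker, offset: i, length: buf.length - i });
      return out;
    }
    const len = buf.readUInt16BE(i + 2);                 // includes the 2 length bytes
    if (len < 2 || i + 2 + len > buf.length) throw new Error(`bad segment length at ${i}`);
    out.push({ marker, offset: i, length: 2 + len });
    i += 2 + len;
  }
  throw new Error('truncated JPEG (no SOS)');
}

// Metadata segments present, flagging the one that is real EXIF: an APP1
// whose payload starts with "Exif\0\0" (XMP uses APP1 too, with another prefix).
function metadataSegments(buf) {
  return segments(buf)
    .filter((s) => METADATA_MARKERS.has(s.marker))
    .map((s) => ({
      name: METADATA_MARKERS.get(s.marker),
      offset: s.offset,
      length: s.length,
      isExif: s.marker === 0xe1 &&
        buf.toString('latin1', s.offset + 4, s.offset + 10) === 'Exif\0\0',
    }));
}

function hasExif(buf) {
  return metadataSegments(buf).some((s) => s.isExif);
}

// Drop every metadata segment and re-emit the rest byte for byte. Dropping
// APP1 also drops the Orientation tag, so a real pipeline must first apply
// the rotation to the pixels (what sharp's rotate() does); this only edits headers.
function stripMetadata(buf) {
  const keep = segments(buf).filter((s) => !METADATA_MARKERS.has(s.marker));
  return Buffer.concat([
    Buffer.from([0xff, SOI]),
    ...keep.map((s) => buf.subarray(s.offset, s.offset + s.length)),
  ]);
}

// --- constructed sample input (not a real photo, and not decodable) ---
function buildSegment(marker, payload) {
  const len = Buffer.alloc(2);
  len.writeUInt16BE(payload.length + 2);
  return Buffer.concat([Buffer.from([0xff, marker]), len, payload]);
}

const SAMPLE_JPEG = Buffer.concat([
  Buffer.from([0xff, SOI]),
  buildSegment(0xe0, Buffer.concat([Buffer.from('JFIF\0', 'latin1'),
    Buffer.from([1, 1, 0, 0, 1, 0, 1, 0, 0])])),                   // APP0 JFIF
  buildSegment(0xe1, Buffer.concat([Buffer.from('Exif\0\0', 'latin1'),
    Buffer.from('MM\0\x2a\0\0\0\x08', 'latin1'),                   // TIFF header, big-endian
    Buffer.from([0, 0, 0, 0, 0, 0])])),                            // empty IFD0, no next IFD
  buildSegment(0xfe, Buffer.from('shot on my phone at home')),     // COM
  Buffer.from([0xff, SOS, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3f, 0x00]), // SOS header
  Buffer.from([0x12, 0x34]),                                       // stand-in scan data
  Buffer.from([0xff, 0xd9]),                                       // EOI
]);

console.log('before:', metadataSegments(SAMPLE_JPEG));
console.log('after: ', metadataSegments(stripMetadata(SAMPLE_JPEG)));
```

Run it against a downloaded direct-link file with `Buffer` from `fs.readFileSync` instead of SAMPLE_JPEG; `metadataSegments` should return an empty array for anything the host serves.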

2. We don't use third-party analytics

No Google Analytics. No Plausible. No Cloudflare Insights. No Segment. No Matomo. No pixel trackers. No Facebook conversion tags. Our server logs contain the minimum we need to prevent abuse and are deleted after 90 days.

3. Cookies are three, all first-party

  1. sid - your login session, HTTP-only, signed, 30-day expiry.
  2. cookie_choice - remembers whether you clicked Essential or Accept-all on the banner so we don't bother you twice.
  3. pw_:slug - if you unlock a password-protected image, we set this so you don't have to retype the password for an hour.

That's it. No third parties. No "partners".

4. Fingerprinting is for abuse prevention, not for tracking

When an anonymous visitor uploads an image, we compute a SHA-256 over IP | User-Agent | Accept-Language and store the first 32 hex characters of the digest (128 bits) in the image record. Admins use this to block abusers without having to block entire IP ranges. The fingerprint contains no account, e-mail or name, and it is a one-way hash: the record on its own does not give back the IP or browser it was computed from. We do not share it with anyone.

5. Your data, your call

Go to /dashboard/profile and click "Delete account". We run a single transaction:

  1. Delete every image you uploaded (from local disk or R2, as applicable).
  2. Delete every view log that references your images.
  3. Delete your payments.
  4. Delete your sessions, so the sid cookie stops working immediately.
  5. Delete your user row.

No "soft delete". No 30-day grace period. It's gone.

Why it matters

A photo has more context than most people realize. A screenshot can leak an auth token. A selfie can leak a home address. A product shot can leak a camera serial number linked to a different account elsewhere. Image hosting that treats privacy as a premium feature is image hosting that doesn't respect you.

We're small enough to be boring about this - and we'd like to stay that way.