About ExifSweep

ExifSweep is a privacy-first metadata viewer and remover, built and operated by VICTA DIGITAL s.r.o. in Prague, Czech Republic. We made it because no existing in-browser tool stripped GPS, XMP, IPTC, and container metadata as thoroughly as we needed for our own use — so we built one, opened it, and run it as a sustainable independent product.

Why we built this

Metadata leaks were the recurring problem behind every "I shared a photo and it revealed something" story we read. Existing tools were either CLI-only (exiftool — powerful but unfriendly), platform-locked (ImageOptim, Mac-only), or uploaded files to a server (defeating the privacy point).

In 2025 we built the first version as an internal tool for our own photo-sharing workflow. The piexif-only JPEG strip leaked DeviceManufacturer fields we didn't expect, so we wrote our own XMP / ICC / IPTC / Adobe segment walker. That experience — finding the gap exiftool didn't document and the in-browser tools didn't close — became the product.
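
The gap described above, shown as an added example (not ExifSweep's code): a minimal JPEG segment walker that labels what an EXIF-only strip leaves behind. The signature table, function names, and the constructed sample bytes are assumptions of this example, and it goes slightly beyond the text by also labelling COM segments.

```javascript
// Added example, not ExifSweep's code: label the metadata-carrying segments of a JPEG.
const SIGNATURES = [ // [marker, payload prefix, label]
  [0xe1, "Exif\0\0", "EXIF"],
  [0xe1, "http://ns.adobe.com/xap/1.0/\0", "XMP"],
  [0xe2, "ICC_PROFILE\0", "ICC"],
  [0xed, "Photoshop 3.0\0", "IPTC"], // IPTC lives inside Photoshop resource blocks
  [0xee, "Adobe", "Adobe"],
];

function walkSegments(bytes) {
  if (bytes[0] !== 0xff || bytes[1] !== 0xd8) throw new Error("missing SOI marker");
  const segments = [];
  let pos = 2;
  while (pos + 4 <= bytes.length) {
    if (bytes[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = bytes[pos + 1];
    if (marker === 0xda) break; // SOS: compressed image data follows
    const length = (bytes[pos + 2] << 8) | bytes[pos + 3]; // counts its own 2 bytes
    const end = pos + 2 + length;
    if (length < 2 || end > bytes.length) throw new Error("truncated segment");
    const head = String.fromCharCode(...bytes.subarray(pos + 4, Math.min(end, pos + 36)));
    const hit = SIGNATURES.find(([m, sig]) => m === marker && head.startsWith(sig));
    segments.push({ kind: hit ? hit[2] : marker === 0xfe ? "COM" : "other", start: pos, end });
    pos = end;
  }
  return segments;
}
// Return a copy of the file without the segments whose kind is in `drop`.
function stripKinds(bytes, drop) {
  const out = [];
  let cursor = 0;
  for (const seg of walkSegments(bytes)) {
    if (!drop.has(seg.kind)) continue;
    out.push(...bytes.subarray(cursor, seg.start));
    cursor = seg.end;
  }
  out.push(...bytes.subarray(cursor));
  return Uint8Array.from(out);
}

// Constructed sample: tiny segment payloads, not a decodable image.
const seg = (m, text) => [0xff, m, 0, text.length + 2, ...Array.from(text, (c) => c.charCodeAt(0))];
const sample = Uint8Array.from([
  0xff, 0xd8, ...seg(0xe1, "Exif\0\0gps"), ...seg(0xe1, "http://ns.adobe.com/xap/1.0/\0<x/>"),
  ...seg(0xe2, "ICC_PROFILE\0p"), ...seg(0xed, "Photoshop 3.0\x008BIM"), ...seg(0xee, "Adobe\0d"),
  ...seg(0xdb, "q"), 0xff, 0xda, 0, 2, 0xff, 0xd9,
]);
const kindsOf = (bytes) => walkSegments(bytes).map((s) => s.kind);
console.log(kindsOf(stripKinds(sample, new Set(["EXIF"])))); // what an EXIF-only strip leaves
```

Deleting ICC or Adobe APP14 segments changes how decoders interpret colour, so a stripper that targets them has to account for that rather than only cutting bytes.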

ExifSweep is what we wish had existed when we needed it: zero install, zero upload, every metadata field categorised by sensitivity, and a fair pricing model that pays for the bandwidth + cold storage of paid-tier server fallback.

Who runs it

ExifSweep is operated by VICTA DIGITAL s.r.o., a Czech limited-liability company registered in Prague. The founding team has shipped software in privacy, payments, and consumer web since 2018 — including data-residency platforms for European fintech and a payments stack handling low millions of euros monthly.

We are a small team (under 10 people), self-funded, with no investor pressure to monetise user data. Our growth model is honest pricing — €3.49/month Pro, €4.79/month Plus — and that is the only money we ever take from a user. We do not sell aggregated data, run third-party advertising, or share file content with anyone.

Operationally we run on Vercel (compute), Supabase (auth + Postgres with RLS), Cloudflare (DNS + WAF + DDoS), Upstash (Redis rate-limit), Stripe (billing), and Resend (transactional email). Every secret is server-only; no third-party JavaScript runs on the user-facing pages.

How we handle your data

Three rules: (1) Files never persist to durable storage unless a paid-tier user explicitly opts into the server-side fallback. (2) No file content is logged. Audit events store hashed actor keys (fp:sha256 for anonymous, user:auth_uuid for signed-in). (3) Anti-abuse uses HMAC-hashed browser fingerprints, never raw IP, with monthly salt rotation.

We are a GDPR data controller. Subject access, deletion, portability, and objection requests resolve within 30 days at [email protected]. See /data-requests for the full process. We act as a CCPA service provider for users in California.

Postgres has row-level security enabled on every user-owned table. The service-role key only runs on server functions. The publishable Stripe key and Supabase anon JWT are the only credentials that ever reach the browser.

How we make decisions

Every product decision passes one test: does this preserve the user's ability to share a file without the file revealing more than they intended? Features that would weaken that — for example, a "free" tier funded by ads served via third-party JavaScript that gets access to filenames — get rejected on principle, even when the revenue is meaningful.

We publish a public roadmap, a public threat model (docs/SECURITY.md in our repo), and we keep the source of every metadata writer auditable. If you want to verify what we strip, look at src/lib/metadata/strip-* in the codebase.

Contact

General: [email protected].

Privacy and data-rights: [email protected] — staffed by the same person as general support, but logs and resolutions live in a separate ticketing track for compliance.

Security disclosures: [email protected]. PGP key on request. We do not currently run a paid bug bounty, but we respond to disclosed issues within 24 hours and credit responsible reporters on the website with permission.

Postal: VICTA DIGITAL s.r.o., Prague, Czech Republic. Full registered address available on request for legal correspondence.

FAQ

Is ExifSweep a Czech company?
Yes. ExifSweep is operated by VICTA DIGITAL s.r.o., registered in the Czech Republic. We are GDPR data controllers under EU jurisdiction.

Is ExifSweep open source?
Not fully open at the moment, but the metadata-writer modules (strip-jpeg, strip-png, strip-webp, strip-heic, strip-video, write-pdf, etc.) are available for security review on request. We may relicense parts under MIT in the future.

Is the team in the Czech Republic?
The company is registered in Prague. The team is small (under 10) and distributed across the Czech Republic with some remote contributors.

How is ExifSweep funded?
Self-funded — Pro and Plus subscriptions (€3.49 / €4.79 per month) are the only revenue. No investors, no acquisition pressure, no plans to add advertising.

Who do I contact about a data-rights request?
Email [email protected] from the address tied to your account. Include the request type (access, deletion, portability, objection, restriction) and your account email. Response within 7 days, resolution within 30 days.

Can I trust that you don't see my files?
You can verify it in your browser DevTools. Open the Network tab, drop a file into ExifSweep, run a cleanup. You will see two requests: POST /api/cleanup/token (issues an anti-abuse nonce, no file data) and POST /api/cleanup/redeem (consumes the nonce, no file data). No file bytes leave your device on the Free or Pro tiers.