Trust
Security & architecture
MetaMarshal is built so you don't have to take our word for it. The engine that touches your photos is small, MIT-licensed, and runs where you can watch it. Here's exactly how, and how to check it yourself.
How it works
Consumer app
The browser app processes your photos entirely on your device. Reading metadata, running the deep scan, and re-encoding a clean copy all happen locally — your file never travels to a server.
Developer API
The API is zero-retention: it processes files in memory and forgets them. Nothing is written to durable storage, and content is never logged.
The auditable client engine
Everything that touches your photo in the browser lives in a handful of small, MIT-licensed files. You don't need to trust a privacy policy — you can read the code that runs.
lib/exif.ts: Reads metadata (location, capture, device, sensitive fields) straight out of the file with exifr; nothing is sent anywhere to be parsed.
lib/deep.ts: Byte-level scan for what plain EXIF parsing misses: Content Credentials (C2PA), invisible-watermark signal markers, embedded comments, and data appended after the image.
lib/scrub.ts: Strips the metadata you choose and re-encodes the image on an in-browser canvas, orientation baked in, so the clean copy still looks right.
lib/heic.ts: Decodes HEIC/HEIF (a format browsers can't read natively) locally via a WASM build of libheif, so iPhone photos never need a server round-trip just to preview.
The only network carve-outs
Only two actions send anything off your device, and both require an explicit tap:
- AI location estimate — sends a downscaled copy of the image (never the original file) to /api/estimate only after you tap to confirm a dialog that names exactly what it does.
- Reverse geocoding — sends only bare GPS coordinates, never the image, to resolve an address, what3words, and timezone.
Verify it yourself
No need to trust this page either. It takes under a minute to check:
- Open your browser's DevTools and switch to the Network tab.
- Go to /clean and drop in a photo, then reveal and export a cleaned copy.
- Watch the Network tab: no request carries your image or file bytes. Reading, scanning, and re-encoding all happen in memory, on-device.
- The only exceptions are opt-in and explicit: tapping “resolve address” sends bare coordinates to a geocoding service, and tapping to confirm the AI location estimate sends a downscaled copy to /api/estimate. Both are labelled at the point of action, and you'll see exactly those two requests — and nothing else — if you trigger them.
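Watching the Network tab catches request sizes, but a stronger check is to test whether any outgoing body actually contains the bytes of the file you dropped in. The following is an added example, not part of MetaMarshal: a shim you paste into the DevTools console before dropping a photo. It wraps fetch and XMLHttpRequest and reports, per request, whether the original file bytes are present. The path /api/estimate comes from this page; the helper names and the `fileBytes` variable are the example's own.

```javascript
// Added example, not MetaMarshal's code: a DevTools console shim that audits every
// fetch/XHR body for the bytes of the photo you dropped in.

// Does `haystack` contain `needle` as a contiguous byte sequence?
function containsBytes(haystack, needle) {
  if (needle.length === 0 || needle.length > haystack.length) return false;
  outer: for (let i = 0; i + needle.length <= haystack.length; i++) {
    for (let j = 0; j < needle.length; j++) {
      if (haystack[i + j] !== needle[j]) continue outer;
    }
    return true;
  }
  return false;
}

// Classify one request body (already as bytes) against the original file bytes
// and the two carve-outs the page declares.
function auditBytes(url, bodyBytes, fileBytes) {
  const path = new URL(String(url), 'https://example.invalid').pathname;
  const leaksFile = containsBytes(bodyBytes, fileBytes);
  let verdict;
  if (leaksFile) verdict = 'ORIGINAL FILE BYTES LEAVING DEVICE';
  else if (path === '/api/estimate') verdict = 'declared carve-out: AI estimate (downscaled copy, not the file)';
  else if (bodyBytes.length === 0) verdict = 'no body';
  else verdict = `body of ${bodyBytes.length} bytes; original file not present`;
  return { path, bodyBytes: bodyBytes.length, leaksFile, verdict };
}

// Turn anything fetch/XHR accepts as a body into bytes we can search.
async function bodyToBytes(body) {
  if (body == null) return new Uint8Array(0);
  if (typeof body === 'string') return new TextEncoder().encode(body);
  if (body instanceof ArrayBuffer) return new Uint8Array(body);
  if (ArrayBuffer.isView(body)) return new Uint8Array(body.buffer, body.byteOffset, body.byteLength);
  if (typeof Blob !== 'undefined' && body instanceof Blob) return new Uint8Array(await body.arrayBuffer());
  if (typeof FormData !== 'undefined' && body instanceof FormData) {
    // Concatenate every part so a file hidden in a multipart field is still found.
    const parts = [];
    for (const [, value] of body.entries()) parts.push(await bodyToBytes(value));
    const total = parts.reduce((n, p) => n + p.length, 0);
    const out = new Uint8Array(total);
    let offset = 0;
    for (const p of parts) { out.set(p, offset); offset += p.length; }
    return out;
  }
  return new TextEncoder().encode(String(body));
}

// Install on a window-like scope. Usage in the console, before dropping the photo:
//   const fileBytes = new Uint8Array(await file.arrayBuffer());  // `file` from an <input>
//   const uninstall = installNetworkAudit(window, fileBytes);
function installNetworkAudit(scope, fileBytes, report = console.log) {
  const originalFetch = scope.fetch;
  scope.fetch = async function (input, init = {}) {
    const url = typeof input === 'string' ? input : input.url;
    report(auditBytes(url, await bodyToBytes(init.body), fileBytes));
    return originalFetch.call(this, input, init);
  };
  let restoreXhr = () => {};
  if (scope.XMLHttpRequest) {
    const proto = scope.XMLHttpRequest.prototype;
    const originalOpen = proto.open, originalSend = proto.send;
    proto.open = function (method, url, ...rest) { this.__auditUrl = url; return originalOpen.call(this, method, url, ...rest); };
    proto.send = function (body) {
      bodyToBytes(body).then(b => report(auditBytes(this.__auditUrl, b, fileBytes)));
      return originalSend.call(this, body);
    };
    restoreXhr = () => { proto.open = originalOpen; proto.send = originalSend; };
  }
  return () => { scope.fetch = originalFetch; restoreXhr(); };
}
```

Two caveats a practitioner would want: the shim only sees fetch and XHR, so also keep an eye on the Network tab for WebSocket and `navigator.sendBeacon` traffic, and a body that contains a re-encoded or downscaled image will not match the original bytes, which is the intended behaviour for the AI estimate carve-out but means the check is for the original file specifically.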
Telemetry
No third-party analytics ship by default. MetaMarshal exposes a single optional config knob, NEXT_PUBLIC_PLAUSIBLE_DOMAIN, for operators who choose to turn on privacy-respecting Plausible analytics (see .env.example). It is unset in this codebase — so unless an operator deliberately enables it, no analytics tag runs at all.
API data handling
Files sent to the developer API are processed in memory and never written to durable storage. Batch outputs live in transient storage behind short-lived, HMAC-signed URLs that expire — by default within an hour — after which the files are deleted. We log request counts, sizes, and timestamps for billing; never file contents or extracted metadata values.
More on how the API is priced and metered lives on the pricing page, and the full endpoint reference is on the developers page.