TL;DR: Mostly, but only for one field on one file type. In May 2020 Slack began stripping EXIF metadata — GPS coordinates specifically — from images uploaded through its apps, after reporting showed the locations of activists and journalists could be read straight off shared photos. That scrub is real but narrow. It targets the GPS IFD inside JPEGs, while the camera Make and Model, the DateTimeOriginal timestamp, PNG text chunks (tEXt, iTXt, zTXt) and XMP/IPTC packets can survive. Security researchers have since pulled EXIF back out of files stored on Slack through certain clients and upload paths. Videos carrying moov/udta atoms, audio ID3 tags and documents are not run through the image scrub at all. The dependable fix is to strip the file before Slack ever receives it.
Does Slack remove photo metadata?
For the ordinary case — you drag a phone photo into a channel and hit send — Slack does remove the location data, and it does so on purpose. In May 2020 the company began stripping EXIF metadata, including GPS coordinates, from images uploaded to its apps. The change followed pointed reporting that Slack was not cleaning image metadata, which meant a photo shared in a workspace could quietly carry the exact latitude and longitude where it was taken — a real exposure for journalists, activists and anyone whose location is sensitive. Slack added the scrub in response, and by every account it does drop the GPS tags from a standard JPEG.
The important detail is what "the scrub" actually touches, because the original file does not simply vanish. When you add a file to Slack, the platform stores it and serves it back through a private download link, alongside the smaller thumbnail versions it generates for inline display. Those thumbnails are re-encoded and naturally carry no metadata, but the thumbnail is not the file. The copy behind the download link is the one that matters for privacy, and whether that copy is fully clean depends on which field, which format, and which client did the uploading. If the EXIF field names here are unfamiliar, our primer on what EXIF data actually is walks through what a camera writes into every frame.
What does Slack strip, and what survives?
The honest version is that Slack's stripping is tuned for one target — GPS geolocation in JPEG images — and everything outside that lane is inconsistent. On a normal phone photo, the coordinates in the GPS IFD are what Slack reliably removes. That is the field people worry about most, so the scrub covers the highest-stakes case. But EXIF is not one tag; it is a block of dozens, and the rest of them are not the point of a geolocation scrub.
The camera Make and Model, the DateTimeOriginal and DateTimeDigitized timestamps, exposure and lens settings, and — on many devices — a serial number can remain in the file after the coordinates are gone. None of those pin a map location, but together they fingerprint a specific device and a specific moment, which is often enough to link a "clean" photo back to its source. Strip the GPS and leave the body serial, and you have narrowed the world to one camera.
Photo by Matheus Bertelli on Pexels.
PNG is the clearer exception. PNG does not store EXIF the way JPEG does; it holds text in dedicated tEXt, zTXt and iTXt chunks, and editing and AI tools love to write software names, prompts, provenance and sometimes coordinates into them. A GPS-in-JPEG scrub is not looking for those chunks. XMP and IPTC packets — the records that hold captions, copyright, keywords and, on many cameras, a second copy of the location — sit outside the EXIF GPS IFD as well, so they can survive on formats the pass handles more gently. The result is a file that reads as "location removed" if you only check the EXIF GPS tags, while an XMP field still names the place. We pull this thread further in what metadata scrubbing actually removes, because "stripped" is a verb that hides a lot of detail about which fields.
Why do some upload paths keep everything?
This is where Slack stops being predictable. The scrub is a server-side step applied to images, but security researchers testing Slack have found metadata surviving depending on how the file was uploaded — through the desktop app, the web client, or a direct API call — and demonstrated proof-of-concept tools that read EXIF straight back out of files shared in a workspace. The takeaway is not that any single path is guaranteed to leak, but that the behavior is not uniform, and Slack has never published a help article documenting exactly which uploads get scrubbed and which do not.
Photo by RDNE Stock project on Pexels.
The practical trap is the same one that catches people on other platforms: sending an image as a file rather than as an inline picture. Slack treats everything you share as a file under the hood, but the moment you are handing it an arbitrary attachment — a raw export, a document, a bundle — you are relying on the image pipeline having inspected it, and a general file host's default is to store what you give it byte-for-byte. When a behavior is undocumented and varies by client, the safe assumption is that it might not run, not that it always will. The GPS tag is the stubbornest field of the set, which is why we gave it its own explainer on how GPS coordinates get embedded in photos — it survives more handling paths than any other piece of EXIF.
Does Slack strip metadata from videos and other files?
No, and this is the gap that surprises people most. Slack's scrub is an image step; it does not run video through the EXIF-geolocation pass. An MP4 or MOV recorded on your phone keeps its container metadata — the moov/udta atoms that hold the recording timestamp, the device make and model, and, if location services were on when you filmed, the GPS coordinates the camera app baked in. Drop that clip into a channel and all of it rides along. A phone video is often more revealing than a still, because it records the same location across a longer stretch of time.
The same logic extends to everything that is not an inline image. Audio files keep their ID3 tags — artist, software, sometimes recording location. Documents keep their author and revision history. Design exports keep their originating-application fingerprints. Slack is, at its core, a general-purpose file host wrapped around a chat client, and a file host stores what it is handed. The pass that tidies GPS out of your JPEGs simply was not built to inspect an .mp4, an .mp3 or a .png for embedded identifiers, so it does not. If you want to see how much the container format alone decides, our breakdown of HEIC versus JPEG metadata shows how differently two image formats can behave with the exact same photo inside.
What does Slack's stripping still not protect?
Even on the happy path — an inline JPEG whose GPS Slack does remove — two limits are worth stating plainly. The first is that removing the coordinates is not the same as removing the identity of the file. As covered above, the device make, model, capture time and often a serial number can remain, and those fields quietly answer "which camera and when" even after "where" is gone. Anonymity is not one tag; it is the whole block.
The second limit is subtler and applies to the pixels, not the metadata. Re-encoded previews and downscaled thumbnails have, in documented cases, leaked information the uploader thought was gone — a blurred or cropped region shared through a chat platform can sometimes be partially reconstructed, because a smaller copy is still derived from the full original. Metadata stripping is a field-level fix; the image content carries its own risks. The broader point, which the EFF's work on privacy makes well, is that metadata is a category — GPS, timestamps, device serials, captions, software fingerprints — and clearing one member of that category while the rest survive is not privacy. Slack's own security posture is aimed at protecting data in transit and at rest across a workspace; it is not a promise that every file you share has been scrubbed of what it was carrying when you made it.
How do you remove photo metadata before uploading to Slack?
The dependable fix is to clean the file on your own machine, before it ever reaches Slack's servers, so none of the path-by-path inconsistencies above can matter. Metadata Cleaner does this in the browser: you drop in a photo or a video, and it rewrites the file without its EXIF block, GPS IFD, XMP and IPTC records, PNG text chunks and embedded thumbnail, then hands you back a clean copy. Because it handles video as well as images — and audio, with its ID3 tags — it closes the exact gaps Slack leaves open: the phone clip Slack never inspects, the PNG chunk the JPEG scrub ignores, the device fingerprint the geolocation pass leaves behind. The processing happens locally and the file is never uploaded to us.
Once you have the stripped copy, share that instead of the original, and it no longer matters whether Slack scrubs your upload, half-scrubs it, or skips it because you sent a file — there is nothing left to expose either way. If you want the longer walkthrough across desktop and phone, our guide on how to strip EXIF data from a photo covers the platform-by-platform steps, and our piece on whether Discord removes photo metadata shows how differently two chat apps handle the very same file.
Slack removes some photo metadata, some of the time, on some file types — a fair description of a workplace chat tool and a poor foundation for a privacy decision. Strip the file yourself and the question stops mattering. Try Metadata Cleaner free and share the clean copy.