Every PDF quietly carries data you never typed: your name, your software, when you created and last touched the file, hidden layers, and — for scans and photos — EXIF and GPS coordinates baked into the embedded images. Deleting "document properties" in a viewer rarely removes all of it. Here's what's actually in there, and how to remove it locally, without uploading the file anywhere.
Open a PDF and it looks like just the visible content. Underneath, the file format stores a stack of invisible fields — some written by you, most written automatically by whatever software produced it. Any one of these can leak your identity, your organization, your edit history, or your physical location to anyone who opens the file in the right tool.
When you open Document Properties in a typical viewer and clear the author and title, most tools only edit the document-info dictionary — the one set of fields that happens to be shown in that dialog.
That leaves the XMP metadata stream untouched, so the same author and software identifiers are still readable a layer down. It leaves hidden layers and embedded thumbnails in place. And it does nothing to the EXIF and GPS data inside embedded images — the dialog never looked at the pictures at all.
The result is a file that looks clean in the properties panel while still carrying most of what you wanted gone.
The cloud "metadata remover" tools that do strip more thoroughly have a different cost: you upload the document to their servers for processing. To remove data you consider sensitive, you first hand the whole file — sensitive data and all — to a third party.
For a contract, a medical record, a bank statement, or a leaked-photo investigation, that upload creates a copy outside your control that can be retained, breached, or subpoenaed. Their privacy promise is a deletion policy, not a guarantee.
The right answer is a tool that strips everything without the file ever leaving your machine.
BlackoutPDF runs entirely in your browser — there's no processing server and nothing is uploaded. The mechanism that strips metadata is a side effect of how every export works: each tool builds a brand-new PDF from scratch in your tab. Because the output is a fresh file, the original author info, producer string, timestamps, edit history, hidden layers, and XMP stream are simply not in it — there's nothing to carry over.
The redactor re-renders every page to flat pixels and rebuilds the document. Beyond destroying redacted text, this leaves no place for the original metadata, layers, or text-layer artifacts to survive.
The converter draws your images onto fresh PDF pages, so the EXIF and GPS data from the source photos — camera model, timestamps, coordinates — does not get embedded in the result.
Signing, merging, and compressing also write out a newly constructed PDF, so the document-info and XMP metadata of the originals don't ride along into the export.
Because all of this happens in your tab, nothing is uploaded — you can confirm it by opening DevTools → Network and watching zero requests carry your file, or by loading the page and switching off Wi-Fi: the tools keep working with no connection at all.
Go to the relevant tool and open your PDF (or your images, for the converter). The file loads into the browser's memory only — it is never sent anywhere.
Run whichever operation fits — redact, convert images to PDF, or any other export. Each one rebuilds the document from scratch, dropping the original metadata in the process. If you don't need to change anything, just opening and re-exporting through a tool is enough to produce a clean copy.
The downloaded PDF carries none of the original author, timestamp, software, layer, or image EXIF data. Honest trade-off: redact and compress output is rasterized (pages become images, so text is no longer selectable — usually exactly what you want for a sensitive document), while sign and merge are lossless — the visible text layer survives, and the originals' metadata still doesn't.
Metadata removal is easy to confirm yourself. First: open the cleaned PDF in any reader and look at File → Document Properties (or Get Info) — the author, producer, and dates should be blank or generic. Second, the thorough check: inspect the file with a tool that reads the deeper layers — a desktop utility like exiftool reports XMP metadata and any embedded-image EXIF/GPS, so you can confirm those streams are gone too, not just the surface properties dialog. And to confirm nothing was uploaded: open DevTools → Network before running the tool and watch for requests carrying your file — there are none — or simply turn off Wi-Fi and use the tool offline.
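An added example, not BlackoutPDF's code and not part of the original article: a standard-library Python sketch of the "thorough check", scanning a PDF's raw bytes and its Flate-compressed streams for the metadata locations described above. The function names, result keys, and sample bytes are constructed for illustration.

```python
import re
import zlib

# Byte markers for the locations the article lists; key names are this example's own.
MARKERS = {
    "info_dictionary": re.compile(rb"/(?:Author|Creator|Producer|CreationDate|ModDate)\b"),
    "xmp_stream": re.compile(rb"<x:xmpmeta|/Type\s*/Metadata\b"),
    "hidden_layers": re.compile(rb"/OCProperties\b"),   # optional content groups
    "thumbnails": re.compile(rb"/Thumb\b"),
    "image_exif": re.compile(rb"Exif\x00\x00"),          # JPEG APP1 EXIF header
}
# Simplification: a real parser uses /Length instead of searching for "endstream".
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def inflated_streams(data):
    """Yield each stream body that inflates as Flate; trailing EOL bytes are tolerated."""
    for m in STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate (JPEG, plain XMP); its raw bytes are scanned anyway


def audit_pdf(data):
    """Map each metadata location to the markers found in raw or inflated bytes."""
    corpus = b"\n".join([data, *inflated_streams(data)])
    return {name: sorted({m.group(0).decode("latin-1") for m in rx.finditer(corpus)})
            for name, rx in MARKERS.items()}


def sample_pdf(dirty):
    """Constructed PDF-like bytes for the demo, not a real document."""
    parts = [b"%PDF-1.7\n"]
    if dirty:
        hidden = zlib.compress(b"<< /OCProperties << /OCGs [] >> /Thumb 9 0 R >>")
        parts += [
            b"1 0 obj << /Author (Jane Example) /Producer (ExampleWriter 1.0) >> endobj\n",
            b"2 0 obj << /Type /Metadata >> stream\n<x:xmpmeta/>\nendstream endobj\n",
            b"3 0 obj << /Filter /FlateDecode >> stream\n" + hidden + b"\nendstream endobj\n",
            b"4 0 obj << /Filter /DCTDecode >> stream\n\xff\xd8\xff\xe1\x00\x10Exif\x00\x00II*\x00"
            b"\nendstream endobj\n",
        ]
    parts.append(b"5 0 obj << /Type /Catalog >> endobj\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    print(audit_pdf(sample_pdf(True)))
```

A freshly built file may still report a generic `/Producer`, which matches the "blank or generic" result expected in the properties dialog. Encrypted files and streams using other filters are not inflated here, so treat an empty result as a first pass and exiftool as the fuller check.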
A PDF stores a document-info dictionary (author, creator, producer software, plus creation and modification timestamps), a separate XMP metadata stream (titles, keywords, copyright, tool identifiers, and sometimes edit history), optional hidden layers and embedded page thumbnails, and — when the PDF was built from photos or scans — the EXIF data inside those embedded images, which can include the camera or phone model and the GPS coordinates of where each photo was taken. Most of this is written automatically and is invisible when you simply view the document.
Use a tool that processes the file on your own machine rather than on a server. BlackoutPDF runs entirely in your browser: open your PDF and export it through any tool — redact or convert is the most thorough — and the result is a brand-new file that doesn't carry the original author, timestamps, software, hidden layers, or image EXIF/GPS data. Nothing is uploaded, which you can verify by watching the DevTools Network tab show zero file transfers, or by turning off Wi-Fi and using the tool offline.
Usually not. Editing the Document Properties dialog in most viewers only blanks the document-info dictionary — the one set of fields shown in that dialog. The XMP metadata stream, hidden layers, embedded thumbnails, and the EXIF/GPS data inside any embedded images typically survive that step, so the file can still leak your identity, software, edit history, or location. Rebuilding the PDF from scratch, the way BlackoutPDF does on every export, removes all of those streams at once because they're never copied into the new file.
The visible content is preserved. The trade-off is in the export type: redact and compress rasterize the pages (they become images, so text is no longer selectable — generally what you want for a sensitive document), while sign and merge are lossless and keep the original text layer intact. In every case the originals' metadata is dropped, because the output is a freshly constructed file rather than an edited copy of the source.