NoTrace+

Three privacy tools in one. Strip photo metadata, clean tracking parameters from URLs, and search privately. Runs entirely in your browser — we never receive your files or URLs.

Open source
Local processing only
No uploads

Drop your photos here

Drag from Mac, Windows, or tap to browse on iPhone & Android

JPEG PNG HEIC WEBP TIFF GIF BMP AVIF

HEIC: if your browser can’t open it, convert/export to JPEG first

How it works
Technically enforced — not just a promise.
Verified
01
Files are read via the Web File API Your browser reads the image directly from disk into memory. No network request is made. The file bytes never touch a server.
02
Metadata is stripped by re-rendering through Canvas The image is drawn onto an HTML Canvas element and re-exported. The Canvas API only copies pixel data — all EXIF, XMP, IPTC, and ICC metadata is discarded.
03
The clean file is generated in-memory canvas.toBlob() creates a new Blob entirely in browser memory. It is handed directly to a download link — never transmitted anywhere.
04
CSP headers block all outbound connections The server sends connect-src 'none' — even if malicious code were injected, it cannot make network requests. Your images are physically unable to leave your browser.
!
EXIF removal is one layer — not a complete anonymity solution Stripped images still carry visual content. Faces, landmarks, vehicle plates, and background details can identify location and identity regardless of metadata. If the image itself is sensitive, consider whether sharing it at all is appropriate.
10+ metadata categories stripped
All metadata fields removed from the output file.
GPS Coordinates
Lat/long, altitude, bearing, speed
Device Model
iPhone 16 Pro, Samsung S24, etc.
Date & Time
When the photo was taken
Camera Settings
ISO, shutter speed, aperture, focal length
Author & Copyright
Name, owner, rights info
Software Tag
Photoshop, Lightroom, iOS Camera
XMP & IPTC Data
Editorial tags, keywords, categories
Maker Notes
Proprietary Apple/Samsung/Canon data
Thumbnail Preview
Embedded EXIF preview image
ICC Color Profile
Display calibration metadata
Device Serial Number
Unique hardware identifier
Comments & Notes
User-added captions, descriptions
Clean URL
Removed parameters
How it works
Client-side only — the URL never leaves your browser.
Verified
01
URL is parsed entirely in JavaScript No fetch, no XHR, no server. The URL string is parsed with the browser's built-in URL() API — no network request is made.
02
190+ known tracking parameters are matched and removed The parameter list covers Google, Meta, UTM, Microsoft, Twitter/X, TikTok, YouTube, LinkedIn, HubSpot, Mailchimp, and 20+ other platforms.
03
Non-tracking parameters are preserved exactly Only known tracking keys are removed. Query parameters that affect page content (search terms, filters, product IDs) are left intact.
04
CSP connect-src 'none' enforces zero transmission Even if malicious code were injected, the browser blocks all outbound network connections. Your URLs cannot leave the page.
!
Tracking parameters are one layer — not the whole picture Trackers also use first-party cookies, browser fingerprinting, server-side logging, and IP-based identification — none of which are visible in the URL. Stripping tracking parameters reduces one signal. For broader protection, combine this with a content blocker such as uBlock Origin and a privacy-respecting DNS resolver.
190+ tracking parameters covered
All major ad networks, email platforms, and analytics vendors.
Google
gclid, dclid, srsltid, _ga, ved…
Meta / Facebook
fbclid, fb_action_ids, fbp…
UTM (all platforms)
utm_source, utm_medium, utm_campaign…
Twitter / X
twclid, twsrc, twgr, twcamp…
Microsoft
msclkid
LinkedIn
li_fat_id, trackingId, trk…
YouTube
si, pp, ab_channel, feature…
Email platforms
HubSpot, Mailchimp, Klaviyo, Marketo…
TikTok, Pinterest, Snap
ttclid, epik, sccid…
Instagram
igshid, ig_mid, ig_rid…
Amazon
tag, linkCode, pf_rd_p, ref_…
Yandex, Adobe, Piwik
yclid, s_kwcid, pk_campaign…

Searches open in a new tab at duckduckgo.com with safe search off and strict privacy parameters enforced in the URL. DuckDuckGo does not store search history or build user profiles. NoTrace+ does not log, store, or transmit your search terms — they are only ever passed directly to DuckDuckGo as a URL parameter when you press search.

How it works
DuckDuckGo opens in a new tab only after you click search.
Your search terms are not logged here NoTrace+ does not store, transmit, or log what you type. The search term leaves your browser only when you press search, passed directly to DuckDuckGo as a URL query parameter.
DuckDuckGo does not build user profiles DuckDuckGo's stated policy is that they do not store personal information or search history tied to your IP address. They make money through contextual ads based on search terms, not user profiling.
Strict privacy parameters enforced in the URL kp=-2 disables safe search filtering. No affiliate IDs, referrer tokens, or tracking parameters are added to the query.
!
DuckDuckGo still receives your search term and IP address This is an inherent limitation of any web-based search engine. NoTrace+ cannot change this. To prevent your IP from being seen by the search engine, route your traffic through Tor Browser or a trusted VPN such as Mullvad before searching. Mullvad accepts anonymous payment (cash, Monero) and keeps no logs.
Privacy this page can't do alone
Your IP, trackers outside the browser, fingerprints, and secure messaging — each needs its own tools. Practical tips below.
1
Hide your IP address — use Tor Browser or a VPN Every request you make reveals your IP to the destination server. Tor Browser routes your traffic through three relays so no single party knows both who you are and what you requested. Mullvad VPN is a well-audited alternative — no accounts, no logs, accepts anonymous payment.
2
Block trackers at the network level — use a DNS resolver Mullvad DNS and NextDNS block tracking domains before a connection is made — covering ads, telemetry, and malware domains across all apps on your device, not just in the browser.
3
Prevent browser fingerprinting — use Tor Browser or Firefox with arkenfox Even without cookies, browsers leak a unique fingerprint through screen size, fonts, canvas rendering, and dozens of other signals. Tor Browser standardises these values across all users. arkenfox user.js hardens Firefox towards the same goal.
4
Encrypted email — use Proton Mail or Tuta Proton Mail and Tuta store mail encrypted at rest. Neither can read your messages. Both are open source and independently audited. Note that encryption only applies end-to-end when both sender and recipient use a compatible provider.
5
Encrypted messaging — use Signal Signal uses end-to-end encryption by default for all messages and calls. The Signal Protocol is open source and has been independently audited. Signal collects no message content, no metadata about who you message, and no call logs.
Security headers
Enforced server-side on every response via vercel.json.
Content-Security-Policy connect-src 'none' — all outbound network connections blocked at browser level
Permissions-Policy camera=(), microphone=(), geolocation=() — hardware access denied
Referrer-Policy no-referrer — nothing leaked to external resources
Strict-Transport-Security max-age=63072000; includeSubDomains; preload — HTTPS only, 2 years
Cross-Origin-Embedder-Policy require-corp — prevents cross-origin data leakage
Cross-Origin-Opener-Policy same-origin — isolates browsing context
X-Frame-Options DENY — cannot be iframed or clickjacked
X-Content-Type-Options nosniff — MIME type cannot be overridden