Three classes of privacy risk in image processing — and how browser-only tools address them
GPS leaks from EXIF metadata, sensitive face data and unreleased designs passing through servers, and the amplification of privacy exposure when multiple photos are combined — image tools carry distinct risk layers. Here is how NoSend Tools handles each class without sending data outside your browser.
Risk class 1 — GPS and capture metadata embedded in EXIF
JPEG files captured by smartphones carry an APP1 block beginning right after the SOI marker: it encodes GPS coordinates, capture timestamp, camera make and model, lens data, and sometimes a device serial number. None of this is visible when you look at the photo, but any tool that reads EXIF — including exiftool or most image viewers — can extract it in milliseconds. Sharing the original file on a social platform may or may not result in the platform stripping metadata before distribution; either way the unmodified binary has already passed through the upload path.
image-exif-strip reads the JPEG binary via the FileReader API and walks the APP segment chain in JavaScript, removing APP0 / APP1 / APP2 markers by adjusting byte offsets — no re-encode, so image quality is preserved exactly. exif-gps-strip takes the same approach but targets only the GPS sub-IFD (GPSLatitude, GPSLongitude, GPSAltitude, and related tags), leaving capture date and camera information intact. Both tools run the parsing logic in a Web Worker and never transmit the binary anywhere. A server-side equivalent writes the full binary to disk at least once and exposes it to CDN caches, reverse-proxy buffers, and error logs as a structural consequence of the network hop.
Risk class 2 — face data and unreleased visuals
Photographs of people contain biometric information. Facial geometry extracted during segmentation is classified as a special category of personal data under the EU GDPR, requiring explicit consent before it can be processed by a third party. Background-removal tools perform precisely that segmentation: if the computation runs server-side, the face travels over the network and enters the operator's infrastructure, regardless of stated retention policies.
image-bg-remove runs the BRIA RMBG-1.4 segmentation model inside your browser using transformers.js and ONNX Runtime Web. The model weights download once (approximately 170 MB) and are cached locally; from that point forward the tool works offline. Your input image is loaded into the browser's ArrayBuffer, processed by the ONNX session, and the resulting transparent PNG is written back to memory — nothing leaves the tab. image-watermark adds a different dimension: designs that need a watermark are often pre-release assets at their most sensitive. The Canvas API composites the overlay and toBlob writes the output locally. No draft design needs to reach an external server to get a watermark applied.
Risk class 3 — aggregation amplifies sensitivity
A single photograph may tell a modest story; several photographs combined can reveal far more than any one of them would alone. A travel collage drawn from photos taken at different locations lets someone correlate GPS tags into a movement pattern. A set that includes a conference room, a whiteboard, and the building exterior assembles a picture that none of the individual frames could provide by itself. The combined image is not three times as sensitive as one frame — it is qualitatively more revealing.
image-collage composites multiple images using the Canvas API (drawImage onto an OffscreenCanvas, then converted to PNG / JPEG / WebP via toBlob), entirely inside the browser. Neither the input files nor the merged output is sent anywhere. A server-side collage service requires uploading all source files simultaneously, which means every contributing photo's sensitivity converges on the same server. The browser-only design eliminates the aggregation risk at the architectural level, not as a policy promise.
Verify zero transmission with DevTools
All three risk classes share the same root: the question of where processing runs. NoSend Tools' image category is implemented with FileReader, Canvas, OffscreenCanvas, and transformers.js + ONNX Runtime Web — standard browser APIs and open-source libraries with no outbound fetch to any external endpoint.
To confirm this yourself, open DevTools on any image tool page, enable Preserve log in the Network tab, and run a full operation from file selection through download. The only requests you will see are the initial load of HTML, JS, CSS, and WASM assets. The full source is available at otomomik/nosend-tools on GitHub if you want to audit at the code level. EXIF parsing, background segmentation, collage generation — in each case your images do not leave your browser.