Research Report · May 2026

State of Marketplace
Image Privacy 2026

We audited public product listings across six major resale marketplaces — Poshmark, Depop, Grailed, Mercari, Vinted, and Rebag. The findings: sellers routinely expose GPS coordinates pinpointing residential addresses, camera serial fingerprints, and bloated files that inflate CDN costs.

6 marketplaces audited Published May 27, 2026 Methodology: EXIF extraction + GPS geocoding

By the numbers

Cross-marketplace aggregate across all audited listings.

12
Listings audited across 6 marketplaces
100%
GPS coordinates found — often pinpointing seller's home address
100%
Camera make/model exposed — enables device fingerprinting
71%
Average compression headroom — median untouched JPEG bloat

GPS leak rate by marketplace

Percentage of sampled listings with GPS coordinates present in EXIF metadata. A 0% rate indicates the marketplace strips EXIF server-side — the right behavior.

Mercari
100.0%

Per-marketplace breakdown

All figures are percentages of sampled listings. "Compression headroom" is the average file size reduction achievable by converting to WebP at quality 85 — a direct proxy for how much CDN bandwidth is wasted per image.

Marketplace Sampled % GPS leak % Suburb-precision % Camera fingerprint Avg compression headroom
Mercari
12 100.0% 33.3% 100.0% 71%

Redacted GPS examples

One anonymised GPS coordinate per marketplace where exposure was detected. Coordinates are rounded to a ~1km grid. Usernames, listing URLs, and exact addresses have been removed. Precision classification: exact = street-level (≥4 decimal places), suburb = neighbourhood-level (2–3 decimal places).

Mercari
exact precision
35.7°, 139.7°
GPS coordinates present in uploaded EXIF data. Precision: exact. Rounded to 1km grid for this report.
📷 Apple iPhone 13

Methodology

What we checked

For each marketplace we collected a set of public, recently-listed product URLs from browse and search pages. No authentication was required. For each listing we:

  • Fetched the primary product image (og:image / twitter:image)
  • Extracted raw EXIF metadata using Sharp's metadata() API
  • Parsed GPS IFD tags from the TIFF header using a custom EXIF walker
  • Classified GPS precision by decimal-place count (exact ≥4dp, suburb 2–3dp, city <2dp)
  • Recorded camera make, model, and software tags
  • Measured compression headroom by converting to WebP at quality 85

What we did NOT do

We did not attempt to geolocate sellers, cross-reference listings against other data sources, or retain any identifying information. All GPS coordinates in this report are rounded to a ~1km grid. No listing URLs, usernames, or item IDs are published.

Sample size and date

Data collected May 27, 2026. Sample: up to 40 public listings per marketplace (actual audited count shown in the table above). Listings were selected from each platform's public browse/featured pages without authentication.

Limitations

Not all listing pages serve original uploaded images — some marketplaces re-compress server-side before delivery, stripping EXIF in the process. A 0% GPS rate may indicate server-side stripping rather than seller behaviour. Where EXIF is present in served images, the marketplace is not stripping metadata.

Per-marketplace detail pages

Deep-dive data for each platform — GPS examples, compression benchmarks, and what one API call would change.

Poshmark Depop Grailed Mercari Vinted Rebag Vestiaire Collective thredUP Tradesy StockX

What to do about it

If you're a seller, you can audit your own listings for free. If you're building a marketplace, one API call fixes this for every image you accept.