Facepalm: Partiful, the fast-growing social event planning app that has increasingly replaced Facebook among younger users, left sensitive location data exposed in user profile photos until this past weekend. The flaw allowed anyone with basic technical knowledge to extract the precise coordinates of where a photo was taken, potentially revealing users' home or work addresses.
Founded in 2022 by former Palantir engineers Shreya Murthy and Joy Tao, Partiful lets hosts create invitation pages styled after early internet aesthetics and track RSVPs through the platform. The app now ranks among the top 10 in the iOS Lifestyle category, and Google named it the Best App of 2024, further cementing its mainstream appeal. However, as the platform's popularity has surged, questions about its data practices – and its founders' backgrounds – have followed.
Some users began expressing concern earlier this year after discovering the company's ties to Palantir, the analytics firm known for supplying data systems to US immigration authorities. A New York party promoter publicly announced a boycott, citing discomfort with the app's connections to a company associated with government surveillance.
Partiful's rapid growth has also transformed it from a simple event tool into a social network with a full data graph, linking users by friendships and revealing where and with whom they spend time. That extensive mapping capability makes any security lapses particularly consequential.
When TechCrunch created a test account to examine the app's technical behavior, it found that profile photos uploaded to Partiful retained their original metadata – information embedded in nearly all digital files, including details such as the file creator, timestamp, and location. On photos taken by smartphones, this often includes latitude and longitude coordinates accurate to within a few feet.
The test revealed that this data remained intact even after images were uploaded to Partiful's servers, which are hosted on Google's Firebase platform. Using a browser's developer tools, reporters were able to access the original, unmodified photos. If a user uploaded an image taken at home, anyone with basic web knowledge could have viewed that location information.
To verify the issue, TechCrunch uploaded a photo of its own taken outside San Francisco's Moscone West Convention Center; the version stored on Partiful's backend still contained the precise coordinates of the site. This contradicted standard industry practice, as platforms like Instagram and TikTok automatically strip metadata from uploaded images to prevent such privacy exposures.
TechCrunch contacted Partiful's founders after confirming the vulnerability, sending them a link to a photo that revealed the real-world location of a Manhattan address. Murthy and Tao did not have a dedicated channel for reporting security issues, so the outlet reached them directly via email.
Tao acknowledged the problem, saying it was "already on our team's radar" and that engineers had prioritized a fix. Partiful initially said the issue would be resolved within a week, but after TechCrunch requested a faster response due to the sensitivity of the data, the company accelerated its efforts. By Saturday, Partiful confirmed that user photos were being reprocessed to remove location data, and TechCrunch verified that its own test image had been scrubbed of metadata.
On October 1, 2025, we identified a vulnerability that exposed users' photo location data. While our image processing provider strips this data, a recent privacy review revealed that raw image files containing location data were still inadvertently accessible.
– Partiful (@partiful) October 4, 2025
We immediately…
Shortly before publication, Partiful posted a statement on X announcing that the flaw had been fixed.
When asked whether the company could determine if anyone had accessed or downloaded user photos before the patch, spokesperson Jess Eames said an internal review was underway but that no evidence of abuse had been found so far. She added that Partiful conducts regular external security reviews "with experts in the field," though the company declined to name the experts or confirm whether such an audit had been completed prior to the product's public launch.
Image credit: TechCrunch
Event planning platform Partiful failed to strip location data from user-uploaded photos
