Social event planning app Partiful, which calls itself \u201cFacebook events for hot people,\u201d has firmly replaced Facebook as the go-to platform for sending party invitations. But what Partiful also has in common with Facebook is that it\u2019s collecting a tsunami of user data, and Partiful could have done better at keeping that data secure.<\/p>\n
On Partiful, hosts can create online invitations with a retro, maximalist vibe, allowing guests to RSVP to events with the ease of ordering a salad on a touch-screen. Partiful aims to be user-friendly and trendy, propelling the app to #9 on the iOS App Store\u2019s Lifestyle charts. Google called Partiful the \u201cbest app<\/a>\u201d of 2024.\u00a0<\/p>\n Now, Partiful has evolved into a powerful Facebook-like social graph, easily mapping who your friends are and who your friends\u2019 friends are, what you do, where you go, and all of your phone numbers.<\/p>\n As Partiful grew more popular, some users became skeptical of the company\u2019s origins. One New York City promoter announced that it was boycotting Partiful<\/a> because its founders and some staff are former employees of Palantir<\/a>, Peter Thiel\u2019s data mining company, which produces the software that powers ICE\u2019s master database<\/a> for the Trump administration\u2019s deportation crackdown<\/a>.<\/p>\n Given some of the speculation around the app, TechCrunch set up a new account and tested Partiful. We soon found that the app was not stripping the location data of user-uploaded images, including public profile photos.<\/p>\n TechCrunch found it was possible for anyone, using only the developer tools in a web browser, to access raw user profile photos stored in Partiful\u2019s backend database hosted on Google Firebase. If the user\u2019s photo contained the precise real-world location of where it was taken, anyone else could have also viewed the precise coordinates of where that photo was taken.<\/p>\n Almost all digital files, like the pictures you take on a smartphone, contain metadata<\/a>, which includes information like the file size, when it was created, and by whom. In the case of photos and videos, metadata can include information about the kind of camera used and its settings, as well as the precise latitude and longitude coordinates of where the image was captured.<\/p>\n The security flaw is problematic because anyone using Partiful could have revealed the location of where a person\u2019s profile photo was snapped. Some Partiful user profile photos contained highly granular location data that could be used to identify the person\u2019s home or work, particularly in rural areas where individual homes are easier to distinguish on a map.<\/p>\n It\u2019s common practice for companies that host user images and videos to automatically remove metadata upon upload to prevent privacy lapses like this.\u00a0<\/p>\n TechCrunch verified the bug ourselves by uploading a new Partiful profile photo that we had previously captured from outside of the Moscone West Convention Center in San Francisco, which contained the photo\u2019s precise location. When we checked the metadata of the photo stored on Partiful\u2019s server, it still contained the exact coordinates of where the image was taken down to a few feet.<\/p>\n After discovering the security flaw, TechCrunch alerted Partiful co-founders Shreya Murthy and Joy Tao by email, as Partiful does not have a public means for reporting security flaws. TechCrunch shared a link to a Partiful user\u2019s raw profile photo containing that user\u2019s real-world location at the time the photo was taken, a residential address in Manhattan.<\/p>\n Tao told TechCrunch on Friday that the vulnerability was \u201calready on our team\u2019s radar, and was recently prioritized as an upcoming fix.\u201d\u00a0<\/p>\n Partiful initially provided a timeline to fix the flaw by \u201cnext week,\u201d but given the sensitivity of the data involved, Partiful fixed the bug by Saturday at TechCrunch\u2019s request.<\/p>\n TechCrunch confirmed Saturday that metadata was removed from existing user-uploaded photos. The profile photo that we uploaded with our real-world location also had the metadata removed.\u00a0<\/p>\n![\"a](\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/10\/san-francisco-map-moscone-partiful.jpg)