Apple markets the iPhone as the privacy phone, and most of that reputation is deserved. But out of the box, your iPhone is leakier than the keynotes suggest. Apps still collect coarse location data, your photos still carry GPS coordinates, dozens of third-party SDKs fingerprint you across apps, and Mail loads remote pixels that tell senders exactly when and where you opened their message. The good news is that almost all of this can be shut down from a single app: Settings.
This is a complete walkthrough of the iPhone privacy settings that change real outcomes. The instructions reflect iOS 18 and 19, but the locations have been stable for years and the logic applies to anything from iOS 16 onward.
Start at Privacy & Security
Open Settings → Privacy & Security. This is the central control panel. Most of the toggles below live inside it. Before you change anything, scroll to the bottom and tap App Privacy Report. Turn it on if it is not already. The report logs which apps have accessed your location, camera, microphone, and contacts in the last seven days, and which domains they contacted. It is the cheapest audit tool you have.
Location Services
Inside Privacy & Security → Location Services, every app that has ever asked for your location is listed. Walk down the list with one question in mind: does this app need to know where I am to be useful? If the answer is no, set it to Never. If the answer is yes, choose While Using the App. Reserve Always for genuine background-location apps like Find My or a fitness tracker you trust.
Two settings here are easy to miss. Precise Location is a per-app toggle that determines whether the app gets your exact coordinates or a coarse city-level area. Most apps work fine with imprecise location, including weather, news, and shopping. Turn off Precise Location for everything except maps and ride-share.
Scroll to the bottom of Location Services and open System Services. These are the iOS internals that quietly use your location: Significant Locations learns the places you visit most, iPhone Analytics sends Apple aggregate movement data, and Routing & Traffic contributes anonymous data to Maps. Significant Locations in particular is worth reviewing. Tap it and you will see a list of every place you have been frequently in the past few months. Anyone with your unlocked phone can see it too. Turn it off, or at least clear the history, unless you actively use it.
Tracking
Back in Privacy & Security, open Tracking. This is App Tracking Transparency, the feature that forces apps to ask permission before tracking you across other apps and websites. Set the master toggle to off: Allow Apps to Request to Track. With this disabled, every app is automatically denied. You will not see the tracking prompt again, and apps cannot use the IDFA advertising identifier to follow you around the web.
When ATT launched in 2021, Facebook publicly stated the feature would cost the company billions in lost ad revenue. That money is the value of the tracking. Turning the toggle off keeps it in your pocket instead.
Photos, microphone, and camera
Open Privacy & Security → Photos. For each app, choose Selected Photos rather than Full Access. The app then only sees the specific photos you hand it. This is the right setting for almost everything except Apple Photos itself and a primary photo editor you trust. Repeat the same audit under Microphone, Camera, Contacts, Bluetooth, and Local Network. Most apps do not need persistent access to any of these, and a quick walkthrough usually flushes out a dozen permissions you forgot you granted.
Safari and Mail
Open Settings → Apps → Safari → Advanced. Confirm that Prevent Cross-Site Tracking is on. In Privacy & Security within Safari, turn on Hide IP Address from Trackers. If you subscribe to iCloud+, enable iCloud Private Relay in Settings → your name → iCloud → Private Relay. Private Relay routes Safari traffic through two relays so that neither Apple, your ISP, nor the site can see both your identity and the address you visited.
Open Settings → Apps → Mail → Privacy Protection and turn on Protect Mail Activity. This hides your IP address from senders and blocks the tracking pixels that let marketers know exactly when you opened an email. There is no downside.
iMessage, FaceTime, and Lockdown Mode
In Settings → Apps → Messages, turn on Filter Unknown Senders. Messages from numbers not in your contacts move to a separate inbox and stop interrupting you. If you communicate with sources or anyone worried about state-level threats, also enable Contact Key Verification, which surfaces a warning if an attacker tries to insert a hidden device into your conversation.
For users at elevated risk, including journalists, activists, executives, and people leaving abusive relationships, Apple offers Lockdown Mode under Privacy & Security. It is heavy-handed by design. Most attachments are blocked, link previews are disabled, FaceTime calls from new numbers are rejected, and complex web technologies are turned off. The tradeoff is convenience. The benefit is a dramatically smaller attack surface against the kind of exploits sold by commercial spyware vendors.
The one thing iPhone won't fix
Even with every toggle above flipped to the privacy-preserving setting, your iPhone still embeds GPS coordinates, camera model, serial number, and timestamps inside every photo you take. Disabling location for the Camera app prevents new tags from being written, but existing photos still contain them. And the moment you share a photo through iMessage, AirDrop, or email, the full metadata travels with it. iOS strips a handful of tags when you tick the Options → Location: Off toggle in the share sheet, but it does not strip serial numbers, software versions, or precise timestamps.
Strip every hidden tag in one tap
StripIt removes GPS, serial numbers, software versions, and 22+ other EXIF tags from your iPhone photos. Runs entirely on-device, never uploads anything.
Download StripItA 90-second monthly audit
Privacy is not a one-time setup. Every iOS update adds new prompts, every app update can re-request permissions, and your own habits drift. Once a month, open the App Privacy Report and skim the list. If an app you barely use has been quietly using your location 80 times a week, revoke its permission. If a domain in the contacted-domains list is one you do not recognize, find which app is calling it and decide whether you still want the app on your phone.
The iPhone gives you better privacy controls than any other consumer device. They just are not automatic. Twenty minutes of setup and ninety seconds a month is the difference between a phone that protects you and one that quietly informs on you.