Google Takeout: The Full Audit of What Google Actually Has On You

#The file you've never opened

I've been running engagements on this for a few years now. The shortcut you'd expect to exist doesn't.

Go to takeout.google.com right now. Scroll through the list of products Google will export. Count them.

If you've used Google for any meaningful length of time, the list is between 40 and 60 products. Each checkbox, when ticked, adds more of your life to the archive. A typical Google Takeout for a moderate Gmail user who's had an Android phone for five years will produce somewhere between 50 and 500 GB of exported data.

Most people never request this export. The ones who do. Often because they're leaving Google, or preparing for litigation discovery, or preparing a privacy audit. Tend to be surprised by what's in there.

This post walks through the major categories. The goal isn't to scare you out of using Google. It's to give you a complete picture of what Google's servers hold about you, so you can make informed decisions about what to keep, what to delete. And what to stop producing.

#The headline categories

What lives in a typical Takeout archive, organized by personal-exposure severity.

#Tier 1. Exhaustive life-history data

Google Maps Timeline / Location History

Every location your Android phone (or iPhone running Google Maps with Location History enabled) has recorded. If you've had the feature on for ten years, the archive contains ten years of where-you-went data at minute-level resolution.

What it looks like: JSON files broken down by month, with entries like "you were at Target at 2:34 PM for 47 minutes on October 14, 2016." Maps to specific addresses. Includes mode of transport (walking / driving / bicycling). Includes the speeds you traveled. Pairs with Photos to generate maps of every trip you've taken.

For many users this is the most revealing file in the archive. Affairs, job interviews you didn't tell your family about, medical appointments, political meetings, religious services, substance-use treatment, domestic abuse shelters. All of it's in there if you carried an Android phone with location history on.

As of July 2025, Google changed the default to on-device storage for newly-created accounts. Older accounts still have cloud-stored historical timeline data unless they've migrated.

Google Photos

Every photo you've ever taken while signed in to a Google account, including auto-backed-up photos from Android devices. Plus:

• Face groupings (Google identifies who's in each photo, even without you tagging)
• Location metadata (where each photo was taken, down to GPS coordinates)
• Album contents
• Sharing history (who you shared photos with, when)
• Machine-learning-extracted metadata (what objects are in the photos, activities detected, etc.)

Photos deleted from Google Photos are recoverable for 60 days and then, per Google's documented practice, purged. But Photos integrated into other services (shared albums, Drive, Slides embeddings) may persist elsewhere.

YouTube Watch History / Search History / Comments

Every YouTube video you've watched. Every search you've done on YouTube. Every comment you've left. Every channel you've subscribed to and when. Every video you've liked or disliked. Every playlist you've made.

For long-term YouTube users, this file can be tens of thousands of entries.

Google Search History

Every Google search you've made while signed in. Searchable, deduplicated, time-ordered.

The file that tends to surprise people the most. Searches from 2012 that you had completely forgotten. Searches you made when you were in crisis. About symptoms, about legal questions, about relationship problems. Work-related searches you made while employed somewhere you no longer work.

Google Assistant / Voice Commands

Every voice command you've ever issued to Google Assistant, Google Home, Nest devices, or Android devices with "OK Google" enabled. Stored as audio files plus transcriptions.

This includes the period when voice activation was less accurate and devices occasionally activated by mistake. Conversations happening in the same room as a Google Home device may have been captured as "accidental activations" and retained.

#Tier 2. Account and content data

Gmail

Your entire inbox, sent folder, drafts, and trash. If you've used Gmail since 2004, that's up to 22 years of personal correspondence, professional correspondence, receipts, account confirmations, password resets, newsletters, medical communications, legal communications, family communications. And everything in between.

Archived by default. Deletion requires explicit action. Purged emails are recoverable for 30 days before permanent deletion.

Google Drive

Every file in your Drive. Every Doc, Sheet, Slide, Form, Site. Including:

• Version history for every document (you can see who edited what, when. Including after you shared a doc)
• Comments on documents (including those on docs shared with you)
• Deleted file trash (30-day retention)
• Files you've shared with others and the access history

Google Contacts

Every contact in your address book, plus:

• Merged entries (Google automatically merges contacts from email, phone, Maps visits)
• Contact interactions (who you email most, frequency, recency)

Google Calendar

All events past and future. Includes:

• Events created by you
• Events you were invited to (even declined ones)
• Recurring events
• Event attachments
• Attendee lists
• RSVP history

Calendar data is particularly revealing in litigation contexts. Patterns of meetings, who you met with, when, where.

#Tier 3. Financial / transaction data

Google Pay / Google Wallet

Transaction history. Every purchase made with Google Pay. Every card stored. Every loyalty card scanned.

Google Play Store

Every app you've ever downloaded, even on devices you no longer use. Purchase history for apps, books, movies, music. Subscription history.

YouTube Premium, YouTube Music, Google One purchases

Subscription and billing history.

#Tier 4. Browser and device

Chrome Sync

Bookmarks, browsing history across devices, saved passwords (encrypted), autofill data, extensions installed, open tabs at various points in time.

Android device records

Every Android device you've signed into with your Google account. Device model, IMEI, setup dates, apps installed. For phones that also backed up SMS to Google, the SMS archive is here too.

Fitness data

If you've used Google Fit, every step count, heart rate reading, workout, weight entry. If you've used a Fitbit since Google's acquisition, that integrates too.

#Tier 5. Cross-product intelligence

My Activity (the big one)

Google's central activity log across all products. Aggregates Search, YouTube, Ads, Assistant, Maps, Play, and more into a unified timeline.

The file that connects everything. If any single file captures "the full Google picture of you," it's My Activity.

Ads and Personalization

Google's inferred interests about you. Demographics Google has guessed at. Your Google Ad ID. Topics Google thinks you're interested in advertising-wise. The ads you've seen and clicked.

Visit myadcenter.google.com for a live view. Often eye-opening.

Saved info / passwords / autofill

Passwords saved in Google Password Manager (encrypted, but retrievable if you authenticate). Addresses, payment methods, personal info cached for form autofill.

#What's typically NOT in Takeout

Things Google claims to retain or compute but doesn't include in standard Takeout exports:

• Server-side logs of every API call you made (HTTP access logs, app API calls). These exist for security and operational purposes but aren't user-facing.
• Anti-fraud and security signals. Google's risk-assessment data about your account.
• Advertising auction records. The specific RTB bids made against your profile in ad auctions.
• Internal cross-product aggregations. The higher-level derived data Google's systems compute for ranking, personalization, and fraud detection.
• Third-party data Google has purchased or integrated. Google buys data from brokers and uses it, but doesn't include purchased data in your export.
• Training data. If your content has been used in ML model training, the models and their weights aren't recoverable from Takeout.

So the Takeout archive, while massive, is still a subset. The Google-internal universe of data about you is larger than what's exportable.

#What to do with this

Step 1: request your Takeout. It takes Google a few hours to a day to assemble and email you a download link. Request it before you need it.

Step 2: audit the major categories. You don't need to open every file. Focus on:

• Maps Timeline JSON. Scroll through a year. See what comes up. Decide if you want historical location data retained.
• My Activity. Your cross-product timeline. This is the single most revealing file.
• YouTube Watch History. Surprising amount of information about your interests.
• Search History. You will find things you'd forgotten.
• Assistant voice recordings. Hear audio recordings of yourself.

Step 3: delete what you don't need.

#How to delete Google data

Most Google products have an auto-delete option that most users haven't turned on. Settings you should configure:

My Activity auto-delete:

myactivity.google.com → Web & App Activity → Auto-delete → 3 months, 18 months, or 36 months.

Same setting exists under Location History and YouTube History. The correct choice for most users is 3 months.

Google Maps Timeline:

As of 2025, on-device storage is default for new accounts. For old accounts: myaccount.google.com/activitycontrols → Location History → manage. You can delete all historical timeline data with one confirmation.

Gmail:

Archive → old mail gets moved out of the inbox but remains searchable. For deletion, use the search operators: older_than:5y to find email older than 5 years, select all, delete. Then empty trash.

Google Drive:

drive.google.com/drive/trash for trash. For audit, sort by "Last modified" and review old files.

Google Photos:

photos.google.com → deleted photos → empty trash for the permanent delete after 60 days.

Chrome sync history:

myaccount.google.com → Data and privacy → Delete Chrome sync data.

Ad personalization:

myadcenter.google.com → turn off ad personalization. Won't stop ads, but stops profile-based targeting.

#What to stop producing

Reducing ongoing data generation:

• Turn off Web & App Activity if you don't need Google's personalization features. Search still works; Google doesn't retain your history. Settings → Google → Data and privacy.
• Turn off Location History. Maps still works. Google doesn't keep the timeline.
• Turn off YouTube History if you don't care about recommendations based on watch history.
• Disable "Hey Google" hotword detection on Android and Google Home devices. Use manual activation only.
• Disable Chrome Sync or restrict it to specific categories (bookmarks yes, history no).
• Use Google Search in a signed-out browser for anything you'd not have in your logged-in history. Or use DuckDuckGo, Kagi, or Brave Search for sensitive searches.
• Use a different email provider for anything you don't want in Gmail's retention model. ProtonMail, Tutanota, Fastmail.

#Why this matters beyond "privacy"

The practical scenarios where Google's retention becomes an problem:

1. Account compromise. An attacker who takes over your Google account gets access to your entire life history in one place. This is the single most common identity theft vector. Enable hardware-key 2FA (Google Titan or YubiKey) on your Google account today.

2. Civil litigation. Subpoenas for Google account data in divorce, employment, and commercial litigation are routine. Google complies with valid legal process. Whatever is in your account is discoverable.

3. Insurance and employment disputes. Location history has been used by insurance companies to challenge claims and by employers to challenge wrongful-termination suits. Every location you've visited is on record.

4. Border crossings. US Customs and Border Protection (and many other nations' border agents) have claimed and exercised authority to demand access to phones at ports of entry. A Google account with 10 years of location, message, and photo history is considerable exposure to inspection.

5. Post-breach cascading disclosure. If another service you use gets breached and discloses your email address. And a threat actor takes over your email account, they inherit your Google history.

6. Relationship fallout. Partner access, shared devices, and post-breakup access disputes regularly involve Google account data. A spouse who has your Google password has access to your location history, search history, and message archive.

#The Advanced Protection Program

For high-risk users, Google offers Advanced Protection. Requires:

• Two hardware security keys (Titan, YubiKey, or equivalent)
• Blocks third-party apps from accessing most Google data
• Enhanced scanning of attachments
• Slower account recovery to prevent social engineering

Free. Designed for journalists, activists, executives, and politically exposed persons. Worth enabling for anyone whose Google account compromise would be catastrophic.

#The honest summary

Google's products are genuinely useful. The cost of that usefulness, for most users, is a detailed archive of their lives being held on Google's servers indefinitely. Unlike Apple's Advanced Data Protection, Google doesn't offer a one-click zero-knowledge mode for most of its services. Your only controls are retention settings, feature-level opt-outs, and ongoing discipline about what you put into the ecosystem.

The first step to controlling your Google data posture is knowing what's in it. Take an hour to download your Takeout archive, scroll through the major categories. And decide what you want the ongoing retention model to be.

It's not paranoid. It's an annual audit. Every financial advisor recommends you review your credit report once a year. The same logic applies to your Google account.

#What Valtik does in this space

Valtik's consumer privacy consultations include Google account hardening for individuals and executive-level data minimization reviews for high-risk professionals. We walk through the audit above, configure retention settings, enable Advanced Protection where appropriate. And produce a documented posture baseline.

For corporate executives whose personal Google account compromise would create material risk to their company, the one-hour consultation is an under-$500 investment with significant risk-reduction value. Reach out via https://valtikstudios.com.

#Sources

1. Google Takeout
2. My Google Activity
3. Google Ad Center
4. Google Privacy Checkup
5. Google Advanced Protection Program
6. Google Transparency Report
7. Google Privacy Policy
8. Updates to Location History and New Controls. Google Blog, July 2025
9. EFF Privacy Guide: Google Services
10. CNET Google Data Audit Guide