
Can You Stop Phone Photos of Confidential Documents? (And What Actually Works)

Co-founder and CEO at Peony. I built the data room platform with a background in document security, file systems, and AI. Founded Peony in 2021 in San Francisco.

Quick answer: No software can stop someone from taking a phone photo of a screen — a camera pointed at a display is the "analog hole," and it defeats every data room, DRM system, and screenshot blocker ever built. But you can make that photo worthless as an anonymous leak. A per-viewer dynamic watermark stamps each viewer's email, IP, and timestamp across every page, so a phone photo captures the leaker's own identity along with your content. The play isn't prevention (impossible) — it's deterrence plus attribution: block the easy digital capture vectors with screenshot protection, and turn the one vector you can't block into a traceable, signed confession.

I'm Deqian Jia, co-founder of Peony. I built Peony's watermarking engine, and the single most common security question I hear from founders isn't about encryption or SOC 2 — it's some version of "What stops an investor from just photographing my screen with their phone?"

It's the right question, and most vendors answer it dishonestly. They'll sell you "screenshot protection" and let you believe it covers everything. It doesn't, and pretending otherwise gets founders burned. So here's the honest version: what you can actually block, what you can't, and what to do about the part you can't.

The Capture Chain — what document security can block versus what it can only trace, with the phone photo as the dividing line between digital and analog capture

Can you actually stop someone from taking a phone photo of your screen?

No. There is no software — anywhere, at any price — that can stop a separate camera from photographing a screen. This is known as the analog hole: the moment information is rendered for a human to see, a second device can capture that rendering, and your software has no reach into the world outside the browser. A data room runs in the viewer's browser; the phone in their other hand does not.

This is not a Peony limitation or a competitor's failing — it's a law of the medium. Anyone who tells you their product "prevents phone photos" is either confused or selling you something. Our own dynamic watermarking guide says it plainly: no browser-based tool can fully prevent a camera pointed at a screen.

So if prevention is off the table, the question isn't "how do I stop the photo?" It's "how do I make the photo not matter?" That reframe is the entire game, and the rest of this post is the answer.

So is screenshot-blocking just security theater if a phone camera can capture everything?

No — and this is where a lot of smart founders talk themselves into doing nothing. The logic goes: "a determined person can always photograph the screen, so why bother with any protection?" That's like refusing to lock your front door because a window exists.

Here's what screenshot protection actually does. It blocks operating-system screenshot shortcuts, screen-recording tools, and screen-capture browser extensions, at the browser level, across Chrome, Safari, Edge, and Firefox. Those are the vectors behind the vast majority of real-world leaks — not an elaborate second-phone-on-a-tripod operation, but a reflexive Cmd+Shift+4 and a drag into an email. Screenshot protection removes the one-click leak. Peony also layers Screenshield for advanced screen-recording blocking on top.

What it can't do is reach the phone in someone's hand. That's the residual 5-10% the watermark exists to handle. The mistake is treating "can't stop the camera" as "can't stop anything." You close every door you can, then you make the one open window self-incriminating.

What actually protects a document you can't stop being photographed?

When prevention has a hard ceiling, you stop spending on prevention and start spending on deterrence and attribution. I call the full map of capture methods the Capture Chain, and sorting it into what's blockable versus what's only traceable is the most useful thing a founder can do before sharing anything sensitive.

The chain runs from easiest to hardest to stop:

  • Copy/paste text — digital, blockable (view-only rendering disables selection).
  • Download the file — digital, blockable (no-download mode; the original never reaches the device).
  • Print — digital, blockable (disable print; watermark prints anyway).
  • Screenshot via OS shortcut — digital, blockable (screenshot protection).
  • Screen recording — digital, blockable (Screenshield).
  • Capture browser extension — digital, blockable (screenshot protection).
  • Phone photo of the screen — analog, NOT blockable — only deterrable and traceable.
  • Retype or OCR the content — analog, not blockable — only deterrable.
  • Photograph a printout — analog, not blockable — controlled by disabling print upstream.

Everything above the phone-photo line, you block. Everything from the phone photo down, you can't block — so you make it carry the leaker's name. That dividing line is the whole strategy in one picture, and it's why the next section matters more than any "blocking" feature.

Can a per-viewer watermark turn a phone photo into a signed confession?

Yes — that's the move that flips the whole problem. A dynamic, per-viewer watermark stamps each individual viewer's identity — their email address, IP, and the exact timestamp — across every page of the document, at the moment they open it. Not a generic "CONFIDENTIAL" stamp that's identical for everyone, but a unique fingerprint tied to one person and one session.

Here's the mechanism that makes the analog hole work for you instead of against you: the watermark is part of the rendered page, not a separate file layer. So when an investor points their phone at the screen, whatever's legible in their photo also contains the diagonal email-and-timestamp overlay sitting on top of it. Photographing the screen doesn't escape the watermark — it records it. The act of leaking captures the evidence of who leaked.

A few design details make this robust, all of which I built into Peony's watermarking engine:

  • Rendered server-side. The viewer's email, IP, and timestamp are baked into every frame on our servers. The original unmarked document never leaves Peony — so there's no clean copy on the viewer's device to strip a watermark from.
  • Repeated, not cornered. The overlay repeats across the page rather than sitting in one corner, so a photo cropped tight enough to remove the watermark also crops out the content. You can't have the numbers without the name.
  • Tied to the access log. Every watermark maps to a logged session, so the identity in a leaked image isn't just a deterrent — it's a lookup key into your audit trail.

This is also why static watermarks are nearly useless for this: the same text on every copy tells a founder with 40 investors absolutely nothing about which of them leaked. Per-viewer is the entire point.

If your deck leaks, can you actually prove which investor did it?

Yes — provided you shared it with per-viewer watermarks and access logging before the leak. This is the part founders most often get wrong: attribution can't be retro-fitted. You cannot, after a page surfaces on a competitor's desk, reach back and figure out who leaked a deck you emailed around unprotected. The forensic trail has to exist before the breach.

When you do share correctly, the workflow is simple. A leaked page appears. You read the watermark — the email and timestamp embedded in it. You match it to the session in your page-level analytics that accessed that exact page at that exact moment. Now you know who, when, and from which device and location. That's the difference between "someone leaked this" and "Partner X at Fund Y opened this page at 2:14pm Tuesday and it's their watermark on the image."
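The lookup described above, sketched as an added example (not Peony's code or schema): it matches text transcribed from a leaked image against an access log, testing against the repeated watermark row so a crop that straddles two tiles still resolves. The `Session` fields, the watermark layout, and the sample log are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    """One access-log row (hypothetical schema)."""
    session_id: str
    email: str
    ip: str
    opened_at: datetime
    pages: frozenset  # page numbers rendered to this viewer

    def watermark(self) -> str:
        # Per-viewer stamp: email, IP and timestamp (layout is assumed).
        return f"{self.email} | {self.ip} | {self.opened_at:%Y-%m-%d %H:%M}"


def _norm(text: str) -> str:
    """Lower-case and collapse whitespace so transcription spacing is ignored."""
    return " ".join(text.lower().split())


def tiled(session: Session, repeats: int = 3) -> str:
    """Text of one watermark row: the stamp repeated across the page."""
    return "   ".join([session.watermark()] * repeats)


def attribute_leak(fragment: str, page: int, access_log: list) -> list:
    """Return every logged session whose tiled watermark on `page` contains
    the text read from the leaked image. A crop may straddle two tiles, so
    matching runs against the repeated row rather than a single stamp."""
    frag = _norm(fragment)
    if not frag:
        return []
    return [s for s in access_log
            if page in s.pages and frag in _norm(tiled(s))]


def verdict(candidates: list) -> str:
    """Summarise what the match does and does not establish."""
    if not candidates:
        return "no match"
    if len(candidates) == 1:
        return f"session {candidates[0].session_id}"
    viewers = {s.email for s in candidates}
    if len(viewers) == 1:
        return f"viewer {viewers.pop()}, session ambiguous"
    return "ambiguous"


# Constructed access log: reserved .example domains and documentation IPs.
ALL_PAGES = frozenset(range(1, 13))
ACCESS_LOG = [
    Session("sess-001", "partner.x@fund-y.example", "203.0.113.7",
            datetime(2026, 3, 10, 14, 14), ALL_PAGES),
    Session("sess-002", "partner.z@fund-y.example", "203.0.113.9",
            datetime(2026, 3, 10, 14, 20), ALL_PAGES),
    Session("sess-003", "partner.x@fund-y.example", "203.0.113.7",
            datetime(2026, 3, 12, 9, 2), frozenset({1, 2, 3})),
]

if __name__ == "__main__":
    # A tight crop showing the end of one tile and the start of the next.
    print(verdict(attribute_leak("14:14   partner.x@fund", 7, ACCESS_LOG)))
```

More than one candidate for the same email means the viewer is identified but the session is not; a legible timestamp or page number narrows it.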

I've watched this play out with M&A advisors running competitive auctions across multiple bidders — the moment bidders know every page carries their identity, the leak behavior changes before anyone even tests it. Attribution is a deterrent precisely because it's credible.

Screenshot blocking vs. dynamic watermarking — which should you rely on?

Both, layered — they solve different halves of the problem:

|  | Screenshot protection | Dynamic per-viewer watermark |
| --- | --- | --- |
| What it is | Prevention | Deterrence + attribution |
| Stops digital capture? | Yes (screenshots, recording, extensions) | No |
| Stops a phone photo? | No | No — but makes it traceable |
| Covers which vectors? | Digital only | Every vector, including the camera |
| Best at | Removing the one-click leak | Identifying the leaker + deterring the leak |

If you could only have one, choose the watermark — attribution covers every vector including the phone photo, while screenshot blocking covers only the digital ones. But this is a false choice with a real data room: on Peony, screenshot protection and per-viewer watermarks run together on the same plan, alongside download controls and link expiry. You block what you can and trace what you can't, from one place.

What else closes the gap beyond watermarks and screenshot blocking?

Watermarking and screenshot blocking are two layers. A real defensive setup adds three more, and none of them require a phone camera to be stoppable to work:

  • View-only, no-download. If the viewer never receives the file — only a rendered page in the browser — there's nothing to forward, re-upload, or strip. This single setting eliminates the entire "download the file" branch of the capture chain. (See how to share a pitch deck with investors for the founder workflow.)
  • NDA gating before the first page. Make the viewer accept terms before they see anything. A Simple NDA logs an acknowledgement; an Advanced NDA has them digitally sign with a countersigned PDF delivered to both sides. The NDA doesn't stop the leak in the moment — it makes the leak legally costly, and your watermark supplies the proof that makes the NDA enforceable.
  • Instant revocation + expiry. When an investor passes, kill their access so they keep nothing — and set links to expire by default. Combined with per-investor access controls, this means a "no" doesn't leave a live copy of your numbers floating in someone's inbox.

Then there's the cheapest control of all: share less. Not every document needs to go to every investor on day one. Which brings us to the framework.

How should you share a deck with 30 investors when you can't stop the camera?

Stop thinking about blocking and start thinking about an Exposure Budget — for each document, decide how much damage a leak would do, and match the control to that number:

  1. Low exposure (the teaser deck). Share freely with watermark + screenshot protection on. The point is reach; a leak costs little.
  2. Medium exposure (full deck, metrics). View-only, no-download, watermarked, NDA-gated. Most of your raise lives here.
  3. High exposure (cap table, detailed financials, IP, customer contracts). Stage it — don't release until an investor shows real interest or a term sheet is near. Watermark, no-download, NDA, and consider redacting the most sensitive figures until diligence. (See data room for investors for structuring multi-party access.)
  4. Extreme exposure (the one number that defines your company). Consider showing it only in a live screen-share you control, never as standalone access.

The realistic threat model matters here. Most leaks are casual — a forward, a "have you seen this," a deck shown to a portfolio company in your space — not corporate espionage. A visible per-viewer watermark stops the casual 90% outright and makes the determined 10% attributable. You are not trying to beat an unbeatable adversary photographing your screen in a vault; you're trying to make ordinary forwarding personally risky. That's a problem you can actually solve.

How Peony handles the capture chain

I run Peony, a data room company used by 5,900+ teams, and we built it around exactly this honest model rather than the "we block everything" fiction:

  • Block the digital vectors: screenshot protection across Chrome, Safari, Edge, and Firefox, plus Screenshield for screen-recording, plus no-download and disable-print.
  • Trace the analog one: per-viewer dynamic watermarks — email, IP, and timestamp rendered server-side into every page, repeated to resist cropping, mapped to your page-level analytics.
  • Control access: NDA gating, link expiry, instant revocation, and granular per-viewer permissions.
  • Prove it later: every view logged at the page level with viewer identity, so a leaked image resolves to a named session.

We're SOC 2 Type II certified, and you can start free to see the watermarking on your own deck before you decide. If a page ever leaks, you won't be guessing — you'll be reading a name. For the deeper mechanics, our dynamic watermarking guide walks through the engine, and what to do after a deck leak covers the response playbook.

The takeaway is simple: you cannot stop a phone photo, and any vendor who says otherwise is lying to you. What you can do — and what 5,900+ teams use Peony to do — is block every digital shortcut and turn the one capture you can't prevent into the evidence that identifies whoever used it.

Frequently asked questions

I'm about to send my deck to 30 investors — can anything actually stop one of them from taking a phone photo of the screen?

No. A camera pointed at a screen is the one capture vector no software can block — it's called the analog hole, and it's true of every data room, DRM, and screenshot tool on the market. What you can do is make a phone photo useless as an anonymous leak: a per-viewer watermark stamps that investor's email and the timestamp across every page, so the photo they take carries their own identity. If you're sending to 30 investors, that turns "someone leaked my deck" into "this exact person leaked my deck at 2:14pm on Tuesday." On Peony, every page is watermarked with the viewer's email, IP, and timestamp automatically — so the camera becomes your attribution channel instead of your weakness.

If a phone camera can capture everything anyway, is screenshot-blocking on my data room just security theater?

No — it closes the easy vectors, just not the hardest one. Screenshot protection blocks OS screenshot shortcuts, screen-recording tools, and capture browser extensions across Chrome, Safari, Edge, and Firefox, which is how the overwhelming majority of casual leaks actually happen (a quick Cmd+Shift+4, not a deliberate second-phone setup). Calling it theater is like calling a door lock theater because a window exists. For a founder sharing a deck, screenshot blocking removes the one-click leak; the per-viewer watermark then handles the phone-photo case it can't physically stop. On Peony both run together on the same plan, so you're not choosing between them.

Screenshot blocking vs. dynamic watermarking — which actually protects a confidential pitch deck?

They protect against different things, so the right answer is both, layered. Screenshot blocking is prevention — it stops digital capture (screenshots, screen recording, extensions). Dynamic watermarking is deterrence plus attribution — it can't stop a capture, but it makes every captured page traceable to one viewer and discourages the leak in the first place. If you only get one, choose dynamic watermarking, because attribution covers every vector including the phone photo, whereas screenshot blocking covers only the digital ones. On Peony you don't have to pick: screenshot protection and per-viewer watermarks are part of the same data room, alongside download controls and link expiry.

Will a per-viewer watermark really deter an investor from leaking, or do people just crop it out?

It deters far more than founders expect, and cropping doesn't save the leaker the way they think. The deterrent is psychological: when an investor sees their own email and timestamp on every page, casual forwarding drops sharply — nobody wants to be the obvious source. As for cropping, a well-designed watermark repeats across the page (not just one corner), so a usable photo of the content also contains the identity. Peony renders the viewer's email, IP, and timestamp into every page server-side, repeated and diagonal, so the original unmarked file never exists on the viewer's device to crop from in the first place.

If someone photographs my screen, does the watermark survive the photo clearly enough to identify them?

Yes — a phone photo captures the watermark along with the content, because the watermark is part of the rendered page, not a separate file layer. When an investor points a camera at the screen, whatever's readable in their photo includes the diagonal email-and-timestamp overlay sitting on top of it. That's the core insight: photographing the screen doesn't escape the watermark, it records it. Peony's watermark is rendered into every frame the viewer sees, so it appears in screenshots, screen recordings, prints, and phone photos alike — and ties back to the exact session in your access logs.

My deck leaked and I don't know who did it — can a data room actually prove which investor leaked it?

Yes, if you shared it with per-viewer watermarks and access logging turned on before the leak. When a leaked page surfaces, you read the watermark — the email and timestamp baked into it — and match it to the session in your audit trail that accessed that page at that moment. A generic "CONFIDENTIAL" stamp can't do this because it's identical for everyone; only a per-viewer watermark makes a leak attributable. On Peony, every view is logged at the page level with the viewer's identity, so "we have no idea who leaked this" becomes "we know who, when, and from which session." The catch: you have to share it this way from the start — you can't retro-fit attribution after the leak.

How do I make my deck view-only and revoke an investor's access the moment they pass?

Use a sharing platform with view-only rendering, download/print controls, and instant revocation — not an email attachment or a public link, both of which are uncontrollable the second they leave your outbox. View-only means investors see a rendered page in the browser and never receive the underlying file; revocation means the link goes dead on your command, even mid-process. For a founder, the move is: share the deck no-download, set link expiry, and kill access for any investor who passes so they keep nothing. Peony does all three from one dashboard — disable download, set an expiry, and revoke a specific viewer instantly, with the audit trail showing exactly what they saw before you cut them off.

NDA vs. technical controls like watermarking and access expiry — which actually stops a leak?

They do different jobs and you want both: an NDA makes a leak legally costly, technical controls make it operationally hard and personally attributable. An NDA alone deters nothing in the moment — it's an after-the-fact remedy that depends on you proving who leaked, which is exactly what watermarking gives you. So the strongest setup is an NDA gate that the viewer accepts before seeing a page, combined with per-viewer watermarks, no-download, and expiry. On Peony you can require a Simple NDA acknowledgement before access, or a full Advanced NDA where the viewer digitally signs and both sides get a countersigned PDF — and either way every page is watermarked, so your legal claim comes with forensic proof attached.

DocSend vs. a real data room for sharing a deck investors might photograph or leak — what's the difference?

A link-tracking tool tells you a deck was viewed; a real data room controls how it's viewed and makes a leak traceable. For a single pitch deck going to a few people, link tracking is fine. But once you're sharing financials, a cap table, and IP with 20-40 investors or competing bidders, you need per-viewer watermarks, screenshot protection, NDA gating, granular permissions, and instant revocation in one place — capabilities link-trackers either lack or gate behind their top tier. Peony was built as a data room with these layers standard, used by 5,900+ teams, so a founder gets attribution and access control without assembling three separate tools. Credit where due: for purely tracking a deck open rate, a tool like DocSend is simpler — it's the leak-control layer where a data room pulls ahead.

How much does a data room with watermarking and leak tracking cost, and is it worth it for a seed round?

Modern data rooms with per-viewer watermarking and page-level tracking are priced per admin per month, not per deal — a fraction of the $5,000-$25,000-per-project legacy VDRs charge, and easily justified the first time you can answer "who leaked this?" For a seed-stage founder, the cost of the tool is trivial next to the cost of your numbers circulating to a competitor-aligned investor with no way to trace it. The honest test isn't price, it's exposure: if your deck leaking would genuinely hurt you, watermarking pays for itself. See Peony's current plans on the pricing page; a typical founder-side raise runs on one to three admins, and you can start free to see the watermarking before you pay.

Am I being paranoid that a VC who passed will circulate my deck to a competitor?

You're not paranoid — it's common enough that experienced founders share defensively by default. Decks get forwarded inside firms, shown to portfolio companies in your space, and used as market intel far more often than anyone admits, usually casually rather than maliciously. The fix isn't to stop fundraising or to distrust everyone; it's to share in a way where a forward is both deterred and attributable, so the cost of leaking lands on the leaker. Watermark every page with the viewer's identity, gate access behind an NDA, disable download, and revoke when an investor passes — then you can share confidently because a leak points back to its source instead of leaving you guessing.