// Trust & Security Report
Prisma Labs, Inc.
Lensa — a consumer photo editing mobile app with AI-powered features including Magic Avatars, Art Styles, portrait retouching, background replacement, and effects. Owned by Prisma Labs, Inc. (Sunnyvale, CA).
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on legal.lensa.app“Lensa addresses GDPR requirements for EU/UK users, including rights to access, rectification, erasure, and portability. The company implements 'Standard Contractual Clauses' for data transfers outside the EEA and uses 'UK Addendum to the EU Standard Contractual Clauses' for UK transfers.”
> Show 8 unconfirmed / not-held certifications
source: legal.lensa.appNo public evidence of SOC 2 certification found on vendor-domain sources (legal.lensa.app, lensa.app, prisma-ai.com).
source: legal.lensa.appNo public evidence of ISO 27001 certification found on vendor-domain sources.
source: legal.lensa.appNot applicable. Lensa is a consumer photo editing app with no healthcare data processing or HIPAA scope.
source: legal.lensa.appNo public evidence of PCI DSS certification found on vendor-domain sources.
source: legal.lensa.appNo public evidence of ISO 27017 certification found on vendor-domain sources.
source: legal.lensa.appNo public evidence of ISO 27018 certification found on vendor-domain sources.
source: legal.lensa.appNo public evidence of ISO 42001 certification found on vendor-domain sources.
source: legal.lensa.appNo public evidence of CSA STAR certification found on vendor-domain sources.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States (AWS, Google Cloud). Standard Contractual Clauses for EEA/UK data transfers.
Official privacy policy states: 'We do not use your Personal Data to train and/or create separate artificial intelligence/products.' However, Lensa does train custom per-user models on uploaded face data to generate personalized Magic Avatars and effects; these custom models are not retained after generation. Historical reports and external sources (2022-2023) suggested broader data use for model training, but current official policy explicitly prohibits this. Photos for Magic Avatars are deleted immediately after generation; Art Styles photos retained max 24 hours on AWS; AI-Assistant features use OpenAI which retains photos up to 30 days.
// Security controls
Data Protection
Lensa employs 'reasonable and appropriate information security safeguards' but acknowledges limitations: 'we cannot guarantee the security of the collected information transmitted to or through Lensa.' The company notes 'there is no ideal technology or measure to maintain 100% security.'
legal.lensa.appEncryption Standards
No specific encryption protocols or standards (TLS versions, AES encryption, etc.) are documented in the public privacy policy or terms of service.
legal.lensa.appThird-Party Data Processing
User data shared with affiliates (Palta companies in Cyprus), AWS, Google Cloud Platform, Firebase, AppsFlyer, Amplitude, and OpenAI (for AI-Assistant features). Data may be disclosed during mergers or in response to legal requests.
lensa.appData Breach Notification
Lensa commits to 'informing you of such security incident in accordance with our Privacy Policy' when data loss occurs outside their control.
legal.lensa.appThird-Party Security Audits
No public security audit reports, penetration testing results, or third-party security certifications found on vendor-domain sources.
legal.lensa.app// Products & data scope
data: User uploads photos/videos; processes via cloud (AWS, GCP); generates AI effects (Magic Avatars, Art Styles, portrait retouching, background blur/replacement); deletes originals per retention policy.
Primary product. Processes biometric data (facial geometry) via Apple's TrueDepth API. Trains temporary per-user models for avatar/effect generation only. Available on iOS and Android.
// What to watch
- NO FORMAL COMPLIANCE CERTIFICATIONS: Despite processing biometric data (facial geometry), Lensa holds no public SOC 2, ISO 27001, ISO 27017, or ISO 27018 certifications. This is unusual for a company handling sensitive personal data.
- BBB F RATING: Better Business Bureau rates Prisma Labs, Inc. as 'F' due to failure to respond to 2 filed complaints. BBB file opened 12/5/2022; business started 5/15/2016. This raises questions about responsiveness to compliance issues.
- AI TRAINING CONTRADICTION: Official privacy policy states 'We do not use your Personal Data to train separate AI products,' but historical reports (ArtNews, ArtMajeur, 2022-2023) and earlier ToS language suggest Lensa previously used user data for AI model training. Current policy appears to narrowly exclude per-user custom model training (used only for that user's avatars/effects) from the definition of 'training separate products.' This ambiguity should be clarified.
- WEAK DATA SECURITY POSTURE: Privacy policy explicitly states Lensa 'cannot guarantee the security' and 'there is no ideal technology or measure to maintain 100% security.' This low-assurance language is concerning for a vendor processing biometric/facial data.
- NO ENCRYPTION SPECIFICATIONS: Public privacy policy and terms do not specify encryption standards, protocols, or key management practices for data in transit or at rest.
- NO PUBLIC TRUST CENTER: Lensa does not publish a trust center, security documentation, or compliance audit reports on its vendor domain.
- BIOMETRIC DATA WITH MINIMAL OVERSIGHT: Lensa collects facial geometry (via Apple TrueDepth) and other biometric data without formal security certifications or third-party audits. BIPA lawsuit filed (Illinois Biometric Information Privacy Act) alleging collection of facial geometry without proper consent.
- COPYRIGHTS/LICENSING CONCERN: Lensa's underlying Magic Avatars and Art Styles models use third-party models (Stable Diffusion) trained on internet images with unclear licensing. While this does not directly implicate Lensa's data handling, it raises questions about IP governance and vendor oversight of third-party dependencies.
- DATA RETENTION GAPS: Data retention policies vary by feature (24 hours for Art Styles, immediate for Magic Avatars, 30 days for AI-Assistant via OpenAI). No global data retention policy; complex multi-vendor data lifecycle.
- MINIMAL GDPR CERTIFICATION: Lensa claims GDPR compliance via Standard Contractual Clauses but provides no formal assessment letter, Data Protection Impact Assessment (DPIA), or auditor confirmation of adequacy of safeguards.
// At a glance
Pricing model
Freemium (free app with in-app purchases for credits and subscriptions). Virtual item purchases are 'final and non-refundable.'
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Prisma Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
legal.lensa.app