// Trust & Security Report

    Pebblely Pte Ltd logo

    Pebblely Pte Ltd

    AI product photography SaaS: a web app that generates AI backgrounds/lifestyle scenes for product photos (marketplace listings, social, ads, email), plus a bulk-generation mode for producing multiple background variants at scale. Single product line, no separate enterprise/API tier evidenced.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 10 unconfirmed / not-held certifications
    SOC 2 (Type 1)
    NOT CONFIRMED

    No public evidence. No trust center, security page, or mention of SOC 2 exists on pebblely.com; /security and /trust return no compliance content and were not linked from the site footer (only Privacy and Terms are linked).

    source: pebblely.com
    SOC 2 (Type 2)
    NOT CONFIRMED

    No public evidence. Same as SOC 2 Type 1 finding.

    source: pebblely.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. Full-text search of the Privacy Policy for "ISO" returned no matches.

    source: pebblely.com
    GDPR (compliance posture)
    NOT CONFIRMED

    No public evidence of an explicit GDPR compliance claim. Full-text search of the Privacy Policy for "GDPR" and "General Data Protection Regulation" returned no matches; the policy describes access/deletion rights generically ("We take measures to delete your Personal Information... when this information is no longer necessary") but never invokes GDPR by name, names no EU representative, and does not describe an international-transfer mechanism.

    source: pebblely.com
    HIPAA
    NOT CONFIRMED

    No public evidence and not applicable; product handles product-photography images, not health data. No mention of HIPAA anywhere on the site.

    source: pebblely.com
    PCI DSS
    NOT CONFIRMED

    "Payment information provided by you via our Sites will be stored and processed by Stripe." Card-data handling is fully delegated to Stripe; this is Stripe's PCI DSS certification, not a Pebblely-held certification.

    source: pebblely.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence. No AI-governance certification or program is referenced anywhere on the site.

    source: pebblely.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. No CSA STAR registry entry or reference found.

    source: pebblely.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence. Not referenced anywhere on the site.

    source: pebblely.com
    FedRAMP
    NOT CONFIRMED

    No public evidence; not applicable to a consumer/SMB SaaS product with no US government customer base indicated.

    source: pebblely.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not publicly disclosed on the site (no data-residency or hosting-region statement found). The operating entity is Singapore-incorporated (Pebblely Pte Ltd, UEN 202310640R, registered 2023-03-21, per Singapore's ACRA-sourced business registry).

    The Privacy Policy states Pebblely collects "product images, custom descriptions, negative prompts, and reference images in order to provide and improve our Services" but does not explicitly disclose whether uploaded product images are used to train AI models, does not describe a retention period tied to training, and offers no opt-out toggle or tier-based distinction. A full-text search of the policy for "train", "training", and "machine learning" returned no matches. This should be treated as unconfirmed, not as an absence of training use.

    // Security controls

    Encryption in transit/at rest

    Not disclosed. Full-text search of the Privacy Policy for "encrypt" returned no matches.

    pebblely.com

    Payment security

    Card data processing delegated to Stripe: "Payment information provided by you via our Sites will be stored and processed by Stripe."

    pebblely.com

    Data retention

    "We take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period."

    pebblely.com

    Account security responsibility

    "You are responsible for maintaining the security of your account and password. Pebblely cannot and will not be liable for any loss or damage from your failure to comply with this security obligation."

    pebblely.com

    Data subject requests

    Access/deletion/portability requests handled via direct email contact (hello@pebblely.com); no self-serve privacy portal found.

    pebblely.com

    // Products & data scope

    Pebblely (web app)AI product photography / background generation

    data: Uploaded product photos, optional reference images, text prompts/descriptions, account/billing info (billing handled by Stripe).

    Consumer/SMB-facing self-serve SaaS; sign-up via 'Get started', no enterprise/SSO tier or API product evidenced in captured pages.

    Bulk generation (in-app feature)AI product photography at scale

    data: Same as web app; batch-processes multiple product images against templates.

    Marketed as part of the same app for higher-volume users, not a separately governed product or data scope.

    // What to watch

    • No public trust center, security page, or compliance certifications of any kind (SOC2/ISO27001/HIPAA/GDPR/PCI/ISO42001/CSA STAR) — consistent with an early-stage, unfunded startup (Pebblely Pte Ltd, Singapore, incorporated 2023-03-21) rather than a withheld or over-claimed cert.
    • AI-training use of uploaded product images is not addressed in the Privacy Policy or Terms — no opt-out, no tier distinction, no retention-for-training statement. Flag for buyers uploading proprietary/sensitive product imagery.
    • No DPA (Data Processing Agreement) publicly available, and GDPR is never named in the Privacy Policy despite testimonials suggesting an international/EU-adjacent customer base.
    • PCI DSS scope is Stripe's (payment processor), not Pebblely's own — do not list PCI DSS as a Pebblely-held certification.

    // At a glance

    Pricing model

    Self-serve subscription SaaS (paid plans referenced via a 'Pricing' nav link; specific tier/pricing details were not captured in evidence).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pebblely Pte Ltd's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pebblely.com

    > Browse all vendor trust reports