// Trust & Security Report

    Photo AI (photoai.com, operated by Pieter Levels / Levels.io — no separate legal entity name publicly disclosed) logo

    Photo AI (photoai.com, operated by Pieter Levels / Levels.io — no separate legal entity name publicly disclosed)

    Consumer AI photo and video generator: users upload selfies to train a personal AI model, then generate photos, short AI/Mocap videos, AI influencer personas, and AI-model product photography/try-on-clothes content. Sold as individual subscriptions (Pro/Max/Ultra); no team, enterprise, or API tier found. Same operator/legal terms also cover a sibling product, Interior AI (interiorai.com), which is out of scope for this assessment.

    Certifications held

    1

    Maturity

    Startup

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture)
    HELD

    "Photo AI and Interior AI applies these rights to all users of our products, regardless of your location." The policy lists EEA/UK/Swiss user rights: correction/erasure, objection to processing, data portability, withdrawal of consent, and the right to lodge a complaint with a supervisory authority.

    Verify on photoai.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. No trust center, security page, or SOC 2 mention exists on photoai.com; /security and /trust return 404.

    source: photoai.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on photoai.com.

    source: photoai.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence of these certifications found on photoai.com.

    source: photoai.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of AI governance certification found on photoai.com.

    source: photoai.com
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    No public evidence of CSA STAR or CSA STAR AI registration found on photoai.com.

    source: photoai.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Photo AI is a consumer photo/video tool with no healthcare use case and no BAA offering found on the vendor's site.

    source: photoai.com
    PCI DSS
    NOT CONFIRMED

    No public evidence that Photo AI itself is PCI DSS certified. The FAQ directs billing management to 'Stripe's billing portal', indicating payment card handling is delegated to Stripe (the payment processor) rather than certified by Photo AI directly.

    source: photoai.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on photoai.com.

    source: photoai.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Not disclosed. Policy states only: "your information may be stored in computers in other countries outside of your home country" — no named regions or residency options.

    Core product feature: users upload 5-15 selfies which are used to fine-tune (DreamBooth-style) a personal AI model unique to that user, described on the homepage: 'By inputting these images into your model, you're teaching it to recognize and replicate it.' Separately, the Terms of Service grant Photo AI a broad license over user content: 'perpetual, worldwide, non-exclusive, sublicensable, no-charge, royalty-free, irrevocable copyright license to use, copy, reproduce, process, adapt, modify, publish' user-submitted text prompts and images. This license is broader than the stated 'train your own model' feature and has no disclosed opt-out; no separate statement was found addressing use of user photos to improve Photo AI's general/base models beyond the individual user's model.

    // Security controls

    Encryption in transit

    Site is served over HTTPS; no additional TLS version or protocol disclosure found on vendor pages.

    photoai.com

    Encryption at rest

    Not disclosed. Policy states only generic "physical, business and technical security measures" with no specifics.

    photoai.com

    Data retention

    "We only keep your personal information for as long as is needed to do what we collected it for" — retained to provide services, fulfill transactions, meet legal obligations, resolve disputes, and enforce agreements. No fixed retention period disclosed.

    photoai.com

    Third-party data sharing

    "As needed, including to third-party service providers, to process or provide Services or products to you, but only if those entities agree to provide at least the same level of privacy protection." Named sub-processors are not listed.

    photoai.com

    Breach notification

    Policy commits to notifying affected users in the event of a data breach, without specifying a timeframe.

    photoai.com

    Payment processing

    Billing and subscription management is handled through Stripe's billing portal, per the site FAQ.

    photoai.com

    // Products & data scope

    Photo AI - Personal AI Model PhotosConsumer AI image generation

    data: 5-15 user-uploaded selfies used to fine-tune a personal AI model; generates new photos in any pose/place from that model

    Core product. Pro/Max/Ultra subscription tiers differ by photo credits and training speed, not by data handling or compliance posture.

    AI Influencer CreatorSynthetic persona generation

    data: No real user photos required; user designs a synthetic identity from scratch

    Marketed for building monetizable synthetic 'AI influencers'.

    AI Product Photos/Videos & Try-On ClothesE-commerce / marketing content generation

    data: User-uploaded product photos and clothing images combined with the user's AI model

    Aimed at Shopify/e-commerce sellers and marketers; no separate business/enterprise agreement found.

    AI Mocap VideoAI video generation

    data: User-uploaded motion/reference video plus an AI-generated photo of the user's model

    Transfers motion from an uploaded video onto the user's AI photo.

    // What to watch

    • No trust center and no third-party security certifications (SOC 2, ISO 27001, ISO 27701, ISO 42001, CSA STAR, HIPAA, PCI DSS, FedRAMP) found anywhere on the vendor's own domain — consistent with a solo-founder indie SaaS, not evidence of wrongdoing, but AIFOXX should not display any compliance badges for this vendor.
    • Broad, perpetual, irrevocable IP license over user-submitted photos and prompts in the Terms of Service goes beyond what is needed for the advertised 'train your own model' feature, with no disclosed opt-out — worth surfacing given the sensitivity of uploaded face photos.
    • PCI DSS: payment handling is delegated to Stripe (the payment processor); any PCI DSS compliance belongs to Stripe, not Photo AI directly — do not credit Photo AI with PCI DSS.
    • No formal legal entity name, business address, or dedicated privacy/DPO contact found on the vendor's privacy policy or terms page, limiting verification of e.g. EU representative requirements for a US-based data controller/processor.
    • No Data Processing Agreement (DPA) found or offered on the vendor's site.

    // At a glance

    Pricing model

    Consumer subscription only (Pro/Max/Ultra, monthly or yearly with an annual discount); no self-serve API, team, or enterprise tier found

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Photo AI (photoai.com, operated by Pieter Levels / Levels.io — no separate legal entity name publicly disclosed)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    photoai.com

    > Browse all vendor trust reports