// Trust & Security Report
Photo AI (photoai.com, operated by Pieter Levels / Levels.io — no separate legal entity name publicly disclosed)
Consumer AI photo and video generator: users upload selfies to train a personal AI model, then generate photos, short AI/Mocap videos, AI influencer personas, and AI-model product photography/try-on-clothes content. Sold as individual subscriptions (Pro/Max/Ultra); no team, enterprise, or API tier found. Same operator/legal terms also cover a sibling product, Interior AI (interiorai.com), which is out of scope for this assessment.
Certifications held
1
Maturity
Startup
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on photoai.com“"Photo AI and Interior AI applies these rights to all users of our products, regardless of your location." The policy lists EEA/UK/Swiss user rights: correction/erasure, objection to processing, data portability, withdrawal of consent, and the right to lodge a complaint with a supervisory authority.”
> Show 8 unconfirmed / not-held certifications
source: photoai.comNo public evidence. No trust center, security page, or SOC 2 mention exists on photoai.com; /security and /trust return 404.
source: photoai.comNo public evidence of ISO 27001 certification found on photoai.com.
source: photoai.comNo public evidence of these certifications found on photoai.com.
source: photoai.comNo public evidence of AI governance certification found on photoai.com.
source: photoai.comNo public evidence of CSA STAR or CSA STAR AI registration found on photoai.com.
source: photoai.comNo public evidence. Photo AI is a consumer photo/video tool with no healthcare use case and no BAA offering found on the vendor's site.
source: photoai.comNo public evidence that Photo AI itself is PCI DSS certified. The FAQ directs billing management to 'Stripe's billing portal', indicating payment card handling is delegated to Stripe (the payment processor) rather than certified by Photo AI directly.
source: photoai.comNo public evidence of FedRAMP authorization found on photoai.com.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
Not disclosed. Policy states only: "your information may be stored in computers in other countries outside of your home country" — no named regions or residency options.
Core product feature: users upload 5-15 selfies which are used to fine-tune (DreamBooth-style) a personal AI model unique to that user, described on the homepage: 'By inputting these images into your model, you're teaching it to recognize and replicate it.' Separately, the Terms of Service grant Photo AI a broad license over user content: 'perpetual, worldwide, non-exclusive, sublicensable, no-charge, royalty-free, irrevocable copyright license to use, copy, reproduce, process, adapt, modify, publish' user-submitted text prompts and images. This license is broader than the stated 'train your own model' feature and has no disclosed opt-out; no separate statement was found addressing use of user photos to improve Photo AI's general/base models beyond the individual user's model.
// Security controls
Encryption in transit
Site is served over HTTPS; no additional TLS version or protocol disclosure found on vendor pages.
photoai.comEncryption at rest
Not disclosed. Policy states only generic "physical, business and technical security measures" with no specifics.
photoai.comData retention
"We only keep your personal information for as long as is needed to do what we collected it for" — retained to provide services, fulfill transactions, meet legal obligations, resolve disputes, and enforce agreements. No fixed retention period disclosed.
photoai.comThird-party data sharing
"As needed, including to third-party service providers, to process or provide Services or products to you, but only if those entities agree to provide at least the same level of privacy protection." Named sub-processors are not listed.
photoai.comBreach notification
Policy commits to notifying affected users in the event of a data breach, without specifying a timeframe.
photoai.comPayment processing
Billing and subscription management is handled through Stripe's billing portal, per the site FAQ.
photoai.com// Products & data scope
data: 5-15 user-uploaded selfies used to fine-tune a personal AI model; generates new photos in any pose/place from that model
Core product. Pro/Max/Ultra subscription tiers differ by photo credits and training speed, not by data handling or compliance posture.
data: No real user photos required; user designs a synthetic identity from scratch
Marketed for building monetizable synthetic 'AI influencers'.
data: User-uploaded product photos and clothing images combined with the user's AI model
Aimed at Shopify/e-commerce sellers and marketers; no separate business/enterprise agreement found.
data: User-uploaded motion/reference video plus an AI-generated photo of the user's model
Transfers motion from an uploaded video onto the user's AI photo.
// What to watch
- No trust center and no third-party security certifications (SOC 2, ISO 27001, ISO 27701, ISO 42001, CSA STAR, HIPAA, PCI DSS, FedRAMP) found anywhere on the vendor's own domain — consistent with a solo-founder indie SaaS, not evidence of wrongdoing, but AIFOXX should not display any compliance badges for this vendor.
- Broad, perpetual, irrevocable IP license over user-submitted photos and prompts in the Terms of Service goes beyond what is needed for the advertised 'train your own model' feature, with no disclosed opt-out — worth surfacing given the sensitivity of uploaded face photos.
- PCI DSS: payment handling is delegated to Stripe (the payment processor); any PCI DSS compliance belongs to Stripe, not Photo AI directly — do not credit Photo AI with PCI DSS.
- No formal legal entity name, business address, or dedicated privacy/DPO contact found on the vendor's privacy policy or terms page, limiting verification of e.g. EU representative requirements for a US-based data controller/processor.
- No Data Processing Agreement (DPA) found or offered on the vendor's site.
// At a glance
Pricing model
Consumer subscription only (Pro/Max/Ultra, monthly or yearly with an annual discount); no self-serve API, team, or enterprise tier found
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Photo AI (photoai.com, operated by Pieter Levels / Levels.io — no separate legal entity name publicly disclosed)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
photoai.com