// Trust & Security Report
Pixelcut Inc.
Consumer/SMB AI photo & video editing platform (background removal, upscaling, generative fill, product/UGC image and video generation) available on web, iOS and Android, plus a separate Pixelcut API for developers and a 'Pixelcut for Claude' integration referenced in site navigation.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on pixelcut.ai“"The rights of Users based on the General Data Protection Regulation (GDPR)" - dedicated policy section enumerating rights to withdraw consent, object, access, rectify, restrict, erase, and port data, and to lodge a complaint with a supervisory authority. Note: this is a self-declared policy posture in the vendor's own privacy policy, not a third-party GDPR certification (no such certification exists under GDPR).”
> Show 7 unconfirmed / not-held certifications
source: pixelcut.aiNo public evidence. Checked privacy policy, terms, API docs, developer data-privacy page, and pixelcut.ai/security (404 - page does not exist); none mention SOC 2.
source: pixelcut.aiNo public evidence on any pixelcut.ai page. A third-party site (Nudge Security profile page) displays an 'ISO 27001 Compliant' badge for Pixelcut with no verification statement or sourcing, and is NOT the vendor's own domain, so it cannot be used as proof and is disregarded per evidence rules.
source: pixelcut.aiNo public evidence of any AI-governance certification on vendor domain.
source: pixelcut.aiNo public evidence on vendor domain. Only appears as an unverified badge on a third-party (Nudge Security) profile page, not on pixelcut.ai.
source: pixelcut.aiNo public evidence of HIPAA compliance or BAA availability on vendor domain. Product is a general-purpose consumer image editor, not marketed for PHI use.
source: pixelcut.aiNo public evidence on vendor domain. Payments are processed via Stripe / Apple App Store / Google Play (third-party processors), so card data is offloaded; no vendor-held PCI DSS attestation was found.
source: pixelcut.aiNo public evidence; not applicable to this consumer/SMB product. Appears only as an unverified badge on a third-party (Nudge Security) profile page, not vendor-confirmed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States (Pixelcut Inc., 490 43rd St, Suite 210, Oakland, CA). No documented EU/regional data residency option or data localization commitment found.
Developer data-privacy page states verbatim: "No, Pixelcut does not use your data to train models without your consent." This is a conditional/opt-in framing (no training absent consent) rather than an unconditional no-training guarantee, and how/where that consent is captured is not documented. Separately, the API terms state customers "may not use the API to create training data for your own models" (restricting customer use of Pixelcut's outputs, not Pixelcut's use of customer inputs). Notably, the main legal Privacy Policy document itself is silent on AI training entirely - the only training commitment lives on a secondary developer-docs FAQ page, not the primary privacy policy.
// Security controls
Encryption in transit
Vendor states uploaded images/projects are "sent to Pixelcut using encryption and stored securely"; no specific protocol/version (e.g. TLS 1.2/1.3) is disclosed on any vendor page.
help.pixelcut.aiData retention
Input and output images are automatically deleted within 24 hours of processing; generated result URLs expire in roughly one hour; account/billing metadata is retained indefinitely for billing, fraud prevention, and analytics.
pixelcut.aiInternal access controls
Vendor states staff access to user data is restricted to support and abuse-investigation purposes only (per developer docs); no independently audited access-control attestation found.
pixelcut.aiFormal security certifications
None published on the vendor's own domain as of the assessment date. A dedicated /security page returns 404.
pixelcut.aiThird-party subprocessors
Privacy policy discloses sharing with Google LLC, Meta Platforms, Apple Inc., Stripe, RevenueCat, Firebase, Sentry, Help Scout, Postmark, Mixpanel, and AppsFlyer for analytics, payments, hosting, and communications; several are flagged in the policy itself as constituting a CCPA "sale"/"share".
pixelcut.ai// Products & data scope
data: User-uploaded product/marketing images and video, plus account, usage, and payment data
Freemium subscription; images auto-deleted within 24 hours of processing per vendor docs; used by an estimated 70M+ registered users per marketing claims (unverified third-party metric, not an independently audited figure).
data: Images/video submitted programmatically via API calls
Credit-based pricing ($0.01/credit) with custom enterprise volume pricing above 1M credits/month; customer retains copyright of processed images; customers are contractually barred from using API outputs to train their own models; no API-specific data-retention or security disclosure beyond the general developer data-privacy page.
data: Not documented on vendor domain beyond a navigation link
Referenced only as a nav item on pixelcut.ai; no dedicated page, data-handling description, or security detail was found. Insufficient public evidence to assess - listed here for completeness only.
// What to watch
- No trust center and no independently verified certifications (SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP, CSA STAR) found on the vendor's own domain, despite the product being marketed to businesses via an API and enterprise volume pricing.
- OVER-CLAIM RISK: a third-party site (security-profiles.nudgesecurity.com/app/pixelcut) displays unsourced 'compliant' badges for SOC 2, ISO 27001, HIPAA, PCI, GDPR, FedRAMP, and CSA STAR with no verification statement. None of these are corroborated anywhere on pixelcut.ai; these badges must not be treated as proof and should not be surfaced to buyers.
- Brand/entity transition in progress: press coverage from March 2026 states Pixelcut rebranded to 'Pixa' (pixa.com), but as of this assessment date pixa.com 301-redirects back to pixelcut.ai and the live site still operates entirely under the 'Pixelcut' brand and 'Pixelcut Inc.' entity name in its Terms. Re-verify identity/branding at next review.
- AI-training commitment ('does not use your data to train models without your consent') appears only on a secondary developer-docs FAQ page, not in the primary legal Privacy Policy, and the consent-capture mechanism is undocumented - a gap worth disclosing rather than a confirmed contradiction.
- No DPA (Data Processing Agreement) availability is documented anywhere on the vendor's site, which is notable given the API product targets business/developer customers.
// At a glance
Pricing model
Freemium subscription (web/mobile) plus credit-based pay-as-you-go API pricing ($0.01/credit) with custom enterprise volume pricing above 1,000,000 credits/month
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Pixelcut Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pixelcut.ai