// Trust & Security Report

    Pixelcut Inc. logo

    Pixelcut Inc.

    Consumer/SMB AI photo & video editing platform (background removal, upscaling, generative fill, product/UGC image and video generation) available on web, iOS and Android, plus a separate Pixelcut API for developers and a 'Pixelcut for Claude' integration referenced in site navigation.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture)
    HELD

    "The rights of Users based on the General Data Protection Regulation (GDPR)" - dedicated policy section enumerating rights to withdraw consent, object, access, rectify, restrict, erase, and port data, and to lodge a complaint with a supervisory authority. Note: this is a self-declared policy posture in the vendor's own privacy policy, not a third-party GDPR certification (no such certification exists under GDPR).

    Verify on pixelcut.ai
    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. Checked privacy policy, terms, API docs, developer data-privacy page, and pixelcut.ai/security (404 - page does not exist); none mention SOC 2.

    source: pixelcut.ai
    ISO 27001
    NOT CONFIRMED

    No public evidence on any pixelcut.ai page. A third-party site (Nudge Security profile page) displays an 'ISO 27001 Compliant' badge for Pixelcut with no verification statement or sourcing, and is NOT the vendor's own domain, so it cannot be used as proof and is disregarded per evidence rules.

    source: pixelcut.ai
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of any AI-governance certification on vendor domain.

    source: pixelcut.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence on vendor domain. Only appears as an unverified badge on a third-party (Nudge Security) profile page, not on pixelcut.ai.

    source: pixelcut.ai
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or BAA availability on vendor domain. Product is a general-purpose consumer image editor, not marketed for PHI use.

    source: pixelcut.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence on vendor domain. Payments are processed via Stripe / Apple App Store / Google Play (third-party processors), so card data is offloaded; no vendor-held PCI DSS attestation was found.

    source: pixelcut.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence; not applicable to this consumer/SMB product. Appears only as an unverified badge on a third-party (Nudge Security) profile page, not vendor-confirmed.

    source: pixelcut.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States (Pixelcut Inc., 490 43rd St, Suite 210, Oakland, CA). No documented EU/regional data residency option or data localization commitment found.

    Developer data-privacy page states verbatim: "No, Pixelcut does not use your data to train models without your consent." This is a conditional/opt-in framing (no training absent consent) rather than an unconditional no-training guarantee, and how/where that consent is captured is not documented. Separately, the API terms state customers "may not use the API to create training data for your own models" (restricting customer use of Pixelcut's outputs, not Pixelcut's use of customer inputs). Notably, the main legal Privacy Policy document itself is silent on AI training entirely - the only training commitment lives on a secondary developer-docs FAQ page, not the primary privacy policy.

    // Security controls

    Encryption in transit

    Vendor states uploaded images/projects are "sent to Pixelcut using encryption and stored securely"; no specific protocol/version (e.g. TLS 1.2/1.3) is disclosed on any vendor page.

    help.pixelcut.ai

    Encryption at rest

    Not specified on any vendor-domain page.

    pixelcut.ai

    Data retention

    Input and output images are automatically deleted within 24 hours of processing; generated result URLs expire in roughly one hour; account/billing metadata is retained indefinitely for billing, fraud prevention, and analytics.

    pixelcut.ai

    Internal access controls

    Vendor states staff access to user data is restricted to support and abuse-investigation purposes only (per developer docs); no independently audited access-control attestation found.

    pixelcut.ai

    Formal security certifications

    None published on the vendor's own domain as of the assessment date. A dedicated /security page returns 404.

    pixelcut.ai

    Third-party subprocessors

    Privacy policy discloses sharing with Google LLC, Meta Platforms, Apple Inc., Stripe, RevenueCat, Firebase, Sentry, Help Scout, Postmark, Mixpanel, and AppsFlyer for analytics, payments, hosting, and communications; several are flagged in the policy itself as constituting a CCPA "sale"/"share".

    pixelcut.ai

    // Products & data scope

    Pixelcut Web/iOS/Android AppConsumer/SMB AI photo & video editor

    data: User-uploaded product/marketing images and video, plus account, usage, and payment data

    Freemium subscription; images auto-deleted within 24 hours of processing per vendor docs; used by an estimated 70M+ registered users per marketing claims (unverified third-party metric, not an independently audited figure).

    Pixelcut APIDeveloper/API image & video processing

    data: Images/video submitted programmatically via API calls

    Credit-based pricing ($0.01/credit) with custom enterprise volume pricing above 1M credits/month; customer retains copyright of processed images; customers are contractually barred from using API outputs to train their own models; no API-specific data-retention or security disclosure beyond the general developer data-privacy page.

    Pixelcut for ClaudeAI agent / MCP integration

    data: Not documented on vendor domain beyond a navigation link

    Referenced only as a nav item on pixelcut.ai; no dedicated page, data-handling description, or security detail was found. Insufficient public evidence to assess - listed here for completeness only.

    // What to watch

    • No trust center and no independently verified certifications (SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP, CSA STAR) found on the vendor's own domain, despite the product being marketed to businesses via an API and enterprise volume pricing.
    • OVER-CLAIM RISK: a third-party site (security-profiles.nudgesecurity.com/app/pixelcut) displays unsourced 'compliant' badges for SOC 2, ISO 27001, HIPAA, PCI, GDPR, FedRAMP, and CSA STAR with no verification statement. None of these are corroborated anywhere on pixelcut.ai; these badges must not be treated as proof and should not be surfaced to buyers.
    • Brand/entity transition in progress: press coverage from March 2026 states Pixelcut rebranded to 'Pixa' (pixa.com), but as of this assessment date pixa.com 301-redirects back to pixelcut.ai and the live site still operates entirely under the 'Pixelcut' brand and 'Pixelcut Inc.' entity name in its Terms. Re-verify identity/branding at next review.
    • AI-training commitment ('does not use your data to train models without your consent') appears only on a secondary developer-docs FAQ page, not in the primary legal Privacy Policy, and the consent-capture mechanism is undocumented - a gap worth disclosing rather than a confirmed contradiction.
    • No DPA (Data Processing Agreement) availability is documented anywhere on the vendor's site, which is notable given the API product targets business/developer customers.

    // At a glance

    Pricing model

    Freemium subscription (web/mobile) plus credit-based pay-as-you-go API pricing ($0.01/credit) with custom enterprise volume pricing above 1,000,000 credits/month

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pixelcut Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pixelcut.ai

    > Browse all vendor trust reports