// Trust & Security Report
Postcrafts PTE LTD (operating as ProfilePicture.AI / PFP.AI)
Consumer AI headshot/profile-picture generator: Free PFP Maker (single-photo, casual avatars) and Studio Photoshoots (paid, higher-volume photorealistic headshot packs). Cross-promotes a separate sibling product, HeadshotPro.com, which is not covered by this assessment.
Certifications held
1
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on profilepicture.ai“"This policy is fully compliant with GDPR and Singapore regulations."”
> Show 8 unconfirmed / not-held certifications
source: profilepicture.aiNo public evidence. No trust center exists on profilepicture.ai; the privacy policy, terms, and sub-processors pages make no mention of SOC 2.
source: profilepicture.aiNo public evidence. No ISO 27001 claim found anywhere on the vendor's domain.
source: profilepicture.aiNo public evidence found on any vendor-domain page.
source: profilepicture.aiNo public evidence. No AI-governance certification mentioned.
source: profilepicture.aiNo public evidence found on any vendor-domain page.
source: profilepicture.aiNo public evidence and no plausible fit: this is a consumer image-generation tool with no health-data use case, and no HIPAA claim appears on the vendor's site.
source: profilepicture.ai"Yes, we only use Stripe for payment. We do not store any of your credit card information." This reduces the vendor's own PCI scope by outsourcing card handling to Stripe, but the vendor does not itself hold a PCI DSS certification.
source: profilepicture.aiNo public evidence; not applicable to this consumer product.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Primarily United States per the homepage FAQ ("Data is stored securely on servers in the United States, by vetted, highly secure, third party partners of us"), but the published sub-processors list also names EU-based vendors (Splitbee for analytics, Crisp for support) and both US and EU regions for Google Cloud Platform hosting. No single explicit data-residency guarantee is published.
Vendor uses third-party AI sub-processors (Astria for "AI Processing and Training", plus OpenAI and Stability AI for generation) to build a per-user model from the uploaded photo, used only to generate that user's own images. Vendor states: "We use your input photos to generate your AI profile pictures, then delete the data and models from our servers or GPU APIs within 24 hours." (homepage FAQ) versus the privacy policy's "Data is deleted within 7 days upon request or account deletion unless legally required otherwise." These two vendor-domain statements describe different triggers (automatic post-generation cleanup vs. deletion-on-request) but the numeric inconsistency (24 hours vs 7 days) is not fully reconciled from the public pages, so this is flagged rather than resolved. No evidence either way that photos are reused to train a shared/foundation model benefiting other customers; the privacy policy's vague "anonymous data may be shared with trusted partners for service improvement" clause could not be confirmed to include or exclude uploaded photos, hence null rather than false.
// Security controls
Payment handling
Outsourced to Stripe; vendor does not store credit card information
profilepicture.aiData retention
Uploaded photos and generated models deleted within 24 hours per marketing FAQ; privacy policy states deletion within 7 days upon request or account deletion (inconsistency flagged)
profilepicture.aiSub-processor transparency
Publishes a named sub-processors list (Render, Google Cloud Platform, Postgres, Astria, Splitbee, Crisp, Bento, Hotjar, OpenAI, Stability AI, Cloudflare)
profilepicture.aiRefund / data-handling transparency
7-day refund window; support contact published (support@profilepicture.ai)
profilepicture.ai// Products & data scope
data: Single uploaded photo, used to generate stylized profile pictures for personal social-media use
Free entry-point product; same data-retention and sub-processor posture as the paid product per the shared privacy policy.
data: One or more uploaded photos, used to generate a larger gallery of photorealistic headshots; marketed to individuals and small teams ("corporate teams", "executive team" in testimonials)
Paid, one-time-purchase product ($ per photoshoot, not subscription per FAQ: "We charge upfront"). No evidence of a distinct enterprise/team data-handling tier or separate DPA for team use despite testimonial mentions of team/corporate use.
// What to watch
- No trust center and no third-party-audited certifications (SOC 2, ISO 27001, etc.) found anywhere on the vendor's domain; this is a small, self-funded, two-founder indie product (vendor's own FAQ: "We do not have any investors and built this project 100% independently"), which is consistent with startup maturity rather than a gap to penalize.
- GDPR compliance is self-declared in the privacy policy with no published DPA, no named DPO/EU representative, and no explicit legal-basis breakdown found on the site.
- Data-retention claims are inconsistent across vendor-owned pages: homepage FAQ says photos/models are deleted within 24 hours, while the privacy policy says data is deleted within 7 days upon request or account deletion. Could not fully reconcile from public pages; treat the shorter automatic-cleanup window and the longer request-based window as two different (undocumented) processes rather than a single confirmed number.
- Two legal entity names appear across vendor pages: "Postcrafts PTE LTD" (privacy policy) and "ProfilePicture.AI Inc." (terms & conditions). Could not fully resolve which is the contracting entity from public pages; do not conflate either name with an unrelated company of similar name.
- Relies on third-party AI sub-processors (OpenAI, Stability AI, Astria) for generation/training; those providers' own certifications belong to the sub-processor, not to ProfilePicture.AI, and should not be attributed to this vendor.
- HeadshotPro.com is cross-promoted on the ProfilePicture.AI homepage as a related product but is a separate site/listing; its trust posture must be assessed independently and not merged with this vendor's record.
// At a glance
Pricing model
One-time purchase per generation/photoshoot (no subscription mentioned; "We charge upfront so we don't have to sell your data")
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Postcrafts PTE LTD (operating as ProfilePicture.AI / PFP.AI)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
profilepicture.ai