// Trust & Security Report

    AI Creativity S.r.l. (a Bending Spoons company) logo

    AI Creativity S.r.l. (a Bending Spoons company)

    Remini is a consumer AI photo/video enhancement app (unblur, denoise, face enhance, old-photo restoration, up to 2x upscaling) plus an "AI Photos" generative avatar feature and a video enhancer, available via web (app.remini.ai), iOS, and Android. Operated by AI Creativity S.r.l. (Milan, Italy), wholly owned and managed/coordinated by Bending Spoons S.p.A., which also handles privacy/legal/compliance centrally for the app portfolio. No distinct team/enterprise/API tier was found publicly.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture)
    HELD

    "The Data Controller is Bending Spoons S.p.A., based in Via Nino Bonnet 10, 20154 Milan, Italy" with a named Data Protection Officer and data-subject rights described under "Regulation (EU) 2016/679"; international transfers rely on "the standard contractual clauses developed by the European Commission."

    Verify on app.remini.ai
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. No trust center, SOC 2 badge, or SOC 2 report reference found on remini.ai, app.remini.ai, or support.bendingspoons.com/compliance.

    source: support.bendingspoons.com
    ISO/IEC 27001
    NOT CONFIRMED

    No public evidence. The Bending Spoons compliance page lists only a Modern Slavery Statement, Organizational Management/Control Model, Code of Ethics, and whistleblowing policy — no ISO 27001 certificate or scope statement.

    source: support.bendingspoons.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Remini is a consumer photo/video tool with no BAA, healthcare-specific terms, or HIPAA language anywhere on the vendor's own domains; not applicable to this product.

    source: app.remini.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence on vendor domains. Payment processing (App Store/Play Store/web billing) is handled by third-party processors; no PCI attestation published by Remini/AI Creativity/Bending Spoons.

    source: support.bendingspoons.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence found on any vendor-owned page.

    source: support.bendingspoons.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. No AI-governance certification is referenced on remini.ai, app.remini.ai, or the Bending Spoons compliance page.

    source: support.bendingspoons.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on vendor domains.

    source: support.bendingspoons.com
    FedRAMP
    NOT CONFIRMED

    No public evidence; not applicable — Remini is a consumer product with no U.S. government offering referenced anywhere on its own domains.

    source: support.bendingspoons.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    EU-based controller (Bending Spoons S.p.A. / AI Creativity S.r.l., Milan, Italy); data may be transferred outside the EEA/UK/Switzerland under EU Standard Contractual Clauses. No dedicated EU-only or U.S.-only data-residency option is published.

    Vendor policy states training use is opt-in only: "in limited cases, (v) user-provided images where users have explicitly opted in to model training" (app.remini.ai). A separate press/search summary of the same policy corroborates: "user images aren't used to train AI technologies unless users explicitly opt in." Retention language differs slightly across vendor pages (web app: "deleted from our servers after 1 day" / "after 15 days" for the web app vs. a subscription-tier plan page reportedly citing 7/20-day windows and a 2-year outer limit) — flagged below as an unresolved cross-page inconsistency likely reflecting different product surfaces (free web tool vs. AI Photos/subscription feature) rather than a single unified retention policy.

    // Security controls

    Encryption / data protection measures

    "We adopt technical and organizational measures designed to prevent the loss, improper use and alteration of your personal data. In some cases, we may also adopt data encryption and pseudonymization measures." (Not tied to a certified ISMS or independently audited standard.)

    app.remini.ai

    Face data use restriction

    Vendor states face data is used only to enhance photos/videos and generate requested AI images, and "in no instance does Remini process face data to identify or authenticate people in images or videos."

    app.remini.ai

    Upload retention (web app)

    "Images, videos and audio-recordings uploaded to the web app are deleted from our servers after 1 day" (up to 15 days if needed for a requested feature).

    app.remini.ai

    International transfer safeguards

    Transfers outside the EEA/UK/Switzerland rely on "the standard contractual clauses developed by the European Commission."

    app.remini.ai

    Independent third-party audit / certification

    None published. No trust center, SOC 2 report, or ISO certificate is hosted on any Remini or Bending Spoons domain as of this review.

    support.bendingspoons.com

    // Products & data scope

    Remini Photo & Video Enhancer (mobile + web)Consumer AI image/video enhancement

    data: User-uploaded photos/videos and derived face data; short server retention (1–15 days per current web-app policy) unless a feature requires longer processing.

    Primary product; 100M+ monthly active users per vendor homepage. Free tier with ads plus paid subscription.

    Remini AI Photos (generative avatars)Consumer generative AI

    data: User-submitted reference photos used to generate stylized AI images of the user; training use is opt-in only per privacy policy.

    Distinct feature/flow from the core enhancer; a subscription plan management page (yourplan.remini.ai) suggests separate/longer retention windows for this feature, which could not be fully reconciled with the main web-app privacy policy — see flags.

    Enterprise / API tierNot confirmed

    data: n/a

    A developer.remini.ai subdomain surfaced in search results (referencing a hosted privacy-policy PDF) but did not resolve live during this review, so no enterprise/API/business offering, terms, or security posture could be independently verified. Treat as unconfirmed, not as evidence of a B2B product.

    // What to watch

    • No trust center or third-party audited certification (SOC 2, ISO 27001, HIPAA, PCI, ISO 42001, CSA STAR, FedRAMP) found on any vendor-owned domain (remini.ai, app.remini.ai, support.bendingspoons.com) despite searching; graded held=false across the board rather than assumed.
    • Over-claim risk found in third-party research: a third-party "security profile" directory (nudgesecurity.com, not a vendor-owned source) lists Remini as simultaneously 'PCI Compliant, HIPAA Compliant, SOC 2 Compliant, GDPR Compliant, ISO 27001 Compliant, FedRAMP Compliant, and CSA Star Level 1 Compliant' with no methodology, verification link, or supporting evidence disclosed. This is almost certainly an auto-generated/template badge list, not a verified fact, and should NOT be used as a source for AIFOXX's listing.
    • Identity/controller ambiguity: the remini.ai homepage footer names 'AI Creativity S.r.l.' (Milan) as the copyright holder and operating entity, 'subject to the management and coordination of Bending Spoons S.p.A.', while the app.remini.ai privacy policy names 'Bending Spoons S.p.A.' directly as the Data Controller. This likely reflects Bending Spoons centralizing privacy operations across its app portfolio (it also owns Evernote, WeTransfer, Meetup, Splice, etc.) rather than a conflation error, but the exact legal-entity relationship for contracting purposes is not fully clear from public pages alone.
    • Retention-period inconsistency across vendor pages: the current app.remini.ai privacy policy states uploads are deleted after 1 day (up to 15 days), while other vendor-linked material (a subscription plan/terms page) reportedly describes 7-day/20-day windows and a 2-year outer deletion limit for AI Photos. Could not fully reconcile whether this is a stale document, a per-feature difference, or a versioning gap; treat retention claims as feature-specific, not universal.
    • Do not confuse with 'Rimini Street' (NASDAQ: RMNI), an unrelated enterprise software support company that does hold ISO 27001/ISO 9001 — search noise conflated the two names; none of Rimini Street's certifications apply to Remini/AI Creativity S.r.l.

    // At a glance

    Pricing model

    Freemium consumer subscription (free with ads/limited enhancements; paid subscription for full-resolution, ad-free, and AI Photos access)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on AI Creativity S.r.l. (a Bending Spoons company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    app.remini.ai

    > Browse all vendor trust reports