// Trust & Security Report
starryai, Inc. (STARRY AI LTD, UK)
AI image generator with text-to-image, image enhancement, background removal, and upscaling capabilities. Available as web app and iOS/Android mobile app.
Certifications held
0
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 7 unconfirmed / not-held certifications
source: starryai.comNo public evidence of SOC 2 certification found on starryai.com or vendor's own security/compliance pages
source: starryai.comNo public evidence of ISO 27001 certification found on starryai.com
source: starryai.comNo public evidence of ISO 27017 certification found on starryai.com
source: starryai.comNo public evidence of ISO 27018 certification found on starryai.com
source: starryai.comPrivacy policy references GDPR compliance but no formal GDPR certification held. Policy states 'comply with any applicable law and regulation' but lacks attestation or certification badge
source: starryai.comNo mention of HIPAA in privacy policy or public materials; no BAA or HIPAA compliance claimed
source: starryai.comNo public evidence of PCI DSS certification. Payment processing handled by Stripe but vendor does not claim PCI DSS directly
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States and European Union (face data stored in both regions per section 3.6)
Vendor's own privacy policy (Section 3.2) lists a distinct purpose for face data: 'To improve the accuracy and quality of our image generation models' - i.e. the vendor reserves the right to use customer face data to improve its own models. Separately, third-party provider OpenAI is stated not to train on data submitted through its API (retained max 30 days for abuse monitoring). Face data is retained 7 days for uploaded images; raw account-saved images deleted within 30 days; account deletion cleanup within 90 days. Because the vendor's own model-improvement use of face data is not scoped or opt-out in the policy, trains_on_customer_data is treated as true pending clarification.
// Security controls
Encryption in transit
Mentioned generally; all third-party transmissions explicitly stated as secure but no TLS version or cipher detail provided
starryai.comEncryption at rest
Industry-standard encryption applied to data at rest; no specific standard (AES-256, etc.) disclosed
starryai.comAccess controls
Access restricted to personnel who require it to perform job functions; no zero-trust or role-based detail
starryai.comData retention (face data)
Uploaded images retained max 7 days after delivery; processed feature data 30 days; account deletion cleanup 90 days
starryai.comThird-party processors
AWS, Cloudflare, OpenAI, Replicate, Google Cloud, Mixpanel, AppsFlyer, Intercom, Stripe contractually restricted from using data for their own purposes
starryai.com// Products & data scope
data: Text prompts, uploaded images, face data for likeness-based generation, usage logs, account data
Free tier with daily credits (5 lumens = 25 images); paid tiers. Generates images via Replicate/OpenAI infrastructure. Face data explicitly handled with user consent.
data: Same as web app plus device identifiers (IDFA/GAID), analytics, mobile network info
App Store and Google Play availability. Includes third-party analytics (Mixpanel, AppsFlyer) for attribution.
// What to watch
- No dedicated trust center or security documentation page found (404 on /security and /trust)
- No published SOC 2, ISO 27001, or HIPAA certifications on vendor's domain
- Third-party claim of 'SOC 2 compliance' found in external comparison site (topai.tools) but cannot be verified via vendor's domain or independent sources
- Small company (2-10 employees) indicates startup/growth stage maturity despite millions of users
- Privacy policy is comprehensive and detailed but does not reference formal compliance certifications
- Face data handling is explicit and granular, suggesting privacy-first design, but no formal certification backing this posture
- Privacy policy Section 3.2 reserves the right to use customer face data 'to improve the accuracy and quality of our image generation models' - a vendor-side model-training use that is not scoped or opt-out; trains_on_data set to true on this basis (distinct from third-party OpenAI, which does not train on API data)
- No Data Processing Agreement (DPA) or GDPR addendum mentioned; GDPR compliance stated as general intent, not certified
- UK-registered entity (STARRY AI LTD, 2019) but US-facing privacy policy (starryai, Inc.) - dual jurisdiction structure
// At a glance
Pricing model
Freemium: free daily credits + paid lumens/subscriptions
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on starryai, Inc. (STARRY AI LTD, UK)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
starryai.com