// Trust & Security Report

    starryai, Inc. (STARRY AI LTD, UK) logo

    starryai, Inc. (STARRY AI LTD, UK)

    AI image generator with text-to-image, image enhancement, background removal, and upscaling capabilities. Available as web app and iOS/Android mobile app.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1 or 2)
    NOT CONFIRMED

    No public evidence of SOC 2 certification found on starryai.com or vendor's own security/compliance pages

    source: starryai.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on starryai.com

    source: starryai.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on starryai.com

    source: starryai.com
    ISO 27018 (Cloud PII)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on starryai.com

    source: starryai.com
    GDPR Compliance (Posture)
    NOT CONFIRMED

    Privacy policy references GDPR compliance but no formal GDPR certification held. Policy states 'comply with any applicable law and regulation' but lacks attestation or certification badge

    source: starryai.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA in privacy policy or public materials; no BAA or HIPAA compliance claimed

    source: starryai.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification. Payment processing handled by Stripe but vendor does not claim PCI DSS directly

    source: starryai.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    United States and European Union (face data stored in both regions per section 3.6)

    Vendor's own privacy policy (Section 3.2) lists a distinct purpose for face data: 'To improve the accuracy and quality of our image generation models' - i.e. the vendor reserves the right to use customer face data to improve its own models. Separately, third-party provider OpenAI is stated not to train on data submitted through its API (retained max 30 days for abuse monitoring). Face data is retained 7 days for uploaded images; raw account-saved images deleted within 30 days; account deletion cleanup within 90 days. Because the vendor's own model-improvement use of face data is not scoped or opt-out in the policy, trains_on_customer_data is treated as true pending clarification.

    // Security controls

    Encryption in transit

    Mentioned generally; all third-party transmissions explicitly stated as secure but no TLS version or cipher detail provided

    starryai.com

    Encryption at rest

    Industry-standard encryption applied to data at rest; no specific standard (AES-256, etc.) disclosed

    starryai.com

    Access controls

    Access restricted to personnel who require it to perform job functions; no zero-trust or role-based detail

    starryai.com

    Data retention (face data)

    Uploaded images retained max 7 days after delivery; processed feature data 30 days; account deletion cleanup 90 days

    starryai.com

    Third-party processors

    AWS, Cloudflare, OpenAI, Replicate, Google Cloud, Mixpanel, AppsFlyer, Intercom, Stripe contractually restricted from using data for their own purposes

    starryai.com

    // Products & data scope

    StarryAI Web AppAI Image Generator

    data: Text prompts, uploaded images, face data for likeness-based generation, usage logs, account data

    Free tier with daily credits (5 lumens = 25 images); paid tiers. Generates images via Replicate/OpenAI infrastructure. Face data explicitly handled with user consent.

    StarryAI Mobile App (iOS/Android)AI Image Generator

    data: Same as web app plus device identifiers (IDFA/GAID), analytics, mobile network info

    App Store and Google Play availability. Includes third-party analytics (Mixpanel, AppsFlyer) for attribution.

    // What to watch

    • No dedicated trust center or security documentation page found (404 on /security and /trust)
    • No published SOC 2, ISO 27001, or HIPAA certifications on vendor's domain
    • Third-party claim of 'SOC 2 compliance' found in external comparison site (topai.tools) but cannot be verified via vendor's domain or independent sources
    • Small company (2-10 employees) indicates startup/growth stage maturity despite millions of users
    • Privacy policy is comprehensive and detailed but does not reference formal compliance certifications
    • Face data handling is explicit and granular, suggesting privacy-first design, but no formal certification backing this posture
    • Privacy policy Section 3.2 reserves the right to use customer face data 'to improve the accuracy and quality of our image generation models' - a vendor-side model-training use that is not scoped or opt-out; trains_on_data set to true on this basis (distinct from third-party OpenAI, which does not train on API data)
    • No Data Processing Agreement (DPA) or GDPR addendum mentioned; GDPR compliance stated as general intent, not certified
    • UK-registered entity (STARRY AI LTD, 2019) but US-facing privacy policy (starryai, Inc.) - dual jurisdiction structure

    // At a glance

    Pricing model

    Freemium: free daily credits + paid lumens/subscriptions

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on starryai, Inc. (STARRY AI LTD, UK)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    starryai.com

    > Browse all vendor trust reports