// Trust & Security Report

    UX Pilot Inc. logo

    UX Pilot Inc.

    AI UX/UI design generation (wireframes, hi-fi screens, design-to-code, Figma plugin)

    Certifications held

    6

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture, not a certification)
    HELD

    For users in the European Union, we process personal data in accordance with GDPR requirements. In addition to the rights already mentioned, you have: Right to restrict processing... Right to object... Right to withdraw consent... Right to lodge a complaint with a supervisory authority

    Verify on uxpilot.ai
    CCPA (California, posture)
    HELD

    If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including: Right to know what personal information is collected... Right to delete personal information...

    Verify on uxpilot.ai
    SOC 2
    HELD

    No SOC 2 claim appears on UX Pilot's own site. Their /enterprise page only offers 'Security, SSO, and compliance answers' during a booked demo (confirmed by direct fetch of uxpilot.ai/enterprise on 2026-06-27: no certification language present). A third-party aggregator (Nudge Security) lists 'SOC 2 Compliant' but this is not vendor-attested evidence and the same aggregator lists 7 conflicting certs, so it is not treated as proof.

    Verify on security-profiles.nudgesecurity.com
    ISO 27001
    HELD

    Not claimed on any uxpilot.ai page. Only surfaced via the Nudge Security aggregator profile, which is not vendor-domain proof.

    Verify on security-profiles.nudgesecurity.com
    HIPAA
    HELD

    Not claimed on uxpilot.ai. Aggregator listing only; no BAA or HIPAA language exists in their published privacy policy or terms.

    Verify on uxpilot.ai
    PCI DSS / FedRAMP / CSA STAR
    HELD

    Not claimed anywhere on the vendor's own domain. Listed only by the Nudge Security aggregator, which is unreliable here (it marks the vendor compliant with nearly every framework simultaneously).

    Verify on security-profiles.nudgesecurity.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    United States

    Terms of Service section 13 (Data Usage and AI Training): 'we may use anonymized usage data (such as clicks, navigation patterns, and UX interaction metrics) to improve our Services... We do not train our AI models using your generated designs or any confidential information.' So: model training on your generated designs = NO; anonymized product-usage telemetry = YES (opt-in by use). Note the platform integrates third-party AI/LLM providers for generation, and the privacy policy permits sharing data with service providers and using third-party advertising/tracking cookies.

    // Security controls

    Encryption in transit

    Claimed: 'any information collected through our websites or over the Internet is transmitted using current industry-standard security and/or encryption methods'. No specific cipher/at-rest detail published.

    uxpilot.ai

    Breach notification

    Claimed: 'If a security breach causes an unauthorized intrusion into our system that materially affects your Personal Data, then we will notify you as soon as possible'.

    uxpilot.ai

    Data retention / deletion

    On account deletion, data deleted or anonymized within 90 days, subject to legal/fraud retention exceptions. Right to erasure, access, rectification, portability honored within 30 days.

    uxpilot.ai

    Bug bounty program

    None found. No HackerOne/Bugcrowd presence. Terms actively prohibit users from 'Attempting to probe, scan, or test the vulnerability of our system or network'.

    uxpilot.ai

    Penetration testing

    Not disclosed on any vendor page.

    uxpilot.ai

    SSO / enterprise auth

    Enterprise tier advertises SSO (uxpilot.ai/enterprise lists 'Security, SSO, and compliance answers' as a demo topic). Aggregator profile lists Okta, Google, and Microsoft login support; not independently confirmed on vendor's own domain.

    security-profiles.nudgesecurity.com

    Data subprocessors / stack

    Per aggregator profile (not vendor-published): Stripe, Vercel, Firebase, Google Analytics/Workspace/Tag Manager, Crisp. Vendor's own privacy policy confirms use of third-party service providers and advertising partners but does not publish a subprocessor list.

    security-profiles.nudgesecurity.com

    // Products & data scope

    UX Pilot (web app, individual / Free)AI design generation

    data: Free plan: personal non-commercial use only. Collects name, email, IP, usage telemetry. Designs not used for model training.

    45 free credits, no card required. 1M+ users claimed.

    UX Pilot Standard / Pro (paid individual)AI design generation

    data: Same data handling as free; adds commercial usage license for generated designs. Credits roll over with active subscription.

    Commercial use rights granted to paid tiers.

    UX Pilot TeamsCollaboration / team workspace

    data: Team collaboration; same underlying privacy/AI-training stance. No team-specific DPA published.

    Marketed separately from Enterprise.

    UX Pilot EnterpriseEnterprise design platform

    data: Security, SSO, and compliance details provided only via booked demo, not published. Likely DPA/SSO available on request but unverified.

    Sales-led; 'Book a Demo'. No public security/compliance documentation.

    Figma plugin (Nodey AI Design Agent) + APIFigma integration / API

    data: Two-way Figma sync and GitHub code export; api.uxpilot.ai endpoint. Privacy policy explicitly covers Figma plugins. Imported Figma components and design systems are processed.

    Connects to user's Figma and GitHub repositories.

    // What to watch

    • No vendor-published trust center or security/compliance page; enterprise security answers are gated behind a sales demo.
    • CONFLICT: third-party aggregator (Nudge Security) lists SOC 2, ISO 27001, HIPAA, PCI, FedRAMP, and CSA STAR as 'Compliant', but UX Pilot publishes ZERO of these on its own domain. Treat aggregator claims as unverified marketing-style data, not evidence. Do not display these as held certifications.
    • No bug bounty and no disclosed penetration testing; terms explicitly forbid security probing/scanning by users.
    • Privacy policy permits broad third-party data sharing, targeted advertising cookies, and acquisition of data from third-party/public sources; honors Do-Not-Track is NOT guaranteed.
    • Generated designs are NOT used for AI model training (good), but anonymized usage telemetry is used and the product relies on external LLM providers for generation.
    • No published DPA; US-only data residency may not satisfy EU data-localization requirements despite stated GDPR posture.

    // At a glance

    Pricing model

    Freemium + subscription (Free with 45 credits, Standard, Pro, Teams, Enterprise sales-led)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on UX Pilot Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    uxpilot.ai

    > Browse all vendor trust reports