// Trust & Security Report
UX Pilot Inc.
AI UX/UI design generation (wireframes, hi-fi screens, design-to-code, Figma plugin)
Certifications held
6
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on uxpilot.ai“For users in the European Union, we process personal data in accordance with GDPR requirements. In addition to the rights already mentioned, you have: Right to restrict processing... Right to object... Right to withdraw consent... Right to lodge a complaint with a supervisory authority”
Verify on uxpilot.ai“If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including: Right to know what personal information is collected... Right to delete personal information...”
Verify on security-profiles.nudgesecurity.com“No SOC 2 claim appears on UX Pilot's own site. Their /enterprise page only offers 'Security, SSO, and compliance answers' during a booked demo (confirmed by direct fetch of uxpilot.ai/enterprise on 2026-06-27: no certification language present). A third-party aggregator (Nudge Security) lists 'SOC 2 Compliant' but this is not vendor-attested evidence and the same aggregator lists 7 conflicting certs, so it is not treated as proof.”
Verify on security-profiles.nudgesecurity.com“Not claimed on any uxpilot.ai page. Only surfaced via the Nudge Security aggregator profile, which is not vendor-domain proof.”
Verify on uxpilot.ai“Not claimed on uxpilot.ai. Aggregator listing only; no BAA or HIPAA language exists in their published privacy policy or terms.”
Verify on security-profiles.nudgesecurity.com“Not claimed anywhere on the vendor's own domain. Listed only by the Nudge Security aggregator, which is unreliable here (it marks the vendor compliant with nearly every framework simultaneously).”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
United States
Terms of Service section 13 (Data Usage and AI Training): 'we may use anonymized usage data (such as clicks, navigation patterns, and UX interaction metrics) to improve our Services... We do not train our AI models using your generated designs or any confidential information.' So: model training on your generated designs = NO; anonymized product-usage telemetry = YES (opt-in by use). Note the platform integrates third-party AI/LLM providers for generation, and the privacy policy permits sharing data with service providers and using third-party advertising/tracking cookies.
// Security controls
Encryption in transit
Claimed: 'any information collected through our websites or over the Internet is transmitted using current industry-standard security and/or encryption methods'. No specific cipher/at-rest detail published.
uxpilot.aiBreach notification
Claimed: 'If a security breach causes an unauthorized intrusion into our system that materially affects your Personal Data, then we will notify you as soon as possible'.
uxpilot.aiData retention / deletion
On account deletion, data deleted or anonymized within 90 days, subject to legal/fraud retention exceptions. Right to erasure, access, rectification, portability honored within 30 days.
uxpilot.aiBug bounty program
None found. No HackerOne/Bugcrowd presence. Terms actively prohibit users from 'Attempting to probe, scan, or test the vulnerability of our system or network'.
uxpilot.aiSSO / enterprise auth
Enterprise tier advertises SSO (uxpilot.ai/enterprise lists 'Security, SSO, and compliance answers' as a demo topic). Aggregator profile lists Okta, Google, and Microsoft login support; not independently confirmed on vendor's own domain.
security-profiles.nudgesecurity.comData subprocessors / stack
Per aggregator profile (not vendor-published): Stripe, Vercel, Firebase, Google Analytics/Workspace/Tag Manager, Crisp. Vendor's own privacy policy confirms use of third-party service providers and advertising partners but does not publish a subprocessor list.
security-profiles.nudgesecurity.com// Products & data scope
data: Free plan: personal non-commercial use only. Collects name, email, IP, usage telemetry. Designs not used for model training.
45 free credits, no card required. 1M+ users claimed.
data: Same data handling as free; adds commercial usage license for generated designs. Credits roll over with active subscription.
Commercial use rights granted to paid tiers.
data: Team collaboration; same underlying privacy/AI-training stance. No team-specific DPA published.
Marketed separately from Enterprise.
data: Security, SSO, and compliance details provided only via booked demo, not published. Likely DPA/SSO available on request but unverified.
Sales-led; 'Book a Demo'. No public security/compliance documentation.
data: Two-way Figma sync and GitHub code export; api.uxpilot.ai endpoint. Privacy policy explicitly covers Figma plugins. Imported Figma components and design systems are processed.
Connects to user's Figma and GitHub repositories.
// What to watch
- No vendor-published trust center or security/compliance page; enterprise security answers are gated behind a sales demo.
- CONFLICT: third-party aggregator (Nudge Security) lists SOC 2, ISO 27001, HIPAA, PCI, FedRAMP, and CSA STAR as 'Compliant', but UX Pilot publishes ZERO of these on its own domain. Treat aggregator claims as unverified marketing-style data, not evidence. Do not display these as held certifications.
- No bug bounty and no disclosed penetration testing; terms explicitly forbid security probing/scanning by users.
- Privacy policy permits broad third-party data sharing, targeted advertising cookies, and acquisition of data from third-party/public sources; honors Do-Not-Track is NOT guaranteed.
- Generated designs are NOT used for AI model training (good), but anonymized usage telemetry is used and the product relies on external LLM providers for generation.
- No published DPA; US-only data residency may not satisfy EU data-localization requirements despite stated GDPR posture.
// At a glance
Pricing model
Freemium + subscription (Free with 45 credits, Standard, Pro, Teams, Enterprise sales-led)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on UX Pilot Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
uxpilot.ai