Trust & Data Security
Last updated: Jul 18, 2026
You upload images to PhotoCAD to turn them into CAD-ready vector files. Those images are often unreleased products, unpublished designs, or client work. This page explains exactly what happens to them — what we do, what our providers do, and what we deliberately do not do.
What we promise
- We never train AI models on your content — and neither do any of our providers.
- Your images and results live in a private, encrypted bucket. No other user can see them.
- Deleting a conversion permanently destroys its content within 30 days — within 48 hours on Stealth accounts, which also auto-delete everything on a schedule you control.
- Your images are processed by machines, end to end. Admin access is limited, purposeful, and — for Stealth accounts — off by default and logged when used.
No AI training
PhotoCAD never trains AI models on your images or your results — and neither do any of our providers. Their commercial terms prohibit using customer content, inputs or outputs, to train or improve their models. These are contractual commitments, not marketing statements.
We do not name our AI providers publicly — which providers we use, and how, is part of how PhotoCAD works. For enterprise agreements, we can disclose the full list with their data terms under NDA.
Deleted means deleted
Your originals and results are stored in a private bucket, encrypted at rest (AES-256) and in transit (TLS). Access is scoped to your account.
| Standard accounts | Stealth accounts | |
|---|---|---|
| While you keep a conversion | Stored until you delete it — re-download anytime | Auto-deleted after 30 days by default (configurable). Pin individual drawings to keep them longer. |
| When you delete a conversion | Content permanently destroyed within 30 days | Content permanently destroyed within 48 hours |
“Permanently destroyed” means the image files and vector geometry are deleted from live systems and are not recoverable — image files are never included in database backups, so there is no backup copy to linger. What remains is the billing record only: the drawing’s title, dates, credit charges, and processing timings — nothing that contains or can reconstruct your image. Database records may persist in encrypted backups for up to 7 days before those backups expire.
Where your data lives
Stored data (database and files) is hosted on Supabase infrastructure in the United States (AWS us-east-2). AI processing runs on US-based providers whose global infrastructure may process a given conversion in other regions. All transfers are encrypted in transit. For UK/EU customers, international transfers are covered by our providers’ data processing agreements and standard contractual clauses.
Security
- Encryption everywhere. TLS 1.2+ for every transfer, AES-256 at rest. Storage URLs are signed and expire within 1 hour.
- Certified infrastructure. Every layer your data touches is independently certified: Supabase (SOC 2 Type II, on AWS), Vercel (SOC 2 Type II), and Stripe (PCI DSS Level 1).
- No passwords to steal. Sign-in is by single-use, expiring magic link — we never store a password that could be leaked or cracked.
- Card data never touches our servers. Payments are handled entirely by Stripe.
- Found a vulnerability? Email security@photocad.ai. Reports are triaged on receipt and fixes take priority over all feature work.
Who can see your images
- No other user. Content is private to your account, enforced at the database layer (row-level security) and the storage layer (signed, expiring URLs).
- Machines, not people. Your images are processed entirely by automated systems. Nobody at PhotoCAD reviews them in normal operation, and our providers’ terms restrict access to customer content.
- Admin access is limited and purposeful: support, quality diagnostics (understanding failed or poor conversions to improve the service), and abuse investigation. For Stealth accounts it is excluded by default — your content does not appear in any admin view, and any deliberate access requires an explicit “break-glass” step that is logged with a timestamp.
Sub-processors
These are the services that touch your data, and what each one does. Our AI providers are disclosed under NDA as part of enterprise agreements; our infrastructure providers are public.
| Provider | Role | Data terms |
|---|---|---|
| AI providers | Image conversion (disclosed under NDA) | Contractual no-training terms; DPAs in place; independently certified (SOC 2 / ISO 27001) |
| Supabase | Database, file storage, authentication (AWS us-east-2) | DPA — SOC 2 Type II certified |
| Vercel | Application hosting and compute | DPA — SOC 2 Type II certified |
| Stripe | Payments (never sees image content) | DPA — PCI DSS Level 1 |
Stealth accounts
For patent work, unreleased products, and client-confidential material, Stealth Mode changes how the pipeline itself behaves:
- Processing is pinned to the contractual no-training chain — if it fails, the conversion fails cleanly (with the credit refunded) rather than route anywhere else.
- Everything auto-deletes after 30 days by default (configurable per account), with per-drawing pinning when you need to keep something.
- Deleted content is destroyed within 48 hours.
- Your content is excluded from all admin views; any access requires a logged break-glass step.
- An NDA is included as part of Stealth agreements.
Contact us about enabling Stealth Mode on your account.
What we do not claim
Trust pages fail when they overpromise, so, plainly: we are a small company and we do not hold SOC 2 or ISO 27001 certification ourselves — our infrastructure providers do (see Security above), and certification is on our roadmap as the business grows. We do not claim “zero retention” — the billing records and bounded backup windows above are the honest shape of it, and none of it contains your images.
Changes
If we materially change anything on this page — how or where your content is processed, a longer retention window, a weaker guarantee — we will give at least 30 days’ notice by email to affected accounts.
Questions about any of this? Email support@photocad.ai. We complete security questionnaires and vendor review forms for business customers.