PhotoCAD
Convert
ArchitectureIndustrial DesignFashion DesignPatent DrawingsDigital FabricationHeritage & ArchaeologyIllustration
GalleryAPIPricing
Log in

Trust & Data Security

Last updated: Jul 18, 2026

You upload images to PhotoCAD to turn them into CAD-ready vector files. Those images are often unreleased products, unpublished designs, or client work. This page explains exactly what happens to them — what we do, what our providers do, and what we deliberately do not do.

What we promise

  • We never train AI models on your content — and neither do any of our providers.
  • Your images and results live in a private, encrypted bucket. No other user can see them.
  • Deleting a conversion permanently destroys its content within 30 days — within 48 hours on Stealth accounts, which also auto-delete everything on a schedule you control.
  • Your images are processed by machines, end to end. Admin access is limited, purposeful, and — for Stealth accounts — off by default and logged when used.

No AI training

PhotoCAD never trains AI models on your images or your results — and neither do any of our providers. Their commercial terms prohibit using customer content, inputs or outputs, to train or improve their models. These are contractual commitments, not marketing statements.

We do not name our AI providers publicly — which providers we use, and how, is part of how PhotoCAD works. For enterprise agreements, we can disclose the full list with their data terms under NDA.

Deleted means deleted

Your originals and results are stored in a private bucket, encrypted at rest (AES-256) and in transit (TLS). Access is scoped to your account.

Standard accountsStealth accounts
While you keep a conversionStored until you delete it — re-download anytimeAuto-deleted after 30 days by default (configurable). Pin individual drawings to keep them longer.
When you delete a conversionContent permanently destroyed within 30 daysContent permanently destroyed within 48 hours

“Permanently destroyed” means the image files and vector geometry are deleted from live systems and are not recoverable — image files are never included in database backups, so there is no backup copy to linger. What remains is the billing record only: the drawing’s title, dates, credit charges, and processing timings — nothing that contains or can reconstruct your image. Database records may persist in encrypted backups for up to 7 days before those backups expire.

Where your data lives

Stored data (database and files) is hosted on Supabase infrastructure in the United States (AWS us-east-2). AI processing runs on US-based providers whose global infrastructure may process a given conversion in other regions. All transfers are encrypted in transit. For UK/EU customers, international transfers are covered by our providers’ data processing agreements and standard contractual clauses.

Security

  • Encryption everywhere. TLS 1.2+ for every transfer, AES-256 at rest. Storage URLs are signed and expire within 1 hour.
  • Certified infrastructure. Every layer your data touches is independently certified: Supabase (SOC 2 Type II, on AWS), Vercel (SOC 2 Type II), and Stripe (PCI DSS Level 1).
  • No passwords to steal. Sign-in is by single-use, expiring magic link — we never store a password that could be leaked or cracked.
  • Card data never touches our servers. Payments are handled entirely by Stripe.
  • Found a vulnerability? Email security@photocad.ai. Reports are triaged on receipt and fixes take priority over all feature work.

Who can see your images

  • No other user. Content is private to your account, enforced at the database layer (row-level security) and the storage layer (signed, expiring URLs).
  • Machines, not people. Your images are processed entirely by automated systems. Nobody at PhotoCAD reviews them in normal operation, and our providers’ terms restrict access to customer content.
  • Admin access is limited and purposeful: support, quality diagnostics (understanding failed or poor conversions to improve the service), and abuse investigation. For Stealth accounts it is excluded by default — your content does not appear in any admin view, and any deliberate access requires an explicit “break-glass” step that is logged with a timestamp.

Sub-processors

These are the services that touch your data, and what each one does. Our AI providers are disclosed under NDA as part of enterprise agreements; our infrastructure providers are public.

ProviderRoleData terms
AI providersImage conversion (disclosed under NDA)Contractual no-training terms; DPAs in place; independently certified (SOC 2 / ISO 27001)
SupabaseDatabase, file storage, authentication (AWS us-east-2)DPA — SOC 2 Type II certified
VercelApplication hosting and computeDPA — SOC 2 Type II certified
StripePayments (never sees image content)DPA — PCI DSS Level 1

Stealth accounts

For patent work, unreleased products, and client-confidential material, Stealth Mode changes how the pipeline itself behaves:

  • Processing is pinned to the contractual no-training chain — if it fails, the conversion fails cleanly (with the credit refunded) rather than route anywhere else.
  • Everything auto-deletes after 30 days by default (configurable per account), with per-drawing pinning when you need to keep something.
  • Deleted content is destroyed within 48 hours.
  • Your content is excluded from all admin views; any access requires a logged break-glass step.
  • An NDA is included as part of Stealth agreements.

Contact us about enabling Stealth Mode on your account.

What we do not claim

Trust pages fail when they overpromise, so, plainly: we are a small company and we do not hold SOC 2 or ISO 27001 certification ourselves — our infrastructure providers do (see Security above), and certification is on our roadmap as the business grows. We do not claim “zero retention” — the billing records and bounded backup windows above are the honest shape of it, and none of it contains your images.

Changes

If we materially change anything on this page — how or where your content is processed, a longer retention window, a weaker guarantee — we will give at least 30 days’ notice by email to affected accounts.

Questions about any of this? Email support@photocad.ai. We complete security questionnaires and vendor review forms for business customers.

PhotoCAD

Convert photos to CAD-ready vector files. DXF and SVG for manufacturing, CNC and architectural drawings.

Product

  • Gallery
  • Projects
  • Pricing
  • Convert
  • API
  • How it works

Solutions

  • Architecture
  • Industrial Design
  • Fashion Design
  • Patent Drawings
  • Digital Fabrication
  • Heritage & Archaeology
  • Illustration
  • Laser Cutting
  • Vinyl Cutting
  • CNC Routing
  • Plasma & Metal Art

Converters

  • Image to DXF
  • Sketch to CAD
  • Image to CAD
  • Signature to Vector
  • Logo to Vector
  • Raster to Vector
  • Trace Photo to Vector

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • License
  • Trust & Security

© 2026 PhotoCAD. All rights reserved.