Skip to content

Fly.io

Independent (Delaware C-corp, HQ Chicago). The host behind Deploy to Fly.

Short version: Fly runs your actual app — and, unlike a static host, often its database too — so what sits on their servers is your code plus whatever your app stores about its users. The reassuring part: Fly says plainly that the contents of your app belong to you, staff don't poke around inside without your consent, and there's no AI being fed your data. The one thing that genuinely sets Fly apart here is that you pick the region — you can keep an app and its database in Frankfurt, Amsterdam, London, Paris or Stockholm on any plan, no enterprise upgrade needed. The catch is that Fly is a US company, so US law can still reach data wherever it physically sits.

Last verified: 2026-06-07.

What it holds about you and your users

A static host holds files; Fly holds a running app, so the surface is larger:

  • Your app's contents are yours. Fly's stance is explicit: "We do not intentionally collect information that is stored in your applications... Information in your applications belongs to you." [confirmed]
  • Staff don't look inside. "fly.io employees do not access applications unless required to for security or maintenance, or for support reasons, with the consent of the application owner." [confirmed]
  • Your users' data lives here too. If your app has logins, a form, or a database (Fly Postgres, a volume), the emails and records it stores sit on Fly's infrastructure — that's your responsibility to handle lawfully, and the reason a DPA matters (below). [confirmed]
  • About your account, Fly keeps the usual: name, email, password, plus IP addresses and request metadata to run the service. [confirmed]

Does it train AI on what you upload?

Effectively no — Fly isn't in the model-training business, and there's no AI feature reading your app.

  • No training clause anywhere. Neither the privacy policy nor the terms mention training AI or ML models on customer apps or data — and the policy's "Information in your applications belongs to you" line sits the opposite way. There's no opt-out toggle because there's nothing to opt out of. [confirmed]
  • Honest gap: Fly never publishes an explicit "we will not train on your data" promise the way Netlify or Cloudflare do. The protection is the ownership + no-access language above, not a dedicated no-training warranty. [unclear] (no first-party no-training statement exists — checked 2026-06)
  • One broad clause to know: the terms let Fly "use Usage Data... in an aggregated and de-identified manner" to improve and market its services — operational telemetry, not your app's contents. [confirmed]

Keeping and deleting your data

  • While your account is live, Fly keeps your data "for as long as your account is active or as needed to provide you services." [confirmed]
  • Delete your account and Fly says "we will delete your full profile (within reason) within 30 days" and that "your account and any associated personal information will be permanently deleted from our records." [confirmed]
  • One caveat on its own line: Fly also reserves the right to "retain certain User Personal Information indefinitely, unless you delete it or request its deletion" — so for a clean wipe, delete the account rather than assuming a timer does it. [confirmed]
  • Keep your own backup. Fly tells you to export and back up your own data; a deleted volume or database is gone. [confirmed]

What a paid/enterprise plan changes

Fly is pay-as-you-go, not free-vs-paid in the usual sense, and the compliance paperwork isn't locked behind a sales call:

  • A signed data agreement (DPA) is available to anyone who asks — "pre-signed by Fly.io and... active when signed by the customer," for GDPR. You don't need an enterprise contract to get it. [confirmed]
  • HIPAA covered too. A Business Associate Agreement (BAA) is offered on the same request basis; Fly sells a Compliance add-on (BAA + SOC 2) at $99/month for regulated workloads. [confirmed]
  • Enterprise mainly adds custom resource configs, SLAs, and dedicated support — operational, not a different stance on your data. [estimate] (positioned as "Enterprise-Ready" for SLA/custom needs — Fly plans page, seen 2026-06-07)

Where your data is stored (EU / UK / US)

This is where Fly is unusually friendly for GDPR — with one structural asterisk.

  • You choose the region, on any plan. Set primary_region in your app config to keep it (and its database) in Europe — Frankfurt (fra), Amsterdam (ams), Paris (cdg), Stockholm (arn), or London (lhr). No enterprise tier required, unlike GitHub, Vercel, or Cloudflare where EU pinning is a paid feature. [confirmed] (Fly regions)
  • Default storage is the US. Fly's own records about your account "will be stored and processed in the United States"; pinning the app to the EU doesn't move Fly's account-level data. [confirmed]
  • The asterisk: Fly is a US company, so under US law (the CLOUD Act) authorities could compel data Fly holds regardless of where the server physically is. Region selection controls where the bytes sit, not whose law reaches them. [estimate] (Fly is a Delaware C-corp; CLOUD Act applies to US providers — checked 2026-06)
  • Transfers are covered legally: Fly self-certifies under the EU–U.S., UK Extension, and Swiss–U.S. Data Privacy Framework, and uses Standard Contractual Clauses with subprocessors. [confirmed]

For a public demo or a hobby app this is all fine. If you're storing EU/UK personal data, pin the region to Europe, request the DPA, and you're on solid ground.

Sources