Skip to content

Netlify

The short version: Netlify deploys and hosts your site; you keep ownership, and they say plainly they won't train AI on your code or content unless you opt in. Stored on US infrastructure — fine for most public-facing sites, worth a closer look if you're putting regulated personal data behind it.

Last verified: 2026-06-07 · Confidence: high on AI-training and ownership stance, medium on retention specifics.

Does it train AI on what you upload?

No — and they're unusually clear about it. Netlify's privacy policy states it "does not use Customer Content for artificial intelligence or machine learning model training, and does not allow others to do so." [confirmed] Their April 2026 stance post repeats it: "We don't sell your code or content. We don't use it to train AI models unless you explicitly opt in." [confirmed]

  • No setting to flip. Because it's no-by-default, there's nothing to turn off — opt-in would be a deliberate future choice on your part, and that feature doesn't exist yet. [confirmed]
  • AI features don't leak either. When Netlify wires in AI capabilities, it says it "use[s] API endpoints and vendors that do not feed your data back into model training." [confirmed]
  • They do read telemetry. Usage metrics and telemetry run the service and improve it — but "this never includes sharing or selling your IP for AI model training." [confirmed]

Can you delete it, and how long do they keep it?

You own your content — the agreement says you keep "all right, title and interest" in your data. [confirmed]

  • After you leave: Netlify keeps your data retrievable for 30 days post-termination, then "may, but is not obligated to, delete" it. So deletion isn't instant or guaranteed on a timer — plan to pull anything you need within the month. [confirmed]
  • Personal data: you can request erasure; they say it's deleted "after expiry of the applicable retention periods," but the policy doesn't name a specific number of days. [unclear] (privacy policy gives no fixed figure — checked 2026-06)
  • One honest caveat, on its own line: the self-serve agreement also grants Netlify the right to "use and analyze Customer Data to administer, improve, customize, enhance and develop its products" — broad, but the AI-training carve-out above is explicit and sits on top of it. [confirmed]

What enterprise changes

Less than with most hosts here — the good defaults already apply to free and self-serve accounts.

  • Data-processing agreement (DPA): "incorporated by reference in Netlify's terms and conditions," so it covers self-serve customers too, not just enterprise. [confirmed] Under it Netlify is your processor and won't sell personal data.
  • Enterprise adds a signed Master Subscription Agreement, SSO/SAML, role-based admin controls, and audit/support guarantees — operational and contractual, not a different stance on training. [estimate] (standard enterprise tier features — Netlify's plan pages, seen 2026-06-07)

Where is it stored? (matters under GDPR)

US-primary. Origin servers and the backing store sit on US AWS infrastructure; the global CDN just caches copies near visitors. [confirmed] (unofficial — Netlify support forum, seen 2026-06-07)

  • No EU-resident hosting tier. You can pick a region for serverless functions, but not for core site hosting or the origin store. [unclear] (no first-party data-residency control documented — checked 2026-06)
  • Transfers are covered legally: Netlify uses the EU Commission's Standard Contractual Clauses and self-certifies under the EU–U.S. / Swiss–U.S. Data Privacy Framework. [confirmed]
  • For a static public site this is a non-issue. If you're storing EU/UK personal data behind a form or function, weigh residency before committing.

Sources