Skip to content

Cloudflare

Independent (NYSE: NET). The host behind Cloudflare Pages.

Short version: One of the easier hosts to feel good about here. Cloudflare's written line is unusually plain — it does not train AI on the content you put on it, and unlike some hosts there's no default-on switch to remember, because the no-training stance is the baseline for everyone. The files you push to Pages sit on Cloudflare's network; staff don't mine them, and you can delete them. The fine print worth knowing is about where data lives, which only matters if a grant or DPA pins you to the EU/UK.

Last verified: 2026-06-07.

Does it train AI on what you upload?

No — and there's no toggle to hunt for, because it's not opt-out, it's just off:

  • Your content: not used for training. Cloudflare's own statement is direct: "we do not use our customers' content to train any LLMs," and it won't use Customer Content to train its machine-learning products "without customer consent." [confirmed]
  • Cloudflare doesn't train LLMs at all. "we do not train large language models (LLMs)" — so there's no model being fed your site's files in the background. [confirmed]
  • Even its AI product (Workers AI) doesn't learn from you. If you ever wire up Cloudflare's AI features, the same line holds: it "does not use your Customer Content to (1) train any AI models made available on Workers AI or (2) improve any Cloudflare or third-party services." [confirmed]

For deploying a website, you're not using any AI feature anyway — the point is just that the host behind your site isn't quietly mining it. No setting to change.

Keeping and deleting your data

  • While your project is live, Cloudflare keeps your files — that's what a host does. [confirmed]
  • Delete a project (or your account) and the data goes. Cloudflare's policy: "When the data retention period expires for a given type of data, we will delete or destroy it." You can also send a deletion request — "You can ask us to delete the Personal Information that we have collected from you," by emailing sar@cloudflare.com, answered within 30 days. [confirmed]
  • Traffic logs are short-lived by design. Edge access logs are dropped within hours rather than kept — Cloudflare is a network company, not a data hoarder. [confirmed] (what Cloudflare logs)
  • Anything someone already saved is theirs to keep — deleting your site doesn't reach a copy already downloaded by a visitor. [estimate]

What a paid/Enterprise plan changes

For a personal site or a public tool, the free plan already carries the no-training stance and a real privacy policy — you don't need to pay for the basics. Enterprise mainly adds control and paperwork for regulated data:

  • A signed data agreement (DPA) with Standard Contractual Clauses for international transfers — the document a compliance review asks for. [confirmed] (Cloudflare DPA)
  • Region pinning — the Data Localization Suite lets you force data to stay in a chosen region (next section). [confirmed]
  • Admin controls — org-level policies, audit logs, SSO. [confirmed]

The no-training guarantee isn't a paid upgrade — it applies the same on free and Enterprise. [confirmed]

Where your data is stored (EU / UK / US)

  • By default, US and EU. Cloudflare "primarily store[s] your information in the United States and the European Economic Area," and may "transfer and access such information from around the world." On the free plan you don't pick the region. [confirmed]
  • Pinning data to the EU is an Enterprise feature. The Data Localization Suite / Customer Metadata Boundary lets an org force logs and metadata to stay in a chosen region — selectable as EU or US — for customers who "prefer that any personal data subject to the GDPR (or its UK or Swiss equivalents) remain in the EU." [confirmed] It's sold to Enterprise customers; the docs don't list a free tier for it. [unclear] (docs name no plan; positioned as Enterprise — DLS docs, checked 2026-06-07)
  • No separate UK-only region as of 2026-06; the EU boundary is the closest GDPR-aligned option, and Cloudflare relies on SCCs for UK transfers. [confirmed]
  • Under GDPR, the default US/EU mix is usually fine for a personal or public site — name it only if your grant or DPA forbids data leaving the EU/UK, in which case the localization features are the lever. [estimate]

Sources