Data Processing Agreement
Last updated: April 2026
1. Overview
This Data Processing Agreement (“DPA”) applies when you use here.now to host files that contain personal data and you are subject to data protection laws such as the UK GDPR or EU GDPR. In that context, you act as the data controller and here.now acts as the data processor on your behalf.
By using the here.now API with an API key to publish files containing personal data, you agree to the terms of this DPA. No separate signature is required.
2. What here.now processes
here.now processes personal data only to the extent necessary to provide the hosting service:
- Storage — files you upload are stored in Cloudflare R2 object storage.
- Serving — files are served over HTTPS to anyone who requests the URL.
- Metadata — file paths, sizes, content types, and hashes are stored in a routing index to enable serving. File contents are not read or inspected.
- Thumbnails — if a screenshot of your published site is captured for preview purposes, the page is rendered once by Cloudflare’s Browser Rendering service and a thumbnail image is stored. This is a rendering pass only; no data is extracted from the content.
here.now does not read, index, analyse, or use the contents of your uploaded files for any purpose other than storing and serving them.
3. Data retention
- Sites published with an API key are retained indefinitely until you delete them.
- Anonymous sites (no API key) are automatically deleted after 24 hours.
- When you delete a site, all associated files are permanently removed from storage.
- If you close your account, all your sites and files are deleted.
4. Your responsibilities as controller
As the data controller, you are responsible for:
- Ensuring you have a lawful basis to process the personal data you upload.
- Providing any required notices to the data subjects whose data appears in your files.
- Not uploading special category data (health, financial, biometric, etc.) unless you have assessed and accepted the associated risk.
- Deleting sites when the personal data they contain is no longer needed.
5. here.now’s obligations
here.now commits to:
- Processing personal data only as described in this DPA and in accordance with your documented instructions (publishing and serving your files).
- Not selling or sharing personal data in your files with third parties for their own purposes.
- Maintaining reasonable technical and organisational security measures (see section 6).
- Notifying you without undue delay if we become aware of a personal data breach affecting your files, to the extent we can identify it as such.
- Deleting your data upon account closure or upon your request.
- Providing reasonable assistance if you need to respond to a data subject rights request, to the extent the information is within our control.
6. Security measures
here.now implements the following measures to protect stored data:
- Files are stored in Cloudflare R2, which encrypts data at rest.
- All data in transit is encrypted using TLS (HTTPS).
- Access to production infrastructure is restricted to authorised personnel.
- Account variables (API secrets) are encrypted at rest with a separate encryption key.
- API keys are required for persistent publishing; anonymous publishing is rate-limited by IP.
Because published sites are served at public URLs, the primary access control is the confidentiality of the URL itself. URLs are randomly generated and non-guessable. You may also enable password protection on any site for an additional layer of access control.
7. Sub-processors
here.now uses the following sub-processors to deliver the service. Each is bound by its own data processing terms with here.now:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | File storage (R2), serving (Workers), CDN, KV, Browser Rendering | Global |
| Railway | Web application hosting, PostgreSQL database | US |
| Resend | Transactional email (magic link authentication) | US |
| Stripe | Payment processing (paid plans only) | US |
We will notify you of any material changes to this sub-processor list by updating this page and the date above.
8. International transfers
here.now’s infrastructure is primarily US-based and uses Cloudflare’s global network. If you are in the UK or EEA, personal data in your files may be transferred to and stored in the United States. Cloudflare, Railway, Resend, and Stripe all participate in applicable transfer mechanisms (including EU Standard Contractual Clauses) under their own DPAs.
9. Audits and compliance
If you have questions about our data processing practices or need information to complete a compliance assessment, contact us at hello@here.now. We will respond within a reasonable timeframe and provide available information about our security and processing practices.
10. Governing law
This DPA is governed by the same law as the here.now Terms of Service. For the purposes of UK and EU GDPR compliance, this DPA is intended to satisfy the requirement for a written contract between controller and processor under Article 28 of the GDPR.
11. Changes
We may update this DPA. Changes will be reflected by updating the date at the top of this page. Continued use of here.now after a change constitutes acceptance of the updated DPA.
12. Contact
Questions about this DPA or data protection at here.now? Email hello@here.now.