"Always the best, without switching tools."
Bolt is an AI-powered builder for websites, web apps, and mobile apps. Users describe their project via prompt, and Bolt generates a working project from it in a short time.
In addition, Bolt bundles Bolt Cloud Hosting, databases, domains, authentication, file storage, analytics, and Edge Functions directly in the interface.
Bolt.new
Location: USA. StackBlitz, Inc., 2443 Fillmore St #380-7122, San Francisco, CA 94115, USA.
- Teams: For teams with collaborative work, higher limits, and team-oriented usage.
- Other / Enterprise: Custom offering for organizations with advanced requirements.
- bolt.diy: Official open-source version for local/self-hosted use with your own LLM providers such as OpenAI, Anthropic, Ollama, Gemini, Mistral, xAI, DeepSeek, Bedrock, and others.
Target audience
Bolt is aimed at product managers, founders, marketers, agencies, students, and builders who want to create websites, web apps, or mobile apps without the overhead of a traditional setup. Official pages also address teams working with design systems, private registries, organizational sharing, and centralized administration. Bolt is particularly strong for people who want to move quickly from idea to prototype, landing page, or MVP while having hosting, database, and deployments directly in the tool.
Outstanding features
What stands out is the combination of prompt-to-app, model selection within Bolt, integrated infrastructure via Bolt Cloud, and direct integrations with Figma, Expo, Stripe, GitHub, Supabase, and MCP servers. Added to this are private and public publishing, custom domains, SEO-relevant hosting/publishing features, authentication, file storage, edge functions, and built-in analytics. Also relevant for teams are design system knowledge, private NPM registries, and admin/governance functions.
Main use cases
Bolt is particularly well suited for landing pages, campaign pages, prototypes, MVPs, internal tools, smaller SaaS products, and mobile app prototypes. The homepage explicitly addresses product teams, entrepreneurs, marketers, agencies, as well as learning and side-project scenarios. Because Bolt includes hosting, domains, and databases and can connect to Stripe, it is also interesting for first production web products.
Usage & notes
Operation is primarily via chat/prompt, supplemented by code view, publish/share functions, and project/cloud settings. For mobile apps, the mobile use case must be clearly specified in the prompt; Bolt uses Expo for this. It is important to know the technical limitations: Chromium desktop browsers are recommended, mobile browsers are not yet fully supported, and according to the documentation, Bolt is limited to JavaScript-based technologies for backends. For data protection and enterprise procurement, the legal documents should be reviewed individually before production use, because the public legal/compliance situation is not documented as comprehensively as with established enterprise SaaS providers.
| Target audience | Assessment |
|---|---|
| Private individuals / Makers | Very suitable – for fast web apps, websites, prototypes, and experiments via prompt. |
| Self-employed / Freelancers | Very suitable – for landing pages, MVPs, client prototypes, and simple apps without a full development team. |
| Startups / Founders | Very suitable – especially for rapid product validation, prototyping, and early app versions. |
| Agencies / Web designers | Suitable to very suitable – for quick drafts, websites, frontends, and client demos. |
| SMEs / Teams | Suitable – for internal tools and quick app ideas, provided data protection, code quality, and hosting are reviewed. |
| Large enterprises | Conditionally suitable – review the enterprise/team context; for sensitive data and complex architecture only with governance and code review. |
Hosting & Data
1) On-prem / local hosting
Meaning: The company operates the solution on its own hardware or within its own infrastructure. In the strictest sense, not only the application runs locally, but ideally the model as well.
2) Private cloud / data center
Meaning: The solution runs in a dedicated or more clearly separated cloud environment, often with a hosting provider or hyperscaler, but in a German data center or in a particularly controlled environment.
3) EU SaaS / managed
Meaning: The provider operates the solution itself as a service. The company uses the tool as a ready-made cloud service, ideally with EU data residency.
4) Hybrid
Meaning: One part of the processing remains internal / local / in a private cloud, while another part runs in an external cloud or EU SaaS.
5) AVV / DPA
Meaning: This is the data processing agreement (AVV) or Data Processing Addendum (DPA). It stipulates that the provider processes personal data on behalf of the customer and is bound by the customer's instructions.
6) No training
Meaning: The provider does not use your prompts, uploads, attachments, chat histories, or outputs for training or improving the general model — ideally excluded by contract.
7) Open-source / transparency path
Meaning: There is a path toward greater technical transparency and sovereignty, for example through:
- open models
- documented components
- self-hostable parts
- traceable architecture
- export / switching options
| Criterion | Status |
|---|---|
| On-prem / local hosting | ⚠️ |
| Private cloud / data center | ✅ |
| EU SaaS / Managed | ⚠️ |
| Hybrid | ❓ |
| DPA / AVV | ❓ |
| No training on customer data | ⚠️ |
| Open source / transparency path | ⚠️ |
On-premises / local hosting: Partially
No classic on-premises solution running on the customer’s own hardware was explicitly found. However, there is a documented Enterprise/BYOK option for deployment in the customer’s own AWS/Azure tenant with full isolation; this is closer to a customer-owned cloud than to an on-premises data center.
Private Cloud / Data Center: Covered
The website describes deployment in the customer’s own AWS/Azure tenant with “full infrastructure isolation and no shared compute.” This covers a dedicated private cloud/tenant variant.
EU SaaS / Managed: Partially
A managed SaaS/cloud service is clearly available. However, the website does not specify explicit EU/EEA data residency or a requirement for the service to be hosted in an EU data center for this standard service.
Hybrid: Indirect / Not Available
An explicit hybrid operating model combining internal/on-premises with external SaaS was not described on the website. While integrations and BYOK deployment are available, there is no clearly documented hybrid offering in the required sense.
AVV / DPA: Unclear
No AVV/DPA was found on the website. Nor are any specific data processing agreements linked to or described on the trust/support pages found.
No Training: Partially
The Enterprise page states that code and prompts “never leave your tenant” or, in the case of BYOK, “never leave your infrastructure.” A general, contractually enforced “no training” rule or an explicit opt-out for standard SaaS usage was not found on the website.
Open Source / Transparency Path: Partial
There is a transparency/sovereignty path via project downloads, GitHub integration, alternative use of custom Supabase projects, and references to open-source components in blog content. However, a clearly documented open-source product base or self-hostable core solution was not found.
Data Processing
The pages found describe two main operational models: First, Bolt Cloud as a provider-managed service for hosting, databases, domains, file storage, and edge functions. The website mentions Netlify and Supabase as the underlying platforms, without specifying EU/EEA data residency or exact server locations. Second, an Enterprise/BYOK option, in which deployment occurs within the user’s own AWS/Azure tenant, with full isolation and the assurance that code and prompts do not leave the user’s own infrastructure. For EU/EEA users, the second option is significantly better documented in terms of data protection.
Conclusion
For an EU/EEA directory, Bolt.new is not documented as a clearly and fully substantiated standard SaaS offering with EU data residency. The most viable option is the Enterprise/BYOK model, particularly if the customer selects an EU/EEA location in AWS or Azure and receives the contractual data protection documents separately during the sales process. Without these additional requirements, the GDPR compliance status for the standard cloud service, as presented on the website, remains too incomplete.
Strengths & weaknesses at a glance
| Strengths | Weaknesses |
|---|---|
| • Very fast path from idea to a working prototype or MVP. | • Public privacy/compliance documentation appears thin from an EU perspective; the publicly found StackBlitz Privacy Policy is very old and refers to US hosting/transfers. |
| • Integrated cloud features instead of a zoo of tools: hosting, DB, domains, auth, file storage, analytics, edge functions. | • No verified public information is available about a freely accessible AVV/DPA page specifically for Bolt — as of April 27, 2026. |
| • Good integrations for Figma, Expo, GitHub, Stripe, Supabase, and MCP. | • According to the official documentation, Bolt only supports JavaScript-based backends; PHP or Python are explicitly listed there as incompatible. |
| • Also suitable for commercial use; according to the official docs, the code generated with Bolt/StackBlitz belongs to the user. | • Mobile browsers are not yet fully supported; desktop and Chromium-based browsers are recommended. |
| • Private publishing and team/admin features for collaborative workflows. | • Token consumption increases with project size because a large share of usage comes from reading and synchronizing the project files. |
GDPR-compliant usage possible?
For the EU/EEA region, GDPR-compliant use is plausible only under certain conditions. Positive aspects include the enterprise options listed on the website for deployment in a user’s own AWS/Azure tenant with full infrastructure isolation, as well as the statement that code and prompts do not leave the user’s own infrastructure. However, for standard SaaS/Bolt Cloud usage, the website lacks essential, reliable information regarding EU data residency, specific server locations within the EU/EEA, the Data Processing Agreement (DPA), and subprocessors. Therefore, there is no verifiable, fully clear GDPR approval for standard use; the best-documented option is the Enterprise/BYOK variant.
Positive
The website mentions BYOK deployment or deployment within the user’s own AWS/Azure tenant, full infrastructure isolation without shared compute, the statement “Your code and prompts never leave your infrastructure,” and SOC 2 information. In addition, the Trust page describes client-side execution as a security feature.
Negative
The website does not specify any concrete EU/EEA server locations for the standard service. Also missing are a privacy policy, an AVV/DPA, a list of subprocessors, an explicit EU data residency for Bolt Cloud, and a clear, contractually documented no-training/opt-out rule for standard use. The support documentation also mentions external platforms such as Netlify and Supabase as the basis for Bolt Cloud.
Server Location
Not specified on the website. For Bolt Cloud, only “secure, high-performance servers” and partner platforms such as Netlify and Supabase are mentioned. A specific EU/EEA data center location or a binding EU data residency requirement is not mentioned on the pages found. For Enterprise, deployment within the customer’s own AWS/Azure tenant is described; the specific location there apparently depends on the customer’s target environment.