Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This document establishes Cloudflare's practices for collecting, processing, and using personal information from visitors to Cloudflare websites and from users of Cloudflare services. The policy authorizes data collection including IP addresses, device information, and browsing behavior both when individuals directly interact with Cloudflare and when their traffic passes through Cloudflare's infrastructure serving third-party websites. The policy permits processing of this data for security, analytics, and marketing purposes, and authorizes disclosure to service providers, partners, and in response to legal requests.
This document is Cloudflare's Privacy Policy governing the collection, use, and disclosure of personal information across Cloudflare's websites, products, and services, with stated legal bases including consent, legitimate interests, and contractual necessity under applicable frameworks including GDPR and CCPA. The policy states that Cloudflare collects information provided directly by users, information collected automatically (including log data, IP addresses, device identifiers, and cookies), and information from third-party sources, and the terms authorize use of this data for service delivery, security operations, product improvement, and marketing communications. Notably, the policy distinguishes between Cloudflare acting as a data controller for its own customer and website visitor data versus acting as a data processor for data passing through its network on behalf of customers, a structurally important distinction that limits Cloudflare's stated obligations regarding end-user data processed on behalf of enterprise clients. The policy references GDPR for EU and UK users, CCPA and CPRA for California residents, and other applicable regional frameworks, with Cloudflare asserting Privacy Shield successor mechanisms and Standard Contractual Clauses for international data transfers, though the enforceability of specific transfer mechanisms may depend on evolving regulatory guidance. Material compliance considerations include the adequacy of consent mechanisms for cookies and tracking technologies, the scope of data retention practices, and the handling of personal data transiting Cloudflare's global network on behalf of business customers.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Start Compliance free trial3 important changes detected
3 versions captured · Last updated: July 2026
Cloudflare's Privacy Policy was updated on April 18, 2026 to reorganize its navigation and service descriptions. The change adds new service sections including 'Support and success bundles', 'Optimized Cloudflare experience', …
View change record →Provision was consolidated into 'Automatic Data Collection and Log Data' rather than added as new content.
Specific enumeration of passive data collection (ISP, clickstream data, exit pages) was removed in favor of more generic language, reducing transparency about specific tracking categories.
Removal of contractual requirements for third-party data protection and purpose limitation weakens binding obligations on service providers handling personal data.
Specific distinction between session and persistent cookies and detailed enumeration of cookie purposes was removed, reducing granularity of cookie disclosure.
Definition expanded from generic contractual language to explicitly enumerate End User categories and clarify the direct contract requirement for Customers.
Language simplified from detailed enumeration (ISP, referring/exit pages, clickstream data) to broader categories, with clearer delineation of data collection on behalf of Customers.
Added explicit examples of tracking technologies (web beacons, pixels), categorized cookies by necessity, and added disclosure of third-party partner cookie usage.
Removed specific Data Privacy Framework certifications in favor of broader consent-based language emphasizing U.S. governance and reduced local protections, with vaguer reference to transfer mechanisms.
Added explicit mention of CPRA (new California law) and included additional rights (opt-out of sale/sharing, non-discrimination, correct inaccurate information) previously only partially addressed.
Monitoring
Cloudflare has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Compliance free trialCross-platform context
See how other platforms handle Controller vs Processor Distinction and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.