Cloudflare automatically collects technical data including your IP address, browser type, and pages visited whenever you use its services or visit a website powered by Cloudflare's network, even if you have no direct relationship with Cloudflare.
This analysis describes what Cloudflare's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Your IP address and browsing behavior are collected passively across a vast range of internet destinations that use Cloudflare's infrastructure, which represents a significant breadth of data collection relative to a single service provider.
Every time you visit a website using Cloudflare's network, your IP address and device information may be logged, regardless of whether you have an account with Cloudflare or are aware of its involvement.
How other platforms handle this
We, or vendors we engage, may automatically collect information about your use of our website or services through cookies and similar technologies. This may include navigational and network-related activity such as your device's IP address, browser type and operating system; the length of time you v...
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
Monitoring
Cloudflare has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"When you use our Services, we automatically receive and record information from your browser or device, which may include your IP address or device identifier, the type of browser and/or device you're using to access our Services, and the page or feature you requested. Cloudflare also collects information on behalf of our Customers about End Users of our Customers' websites and applications. This information may include log data, IP addresses, and other information regarding users of our Customers' websites.— Excerpt from Cloudflare's Cloudflare Privacy Policy
REGULATORY LANDSCAPE: Automatic collection of IP addresses and device identifiers constitutes personal data processing under GDPR, requiring a documented legal basis. The FTC Act applies to deceptive or unfair collection practices in the U.S. CCPA and CPRA classify IP addresses as personal information subject to consumer rights. Cookie and tracking disclosures also engage ePrivacy Directive requirements in the EU. GOVERNANCE EXPOSURE: Medium. The scope of automatic data collection across Cloudflare's network is broad, but collection of log data and IP addresses for security and network operations is standard practice for infrastructure providers. Legal basis documentation under GDPR (likely legitimate interests for security operations) and transparency of disclosure are the primary governance concerns. JURISDICTION FLAGS: EU and EEA users have the right to object to processing based on legitimate interests under GDPR Article 21. California residents have the right to know about categories of personal information collected under CCPA. Illinois and other states with biometric or sensitive data laws are less directly implicated by log data collection alone. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using Cloudflare should understand that end-user log data collected on their behalf is governed by the DPA, not this public privacy policy. Vendor assessments should confirm data retention periods for log data and confirm sub-processor obligations are met. COMPLIANCE CONSIDERATIONS: Teams should review whether Cloudflare's legitimate interests assessments for automatic data collection are documented and available, and whether website operators using Cloudflare have disclosed Cloudflare's data collection in their own privacy notices as required under GDPR transparency obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Your IP address and browsing behavior are collected passively across a vast range of internet destinations that use Cloudflare's infrastructure, which represents a significant breadth of data collection relative to a single service provider.
Every time you visit a website using Cloudflare's network, your IP address and device information may be logged, regardless of whether you have an account with Cloudflare or are aware of its involvement.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cloudflare.