Cloudflare plays two different privacy roles: it controls your data when you are its direct customer, but when you visit another website that uses Cloudflare's network, Cloudflare only processes your data on behalf of that website's operator, who is responsible for informing you about how your data is used.
This analysis describes what Cloudflare's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This distinction means that if you want to exercise privacy rights regarding data processed on behalf of a third-party website, you may need to contact that website's operator rather than Cloudflare directly, which can make it harder to know where to direct requests.
If your data is processed because you visited a third-party site using Cloudflare's infrastructure, Cloudflare's policy may not be the right place to seek data access or deletion; you may need to contact the operator of the site you visited instead.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Cloudflare has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"In this Privacy Policy, we use the term "Customer" to refer to individuals and organizations that directly contract with us for the purpose of using our products and services. We use the term "End Users" to refer to those individuals who (1) access or use our Customers' domains, networks, websites, application programming interfaces, and applications, or (2) Cloudflare's products and services are directed toward. Unlike Customers who directly interact with Cloudflare, End Users typically interact with our Customers' Internet properties that use our Services. In connection with providing our Services, Cloudflare may process End Users' data on behalf of Customers. In that case, Cloudflare is a data processor and the Customer is the data controller.— Excerpt from Cloudflare's Cloudflare Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4(7) and 4(8), which define controller and processor, and Article 28, which requires a Data Processing Agreement between controllers and processors. The Irish Data Protection Commission is identified as lead EU supervisory authority. Where Cloudflare acts as processor, the enterprise customer bears primary GDPR accountability for lawful basis and data subject rights fulfillment. GOVERNANCE EXPOSURE: High. The controller-processor distinction creates significant accountability allocation between Cloudflare and its enterprise customers. If a DPA is not properly in place, or if sub-processor obligations are not met, both Cloudflare and the enterprise customer could face regulatory exposure under GDPR. The policy's assertion that customers are responsible for end-user data subject requests may not fully discharge Cloudflare's obligations as processor under applicable law. JURISDICTION FLAGS: EU and EEA exposure is highest given GDPR Article 28 DPA requirements. UK GDPR applies post-Brexit with analogous processor obligations. California CPRA similarly distinguishes service providers from businesses, and enterprise customers must ensure Cloudflare's contractual terms satisfy CPRA service provider restrictions to avoid characterization as a data sale or sharing arrangement. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams engaging Cloudflare as infrastructure provider should confirm a compliant DPA is in place, review Cloudflare's sub-processor list and notification procedures, and assess whether the DPA includes adequate data subject rights assistance obligations under GDPR Article 28(3)(e). The policy's framing that customer privacy policies govern end users does not eliminate Cloudflare's processor-level obligations. COMPLIANCE CONSIDERATIONS: Legal teams should map which data flows involve Cloudflare acting as processor versus controller, update internal data maps accordingly, and confirm DPAs address sub-processing, breach notification timelines, and audit rights. Organizations in regulated sectors (financial services, healthcare) should assess whether Cloudflare's processor role creates additional sector-specific notification or contractual obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This distinction means that if you want to exercise privacy rights regarding data processed on behalf of a third-party website, you may need to contact that website's operator rather than Cloudflare directly, which can make it harder to know where to direct requests.
If your data is processed because you visited a third-party site using Cloudflare's infrastructure, Cloudflare's policy may not be the right place to seek data access or deletion; you may need to contact the operator of the site you visited instead.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cloudflare.