Cloudflare plays two different privacy roles: it controls your data when you are its direct customer, but when you visit another website that uses Cloudflare's network, Cloudflare only processes your data on behalf of that website's operator, who is responsible for informing you about how your data is used.
This analysis describes what Cloudflare's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This distinction means that if you want to exercise privacy rights regarding data processed on behalf of a third-party website, you may need to contact that website's operator rather than Cloudflare directly, which can make it harder to know where to direct requests.
If your data is processed because you visited a third-party site using Cloudflare's infrastructure, Cloudflare's policy may not be the right place to seek data access or deletion; you may need to contact the operator of the site you visited instead.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
Docusign may be a 'data controller' or a 'data processor' (or both) depending on the type of personal information and the context in which it is processed. When Docusign determines the purpose and means of processing personal information, we act as a data controller. When Docusign processes personal...
Monitoring
Cloudflare has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"In this Privacy Policy, we use the term "Customer" to refer to individuals and organizations that directly contract with us for the purpose of using our products and services. We use the term "End Users" to refer to those individuals who (1) access or use our Customers' domains, networks, websites, application programming interfaces, and applications, or (2) Cloudflare's products and services are directed toward. Unlike Customers who directly interact with Cloudflare, End Users typically interact with our Customers' Internet properties that use our Services. In connection with providing our Services, Cloudflare may process End Users' data on behalf of Customers. In that case, Cloudflare is a data processor and the Customer is the data controller.— Excerpt from Cloudflare's Cloudflare Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4(7) and 4(8), which define controller and processor, and Article 28, which requires a Data Processing Agreement between controllers and processors. The Irish Data Protection Commission is identified as lead EU supervisory authority. Where Cloudflare acts as processor, the enterprise customer bears primary GDPR accountability for lawful basis and data subject rights fulfillment. GOVERNANCE EXPOSURE: High. The controller-processor distinction creates significant accountability allocation between Cloudflare and its enterprise customers. If a DPA is not properly in place, or if sub-processor obligations are not met, both Cloudflare and the enterprise customer could face regulatory exposure under GDPR. The policy's assertion that customers are responsible for end-user data subject requests may not fully discharge Cloudflare's obligations as processor under applicable law. JURISDICTION FLAGS: EU and EEA exposure is highest given GDPR Article 28 DPA requirements. UK GDPR applies post-Brexit with analogous processor obligations. California CPRA similarly distinguishes service providers from businesses, and enterprise customers must ensure Cloudflare's contractual terms satisfy CPRA service provider restrictions to avoid characterization as a data sale or sharing arrangement. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams engaging Cloudflare as infrastructure provider should confirm a compliant DPA is in place, review Cloudflare's sub-processor list and notification procedures, and assess whether the DPA includes adequate data subject rights assistance obligations under GDPR Article 28(3)(e). The policy's framing that customer privacy policies govern end users does not eliminate Cloudflare's processor-level obligations. COMPLIANCE CONSIDERATIONS: Legal teams should map which data flows involve Cloudflare acting as processor versus controller, update internal data maps accordingly, and confirm DPAs address sub-processing, breach notification timelines, and audit rights. Organizations in regulated sectors (financial services, healthcare) should assess whether Cloudflare's processor role creates additional sector-specific notification or contractual obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This distinction means that if you want to exercise privacy rights regarding data processed on behalf of a third-party website, you may need to contact that website's operator rather than Cloudflare directly, which can make it harder to know where to direct requests.
If your data is processed because you visited a third-party site using Cloudflare's infrastructure, Cloudflare's policy may not be the right place to seek data access or deletion; you may need to contact the operator of the site you visited instead.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cloudflare.