What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacyquestions@cloudflare.com', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': 'Email privacyquestions@cloudflare.com to request deletion of your personal data and to ask what retention periods apply to your specific data categories.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has authority over deceptive data retention representations and enforces reasonable retention practices as part of its commercial surveillance framework under FTC Act Section 5.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Data Retention clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Data Retention clauses across approximately 39 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Data Retention — Cloudflare

Share 𝕏 Share in Share 🔒 PDF

What it is

Cloudflare keeps your personal data for as long as it needs to run its services or meet legal requirements, but does not specify exact timeframes — meaning your data could be retained indefinitely without a clear deletion schedule.

Consumer impact (what this means for users)

Cloudflare does not commit to specific data retention timeframes in this policy, which means your personal information — including IP addresses and browsing metadata — may be retained for extended or indefinite periods tied to vague 'business purposes.'

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Email privacyquestions@cloudflare.com to request deletion of your personal data and to ask what retention periods apply to your specific data categories.

Cross-platform context

See how other platforms handle Data Retention and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

The absence of specific retention periods makes it difficult for consumers to know when their data will be deleted and makes it harder for regulators to audit whether Cloudflare's retention practices are proportionate under data minimization principles.

View original clause language

We generally retain personal data for as long as needed to provide our Services and fulfill the transactions you have requested, or for other business or legal purposes. We take measures to delete or de-identify personal information when it is no longer necessary for the purposes for which it was collected, unless we are required to retain it for legal or compliance reasons.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: Data retention practices are governed by GDPR Art. 5(1)(e) (storage limitation principle), which requires data be kept 'no longer than is necessary for the purposes for which the personal data are processed.' Art. 13(2)(a) requires disclosure of retention periods or criteria used to determine them. CCPA does not impose explicit retention limits but requires accurate disclosure of retention practices. FTC Act Section 5 applies to deceptive retention representations.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has authority over deceptive data retention representations and enforces reasonable retention practices as part of its commercial surveillance framework under FTC Act Section 5.
File a complaint →

Provision details

Document information

Document

Cloudflare Privacy Policy

Entity

Cloudflare

Document last updated

April 29, 2026

Tracking information

First tracked

April 18, 2026

Last verified

April 18, 2026

Record ID

CA-P-003016

Document ID

CA-D-00282

Evidence Provenance

Source URL

https://www.cloudflare.com/privacypolicy/

Wayback Machine

View archived versions →

SHA-256

f8e88ec9d8c545e030482f3dd3f67f81792db81930414a668aae4f61c5cebe58

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Cloudflare | Document: Cloudflare Privacy Policy | Record: CA-P-003016
Captured: 2026-04-18 11:44:46 UTC | SHA-256: f8e88ec9d8c545e0…
URL: https://conductatlas.com/platform/cloudflare/cloudflare-privacy-policy/data-retention/
Accessed: May 2, 2026

Classification

Severity

Medium

Data Retention