What are the institutional and regulatory implications of this document?

REGULATORY EXPOSURE: This policy engages GDPR Arts. 6 (lawful basis), 13 (transparency), 17 (right to erasure), 28 (processor agreements), and Chapter V (international transfers via EU-US Data Privacy Framework and SCCs); CCPA/CPRA §§1798.100, 1798.105, 1798.110, 1798.120 for California residents; COPPA 16 C.F.R. Part 312 for any consumer products accessible to minors; and FTC Act Section 5 for unfair or deceptive data practices. Primary enforcement authorities include the FTC (US), state attor…

How does Cloudflare's Cloudflare Privacy Policy affect users?

Cloudflare collects personal data including IP addresses, browsing metadata, and device identifiers both through direct product use and passively as internet traffic flows through its network infrastructure, meaning consumers may not be aware their data is being processed. For end users whose data is processed on behalf of a business customer, Cloudflare acts as a data processor and directs privacy requests to those businesses rather than handling them directly, which can limit consumers' pract…

How often is Cloudflare's Cloudflare Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Cloudflare updates this document?

Yes. Watcher subscribers ($9.99/month) can add Cloudflare to their watchlist and receive same-day email alerts whenever this document or any other Cloudflare document changes.

Cloudflare Privacy Policy — Cloudflare

8 Total

2 High severity

6 Medium severity

0 Low severity

Summary

This is Cloudflare's privacy policy explaining how Cloudflare — a major internet infrastructure company whose network handles a large portion of global web traffic — collects and uses your personal data when you visit their website, use their consumer products like 1.1.1.1 DNS, or when your internet traffic passes through Cloudflare's network on behalf of a business customer. The most important thing to know is that Cloudflare collects technical data including IP addresses, device identifiers, and browsing metadata both when you directly use Cloudflare products and when you use any website or app that relies on Cloudflare's infrastructure, meaning your data may be processed by Cloudflare even without a direct relationship. California residents and EU users can submit formal data access, deletion, or opt-out requests by contacting privacyquestions@cloudflare.com.

Technical Summary

This document is Cloudflare's Privacy Policy governing the collection, use, storage, and disclosure of personal data across Cloudflare's network infrastructure, consumer-facing products, and enterprise services, with legal bases including consent, legitimate interests, and contractual necessity under applicable data protection laws including GDPR and CCPA. The policy creates obligations for Cloudflare to respond to data subject access requests, honor opt-out rights for California residents, and maintain data processing agreements with enterprise customers, while imposing on users the practical consequence that significant technical and operational data is collected as a byproduct of Cloudflare's role as a network intermediary. Notably, Cloudflare distinguishes between data it processes as a 'data controller' for its own purposes and as a 'data processor' on behalf of enterprise customers, creating a layered liability structure that limits Cloudflare's direct consumer obligations for end-user data flowing through customer-operated services. The policy engages GDPR (Articles 6, 13, 17, and 28), CCPA/CPRA (§1798.100 et seq.), and potentially COPPA given consumer product offerings; EU-US Data Privacy Framework and Standard Contractual Clauses are cited as transfer mechanisms for international data flows. Material compliance considerations include the adequacy of Cloudflare's data processor agreements with enterprise customers, the robustness of its consent mechanisms for tracking technologies, and the accuracy of its data retention disclosures given the scale and technical complexity of its infrastructure.

Evidence Provenance

Captured April 18, 2026 07:55 UTC

Document ID CA-D-000282

Version ID CA-V-000613

Source URL https://www.cloudflare.com/privacypolicy/

Wayback Machine View archived versions →

SHA-256 88a4858a8dd1b68b39fcc70e4879f1c6eb6b4bd7f3fb09db73b9eff738705281

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Institutional Analysis

🔒 Institutional analysis locked

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Upgrade to Professional — $149/mo

Change Timeline

April 18, 2026 — Initial capture

Initial snapshot — monitoring begins

88a4858a…

View full version history (0 captures) →

High Severity — 2 provisions

Controller vs Processor Distinction

Cloudflare separates itself into two roles: when you use Cloudflare's own products directly, Cloudflare is responsible for your data; but when a website you visit uses Cloudflare behind the scenes, that website's owner is responsible, not Cloudflare.

Added April 18, 2026
Law Enforcement and Government Disclosure

Cloudflare can share your personal data with law enforcement, government agencies, or private parties when legally required or when Cloudflare itself decides it is necessary — including to prevent activity it considers illegal or unethical, which is a broad discretionary power.

Added April 18, 2026

Medium Severity — 6 provisions

Passive Network Data Collection

Cloudflare automatically collects your IP address, browser type, and browsing behavior not just when you use Cloudflare's own products, but also when you visit any website that uses Cloudflare's infrastructure — even if you've never heard of Cloudflare.

Added April 18, 2026
International Data Transfers

Cloudflare moves data about EU and UK users to the United States using legal frameworks called the EU-US Data Privacy Framework and Standard Contractual Clauses, which are EU-approved mechanisms designed to protect your data during cross-border transfers.

Added April 18, 2026
California Resident Privacy Rights (CCPA/CPRA)

If you live in California, you have legal rights to see what data Cloudflare has collected about you, ask them to delete it, correct it, or opt out of your data being shared — and you can exercise these rights by contacting Cloudflare directly.

Added April 18, 2026
Cookie and Tracking Technology Use

Cloudflare uses cookies and tracking tools to monitor how you use their services and to show you targeted ads — some of these cookies stay on your device permanently until you manually delete them.

Added April 18, 2026
Third-Party Service Provider Data Sharing

Cloudflare shares your personal information with third-party companies that help run its business — including payment processors, marketing firms, and analytics providers — though it says those companies are required to protect your data and not use it for their own purposes.

Added April 18, 2026
Data Retention

Cloudflare keeps your personal data for as long as it needs to run its services or meet legal requirements, but does not specify exact timeframes — meaning your data could be retained indefinitely without a clear deletion schedule.

Added April 18, 2026

Cross-platform context

See how other platforms handle Controller vs Processor Distinction and similar clauses.

Compare across platforms →

Applicable Regulations

CCPA/CPRA

California, USA

CFAA

United States Federal

CAN-SPAM

United States Federal

GDPR

European Union