Cloudflare shares your personal data with third-party service providers for functions like billing and marketing, and may also transfer your data as part of a business sale, merger, or acquisition.
This analysis describes what Cloudflare's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
A merger or acquisition could result in your personal data being transferred to a new corporate entity with different privacy practices, and you may not be notified before the transfer occurs.
Removed contractual restrictions on third-party use and protection requirements, and added new category of disclosure for corporate transactions (M&A, asset sales, etc.).
View full change record →Your personal data could be transferred to a new company if Cloudflare is acquired or merged, potentially under different privacy terms, which is a standard but material risk in any platform relationship.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
We may share your information with third-party vendors and service providers that perform services on our behalf, such as payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance. We may also share your information with third-party advertising p...
We may also share your personal information with third parties that assist us in providing our services, or where we are under an obligation to report to. But rest assured: we will only ever share your personal information in the limited circumstances described in this Policy.
Monitoring
Cloudflare has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Cloudflare may share your information with third-party vendors and other service providers that perform services on our behalf, such as billing, marketing, and analytics. We may also disclose your information in connection with, or during negotiations concerning, a corporate merger, consolidation, the sale of substantially all of our stock or assets, financing, acquisition, divestiture or dissolution of all or a portion of our business.— Excerpt from Cloudflare's Cloudflare Privacy Policy
REGULATORY LANDSCAPE: GDPR requires that data transfers in corporate transactions maintain lawful basis and that users be informed of changes to data controller identity. CCPA requires disclosure of categories of third parties with whom data is shared. The FTC Act applies to deceptive representations about data sharing practices. Corporate transaction data transfers may engage merger notification requirements in various jurisdictions. GOVERNANCE EXPOSURE: Low to Medium. Third-party service provider sharing for operational purposes is standard and expected. The merger and acquisition carve-out is a common provision but may create transition risks if the acquiring entity changes data practices. GDPR requires that data subjects be informed of controller changes with adequate notice. JURISDICTION FLAGS: EU users have the right to be informed of controller changes under GDPR. California users have the right to know categories of third parties receiving their data. In an acquisition scenario, the acquiring entity would need to assess whether existing consent and legal bases remain valid for their intended processing purposes. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should assess whether their DPAs with Cloudflare include change-of-control provisions requiring notice and an opportunity to terminate or renegotiate in the event of an acquisition. Standard commercial practice includes such provisions in enterprise agreements. COMPLIANCE CONSIDERATIONS: Legal teams should monitor for Cloudflare corporate transaction announcements that could trigger data transfer obligations and assess whether existing consent mechanisms and legal bases would remain valid post-transaction. Privacy impact assessments for any corporate transaction should include Cloudflare data flows.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
A merger or acquisition could result in your personal data being transferred to a new corporate entity with different privacy practices, and you may not be notified before the transfer occurs.
Your personal data could be transferred to a new company if Cloudflare is acquired or merged, potentially under different privacy terms, which is a standard but material risk in any platform relationship.
ConductAtlas has identified this type of provision across 25 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cloudflare.