Privacy policy clauses for Cloudflare
Cloudflare is a content delivery network (CDN) and web security provider that routes internet traffic through its global infrastructure to improve website performance, prevent DDoS attacks, and filter malicious requests. Websites use Cloudflare to protect against cyber threats and deliver content faster to visitors worldwide.
What data Cloudflare collects
Your privacy policy must disclose each of the following data types when you use Cloudflare.
When does Cloudflare trigger privacy obligations?
Installation triggers immediate data processing
The moment Cloudflare's nameserver or proxy is active, IP addresses and HTTP request headers begin flowing to Cloudflare's US servers for every visitor—before consent is collected. This is not optional: Cloudflare's CDN and DDoS protection require real-time request inspection.
GDPR applies if you have EU visitors
If your site is accessible to EU residents, GDPR Article 13 requires you to disclose in your privacy policy that Cloudflare processes IP addresses (personal data under CJEU case C-582/14). The __cf_bm cookie also triggers GDPR Article 7 (lawful basis) and ePrivacy Directive Article 5(3) (cookie consent), since even bot-management cookies require explicit consent or legitimate interest justification in most EU jurisdictions.
CCPA applies to California residents
CCPA Section 1798.100 requires you to disclose what categories of personal information you collect and with whom you share it. Cloudflare qualifies as a service provider under Section 1798.140(ag), but you must name it in disclosures.
First concrete step
Update your privacy policy to name Cloudflare as a processor, specify that IP addresses and request metadata are collected during CDN routing, and disclose the __cf_bm cookie. Execute a Data Processing Addendum (DPA) with Cloudflare before processing any EU resident data.
