Privacy policy clauses for Cloudflare Turnstile
Cloudflare Turnstile is a privacy-focused bot detection service that verifies users are human without requiring visual CAPTCHAs. Websites implement it to prevent abuse, spam, and automated attacks while minimizing data collection and user friction.
What data Cloudflare Turnstile collects
Your privacy policy must disclose each of the following data types when you use Cloudflare Turnstile.
When does Cloudflare Turnstile trigger privacy obligations?
Data flows that activate obligations
The moment you deploy Cloudflare Turnstile on your site or app, two data points flow to Cloudflare Inc (US-based processor): the user's challenge response and their IP address. This is not optional—it happens automatically on every page load or form submission protected by Turnstile, regardless of user consent status.
Which regulations apply and why
GDPR (if you have EU visitors): IP addresses are personal data under GDPR Article 4(1). Cloudflare Turnstile processes these on your behalf, making Cloudflare a processor under GDPR Article 28. You must have a Data Processing Agreement (DPA) in place *before* deployment. You also need a lawful basis (Article 6) to collect the IP—typically Article 6(1)(f) (legitimate interest in fraud prevention)—and must disclose this in your privacy notice under Article 13/14.
CCPA (if you have California residents): IP addresses qualify as personal information under CCPA Section 1798.100(d). You must disclose the "categories of personal information" collected and the business purpose (fraud detection) in your privacy notice before or at collection.
ePrivacy Directive Article 5(3)
