Privacy policy clauses for Cloudflare Workers
Cloudflare Workers is a serverless computing platform that runs JavaScript code at Cloudflare's edge network locations worldwide. Websites use it to execute custom backend logic, process requests, and deliver dynamic content with reduced latency without managing traditional servers.
Free scan · No signup · Results in 60 seconds
What data Cloudflare Workers collects
Your privacy policy must disclose each of the following data types when you use Cloudflare Workers.
When does Cloudflare Workers trigger privacy obligations?
Cloudflare Workers processes request data at Cloudflare's edge locations the moment it is deployed—before your origin server receives traffic. This triggers GDPR Article 6 (lawful basis) and Article 28 (processor obligations) immediately if any EU residents' requests flow through it, regardless of where your origin is hosted.
GDPR applicability: If you serve EU residents, you must have a Data Processing Agreement (DPA) with Cloudflare. Cloudflare provides a standard DPA, but you must execute it before processing begins. GDPR Article 28(3) requires this in writing.
CCPA applicability: If you process California residents' personal information and Workers handles request headers, cookies, IP addresses, or query parameters, those are "personal information" under CCPA Section 1798.100. You must disclose your use of Cloudflare as a service provider in your privacy notice (CCPA Section 1798.100(b)).
First concrete step
