Cloudflare's commitment to GDPR compliance

At Cloudflare, our mission is to help build a better Internet, and we believe the protection of our customers' and their end users' data is fundamental to this mission.

Even before Europe’s watershed General Data Protection Regulation (GDPR) went into effect in 2018, Cloudflare was focused on how we could improve privacy globally. We’ve built products to expand and improve privacy online, and we minimize our collection of personal data and only use personal data for the purpose for which it was collected. Since our founding, we have committed that we would keep personal information private, so we have never sold or rented our users’ personal information to anyone.

On a practical level, GDPR was a codification of many of the steps we were already taking: only collect the personal data you need to provide the service you’re offering; don’t sell personal information; give people the ability to access, correct, or delete their personal information; and, consistent with our role as a data processor, give our customers control over the information that, for example, is cached on our content delivery network (CDN), stored in Workers Key Value Store, or captured by our web application firewall (WAF).

We have compiled on this page responses to questions we frequently receive about how we process data on behalf of our customers in a way that complies with the GDPR. As data protection is an ever-evolving environment, we continue to monitor ongoing developments globally and will update this page as appropriate.

Information about the personal data Cloudflare collects, how we use and disclose that information, data subject rights (including how to contact Cloudflare to exercise those rights), and international data transfers can be found in our Privacy Policy.


Trusted by millions of Internet properties