Cloudflare and Data Protection – What Belongs in Your Privacy Policy
Concise guide to Cloudflare: processed data, purposes, GDPR legal bases and what website operators must include in their privacy policy on Cloudflare.
If a website operator uses Cloudflare, all requests to its website are routed through the global Cloudflare infrastructure. Cloudflare processes web server log data, blocks suspicious requests, accelerates content delivery and protects the website against attacks such as DDoS attacks. This page shows website operators in Germany what data Cloudflare processes according to the publicly available information from the provider, which purposes and legal bases are typically applicable and which mandatory disclosures belong in the privacy policy.
A. Purpose and Functionality of Cloudflare
Cloudflare is a US provider of content delivery network, DDoS protection, web application firewall and security services. If a website operator uses Cloudflare, DNS queries for its domain are configured so that all requests are first routed via the Cloudflare infrastructure (the "edge network"). Cloudflare inspects the requests, blocks suspicious requests, delivers cached content (images, CSS, JavaScript) from the nearest data centre and forwards legitimate requests to the website operator's origin server.
This page focuses on the typical integration of Cloudflare as a reverse proxy (CDN, DDoS protection, web application firewall, bot management). Cloudflare also offers other functions (Cloudflare Workers, Cloudflare Stream, Cloudflare Zero Trust, Cloudflare R2) which are not primarily covered here and must be examined separately by the website operator. Cloudflare Web Analytics, which is a separate analytics component, is also not covered here.
B. Mandatory Disclosures in the Privacy Policy when Using Cloudflare
The GDPR requires the privacy policy to set out tool-specific minimum content in addition to general information about the website operator, data subject rights and the supervisory authority. For the use of Cloudflare this includes in particular:
- the purposes of the processing (Art. 13 para. 1 lit. c GDPR),
- the legal bases (Art. 13 para. 1 lit. c GDPR),
- where based on legitimate interests, the specific interests pursued (Art. 13 para. 1 lit. d GDPR),
- the recipients or categories of recipients (Art. 13 para. 1 lit. e GDPR),
- whether data is transferred to an insecure third country (Art. 13 para. 1 lit. f GDPR),
- the storage duration or the criteria used to determine it (Art. 13 para. 2 lit. a GDPR),
- where data is not collected directly, additionally the categories of personal data (Art. 14 para. 1 lit. d GDPR).
It is not necessary to list Cloudflare with its own boilerplate text in the privacy policy, even though that practice is widespread. The "one boilerplate per tool" approach has become poor practice: it leads to long, redundant texts, makes the privacy policy hard to maintain and tends to run counter to the transparency requirement of Art. 12 para. 1 GDPR. A topic-oriented approach is more appropriate – describing processing across topics (server operations, CDN, captcha, etc.) and naming Cloudflare only in an annex of recipients. This is exactly the methodology that the matterius generator follows.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Cloudflare
According to the publicly available information from the provider, the contracting party for German website operators is generally Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany, or Cloudflare, Inc., based at 101 Townsend Street, San Francisco, CA 94107, USA. Which group entity is the contracting party in any individual case must be checked by the website operator on the basis of the order and contract documents.
According to the publicly available information, Cloudflare, Inc. is certified under the EU-US Data Privacy Framework (DPF); the status can be verified at https://www.dataprivacyframework.gov/s/participant-search. EU Standard Contractual Clauses are used as additional safeguards. Cloudflare also offers an "EU Data Boundary" configuration with which data processing within the EU can be preferred.
Cloudflare's privacy notice is available at https://www.cloudflare.com/privacypolicy/. The Data Processing Addendum is provided at https://www.cloudflare.com/cloudflare-customer-dpa/. A list of subprocessors is available at https://www.cloudflare.com/gdpr/subprocessors/.
D. Data Processing by Cloudflare – Step by Step
E. Data Collected when Using Cloudflare
In connection with Cloudflare, the data processed according to the provider's publicly available information typically includes IP address, timestamp, requested URL, referrer, user-agent, status code of the server response, transmitted data volume and security and abuse-relevant signals (bot indicators, device fingerprints, request patterns).
The data can be classified into the following standardised data categories:
- Web server log data: IP address, timestamp, URL, referrer, user-agent, status code of the server response, transmitted data volume.
- Device data: device type and operating system, where derivable from the user-agent.
- Browser information: browser name and version.
- Coarse location data: location derived from the IP address at city or municipality level.
- Technical telemetry data: load times, data volume, technical error messages.
If the website operator additionally uses Cloudflare Turnstile (captcha function), click paths and interaction data are added.
F. Purposes when Using Cloudflare
Website operators typically use Cloudflare for the secure and high-performance delivery of their own website, to defend against DDoS attacks and application/network-layer attacks, for bot detection and filtering, and to accelerate content delivery via the global edge network.
These purposes can be classified into the following standardised purpose categories:
- Provision of functionality: delivery of requested content (caching), provision of website functionality, error detection and correction.
- Security and abuse prevention: detecting, preventing and ending attacks (e.g. DDoS), bot and spam defence, web application firewall, detection of anomalous request patterns.
- General product improvement: evaluation of aggregated performance and security data to optimise own infrastructure.
G. Legal Bases when Using Cloudflare
In a first step, Cloudflare must be assigned to a tool category: it is mainly a tool from the CDN and Server operations/Hosting categories, complemented by functions in the Captcha category (Cloudflare Turnstile) and the web application firewall.
In a second step, the following legal bases typically come into consideration:
- For CDN, DDoS protection and web application firewall: legitimate interests in provision of functionality, security, abuse prevention, efficiency and legal defence under Art. 6 para. 1 lit. f GDPR.
- For technically necessary cookies or comparable storage accesses (e.g. for security and session control such as the __cf_bm cookie): typically § 25 para. 2 no. 2 TDDDG (necessity exception), insofar as the storage access is strictly necessary to provide the service explicitly requested by the user (e.g. a secure website).
- Where Cloudflare Turnstile with tracking components or Cloudflare Web Analytics is used, § 25 para. 1 TDDDG and possibly statistics or marketing consent must additionally be considered.
Which legal basis is specifically applicable depends on the configuration and the Cloudflare functions used and must be examined by the website operator on a case-by-case basis.
H. Particularities and Notes on Cloudflare
- DPA: Cloudflare provides a Data Processing Addendum at https://www.cloudflare.com/cloudflare-customer-dpa/; concluding it is generally mandatory when used by website operators in Germany.
- Third-country transfer / DPF: According to the publicly available information, Cloudflare, Inc. is certified under the EU-US Data Privacy Framework; EU Standard Contractual Clauses are used as additional safeguards. Cloudflare offers an "EU Data Boundary" configuration with which processing within the EU can be preferred.
- Subprocessors: A list is available at https://www.cloudflare.com/gdpr/subprocessors/.
- Cookies / __cf_bm: Cloudflare sets cookies such as __cf_bm for bot defence. According to the provider's publicly available information, these are typically considered necessary security cookies; however, the legal classification in the individual case (in particular the scope of the necessity exception under § 25 para. 2 TDDDG) remains debated.
- Settings for the website operator: Recommended is a deliberate configuration of the activated Cloudflare functions, activation of the EU Data Boundary where available, and concluding the DPA.
- Source note: The information is based on the provider's publicly available publications and does not replace a case-by-case assessment.
I. Frequently Asked Questions on Cloudflare and Data Protection
J. Conclusion on Cloudflare
When using Cloudflare, the website operator routes all requests to its website via the global Cloudflare infrastructure. The contracting party is typically Cloudflare Germany GmbH or Cloudflare, Inc.; the parent company Cloudflare, Inc. is certified under the EU-US Data Privacy Framework according to the publicly available information. Key obligations are concluding a data processing agreement, activating the EU Data Boundary where available, and deliberately configuring the Cloudflare functions used.
It is generally not advisable for the website operator to include a dedicated boilerplate text for Cloudflare in the privacy policy. A structured, topic-oriented approach is recommended that explains tools across topical blocks (server operations, CDN, captcha, etc.) and only names individual service providers such as Cloudflare in an annex of recipients. This is exactly the methodology that the matterius generator follows.
This article provides general information on Cloudflare and does not replace legal advice in individual cases. The presentation is based on the provider's publicly available information and other publicly accessible sources. Status: 6 May 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com