Application Privacy Policy

Last updated: October 22, 2020

We have updated our April 16, 2020 Application Privacy Policy to clarify that the use of this Application as part of Cloudflare for Teams is not subject to this Application Privacy Policy and to update information about data transfers from the EU to the U.S.

This Application Privacy Policy (“Application Privacy Policy”) outlines the information that Cloudflare gathers, how we use that information, and the options you have to access, correct, or delete such information when you use the Cloudflare Application(s). As used in this Application Privacy Policy, “Cloudflare,” “Us” or “We” refers to Cloudflare, Inc. and its affiliates as listed at the end of this policy. Capitalized terms used but not defined herein have the meanings ascribed to them in the Application Terms of Service.

This Application Privacy Policy does not apply to your use of the Application as part of Cloudflare for Teams, in which case the Cloudflare Privacy Policy applies.

1. Scope of Policy
Our mission to help build a better Internet is rooted in the importance we place on establishing trust with the Internet community globally. To earn and maintain that trust, we commit to communicating transparently, providing security, and protecting the privacy of data on our systems.

This Policy only applies to Cloudflare’s collection, use, and disclosure of personal information in connection with the use of the Cloudflare Application(s). This Policy does not apply to Cloudflare’s collection, use, and disclosure of personal information through the Application when the Application is used as part of a Cloudflare for Teams account, as described in more detail in Section 3.

2. Information We Collect
We only collect and store the minimum amount of data we believe is required to operate and improve the Application. There are three categories of data that we collect: Account Data, Operational Data, and DNS Resolver Information as described more fully below. Your Account Data and Operational Data are pseudonymized. Your DNS Resolver Information is anonymized at our edge data centers.

We do not collect your name, phone number, or credit card information (or records of any payments collected by the applicable App Store). The only information we receive from the applicable App Store is a limited amount of information that we need to confirm your subscription for a Service. We do not receive from the App Store any of your personal data or other information about your App Store account. We only receive your email address if you have decided to give us feedback and/or report bugs.

We promise to keep your personal information personal and private. We will not sell or rent your personal information to anyone. We will not share or otherwise disclose your personal information except as necessary to provide our services or as otherwise described in this Application Privacy Policy without first providing you with notice and the opportunity to consent.

2.1 Account Data
When you install the Application on your device, create or update your account, sign up for a Paid Application Service, or participate in one of our referral programs, we collect and store the “Account Data” described below, depending on your use of the Application.

Account Data


Information Type                                                  
Purpose
Account We use account information, such as your account ID, to administer your account and authorize Internet requests from your device to the Cloudflare network.
Subscription If you subscribe to Paid Application Services, we use subscription information, such as your order ID, to administer those subscriptions.
Referral If you participate in our referral programs, we use referral information, such as your registration ID, to credit referrals to you.

2.2 Operational Data
Cloudflare also collects and stores “Operational Data” when you connect to our network. This data is required to operate and improve our Application.

Operational Data


Information Type                                                  
Purpose
Request data (Source IP, Source Port, Destination IP) The Application is not designed to hide your identity from the Internet properties you access from your device. As a result, we may retain your request data when you use WARP™ and WARP+™ for a period of 24 hours for emergency purposes, such as responding to emergency law enforcement requests.
Performance data We track the services you have enabled and the amount of data you have transferred via the Application. We also use performance data to understand how the Application impacts your Internet connection and to improve our Application. Performance Data does not include personal information.
Device data We use information regarding your device, such as device model and operating system, for troubleshooting and to improve our Application. This data does not include unique device identifiers.
Crash Logs We use crash log information regarding your device’s use of the Application for troubleshooting and to improve our Application. Crash logs do not contain your IP addresses or other personal information.
Connection Data We retain anonymized network information to look for connection problems between your device and Cloudflare’s network. You may disable the reporting of anonymized network information in the Application.
Feedback/Bug Reports We require your email address when you provide feedback and bug reports. When you provide feedback, you can choose whether to share your console logs. Console logs can include your device name and IP address. We use this information for troubleshooting and to improve our Application. Your email address will be deleted 6 months from the date of collection.

2.3 DNS Resolver Information
We collect limited DNS query data that is sent to the 1.1.1.1 Public DNS resolver when you have the Application enabled on your device. Unlike WARP and WARP+, the DNS query data that we retain does not contain your IP addresses or personal information, and the bulk of the data is only stored for 24 hours. You can learn more about our 1.1.1.1 Public DNS Resolver commitment to privacy here.

3. Cloudflare for Teams
The Application may be used as part of the Cloudflare for Teams offerings to which you or your organization may subscribe. You understand that when your device is in Cloudflare for Teams mode, information we collect about your use of the Application and your Internet activity will be associated with your Cloudflare for Teams identity (e.g., work email address), and Cloudflare will process your personal data on behalf of the Cloudflare for Teams organization that you have associated with your account. All information provided by you or resulting from your use of the Application as part of Cloudflare for Teams services to which you or your organization subscribe is collected, used, maintained, shared, and destroyed in accordance with the Cloudflare Privacy Policy, available here, and this Application Privacy Policy will no longer apply.

You further understand that when Cloudflare for Teams is enabled in the Application, Cloudflare may be able to associate your Cloudflare for Teams account information with your other use of the Application for up to 24 hours from when you enable Cloudflare for Teams.

4. How We Use Information We Collect
Cloudflare only processes personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized. We use the information we collect, as described in Section 2 to operate and improve the Application, such as to assist us in our debugging efforts if an issue arises. We may also use the information we collect to comply with legal obligations as well as to investigate and prevent violations of the Application Terms of Service. We will not combine the information collected from DNS queries with any other Cloudflare or third party data in any way that can be used to identify individual end users. Learn more.

5. Retention
We store your personal data only as long as is necessary to provide our Application and the associated services, pursue legitimate interests, and comply with applicable laws. Your Account Data and Operational Data will be stored for no longer than two years after your last use of the Application. Information associated with feedback and bug reports may be retained longer as needed.

6. Information Sharing
We work with other companies who help us run our business (“Service Providers”). These companies provide services to help us operate and improve the Application, including assisting with debugging and crash analytics. These Service Providers may only process personal information pursuant to our instructions and in compliance both with this Application Privacy Policy, Cloudflare’s Privacy Policy and other applicable confidentiality and security measures and regulations.

Specifically, we do not permit our Service Providers to sell any personal information we share with them, or to use any personal information we share with them for their own marketing purposes or for any other purpose than to perform the services they provide to us.

In addition to sharing with Service Providers as described above, we may also share your information with others in the following circumstances:

  • Within the Cloudflare Group (defined for the purposes of this Application Privacy Policy as the Cloudflare entities listed at the end of this policy);
  • When we are required to disclose personal information to respond to subpoenas, court orders, or legal process; or in the case of an emergency to protect any person from the danger of death or serious physical injury; or to establish or exercise our legal rights or defend against legal claims. (Learn more about how we handle law enforcement requests here);
  • In the event of a merger, sale, change in control, or reorganization of all or part of our business;
  • Where we have a good-faith belief sharing is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required to comply with our legal obligations; or as you may otherwise consent from time to time.

Learn more about information sharing specific to the 1.1.1.1 Public DNS Resolver here.

We do not sell, rent, or share personal information with third parties as defined under the California Consumer Privacy Act of 2018 (California Civil Code Sec. 1798.100 et seq.), nor do we sell, rent, or share personal information with third parties for their direct marketing purposes, including as defined under California Civil Code Sec. 1798.83.

7. Legal Basis for Processing
If you are an individual from the European Economic Area (EEA), please note that our legal basis for collecting and using your personal information will depend on the personal information collected and the specific context in which we collect it. We normally will collect personal information from you only where: (a) we need your personal information to perform a contract with you (e.g. to deliver the services you have requested), or (b) the processing is in our legitimate interests. In some cases, we may also have a legal obligation to collect personal information from you, or may otherwise need the personal information to protect your vital interests or those of another person. We will obtain your consent where required by law. Where we rely on our legitimate interests to process your personal data, you have the right to object. If you have any questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us at privacyquestions@cloudflare.com.

8. International Information Transfers
Cloudflare is a U.S.-based, global company. We primarily store your information in the United States, the European Economic Area (the “EEA”), and the United Kingdom. To facilitate our global operations, we may transfer and access such information from around the world, including from other countries in which the Cloudflare Group has operations for the purposes described in this Policy.

Whenever Cloudflare shares personal information originating in the EEA, the United Kingdom or Switzerland with a Cloudflare entity outside the EEA, the United Kingdom or Switzerland, it will do so on the basis of the EU standard contractual clauses (adjusted to address transfers from the United Kingdom).

If you are accessing or using our Application, you are agreeing to the transfer of your limited personal information described in Section 2 of this Application Privacy Policy to the United States and other jurisdictions in which we operate.

9. Privacy Shield
Cloudflare is a U.S.-based, global company. We primarily store your information in the United States and the European Economic Area. You acknowledge that to facilitate your use of the Application, we may transfer and access such information from around the world, including from other countries in which the Cloudflare Group has operations for the purposes described in this Application Privacy Policy, and we will ensure appropriate safeguards are in place to protect your personal information. We describe our additional safeguards here.

If you are using the Application and provide us with feedback, then you are consenting to Cloudflare processing your personal data outside of the EEA, the UK, or Switzerland.

While Cloudflare no longer relies on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as a lawful basis for international transfers of personal data from the EEA and Switzerland to the U.S., Cloudflare remains certified under both the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA, the United Kingdom and Switzerland to the United States, respectively (“Privacy Shields”). We commit to periodically review and verify the accuracy of our policies and our compliance with the Privacy Shields. If there is any conflict between the terms in this Application Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. For more information on the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield, please visit the U.S. Department of Commerce’s Privacy Shield website at: https://www.privacyshield.gov/welcome.

If you believe that we maintain copies of your personal data within the scope of the Privacy Shields, you may direct any inquiries to SAR@cloudflare.com or via mail to: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, Attn: Data Protection Officer. We will respond to your inquiry within 30 days of receipt and verification of your identity. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. If neither we nor our dispute resolution provider are able to resolve your complaint, as a last resort you may engage in binding arbitration through the Privacy Shield Panel.

Our commitments under the Privacy Shields are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Under such circumstances, we may be prohibited by law, court order or other legal process from providing notice of disclosure.

10. Data Subject Rights and Choices
In the event you elect to contact us to report an issue with the Application, to share feedback or to send console logs, we may receive limited personal data about you, such as your email address, that we retain for a limited period of time. You will have the right to access, correct, update, export, or delete your limited personal information that we retain. You may email us at SAR@cloudflare.com with any such subject access requests (“SAR”), and we will respond within thirty (30) days.

Please keep in mind that except for when you provide feedback, we don’t receive personally identifiable information from you, and we are unable to associate your identity with your Account Data or Operational Data. As a result, our ability to comply with data subject rights is limited to those circumstances in which we have your personally identifiable data.

11. Data Security, Data Integrity and Access
We take all reasonable steps to protect information we receive from you from loss, misuse or unauthorized access, disclosure, alteration, and/or destruction. We have put in place appropriate physical, technical, and administrative measures to safeguard and secure your information, and we make use of privacy-enhancing technologies such as encryption. If you have any questions about the security of your personal information, you can contact us at privacyquestions@cloudflare.com

12. Notification of Changes
If we make changes to this Application Privacy Policy that we believe materially impact the privacy of your personal data, we will promptly provide notice of any such changes (and, where necessary, obtain consent), as well as post the updated Application Privacy Policy on this website noting the effective date of any changes.

13. Business Transactions
We may assign or transfer this Application Privacy Policy, as well as information covered by this Application Privacy Policy, in the event of a merger, sale, change in control, or reorganization of all or part of our business.

14. English Language Controls
Non-English translations of this Application Privacy Policy are provided for convenience only. In the event of any ambiguity or conflict between translations, the English version is authoritative and controls.

15. Contact Information

Cloudflare, Inc.
101 Townsend St.
San Francisco, CA 94107
Attention: Data Protection Officer
privacyquestions@cloudflare.com

Cloudflare, Ltd.
County Hall/The Riverside Building
Belvedere Road
London, SE1 7PB
Attention: Data Protection Officer
privacyquestions@cloudflare.com

Cloudflare Portugal, Unipessoal Lda.
Largo Rafael Bordalo Pinheiro 29
1200-369 Lisboa
Attention: Data Protection Officer
privacyquestions@cloudflare.com

Cloudflare, Pte., Ltd.
120 Robinson Road #15-00
Singapore 068913
Attention: Data Protection Officer
privacyquestions@cloudflare.com

Cloudflare Germany GmbH
Rosental 7
80331 München
Attention: Data Protection Officer
privacyquestions@cloudflare.com

Cloudflare Australia Pty Ltd.
333 George St., 5th Floor
Sydney, NSW 2000
Attention: Data Protection Officer
privacyquestions@cloudflare.com

Cloudflare (Beijing) Information Technology Co., Ltd.
16 South Guangshun Street
Donghuang Building 17th Floor
Chaoyang District Beijing 100015
Attention: Data Protection Officer
privacyquestions@cloudflare.com

Cloudflare France SAS
6 place de la Madeleine
75008 Paris
Attention: Data Protection Officer
privacyquestions@cloudflare.com

Cloudflare Japan K.K.
3-1-6 Motoazabu, Minato-ku
Tokyo, 106-0046
Attention: Data Protection Officer
privacyquestions@cloudflare.com

Have Questions?

If you have questions about these terms or anything else about Cloudflare, please don't hesitate to contact us:

+1 (650) 319-8930

Cloudflare, Inc.
101 Townsend St,
San Francisco, CA 94107
USA
Attention: Data Protection Officer
privacyquestions@cloudflare.com