Application Privacy Policy

Effective April 16, 2020

This Application Privacy Policy (“Application Privacy Policy”) outlines the information that Cloudflare gathers, how we use that information, and the options you have to access, correct, or delete such information when you use Cloudflare’s Application and the associated Application Services. As used in this Application Privacy Policy, “Cloudflare,” “Us” or “We” refers to Cloudflare, Inc. and its affiliates as listed at the end of this policy. Capitalized terms used but not defined herein have the meanings ascribed to them in the Application Terms of Service.

1. Scope of Policy.
Our mission to help build a better Internet is rooted in the importance we place on establishing trust with the Internet community globally. To earn and maintain that trust, we commit to communicating transparently, providing security, and protecting the privacy of data on our systems.

This Policy only applies to Cloudflare’s collection, use, and disclosure of the information of individuals who use Cloudflare’s Application and associated Application Services. Information processed by other Cloudflare products and services is governed by Cloudflare’s Privacy Policy.

2. Information We Collect.
We only collect and store the absolute minimum amount of data we believe is required to provide the Service. There are three categories of data that we collect: Account Data, Operational Data, and DNS Resolver Information as described more fully below. Your Account Data and Operational Data are kept pseudonymized. Your DNS Resolver Information is anonymized at our edge data centers.

We do not collect your name, phone number, or credit card information (any payments are collected by the applicable App Store). The only information we receive from the applicable App Store is a limited amount of information that we need to confirm your subscription for a Service. We do not receive from the App Store any of your personal data or other information about your App Store account. We only receive your email address if you have decided to give us feedback.

We promise to keep your personal information personal and private. We will not sell, rent, share, or otherwise disclose your personal information to anyone except as necessary to provide our services or as otherwise described in this Application Privacy Policy without first providing you with notice and the opportunity to consent.

2.1 Account Data
When you install the Application on your device, create or update your account, sign up for a Paid Application Service, or participate in one of our referral programs, we collect and store the “Account Data” described below, depending on your use of the Application.

Account Data

Information Type
Account: We use account information to administer your account and authorize Internet requests from your device to the Cloudflare network.
Subscription: If you subscribe to paid Application Services, we use subscription information to administer those subscriptions.
Referral: If you participate in our referral programs, we use referral information to credit referrals to you.

2.2 Operational Data
Cloudflare also collects and stores “Operational Data” when you connect to our network. This data is required to operate our Application Services.

Operational Data

Information Type
Request data (Source IP, Source Port, Destination IP): The Application is not designed to hide your identity from the Internet properties you access from your device. As a result, we may retain your request data for a period of 24 hours for emergency purposes, such as responding to emergency law enforcement requests.
Performance data: We track the Application Services you have enabled and the amount of data you have transferred via Warp and/or Warp+. (Warp and Warp+ are defined in the Application Terms of Service.) We also use performance data to understand how the Application impacts your Internet connection and to improve our Application Services. Performance Data does not include your personally identifiable information.
Device data: We use information regarding your device, such as device model and operating system, for troubleshooting and to improve our Application Services. This data does not include unique device identifiers.
Crash Logs: We use crash log information regarding your device’s use of the Application for troubleshooting and to improve our Application Services. Crash logs do not contain your IP addresses or other personally identifiable data.
Feedback: We require your email address when you provide feedback or share your console logs. We use this information for troubleshooting and to improve our Application Services. Your email address will be deleted 6 months from the date of collection.

2.3 DNS Resolver Information
We collect limited DNS query data that is sent to the resolvers when you have the Application activated on your device. The DNS query data that we retain does not contain user IP addresses or personally identifiable information, and the bulk of the data is only stored for 24 hours. You can learn more about our commitment to privacy here.

3. How We Use Information We Collect.
Cloudflare only processes personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized. We use the information we collect, as described above, to operate and improve the Application Services, such as to assist us in our debugging efforts if an issue arises. We may also use the information we collect to comply with legal obligations as well as to investigate and prevent violations of the Application Terms of Service. We will not combine the information collected from DNS queries with any other Cloudflare or third party data in any way that can be used to identify individual end users. Learn more.

4. Retention.
We store your personal data only as long as is necessary to provide our Application Services, pursue legitimate interests, and comply with applicable laws. Your Account Data and Operational Data will be stored for no longer than two years after your last use of the Application Services.

5. Information Sharing.
We work with other companies who help us run our business (“Service Providers”). These companies provide services to help us operate and improve the Application Services, including assisting with debugging and crash analytics. These Service Providers may only process personal information pursuant to our instructions and in compliance both with this Application Privacy Policy, Cloudflare’s Privacy Policy and other applicable confidentiality and security measures and regulations, including our obligations under the EU-US and Swiss-US Privacy Shield frameworks described in Section 5, below.

Specifically, we do not permit our Service Providers to sell any personal information we share with them, or to use any personal information we share with them for their own marketing purposes or for any other purpose than to perform the services they provide to us.

In addition to sharing with Service Providers as described above, we may also share your information with others in the following circumstances:

  • Within the Cloudflare Group (defined for the purposes of this Application Privacy Policy as the Cloudflare entities listed at the end of this policy);
  • When we are required to disclose personal information to respond to subpoenas, court orders, or legal process; or in the case of an emergency to protect any person from the danger of death or serious physical injury; or to establish or exercise our legal rights or defend against legal claims. (Learn more about how we handle law enforcement requests here);
  • In the event of a merger, sale, change in control, or reorganization of all or part of our business;
  • Where we have a good-faith belief sharing is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required to comply with our legal obligations; or as you may otherwise consent from time to time.

Learn more about information sharing specific to the Resolver here.

We do not sell, rent, or share personal information with third parties as defined under the California Consumer Privacy Act of 2018 (California Civil Code Sec. 1798.100 et seq.), nor do we sell, rent, or share personal information with third parties for their direct marketing purposes, including as defined under California Civil Code Sec. 1798.83.

6. Legal Basis for Processing.
If you are an individual from the European Economic Area (EEA), please note that our legal basis for collecting and using your personal information will depend on the personal information collected and the specific context in which we collect it. We normally will collect personal information from you only where: (a) we need your personal information to perform a contract with you (e.g. to deliver the services you have requested), or (b) the processing is in our legitimate interests. In some cases, we may also have a legal obligation to collect personal information from you, or may otherwise need the personal information to protect your vital interests or those of another person. We will obtain your consent where required by law. Where we rely on our legitimate interests to process your personal data, you have the right to object. If you have any questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us at privacyquestions@cloudflare.com.

7. International Information Transfers.
Cloudflare is a U.S.-based, global company. We primarily store your information in the United States, the European Economic Area (the “EEA”), and the United Kingdom. To facilitate our global operations, we may transfer and access such information from around the world, including from other countries in which the Cloudflare Group has operations for the purposes described in this Policy.

Whenever Cloudflare shares personal information originating in the EEA, the United Kingdom or Switzerland with a Cloudflare entity outside the EEA, the United Kingdom or Switzerland, it will do so on the basis of the EU standard contractual clauses (adjusted to address transfers from the United Kingdom) or the Privacy Shield Frameworks detailed in Section 8.

If you are accessing or using our Application, you are agreeing to the transfer of your limited personal information described in Section 2 of this Application Privacy Policy to the United States and other jurisdictions in which we operate.

8. Privacy Shield.
Cloudflare is certified under both the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA, the United Kingdom and Switzerland to the United States, respectively (“Privacy Shields”). We commit to periodically review and verify the accuracy of our policies and our compliance with the Privacy Shields. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. For more information on the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield, please visit the U.S. Department of Commerce’s Privacy Shield website at: https://www.privacyshield.gov/welcome.

If you believe that we maintain copies of your personal data within the scope of the Privacy Shields, you may direct any inquiries to SAR@cloudflare.com or via mail to: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, Attn: Data Protection Officer. We will respond to your inquiry within 30 days of receipt and verification of your identity. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. If neither we nor our dispute resolution provider are able to resolve your complaint, as a last resort you may engage in binding arbitration through the Privacy Shield Panel.

Our commitments under the Privacy Shields are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Under such circumstances, we may be prohibited by law, court order or other legal process from providing notice of disclosure.

9. Data Subject Rights and Choices.
In the event you elect to contact us to report an issue with the Application, to share feedback or to send console logs, we may receive limited personal data about you, such as your email address, that we retain for a limited period of time. You will have the right to access, correct, update, export, or delete your limited personal information that we retain. You may email us at SAR@cloudflare.com with any such subject access requests (“SAR”), and we will respond within thirty (30) days.

Please keep in mind that except for when you provide feedback, we don’t receive personally identifiable information from you, and we are unable to associate your identity with your Account Data or Operational Data. As a result, our ability to comply with data subject rights is limited to those circumstances in which we have your personally identifiable data.

10. Data Security, Data Integrity and Access.
We take all reasonable steps to protect information we receive from you from loss, misuse or unauthorized access, disclosure, alteration, and/or destruction. We have put in place appropriate physical, technical, and administrative measures to safeguard and secure your information, and we make use of privacy-enhancing technologies such as encryption. If you have any questions about the security of your personal information, you can contact us at privacyquestions@cloudflare.com.

11. Notification of Changes.
If we make changes to this Application Privacy Policy that we believe materially impact the privacy of your personal data, we will promptly provide notice of any such changes (and, where necessary, obtain consent), as well as post the updated Application Privacy Policy on this website noting the effective date of any changes.

12. Business Transactions.
We may assign or transfer this Application Privacy Policy, as well as information covered by this Application Privacy Policy, in the event of a merger, sale, change in control, or reorganization of all or part of our business.

13. English Language Controls.
Non-English translations of this Application Privacy Policy are provided for convenience only. In the event of any ambiguity or conflict between translations, the English version is authoritative and controls.

14. Contact Information.

Cloudflare, Inc.
101 Townsend St.
San Francisco, CA 94107
Attention: Data Protection Officer

Cloudflare, Ltd.
County Hall/The Riverside Building
Belvedere Road
London, SE1 7PB
Attention: Data Protection Officer

Cloudflare Portugal, Unipessoal Lda.
Largo Rafael Bordalo Pinheiro 29
1200-369 Lisboa
Attention: Data Protection Officer

Cloudflare, Pte., Ltd.
120 Robinson Road #15-00
Singapore 068913
Attention: Data Protection Officer

Cloudflare Germany GmbH
Rosental 7
80331 München
Attention: Data Protection Officer

Cloudflare Australia Pty Ltd.
333 George St., 5th Floor
Sydney, NSW 2000
Attention: Data Protection Officer

Have Questions?

If you have questions about these terms or anything else about Cloudflare, please don't hesitate to contact us:

+1 (650) 319-8930
