Can you trust CloudFlare with your personal data?
I'm increasingly concerned with the power that CDNs wield - and CloudFlare in particular. So I decided to delete my CloudFlare account. While they claim to have removed my account, they still seem to count me as an active customer.
I wonder how many people bought shares in their IPO based on inaccurate customer numbers?
Timeline
- 2019-08-04 I raised a support ticket to close my account.
- 2019-08-05 CloudFlare sent me confirmation that they'd removed my account.
- 2019-10-02 I received an email from CloudFlare "because I am a customer"
The ironic thing? It was an update to their privacy policy!
I can't log in to CloudFlare, and I can't reset my password. So they appear to have disabled my account. But, somewhere in their labyrinthine data warehouse, they still retain my email address and other information. They seem to think it's acceptable to call me their customer and continue to contact me.
Does it really take over 2 months to remove someone's data? If this message had been a physical bit of post, I'd get it - they're often prepared months in advance. But this is the Internet. We expect global giants with no legacy infrastructure to be able to instantly manipulate data.
I emailed their privacy team to find out exactly why they're still emailing ex-customers. After a month, I hadn't heard back from them. But a bit of public Twitter prompting got the CTO to respond.
A few hours later, I got this:
Sorry for the late reply about your issue. When we receive a request for account deletion, we may retain the email address on the account up to a year to ensure that we comply with internal policies and legal obligations. Per your account deletion request, we scheduled your account for deletion and it has not yet been purged. This is why you received the email about our updated privacy policy. Your account is scheduled to be purged from our systems and when that happens, you should no longer receive communications from us unless that email address is used to sign up for a new account.
Politely, I think that's bunkum. Their new privacy policy doesn't make any mention of retaining data for a year. I can't comment on the legal aspects, but I've never had another company continue to email me after they've "deleted" my account. Or are they saying I am still beholden to their policies even after I'm no longer a customer?
I can't help but wonder what other data are they holding hostage. How many of their "active" customers have "deleted" their accounts?
CF says:
Nice. The account data should be deleted if the user demand so. Good to know you’ve left CF.