Don't trust Cloudflare with your personal data

It has been over a year since I cancelled my Cloudflare account. They keep emailing me and haven't taken me off their marketing lists despite repeated requests. Their CTO told me he would investigate, but nothing changed. Their Data Protection Office hasn't respond to my requests.

Cloudflare do not appear to respect the GDPR.

I've escalated this to the highest levels of Cloudflare, but they just don't seem to be able to take any action. This is concerning.

JGC promising he'll look into it.

Sadly, John Graham-Cumming - the CTO - deleted his Tweet saying that he'd look into it. I assume that JGC doesn't like his personal data being misused. If only I were able to delete my personal data from Cloudflare, eh?

Luckily, the Internet Archive has a backup

Despite promising an investigation and a response from their Data Protection Office - I've received no assurance that they have respected my rights.


At the start of August last year, I cancelled my Cloudflare account. I received confirmation from them that I was no longer a customer. My login was disabled. That should have been the last I heard from them.

Two months later, I received an email update about their privacy policy.

Email with CloudFlare's new privacy policy.

I complained on Twitter, and their CTO promised he'd look into it:

(Again, tweet deleted, but saved in the Internet Archive)

I never heard back from John. But one of his minions sent me this:

When we receive a request for account deletion, we may retain the email address on the account up to a year to ensure that we comply with internal policies and legal obligations.

*Pffft* Whatever. No mention of that is made in their privacy policy.

At the end of August this year - well over 12 months after I unsubscribed - I received another email from Cloudflare. This time apologising for their downtime!

There was no option to unsubscribe. I'm not a customer - but apparently I still have to receive emails from them.

I got a message from someone at Cloudflare who said that they have multiple customer mailing lists and they are rarely in sync with each other. They don't have a good idea of who they are sending emails to, or whether people have consented. I think this is unacceptable for a company of this size to be so lax about their GDPR obligations.

I asked Cloudflare to report this breach to the Information Commissioners Office, and I suggested that they may need to notify the SEC if they are expecting a large fine. They may also need to let investors know if they have misrepresented their customer numbers.

I asked JGC and Cloudflare PR for a comment - but they were not inclined to provide one. They said their DPO would get back to me last week, but I heard nothing.

At this point, I can only conclude that Cloudflare do not respect their users' privacy. Cloudflare has no idea who its customers are, nor how many they have. Cloudflare doesn't care about your data rights.


Our mission to help build a better Internet is rooted in the importance we place on establishing trust with our Customers, users, and the Internet community globally. To earn and maintain that trust, we commit to communicating transparently, providing security, and protecting the privacy of data on our systems.
Cloudflare's privacy policy

*bitter laugh*

Share this post on…

11 thoughts on “Don't trust Cloudflare with your personal data”

  1. AntiSol says:

    "Our mission to help build a better Internet"

    Then why do you break a large percentage of the internet for anybody running TOR, or who dares to use a browser that isn't chrome or firefox?

  2. says:

    Why does somebody working at a company doing internet content distribution network stuff delete their tweets? I would think that somebody in their position might be a bit more keen on policies regarding data retenti– oh, right then.

  3. said on

    Are we surprised by CF?

    Orgs are allowed to retain the minimal amount of data to respect your opt out (otherwise if they lawfully buy another marketing list, they won't be able to take you out) so for emails this is usually forgetting name, etc but just remembering your email.

    Reply | Reply to original comment on

What links here from around this blog?

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">