audit report
Cloudflare
Cloudflare's privacy policy claims are substantially consistent with observed behavior. The site loads Google Tag Manager, Google Analytics (inferred from cfz_google-analytics_v4 cookie), Cloudflare Web Analytics, and Adobe tracking (cfz_adobe cookie), all disclosed in the policy. Cookies for Cloudflare Bot Management (__cf_bm) and Adobe Identity (kndctr) align with stated uses of security and marketing/analytics services. The policy explicitly permits interest-based advertising and sharing with marketing partners, matching the analytics and advertising tech observed. Claims about third-party sharing, user rights (access, deletion, portability), security measures, and cookie preferences are well-documented. One transparency gap: the policy names only "Google Analytics" as a named third party but doesn't explicitly name Google Tag Manager, Adobe, or Cloudflare Web Analytics in the named_third_parties list, despite using all three.
claim vs. reality
“When you register for an account, we collect contact information. Depending on subscription level, this contact information may include your Customer name, the email address(es) of your account administrator(s), telephone number, and addresses”
observed · html
Cloudflare Web Analytics
findings
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Cloudflare Web Analytics, Google Tag Manager.
how we detected this → Cloudflare Web Analytics, Google Tag Manager
- note
Cloudflare Web Analytics loaded (analytics)
Observed 1 time(s) on the page.
how we detected this → script src: https://static.cloudflareinsights.com/beacon.min.js/v8c78df7c7c0f484497ecbca7046644da1771523124516
- note
Google Tag Manager loaded (tag_manager)
Observed 1 time(s) on the page.
how we detected this → inline: } }, loadGTMScript() { window.dataLayer = window.dataLayer || []; const dataLayerPush = win
- note
No Content-Security-Policy header
A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.
how we detected this →
- note
Named third parties list incomplete relative to observed vendors
The policy explicitly names 'Google Analytics' but the observed tech stack includes Google Tag Manager, Adobe (evidenced by cfz_adobe and Adobe identity cookies), and Cloudflare Web Analytics (cloudflareinsights.com). While these are all mentioned in policy prose, they don't appear in the named_third_parties list, creating a gap between what's enumerated and what actually processes data on-site.
how we detected this → Named third parties: [APNIC, ICANN, TRUSTe, Google Analytics]; Observed third parties: googletagmanager.com (Google Tag Manager), cloudflareinsights.com (Cloudflare Web Analytics), cfz_adobe cookie set, kndctr_8AD56F28618A50850A495FB6_AdobeOrg_identity cookie set
- note
No CSP header despite complex third-party integrations
Cloudflare's own site does not have a Content Security Policy header (has_csp: false), despite loading multiple third-party scripts (Google Tag Manager, analytics). This is internally inconsistent with the policy's claims of implementing 'appropriate physical, technical and administrative measures' and raises questions about inline script execution risks that CSP would help mitigate.
how we detected this → has_csp: false; Third-party integrations present: googletagmanager.com, cloudflareinsights.com
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Cloudflare Web Analytics | cloudflareinsights.com | analytics | 1 | not named |
| Google Tag Manager | googletagmanager.com | tag_manager | 1 | not named |
policy claims
source · https://cloudflare.com/privacypolicy/
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (4)
APNIC, ICANN, TRUSTe, Google Analytics
retention
Cloudflare retains personal information for as long as needed to fulfill business purposes and comply with legal obligations. Retention periods vary based on the purpose of collection, data sensitivity, potential harm risks, and legal requirements. When retention periods expire, data is deleted or destroyed, or appropriate security measures prevent further use.
user rights
Users have the right to access, correct, update, port, or delete their personal information, and to restrict or object to processing. Rights Requests can be submitted to sar@cloudflare.com and will be responded to within 30 days. California residents have additional rights including knowledge, access, deletion, correction, and opt-out from data sales/sharing. Users can manage communication preferences and opt out of cookies/tracking.
response headers
- hsts: yes
- csp: no
- server: cloudflare
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://cloudflare.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://cloudflare.com
provenance
This audit was generated by running stackpeek against https://cloudflare.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.