Cloudflare turnstile: Is cloudflare the data controller (GDPR)

I am working on integrating cloudflare turnstile on my website. I am currently looking at the cloudflare privacy policy. I am trying to decide if my analysis that cloudflare is a data controller is correct and thus the DPA does not apply when using turnstile

Text form the cloudflare privacy policy:
Cloudflare is a data controller for the personal information collected from all categories of data subjects listed above, with the following exceptions: Cloudflare is a data processor of Customer Logs, Administrative User logs, and some account settings information. In addition, Cloudflare is a data processor for any of the content provided by Customers and End Users through the Services that transits, or in some cases, is stored on, the Cloudflare network. Where Cloudflare is a data processor, Cloudflare processes data on behalf of its Customers pursuant to their data processing instructions.

My analysis:

  1. when using cloudflare they don’t process my logs
  2. when using cloudlare they don’t process administrative user logs and account settings
  3. Me or my webite visistors don’t provide content that ist stored on the cloudflare network.
  4. In addition cloudflare processes the data it collects with the turnstile solution according to their own insights

Conclusion:-> I am not a data controller, cloudflare is the data controller.

Is that correct?

I’ve read somewhere that just putting cookies on user’s browser makes you the controller.
As in -you decide if that cookie will be on user’s browser or not.
It doesn’t matter that cookie is from cloudflare domain.

But I’d be interested in response from someone who is knowledgeable in this area, too.


It does not set any cookies. So I don’t think that applies.

Indeed there are no cookies from turnstile domain.
So this part is covered.

The question is if there is other data that can be personal information.
It’s mentioned (here) that IP stopped being primary id for identifying bots but it doesn’t say if its collected or not.

If data that Cloudflare is collecting was not PII (meaning it couldn’t be used to identify real person)
then whole problem would be solved.

Theoretically, Cloudflare is the controller and a processor. But since your website is “helping” to gather data it might be considered the controller.

Assumption of being the controller is also what stops me from using turnstile as of now.