Privacy Policy and Cloudflare


I’m not sure if I’m posting this in the right section, but here we go… I serve a cookieless website (a simple REST backend serving static data) through Cloudflare (proxied) and, while Cloudflare tracks users (has cookies, analytics, etc), I don’t gather any kind of data from users (really no data at all).

So, is it required to create a Privacy Policy for my app/website?

And if I do, should I tell the users they’re being tracked by Cloudflare? Or by simply accessing a website that’s served by Cloudflare the user accepts Cloudflare’s Privacy Policy?

Thank you!

Did you get anything on this? I have exact same question.

As for the original question, even if your website doesn’t serve cookies, you still collect PII (Personally identifiable Information) like the visitors’ IP address and actions on the site. Every website should have a privacy policy page outlining what it collects, even if it doesn’t collect anything.

Cloudflare’s __cfduid cookie is only used for IP reputation and security/DDoS protection, so it would be fine if you didn’t include it in your Privacy Policy (DigitalOcean doesn’t mention it), but if you want to be safe, you should at least mention why a Cloudflare cookie is being sent (Quizlet does mention it).