Turnstile vs GDPR, which data are exchanged

Hello all,

I checked Turnstile documentation and the community discussions, but could not find details about the user data that is captured and processed by Turnstile (for example IP address, user agent, geolocation…). We need to update our GDPR records of processing and our privacy notice to properly inform our customers (GDPR mandates that you inform your customers about the data you capture and for which purpose).

Can you point me to a resource that itemizes the captured data ? Is it publicly available ?

Thank you for your help.

Interested in Cloudflare’s response to this question.

Sharing here the answer received from Cloudflare support:

“Thank you for your email. Regarding end user data collected by Turnstile, please bear in mind that Turnstile performs reading and writing operations with the sole purposes of 1) securing a website and 2) improving the Turnstile solution itself, deploying strict necessary cookies only. The end user data collected is minimized to these purposes and, concerning personal data, only IP addresses may be collected. Any data item is subject to strict retention schedules, no longer than a few weeks.”

Our Legal department also analyzed their DPA that you can find on their website.

Hope this helps.