Privacy and the cfduid Cookie

What does Cloudflare do with the __cfduid cookie?

As described in our Cookie Policy, the _cfduid cookie may be placed on the devices of our customers' end users (as that term is defined in our Privacy Policy) to help Cloudflare detect malicious visitors to our customers’ websites and to minimize blocking legitimate users.

The _cfduid does not allow for cross-site tracking. It also does not allow for Cloudflare to follow users from site to site by merging various _cfduid identifiers into a profile. Rather, Cloudflare places the _cfduid cookie in a user's web browser after the user has met certain security requirements, such as solving a Captcha challenge. The _cfduid is a one-way hash of certain values and cannot be used to personally identify the end user.


How long does Cloudflare retain the information provided by End Users who connect to a site through Cloudflare?

Generally, Cloudflare keeps user-level data (including the IP address of a requester) for less than 24 hours for domains in the Free, Pro and Business plans, and up to seven (7) days for Enterprise domains that have enabled Cloudflare Logs (formerly Enterprise LogShare or ELS). There may be exceptions in connection with IP addresses that have triggered security alerts. You can find more information about what Cloudflare logs in this blog post.

Cloudflare has no control over how long a customer may store downloaded Cloudflare Logs in their networks. Regarding any information that may live in cached content on our edge servers, our customers control what data should be cached and for how long.


Related resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk