This addendum (“Addendum”) supplements the Cloudflare Privacy Policy and sets forth, in greater detail, the information related to how we collect, use, and disclose the personal information of users in South Korea.
For the purposes stated in the Privacy Policy we may entrust and transfer your data overseas to third parties according to the following:
| Entrusted Company and Contact | Countries of recipients | Items of the personal information to be transferred | Date/time/methods of transfer | Purposes of use of recipients of personal information | Periods of retention by such recipients of personal information |
|---|---|---|---|---|---|
Slack Technologies, Inc. | United States | Personal information necessary for customer support (including name, email address, and other similar contact information), usage information (including IP address), and cookie information. | Over the network, upon collection of personal information | Customer support communications | As long as necessary to fulfill the purposes on the left. |
Zendesk, Inc. | Zendesk operates servers globally using Amazon Web Services (AWS) as described here. Current hosting locations are the United States, the European Economic Area, Japan, and Australia | Personal information necessary for customer support (including ticket details, and contact information) and usage information (including IP address). | Over the network, upon collection of personal information | Customer support and account management | As long as necessary to fulfill the purposes on the left. |
Salesforce, Inc. | United States | Personal information necessary for customer relationship management (including your name and contact information). | Over the network, upon collection of personal information | Customer support and account management | As long as necessary to fulfill the purposes on the left. |
Amazon Web Services (AWS) | United States, European Economic Area | Cloudflare Email Security leverages AWS as a subprocessor for various aspects of its service delivery. As a cloud infrastructure provider, AWS helps provide the underlying infrastructure and platform services upon which Cloudflare's Email Security solution runs. Therefore, the personal data processed by AWS as a subprocessor would largely be the data that flows through or is stored by Cloudflare's Email Security system. | Over the network, upon collection of personal information | Cloudflare Email Security (formerly Area 1) | As long as necessary to fulfill the purposes on the left. |
Google LLC | United States | The personal information processed depends on how the customer chooses to use the service to address their needs. For Business Intelligence, personal information processed includes contact information (including name and email address), customer account information (including account number and contracted services), billing information, and usage information (including IP address). | Over the network, upon collection of personal information | Cloudflare Developer Platform, Cloudflare Zero Trust, AI Gateway, and Business Intelligence. | As long as necessary to fulfill the purposes on the left. |
CoreWeave, Inc. | United States | Cloudflare uses Coreweave as an infrastructure provider for GPU-intensive workloads. The specific personal information potentially processed by Coreweave depends on the data created by Cloudflare customers through use of the Cloudflare services. For example, data processed by Coreweave might include a prompt to an AI model made available on Workers AI. The prompt could include personal information if the customer chooses to include such information in their prompt. | Over the network, upon collection of personal information | Workers AI | As long as necessary to fulfill the purposes on the left. |
Nebius BV | England | Cloudflare uses Nebius as an infrastructure provider for GPU-intensive workloads. The specific personal information potentially processed by Nebius depends on the data created by Cloudflare customers through use of the Cloudflare services. For example, data processed by Nebius might include a prompt to an AI model made available on Workers AI. The prompt could include personal information if the customer chooses to include such information in their prompt. | Over the network, upon collection of personal information | Workers AI | As long as necessary to fulfill the purposes on the left. |
Anthropic PBC | United States | Cloudflare routes customer requests to third-party AI providers such as OpenAI, Anthropic, XAI, and Groq as part of its AI Gateway service at each customer's specific request and in accordance with their chosen configuration. The specific personal information potentially processed by such third-party AI providers depends on the data created by Cloudflare customers through use of the Cloudflare services. For example, data processed in this context might include a prompt to an AI model made available by a third-party AI provider. The prompt could include personal information if the customer chooses to include such information in their prompt. | Over the network, upon collection of personal information | AI Gateway | As long as necessary to fulfill the purposes on the left. |
OpenAI, Inc. | OpenAI operates servers globally using Azure as described here. | Cloudflare routes customer requests to third-party AI providers such as OpenAI, Anthropic, XAI, and Groq as part of its AI Gateway service at each customer's specific request and in accordance with their chosen configuration. The specific personal information potentially processed by such third-party AI providers depends on the data created by Cloudflare customers through use of the Cloudflare services. For example, data processed in this context might include a prompt to an AI model made available by a third-party AI provider. The prompt could include personal information if the customer chooses to include such information in their prompt. | Over the network, upon collection of personal information | AI Gateway | As long as necessary to fulfill the purposes on the left. |
X.AI Corp. | United States | Cloudflare routes customer requests to third-party AI providers such as OpenAI, Anthropic, XAI, and Groq as part of its AI Gateway service at each customer's specific request and in accordance with their chosen configuration. The specific personal information potentially processed by such third-party AI providers depends on the data created by Cloudflare customers through use of the Cloudflare services. For example, data processed in this context might include a prompt to an AI model made available by a third-party AI provider. The prompt could include personal information if the customer chooses to include such information in their prompt. | Over the network, upon collection of personal information | AI Gateway | As long as necessary to fulfill the purposes on the left. |
Groq, Inc. | United States | Cloudflare routes customer requests to third-party AI providers such as OpenAI, Anthropic, XAI, and Groq as part of its AI Gateway service at each customer's specific request and in accordance with their chosen configuration. The specific personal information potentially processed by such third-party AI providers depends on the data created by Cloudflare customers through use of the Cloudflare services. For example, data processed in this context might include a prompt to an AI model made available by a third-party AI provider. The prompt could include personal information if the customer chooses to include such information in their prompt. | Over the network, upon collection of personal information | AI Gateway | As long as necessary to fulfill the purposes on the left. |
For name of contact and contact information, please see Section 18 of the Cloudflare Privacy Policy.
| Entrusted Company and Contact | Countries of recipients | Items of the personal information to be transferred | Date/time/methods of transfer | Purposes of use of recipients of personal information | Periods of retention by such recipients of personal information |
|---|---|---|---|---|---|
Cloudflare, Inc. and its subsidiaries (for a full list of each entity, please see Section 18 of the Cloudflare Privacy Policy) | United States, United Kingdom, Singapore, Australia, Germany, Portugal, France, Japan, Canada, Netherlands, UAE, India, Mexico, Malaysia, Sweden | All Personal information as described in section 2 of the Cloudflare Privacy Policy, “Information We Collect” | Over the network, upon collection of personal information | To operate and improve the Application, such as to assist us in our debugging efforts if an issue arises. | As long as necessary to fulfill the purposes on the left. |
| Entrusted Company and Contact | Countries of recipients | Items of the personal information to be transferred | Date/time/methods of transfer | Purposes of use of recipients of personal information | Periods of retention by such recipients of personal information |
|---|---|---|---|---|---|
Adobe, Inc. | United States, Ireland, France, India, Singapore, Japan, Australia | All Personal information as described in section 2 (“Website Visitors”) of the Cloudflare Privacy Policy, “Information We Collect” | Over the network, upon collection of personal information | Marketing automation | As long as necessary to fulfill the purposes on the left. |
Amplitude | United States | All Personal information as described in section 2 (“Website Visitors”) of the Cloudflare Privacy Policy, “Information We Collect” | Over the network, upon collection of personal information | Marketing Analytics | As long as necessary to fulfill the purposes on the left. |
BoostUp | United States | Name, email address, contact information, job title, company information, customer/prospect activity data, and aggregated product use data. | Over the network, upon collection of personal information | Revenue operations | As long as necessary to fulfill the purposes on the left. |
Cognism | Ireland | Name, email address, contact information, job title, company information, customer/prospect activity data, and aggregated product use data. | Over the network, upon collection of personal information | Sales Intelligence | As long as necessary to fulfill the purposes on the left. |
Demandbase | United States, United Kingdom, Germany, Singapore | Name, email address, contact information, job title, company information, customer/prospect activity data, and aggregated product use data. | Over the network, upon collection of personal information | Marketing automation and sales engagement | As long as necessary to fulfill the purposes on the left. |
Gainsight | United States,, Germany, Switzerland, Canada, United Kingdom, South Africa, Australia | All Personal information as described in section 2 of the Cloudflare Privacy Policy, “Information We Collect” | Over the network, upon collection of personal information | Customer success | As long as necessary to fulfill the purposes on the left. |
Iterable, Inc. | United States | All Personal information as described in section 2 of the Cloudflare Privacy Policy, “Information We Collect” | Over the network, upon collection of personal information | Marketing automation | As long as necessary to fulfill the purposes on the left. |
Just Global | United States | All Personal information as described in section 2 of the Cloudflare Privacy Policy, “Information We Collect” | Occasionally as needed to facilitate the marketing services provided by the third party. | Sales and marketing | As long as necessary to fulfill the purposes on the left. |
Pulley Ascent | South Korea | Name, email address, and other contact information as described in section 2 of the Cloudflare Privacy Policy, “Information We Collect” | Occasionally as needed to facilitate the marketing services provided by the third party. | Sales and marketing | As long as necessary to fulfill the purposes on the left. |
PAOS Partners | South Korea | Name, email address, and other contact information as described in section 2 of the Cloudflare Privacy Policy, “Information We Collect” | Occasionally as needed to facilitate the marketing services provided by the third party. | Sales and marketing | As long as necessary to fulfill the purposes on the left. |
Pipeline 360 | United States | All Personal information as described in section 2 of the Cloudflare Privacy Policy, “Information We Collect” | Occasionally as needed to facilitate the marketing services provided by the third party. | Sales and marketing | As long as necessary to fulfill the purposes on the left. |
ThinkABM | Singapore, United Kingdom, Dubai, and Australia | All Personal information as described in section 2 of the Cloudflare Privacy Policy, “Information We Collect” | Occasionally as needed to facilitate the marketing services provided by the third party. | Sales and marketing | As long as necessary to fulfill the purposes on the left. |
Acquisition Inc. | United Kingdom & Ireland | All Personal information as described in section 2 of the Cloudflare Privacy Policy, “Information We Collect” | Occasionally as needed to facilitate the marketing services provided by the third party. | Sales and marketing | As long as necessary to fulfill the purposes on the left. |
Liveramp | United States | Browsing information, contact information, and employment information. | Over the network, upon collection of personal information | User research and advertising and marketing assistance | As long as necessary to fulfill the purposes on the left. |
Goldcast | United States | Browsing information, contact information, and employment information. | Over the network, upon collection of personal information | Virtual event platform | As long as necessary to fulfill the purposes on the left. |
ZoomInfo | United States | Name, email address, contact information, job title, company information, customer/prospect activity data, and aggregated product use data. | Over the network, upon collection of personal information | Sales intelligence | As long as necessary to fulfill the purposes on the left. |
You have the right to refuse to give consent to the collection and use of your personal information by Cloudflare such as the above, in which case you may not be able to use or take advantage of the services set forth in the “Purpose(s) of Collection/Use.”
The subject of personal information may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee and the Personal Information Infringement and Reporting Center of the Korea Internet and Security Agency as follows to remedy the damage caused by personal information infringement.
Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
Personal Information Infringement Report Center: 118 (without area code) (privacy.kisa.or.kr)
Supreme Prosecutors' Office Cyber Investigation Division: 1301 (without area code) (www.spo.go.kr)
National Police Agency Cyber Safety Bureau: (without area code) 182 (cyberbureau.police.go.kr)
Effective date: November 4, 2025