Thank you for the link. It was a simple and yet detailed. Wish more companies took time to explain parts of their privacy policy.
However my concern is more to do with thinking as an outsider. I have toyed with idea of a company that requires establishment of trust among users. Although it may seem as simple as do no evil on the surface, it is an extremely hard undertaking. The thing with Cloudflare is that its niche is its own problem, "Man in the Middle", even if I were to place trust in the privacy policy, there are other things I need to be worried about. What if there is a break in and a hacker places a sniffer to sniff the communication between Cloudflare and the client sites? Sure the client followed the best practices such as, one way hash, strong crypto (eg bcrypt), 1000+ iterations, database encryption, https communication, etc but all of it is pointless or redundant now because the browser ends up sending the password in plaintext. Now imagine if instead of an hacker its a govt agency and that too with a gag order. See my concern?
From an engineering feasibility/cost standpoint: there is no scenario in which they could log (as in packet capture) and dedupe all traffic without a nation-state-like (alphabet orgs, interested companies a la Google) budget.
CloudFlare's (non-enterprise) prices simply aren't even in the required order of magnitude.
Now: whether or not metadata, request bodies, etc. are logged, and to what scale, is another story/discussion of possibility.
At some small, targeted scale, it's safe to say that total duplication (certainly request bodies, etc.) is possible, if they were so interested.
