diff --git a/icons/cloudflare.png b/icons/cloudflare.png
new file mode 100644
index 00000000..5eb52e53
Binary files /dev/null and b/icons/cloudflare.png differ
diff --git a/icons/spotify.png b/icons/spotify.png
new file mode 100644
index 00000000..b89b3020
Binary files /dev/null and b/icons/spotify.png differ
diff --git a/products/cloudflare.toml b/products/cloudflare.toml
new file mode 100644
index 00000000..d9c942f8
--- /dev/null
+++ b/products/cloudflare.toml
@@ -0,0 +1,124 @@
+name = "Cloudflare"
+description = "Cloudflare is a U.S.-based company that provides internet security, performance, and reliability services, including content delivery networks (CDN), DDoS protection, and zero-trust networking solutions."
+slug = "cloudflare"
+hostnames = ["cloudflare.com"]
+sources = [
+ "https://www.cloudflare.com/privacypolicy/",
+ "https://www.cloudflare.com/candidate-privacy-notice/",
+ "https://www.cloudflare.com/cookie-policy/"
+]
+contributors = ["Anon-sec"]
+
+[rubric.behavioral-marketing]
+value = "yes-opt-out"
+citations = [
+ "You may opt out of Targeting cookies through the \"Cookie Preferences\" (or, in the United States, the “Your Privacy Choices” link) on cloudflare.com or through the links listed below.",
+ "If you wish to opt-out of cookies that collect information to serve you interest-based ads generally, you may opt-out by clicking \"https://thenai.org/opt-out/\" (or if located in the European Union or United Kingdom, click here \"https://youronlinechoices.eu/\")."
+]
+notes = ["Refer to https://www.cloudflare.com/cookie-policy/ for more details"]
+
+[rubric.data-breaches]
+value = "eventually"
+citations = [
+ "We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so."
+]
+notes = [
+ "Refer to https://www.cloudflare.com/candidate-privacy-notice/ Section 8 for more details",
+ "Note that this condition applies only to candidates applying to work with any Cloudflare Group company."
+]
+
+[rubric.data-collection-reasoning]
+value = "mostly"
+citations = [
+ "We may ask for and collect personal information such as your name, address, phone number and email address when you visit our offices, register for or attend a sponsored event or other events at which Cloudflare (and/or its representatives) participates, or participate in Cloudflare’s studies such as user experience research.",
+ "We ask for and—at your option—collect personal information from you when you submit web forms on our Websites, including opportunities to sign up for and agree to receive email communications from us.",
+ "Log files: Just as when you visit and interact with most websites and services delivered via the Internet, when you visit our Websites, including the Cloudflare Community Forum, we gather certain information and store it in log files. This information may include but is not limited to Internet Protocol (IP) addresses, system configuration information, URLs of referring pages, and locale and language preferences.",
+ "“Comply with legal obligations as well as to investigate and prevent fraudulent transactions, unauthorized access to the Services, and other illegal activities;”"
+]
+
+[rubric.data-deletion]
+value = "yes-contact"
+citations = [
+ "You have the right to access, correct, update, port, or delete your personal information, and to restrict or object to the processing of your personal information (each of these a ‘Rights Request’). You may email us at sar@cloudflare.com with any Rights Request, and we will respond within thirty (30) days. (Section 8: Data Subject Rights and Choices)",
+ "When the data retention period expires for a given type of data, we will delete or destroy it. If, for technical reasons, we are unable to do so, we will implement appropriate security measures to prevent any further use of such data. 
(Section 11: Data Retention)",
+ "Please note that we do not retain any personal information about 1.1.1.1 resolver users that would be subject to the Rights Requests described above (Section 8)."
+]
+
+[rubric.history]
+value = "last-modified"
+citations = [
+ ""
+]
+notes = [
+ "Mentioned at the top of the Privacy Policy"
+]
+
+[rubric.law-enforcement]
+value = "strict"
+citations = [
+ "When we are required to disclose personal information to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims."
+]
+notes = [
+ "Section 5: Information Sharing"
+]
+
+[rubric.list-collected]
+value = "generally"
+citations = [
+ "Attendees: Name, address, phone number, email; voice and image recordings with consent.",
+ "Website Visitors: Contact info via forms, surveys, feedback; log data including IP addresses, system info, URLs, locale; cookies and tracking for marketing; public posts in forums.",
+ "Customers and Admin Users: Account info, payment info (limited storage), crash reports.",
+ "Public DNS Resolver Users: Limited DNS query data stored for 25 hours; different policy for 1.1.1.1 app.",
+ "End Users: IP addresses, traffic routing, system configs; data shared as 'Customer Logs' with customers.",
+ "Registrants: Contact info, domain data, WHOIS including IP of transfer initiator.",
+ "Network Data: Service metrics, request volumes, error rates, malware info, IP threat scores."
+]
+notes = [
+ "Generally is preferred over exhaustively because the policy clearly lists all main categories of personal data collected but uses example phrases ('may include' or 'such as,') that show the list may not include every specific type."
+]
+
+[rubric.noncritical-purposes]
+value = "opt-out-some"
+citations = [
+ ""
+]
+notes = [
+ "You can disable certain non-critical uses of your data—such as performance tracking, feature enhancements, and ad targeting—but other non-critical processing—like service improvements, analytics under legitimate interests, and security or fraud prevention—is not included in the cookie-based opt-out mechanism, so you can’t opt out of it."
+]
+
+[rubric.revision-notify]
+value = "yes"
+citations = [
+ "If we make changes to this Policy that we believe materially impact the privacy of your personal information, we will promptly provide notice of any such changes (and, where necessary, obtain consent), as well as post the updated Policy on this website noting the effective date of any changes."
+]
+notes = [
+ "Section 12: Notification of Changes"
+]
+
+[rubric.security]
+value = "yes-independent-audits"
+citations = [
+ "Cloudflare’s technical and organizational measures are regularly tested and evaluated by external third-party auditors as part of Cloudflare’s Security & Privacy Compliance Program. These may include annual ISO/IEC 27001 audits; AICPA SOC 2 Type II; PCI DSS Level 1; and other external audits.– Annex 2",
+]
+notes = [
+ "DPA: https://www.cloudflare.com/cloudflare-customer-dpa/"
+]
+
+[rubric.third-party-access]
+value = "yes-specified-noncritical"
+citations = [
+ "Our marketing and advertising partners may collect or receive personal information about you and/or collect certain information about your interactions with our Websites, or your email communications with Cloudflare. We share this personal information for our business purposes.",
+ "In addition, we may also provide these marketing and advertising partners with your email address or other limited account information."
+]
+notes = [
+ "Section 5: Information Sharing"
+]
+
+[rubric.third-party-collection]
+value = "critical-only"
+citations = [
+ "We may combine information we collect as described in Section 2 above with personal information we obtain from third parties.",
+]
+notes = [
+ "Section 3: How we use Information we collect"
+]
diff --git a/products/spotify.toml b/products/spotify.toml
new file mode 100644
index 00000000..e2ffda21
--- /dev/null
+++ b/products/spotify.toml
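Review bot: In products/cloudflare.toml the `[rubric.data-breaches]` rating `value = "eventually"` rests on one quote from the candidate privacy notice, and the entry's own `notes` say it applies only to job applicants, so it does not show a breach-notification commitment to Cloudflare's users; the quote is also limited to cases "where we are legally required to do so". Either cite a comparable commitment from the main privacy policy, if it has one, or lower the rating, e.g. `value = "no"` with `citations = []` as products/spotify.toml does. Two more grounding gaps in the same hunk: `[rubric.history]` and `[rubric.noncritical-purposes]` carry `citations = [""]`, which should be a real quote or `citations = []`. The `[rubric.security]` quote ("– Annex 2") appears to come from the customer DPA, which is mentioned only in `notes`; add `"https://www.cloudflare.com/cloudflare-customer-dpa/",` to `sources` so the citation can be checked.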
@@ -0,0 +1,124 @@
+name = "Spotify"
+description = "Spotify is a Sweden-based music and podcast streaming platform offering free and premium streaming, recommendations, and social features."
+slug = "spotify"
+hostnames = ["spotify.com"]
+sources = [
+ "https://www.spotify.com/de-en/legal/privacy-policy/",
+ "https://www.spotify.com/de-en/account/privacy/"
+]
+contributors = ["Anon-sec"]
+
+[rubric.behavioral-marketing]
+value = "yes-opt-out"
+citations = [
+ "Control the tailored ads you see and hear on Spotify.",
+ "The toggle below controls the tailored ads you experience on Spotify's services, as well as Spotify's ads targeted to you on other platforms.",
+ "If tailored ads are turned off: We will not share your information with third party advertising partners for the purposes of tailored advertising",
+ "If tailored ads are turned off: We will not share your information with other platforms to market Spotify promotions, features, or new releases on those other platforms"
+]
+notes = [
+ "The Account Privacy page provides a toggle to disable tailored advertising. Turning it off also stops sharing with third-party advertising partners and other platforms. Non-tailored ads may still be shown."
+]
+
+[rubric.data-breaches]
+value = "no"
+citations = []
+notes = [
+ "The privacy policy does not state that Spotify notifies users of data breaches or commits to a breach-notification process."
+]
+
+[rubric.data-collection-reasoning]
+value = "yes"
+citations = [
+ "The table below sets out: our purpose for processing your personal data; our legal justifications (each called a “legal basis”) under data protection law."
+]
+notes = [
+ "Spotify includes a table explaining purposes and legal bases such as Performance of a Contract, Consent, Legal Obligation, and Legitimate Interest."
+]
+
+[rubric.data-deletion]
+value = "yes-contact"
+citations = [
+ "Request that we erase certain of your personal data.",
+ "To request erasure of your other personal data from Spotify, follow the steps on our support page."
+]
+notes = [
+ "Full data erasure requires submitting a request; it is not fully automated."
+]
+
+[rubric.history]
+value = "last-modified"
+citations = [
+ "Effective as of 27 August 2025"
+]
+notes = [
+ "Only an effective date is given; no change history is provided."
+]
+
+[rubric.law-enforcement]
+value = "reasonable"
+citations = [
+ "To comply with a request from law enforcement, courts, or other competent and authorized third parties.",
+ "to respond to a valid legal process (such as a search warrant, court order, or subpoena)"
+]
+notes = [
+ "Policy allows disclosure when legally required or in response to valid legal processes. It also allows disclosure under good faith justifications."
+]
+
+[rubric.list-collected]
+value = "generally"
+citations = [
+ "These tables set out the categories of personal data we collect from you.",
+ "Personal data that we need to create your Spotify account and that enables you to use the Spotify Service."
+]
+notes = [
+ "Lists are structured but use language such as 'may include', meaning they are examples rather than exhaustive lists."
+]
+
+[rubric.noncritical-purposes]
+value = "opt-out-some"
+citations = [
+ "Control the tailored ads you see and hear on Spotify.",
+ "If tailored ads are turned off, the content of ads we show you will not be based on: Your use of Spotify over time; Your interests obtained from 3rd party advertising partners."
+]
+notes = [
+ "Users can disable tailored advertising, but some non-essential purposes such as analytics and service improvements cannot be disabled."
+]
+
+[rubric.revision-notify]
+value = "yes"
+citations = [
+ "When we make material changes to this Policy, we'll provide you with prominent notice as appropriate under the circumstances."
+]
+notes = [
+ "Spotify commits to notifying users when material changes occur."
+]
+
+[rubric.security]
+value = "yes"
+citations = [
+ "We put in place appropriate technical and organisational measures to help protect the security of your personal data."
+]
+notes = [
+ "Security measures are described, but audits or certifications are not mentioned."
+]
+
+[rubric.third-party-access]
+value = "yes-unspecified"
+citations = [
+ "If tailored ads are turned off: We will not share your information with third party advertising partners for the purposes of tailored advertising",
+ "Our partners may also combine the personal data we share with them with other data they collect about you, e.g. your use of their services."
+]
+notes = [
+ "Spotify names categories of recipients but does not provide a full list of specific companies who receive user data."
+]
+
+[rubric.third-party-collection]
+value = "yes"
+citations = [
+ "If you connect your Spotify account to a third party application, service or device, we may collect and use information from them.",
+ "If you choose to pay through third parties (e.g. telco carriers) or by invoice, we may get data from our payment partners."
+]
+notes = [
+ "Spotify receives personal data from connected third-party services, payment providers, and integrated platforms."
+]
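Review bot: Both `sources` URLs in products/spotify.toml are the `/de-en/` locale pages, so every rating here describes the policy served to one region. Entries such as `[rubric.data-deletion]` and `[rubric.data-collection-reasoning]` (erasure requests, the "legal basis" table) may not carry over to users elsewhere. The file should state that scope, for example with a comment above `sources`: `# Rated against the de-en locale of the policy; other regions may differ.` Separately, the `[rubric.law-enforcement]` note says disclosure is allowed "under good faith justifications", but neither citation contains that wording; add the supporting quote or drop the sentence.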