[dannyw]

The 'odd email' is just irrefutable evidence of Cloudflare's retention of the poster's email address, which is considered personal data under GDPR.

If Cloudflare is unable to even remove a deleted account from a mailing list, how do you know they have actually deleted ANY other information?

[ZWoz]

General Data Protection Regulation don't exist in vacuum, other laws are regulating data handling. Most importantly, accounting related regulations. So, if you request your account deletion, all billing related information is still hold - that is probably 7 years in all EU countries. Sending unwanted mail for those addresses is different issue though, but having contact data as part of billing data is legal.

[corty]

Yes. But for all personal data the purposes for which it may be used is limited: generally[0] only the original reason for collecting the data or the legal basis for keeping the data dictate the uses. So anything kept for use in filing taxes or other bookkeeping obligations must only be used for those purposes.

[0] it is possible to use data for other purposes than originally collected in some circumstances, but I'm not sure if there are many legal precedents for that yet.