---
title: "Privacy policy"
category: privacy
status: required
url: https://specification.website/spec/privacy/privacy-policy/
updated: "2026-05-29"
sources:
  - title: "GDPR Articles 13 and 14 — Information to be provided"
    url: "https://gdpr-info.eu/art-13-gdpr/"
    publisher: "EU GDPR"
  - title: "ICO — Right to be informed"
    url: "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/the-right-to-be-informed/"
    publisher: "ICO"
  - title: "EDPB Guidelines on Transparency under Regulation 2016/679"
    url: "https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-transparency-under-regulation-2016679_en"
    publisher: "EDPB"
source_repo: https://github.com/jdevalk/specification.website
licence: CC-BY-4.0
---

# Privacy policy

> A privacy policy tells visitors what personal data you collect, why, on what legal basis, who you share it with, how long you keep it, and what rights they have.

## What it is

A privacy policy is the public document that explains how your website handles personal data. Under the GDPR it satisfies the transparency obligations of Articles 13 and 14 — the right of the data subject to be informed about processing. Similar laws exist in the UK (UK GDPR), California (CCPA/CPRA), Brazil (LGPD), and most other jurisdictions.

It is not a disclaimer. It is a binding statement of practice.

## Why it matters

If you collect any personal data — names, email addresses, IP addresses, cookies tied to a user, form submissions — you owe the visitor an accurate description of what happens to it. Regulators treat a missing, vague, or out-of-date policy as a transparency failure on its own, even before they look at what you actually do with the data.

A clear policy also reduces support load. Most "what do you do with my data?" questions disappear when there is a page to point at.

## How to implement

A privacy policy should disclose, at minimum:

- **Identity of the controller**, including a postal address and a contact for privacy questions. If you have a Data Protection Officer, name them.
- **Categories of personal data** you process — account data, usage data, payment data, contact data, technical identifiers like IP addresses.
- **Purposes** for each category — running the service, billing, marketing, analytics, security, legal compliance.
- **Lawful basis** under GDPR Article 6 for each purpose: consent, contract, legal obligation, vital interests, public task, or legitimate interests. If you rely on legitimate interests, say what they are.
- **Recipients and processors** — payment providers, hosting, email, analytics, customer support tools. List by name or category, and indicate transfers outside the EU/UK with the safeguard used (standard contractual clauses (SCCs), adequacy decision).
- **Retention periods** for each category, or the criteria used to determine them.
- **Rights** — access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
- **Cookies and tracking**, either inline or by linking to a separate cookie notice.
- **A "last updated" date** that is visible at the top of the page.

Link to the policy from the footer of every page. Do not put it behind a login.

## Common mistakes

- Copy-pasted boilerplate that mentions practices you do not have, or omits ones you do.
- A single "we may share data with partners" line that names no one.
- No retention information at all.
- Hiding the policy in the terms of service.
- Updating the document without changing the date — or changing the date without telling existing users.
