Website Spec
Privacy Required Updated 2026-05-29

Privacy policy

A privacy policy tells visitors what personal data you collect, why, on what legal basis, who you share it with, how long you keep it, and what rights they have.

What it is

A privacy policy is the public document that explains how your website handles personal data. Under the GDPR it satisfies the transparency obligations of Articles 13 and 14 — the right of the data subject to be informed about processing. Similar laws exist in the UK (UK GDPR), California (CCPA/CPRA), Brazil (LGPD), and most other jurisdictions.

It is not a disclaimer. It is a binding statement of practice.

Why it matters

If you collect any personal data — names, email addresses, IP addresses, cookies tied to a user, form submissions — you owe the visitor an accurate description of what happens to it. Regulators treat a missing, vague, or out-of-date policy as a transparency failure on its own, even before they look at what you actually do with the data.

A clear policy also reduces support load. Most “what do you do with my data?” questions disappear when there is a page to point at.

How to implement

A privacy policy should disclose, at minimum:

  • Identity of the controller, including a postal address and a contact for privacy questions. If you have a Data Protection Officer, name them.
  • Categories of personal data you process — account data, usage data, payment data, contact data, technical identifiers like IP addresses.
  • Purposes for each category — running the service, billing, marketing, analytics, security, legal compliance.
  • Lawful basis under GDPR Article 6 for each purpose: consent, contract, legal obligation, vital interests, public task, or legitimate interests. If you rely on legitimate interests, say what they are.
  • Recipients and processors — payment providers, hosting, email, analytics, customer support tools. List by name or category, and indicate transfers outside the EU/UK with the safeguard used (SCCs, adequacy decision).
  • Retention periods for each category, or the criteria used to determine them.
  • Rights — access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
  • Cookies and tracking, either inline or by linking to a separate cookie notice.
  • A “last updated” date that is visible at the top of the page.

Link to the policy from the footer of every page. Do not put it behind a login.

Common mistakes

  • Copy-pasted boilerplate that mentions practices you do not have, or omits ones you do.
  • A single “we may share data with partners” line that names no one.
  • No retention information at all.
  • Hiding the policy in the terms of service.
  • Updating the document without changing the date — or changing the date without telling existing users.
