PropoDoc provides self-help document templates and tools. It is not a law firm and does not provide legal advice. Learn more.
Skip to main content

Data Privacy Policy

How you collect, use, store, and protect personal data — and users' rights.

Use Free Template
Create your custom version — free to start

20 free credits on signup — no card needed

policy
moderate
high Risk

About this Document

What a data privacy policy is

A data privacy policy is the public-facing document that tells the people you collect data about exactly what you do with it. It explains what personal information you gather, why you gather it, how you use and share it, how long you keep it, and what choices and rights people have over their own data. It is sometimes called a privacy notice or privacy statement, and you have almost certainly clicked past dozens of them.

A good privacy policy is not a wall of legalese written to be ignored. It is a plain, honest description of your actual data practices. If your policy says one thing and your product does another, the policy is worse than useless — it becomes evidence against you. So the first rule is simple: describe what you really do, not what sounds reassuring.

This guide is educational, not legal advice. PropoDoc is not a law firm and does not provide legal services. Privacy and data-protection law differs by country, state, and sector, changes often, and depends on the specific data you handle. Always have a qualified privacy lawyer review your policy against your real data practices and the laws that apply to you before you publish it or rely on it.

Why a privacy policy is legally required

For most organisations that collect any personal data online, a privacy policy is not optional — it is a legal obligation. Several major laws drive this, and in plain terms they work like this:

  • GDPR (the EU and UK General Data Protection Regulation) applies if you handle the personal data of people in the EU or UK, even if your business sits elsewhere. It requires you to tell people, in clear language and before or when you collect their data, who you are, what you collect, why, on what legal basis, who you share it with, how long you keep it, and what rights they have. It also requires you to actually honour those rights. Penalties for getting it wrong can be very large.
  • CCPA / CPRA (the California Consumer Privacy Act, as amended) applies to many businesses that handle the personal information of California residents. It gives those residents the right to know what is collected, to delete it, to correct it, and to opt out of the "sale" or "sharing" of their data. It expects a clear, accessible privacy notice that describes these rights and how to use them.
  • Other regimes — Canada's PIPEDA, Brazil's LGPD, Australia's Privacy Act, and a growing list of US state laws — impose similar duties. Many app stores, ad networks, and payment processors also contractually require you to publish a privacy policy before you can use them.

The practical takeaway: if you collect names, emails, IP addresses, payment details, location, device identifiers, or analytics on real people, assume you need a privacy policy, and assume more than one law may apply at once. A lawyer can tell you which ones do.

What a privacy policy must cover

Treat this as a checklist of topics to work through with a privacy professional, not as finished wording. A thorough policy addresses each of these:

  • Who you are — your legal entity name and contact details, and (where required) the contact for your data protection officer or privacy lead.
  • What data you collect — the categories of personal data, split between what people give you directly (account details, messages, payment info) and what you collect automatically (IP address, device data, usage analytics, cookies).
  • Why you collect it (purposes) — the specific reasons for each use: providing the service, billing, support, security, product improvement, and marketing. Vague catch-alls like "to improve our business" are a red flag to regulators.
  • Legal basis — under GDPR-style laws, the lawful ground for each use: consent, performance of a contract, legitimate interests, legal obligation, and so on. Marketing usually needs consent; running the core service usually rests on contract.
  • Sharing and third parties — who you disclose data to and why: payment processors, hosting and cloud providers, analytics, email tools, and any sub-processors, plus whether data leaves the country and how that transfer is protected.
  • Retention — how long you keep each category of data and what determines that period. "We keep data as long as necessary" is acceptable only if you can explain what "necessary" means in practice.
  • User rights — the rights people have (access, correction, deletion, portability, objection, opting out of sale or sharing, and withdrawing consent) and a clear, working way to exercise them.
  • Cookies and tracking — what cookies and similar technologies you use, what they do, and how users can control them. Many regions require consent before non-essential cookies load.
  • Security — a fair, non-overstated summary of how you protect data. Do not promise perfect security; no one can deliver it.
  • Children — whether your service is intended for children and how you handle their data, which is subject to stricter rules in many places.
  • Changes and contact — how you will notify people of changes, the effective date, and how to reach you with privacy questions or complaints.

Get legal review before you publish

Everything in this cluster — the guide, the template, and the worked example — is provided for education and as a drafting starting point only. It is not legal advice, it does not create a lawyer-client relationship, and PropoDoc is not a law firm. Privacy law is unusually fact-specific: the right policy depends on exactly what data you collect, where your users are, which third parties you use, and which laws apply. Before you publish, link to, or rely on any privacy policy, have a qualified privacy lawyer in your jurisdiction review it against your actual data practices. The cost of review is small next to the cost of a policy that misstates what you do.

Common mistakes to avoid

  • Copying another company's policy and swapping the name. Their data practices, third parties, and legal bases are not yours, and a mismatched policy is a liability, not a shortcut.
  • Describing aspirations, not reality. The policy must match what your systems actually do today, not what you hope to do later.
  • Forgetting the third parties you already use — analytics, ad pixels, support chat, payment processors. Each one that touches personal data usually belongs in the policy.
  • Listing rights you do not honour. If you promise deletion, you must have a process that actually deletes the data. An unhonoured right is worse than an unmentioned one.
  • Ignoring cookies and tracking, then loading them before the user has any say. Many regions require consent first for non-essential cookies.
  • Overstating security. Claiming data is "completely safe" invites trouble; describe reasonable measures honestly instead.
  • Burying it or never updating it. The policy should be easy to find, written in plain language, dated, and refreshed whenever your practices or the law change.
  • Skipping legal review because a template "looks complete." A template cannot know your facts; only a qualified lawyer reviewing your real operation can confirm the policy is right.

Required Sections

Introduction

Controller identity, policy scope, and applicable laws

Required

Data We Collect

Categories of personal data collected and their sources

Required

How We Use Data

Processing purposes and lawful bases for each

Required

Data Sharing

Third parties who receive data and why

Required

Data Retention

Retention periods and criteria for deletion

Required

Your Rights

Access, erasure, portability, objection, and restriction rights

Required

Data Security

Technical and organisational safeguards protecting personal data

Required

Contact Us

Privacy contact details and complaint escalation routes

Required

Optional Sections

Cookies

Cookie categories, purposes, and opt-out controls

Optional

International Transfers

Cross-border transfer mechanisms and adequacy safeguards

Optional

Children's Privacy

Age restrictions and parental or guardian consent rules

Optional

Automated Decisions

Profiling, automated decision-making, and right to contest

Optional

Frequently Asked Questions

Do I really need a privacy policy?
Almost certainly yes. If you collect any personal data — names, emails, IP addresses, payment details, location, device identifiers, or analytics on real people — most data-protection laws require you to publish a privacy policy, and many app stores, ad networks, and payment processors require one before you can use them. The safe assumption is that you need one, and that more than one law may apply at once. This is general information, not legal advice; a qualified privacy lawyer can confirm what applies to you.
What is the difference between GDPR and CCPA?
In plain terms, GDPR is the EU and UK data-protection law that applies if you handle the personal data of people in those regions, wherever your business is based; it requires you to tell people what you collect and why, to have a lawful basis for each use, and to honour rights such as access and deletion. CCPA (as amended by CPRA) is a California law that applies to many businesses handling California residents' data; it focuses on the rights to know, delete, correct, and opt out of the sale or sharing of personal information. They overlap a lot but differ in detail, so a policy often needs to address both. This is general information, not legal advice.
Where should I display my privacy policy?
Make it easy to find. The common practice is a link in your website or app footer that appears on every page, plus a link at any point where you collect data — for example, on sign-up forms, checkout, and cookie banners. The policy should be reachable before someone hands over personal data, written in plain language, and dated with an effective date. Have a lawyer confirm any specific placement or consent requirements for your situation.
Does my privacy policy need to cover cookies?
If your site or app uses cookies or similar tracking technologies, yes. Your policy should explain what cookies you use, what they do, and how people can control them. In many regions you must also obtain consent before non-essential cookies load, usually through a cookie banner, and let users change their choice later. Some organisations keep a separate cookie policy linked from the main privacy policy. A qualified lawyer can confirm the consent rules that apply where your users are.
Do I need a lawyer to write or review my privacy policy?
Yes, you should have a qualified privacy lawyer review it. Privacy law is unusually fact-specific: the right policy depends on exactly what data you collect, where your users are, which third parties you use, and which laws apply. A template is a useful starting point, but it cannot know your facts, and a policy that misstates what you actually do is a liability. PropoDoc is not a law firm and this material is educational only. Treat the template here as a draft to take to a lawyer, not a finished, compliant policy.
How often should I update my privacy policy?
Review it whenever your data practices change — for example, when you add a new analytics tool, a new payment provider, or a new feature that collects data — and whenever the laws that apply to you change. Even without changes, a periodic review (for instance, once a year) is good practice. When you do update it, change the effective date and notify users of material changes, since the policy must always match what your systems actually do. Have a lawyer confirm your notification obligations.

Ready to create your document?

Use our free template or generate a custom version tailored to your needs.

Use Free Template
Create your custom version — free to start

20 free credits on signup — no card needed

This document involves significant legal or financial considerations. Professional review is strongly recommended.

Last reviewed: June 4, 2026