Privacy Policy Template

A customizable privacy policy covering data collection, processing, sharing, and user rights across GDPR, CCPA, and major global privacy regimes.

Updated May 2026

PRIVACY POLICY

Effective Date: {Effective Date}

Last Updated: {Last Updated Date}

1. Introduction

{Company Name} ("we", "us", or "our") operates {Website URL} and provides the products and services described on that site (collectively, the "Service"). We are the entity responsible for determining how and why your personal information is processed.

Under US state privacy laws we are the "controller" of your personal information, or the "business" where the CCPA (as amended by the CPRA) applies.

This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over it. It applies to anyone who uses the Service, regardless of where they are located.

If you do not agree with this Privacy Policy, please do not use the Service.

Definitions. For purposes of this Privacy Policy:

  • "Personal information" (also "personal data") means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under applicable data protection law.
  • "Sensitive personal information" is the subset of personal information that receives heightened protection under applicable law, as defined in Section 2.
  • "Processing" means any operation or set of operations performed on personal information, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transmission, dissemination, restriction, erasure, or destruction.
  • "Service" has the meaning given in the opening paragraph of this Section.
  • "You" means the individual whose personal information is described in this Privacy Policy.

Under the CCPA (as amended by the CPRA), "sale" means disclosing personal information for monetary or other valuable consideration, and "share" means disclosing it to a third party for cross-context behavioral advertising, with or without monetary consideration.

About this section

What's in this section

Anchors the policy to a specific legal entity. Regulators use the named entity, not the brand, to determine jurisdiction; users use it to determine whom to bring a claim against.

Why this section is here

Identifies you as the data controller and sets the policy's scope. Without this, an enforcement body has no way to attribute the policy to a specific entity, and users can't determine which legal regime applies.

Common mistake

Hiding behind a brand name. Use the legal entity name and the operating URL, the same names that appear in your terms of service and corporate filings.

2. Information We Collect

Notice at Collection. Consistent with the CCPA (as amended by the CPRA), we provide notice at or before the point of collection of the categories of personal information collected and the purposes for which they will be used. This Privacy Policy may form part of our notice at collection. Where required, we also provide additional just-in-time notices, cookie consent banners, or privacy-choices links at the specific point where personal information is collected. If we begin collecting additional categories or use personal information for materially different purposes, we will provide updated notice at the time of collection.

We collect the following categories of personal information:

Information you provide to us directly:

  • Identity and contact information, including your name, email address, phone number, postal address, and similar identifiers.
  • Account information, including your username, password, profile preferences, and account settings.
  • Payment information, processed by our third-party payment processors. (Confirm whether you receive and store full payment card numbers on your own systems. If you do not, state so explicitly here; if you do, describe your PCI DSS-compliant protections.)
  • Communications you send us, including support requests, survey responses, and content you submit through the Service.

Information we collect automatically:

  • Device and connection information, including IP address, browser type, operating system, device identifiers, and language settings.
  • Location information, including approximate location derived from your IP address (typically at the city or region level) and, where you grant permission, precise location data from your device's GPS or similar sensors.
  • Usage information, including pages you visit, features you use, the time and duration of your visits, and the referring URL.
  • Cookies and similar technologies, as described in Section 5.

Information we receive from third parties:

  • Information from third-party authentication providers if you sign in using a service such as Google or Apple.
  • Information from analytics, advertising, and fraud-prevention services that help us operate and improve the Service.

Inferences:

We may derive inferences from the personal information described above, such as predicted preferences, behavior patterns, or product affinities. Where applicable law treats inferences as a separate category of personal information, we treat them as personal information for purposes of this Privacy Policy.

Sensitive personal information:

We collect sensitive personal information only where specifically disclosed in this Policy and only where necessary for the relevant purpose, with your consent where required by applicable law. Sensitive personal information has overlapping but not identical definitions across jurisdictions.

Under the CCPA (as amended by the CPRA) and similar US state privacy laws, "sensitive personal information" includes the categories above and may additionally cover government-issued identifiers, account log-in and financial account credentials, precise geolocation, contents of mail and communications, and certain other categories defined by the relevant law.

Where the categories already described above include sensitive personal information (for example, account credentials used for authentication, payment information you provide, or precise location when you grant permission), we process that information only as necessary to deliver the Service, for the limited purposes for which it was provided, and with the additional protections required by applicable law. Where applicable law provides this right, you may request that we limit our use of sensitive personal information as described in Section 7.

Sources of personal information. The categories of sources from which we collect personal information are:

  • Directly from you, when you create an account, make a transaction, communicate with us, or otherwise interact with the Service.
  • Automatically from your device and use of the Service, including through cookies, SDKs, server logs, and other tracking technologies.
  • From third-party authentication providers (such as Google or Apple) when you choose to sign in using their service.
  • From service providers and processors, including analytics platforms, advertising networks, payment processors, and fraud-prevention services.
  • From publicly available sources, where permitted by applicable law.
  • From other users, where applicable (for example, when another user refers you, sends you content, or names you in their account).

About this section

What's in this section

The section regulators scrutinize most. The split between data you ask for, data you capture passively, and data you derive is what tells them whether your disclosures match your actual practice. Generic categories invite enforcement; specific ones do not.

Why this section is here

Required under GDPR Art. 13(1)(c), CCPA §1798.100(a), and parallel provisions in LGPD, PIPEDA, and APPI. Regulators expect specific category disclosure, not generic terms.

Common mistake

Marketing terms like 'your information' or 'usage details.' Use regulator-recognized categories: identity, financial, device, location, communications.

3. How We Use Your Information

We use the personal information we collect for the following purposes:

  • To provide, operate, and maintain the Service, including processing transactions, fulfilling orders, and providing customer support.
  • To create and manage your account.
  • To communicate with you about your account, the Service, and any changes to our terms or policies.
  • To send you marketing communications, where permitted by applicable law and subject to your preferences.
  • To improve the Service, develop new features, and conduct research and analytics.
  • To detect, investigate, and prevent fraud, security incidents, and other prohibited or illegal activities.
  • To comply with our legal obligations, enforce our agreements, and protect our rights and the rights of others.

Marketing communications. Where we send you marketing communications, we obtain consent or rely on legitimate interests as permitted by applicable law. You can opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email,
  • Adjusting your communication preferences in your account settings, or
  • Contacting us using the details in Section 13.

Opting out of marketing communications does not affect transactional or service-related communications about your account or the Service.

About this section

What's in this section

Ties each data point to a purpose. The legal-basis paragraph at the end is what makes the section compliant in the EU and UK; without it, the rest is notice without a lawful ground for processing.

Why this section is here

Purpose specification is mandatory under GDPR Art. 5(1)(b) and a 'categories of business purposes' requirement under CCPA. Vague purposes are the single most common reason a privacy policy fails an audit.

Common mistake

Filler purposes like 'to improve our service.' Be specific about operational uses: analytics, fraud detection, marketing communications, account servicing.

4. How We Share Your Information

We share personal information with the following categories of recipients:

  • Service providers and processors who perform operational services on our behalf, such as hosting, payment processing, email delivery, customer support, and security infrastructure. These providers act only on our documented instructions and are contractually required to protect personal information.
  • Third parties and independent controllers with whom we share personal information for purposes beyond pure service delivery, such as analytics platforms, advertising networks, social media plugins, and fraud-prevention partners. These parties may process the data for their own purposes consistent with their own privacy policies.
  • Business partners and affiliates where necessary to provide a product or service you have requested.
  • Legal and regulatory authorities where required by law, court order, or to protect our legal rights, the safety of our users, or the public.
  • Acquirers or successors in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets.
  • With your consent or at your direction, including when you authorize us to share information with a third party.

Disclosures in the preceding 12 months. In the 12 months before the Effective Date of this Privacy Policy, we may have disclosed the categories of personal information described in Section 2 to the categories of recipients listed above for the purposes described in Section 3. (Confirm before publishing whether you have "sold" or "shared" personal information as those terms are defined in the CCPA/CPRA. If you have not, state so explicitly here. If your service uses advertising pixels, behavioral ad networks, ad SDKs, or similar third-party tracking, your disclosures likely qualify as a "sale" or "share"; in that case, state that you do "sell" and/or "share" personal information and describe the categories sold/shared and the categories of recipients.) To the extent any of our disclosures qualify as a "sale" or "share" under the CCPA (as amended by the CPRA), we provide an opt-out as described in Section 7.

We may also disclose aggregated or de-identified information that cannot reasonably be linked back to you for research, benchmarking, or other business purposes. This information is not treated as personal information under most privacy laws.

Third-party links and services. The Service may contain links to, or be integrated with, third-party websites, applications, or services that are not operated by us. This Privacy Policy does not apply to those third-party services. We do not control the privacy practices of those third parties, and we encourage you to review their privacy policies before providing any personal information to them.

Current service providers. (Include this paragraph only if you maintain a public vendor list; otherwise delete.) A current list of the key service providers and processors with whom we share personal information is available at {Vendor List URL}.

About this section

What's in this section

Surfaces who else touches the data. The CCPA's broad definition of 'sale' and 'share' is the most-litigated point: if your service uses Meta Pixel, Google Ads, or any advertising tag, the section must acknowledge that, even when no money changes hands.

Why this section is here

Discloses processors and third-party recipients. GDPR Art. 13(1)(e) and CCPA §1798.115(a) both require this. It is the basis on which users exercise objection and opt-out rights.

Common mistake

Listing 'service providers' without categories. Name the business purpose (analytics, payments, support) so users understand what each recipient actually does.

5. Cookies and Tracking Technologies

We and our service providers use cookies, pixels, software development kits (SDKs), and similar technologies to operate the Service, remember your preferences, measure performance, and personalize content.

  • Strictly necessary cookies are required for the Service to function and cannot be disabled in our systems.
  • Functional cookies remember your preferences and improve your experience.
  • Analytics cookies help us understand how the Service is used so we can improve it.
  • Advertising cookies may be set by us or by third parties to measure the effectiveness of advertising campaigns or to deliver relevant ads.

You can manage your cookie preferences through {Cookie Settings Link}. You can also configure your browser to refuse some or all cookies, though doing so may affect Service functionality.

(Include the following sentence only if your Service uses third-party advertising networks; otherwise delete.) For more information on online advertising opt-outs, you can visit the Network Advertising Initiative (https://www.networkadvertising.org/) or the Digital Advertising Alliance (https://www.aboutads.info/).

Global Privacy Control (GPC). (Include this paragraph only if your website is technically configured to detect and honor recognized opt-out signals such as GPC.) Some browsers and browser extensions send a Global Privacy Control signal that automatically communicates an opt-out of the sale or sharing of personal information. Where required by applicable law (including California, Colorado, Connecticut, Oregon, Texas, and other US states where the law recognizes GPC as a valid opt-out signal), we treat a recognized GPC signal received from your browser or device as a valid request to opt out of the sale or sharing of personal information for that browser or device.

Do Not Track (DNT). Some browsers offer a Do Not Track setting that sends a signal asking websites not to track your activity. Because there is no industry-standard interpretation of DNT signals, we do not currently respond to DNT signals. We honor the Global Privacy Control signal described above, which offers more durable protection. You can also use browser-level controls (such as blocking third-party cookies) for additional protection.

About this section

What's in this section

Where the policy and your consent banner connect. Cookies are the only data category that often requires affirmative consent before collection, not just disclosure after. The Global Privacy Control commitment turns the section from a passive notice into an enforceable opt-out.

Why this section is here

EU and UK users need cookie consent under the ePrivacy Directive before non-essential cookies are set. This section explains what trackers you use and points to your consent tool.

Common mistake

Treating cookies as a privacy disclosure only. They are also an ePrivacy compliance topic and typically require prior, informed consent, not a notice-only treatment.

6. Data Retention

We retain personal information for as long as necessary to provide the Service, to comply with our legal and contractual obligations, to resolve disputes, and to enforce our agreements. The retention period for each category of personal information is determined by the purpose for which it was collected, applicable legal or regulatory requirements, and, where neither applies, the criteria below.

Retention schedule. (Replace the example periods with the periods your service actually uses.)

  • Account profile and credentials are retained for the duration of your account, plus 30 days for backups and account-recovery requests.
  • Transaction and billing records are retained for 7 years, or longer where required by applicable tax, accounting, or financial regulations.
  • Support and communication history is retained for 2 years after your last interaction with us.
  • Usage, analytics, and product telemetry is typically retained for 14 to 26 months, unless aggregated or anonymized.
  • Marketing consent and preference records are retained until you withdraw consent, plus a reasonable period to evidence the basis for past processing.
  • Cookies and online identifiers are retained as described in Section 5; expiration varies per cookie.
  • Security and fraud-prevention logs are retained for up to 12 months from the event, unless a longer period is necessary to investigate or comply with a legal obligation.
  • Legal-hold records are retained for the duration of any legal hold imposed by a regulator, court, or in-house legal team.

When personal information is no longer required, we delete or anonymize it so it can no longer be associated with you. Where deletion is not technically feasible (for example, in encrypted backups), we isolate the data and prevent any further processing until deletion is feasible.

About this section

What's in this section

Storage limitation has become a leading enforcement vector under GDPR. The retention table is the section's anchor: it turns vague 'as long as necessary' commitments into something a regulator can actually verify.

Why this section is here

Storage limitation is a core GDPR principle (Art. 5(1)(e)). Users and regulators expect concrete retention periods or, at minimum, the criteria you use to determine them.

Common mistake

'For as long as necessary' with no further detail. Provide periods tied to purpose: 7 years for tax records, 30 days for support logs, etc.

7. Your Rights

Depending on where you live, you have some or all of the following rights over your personal information.

If you are in the United States (CCPA/CPRA and similar state laws):

  • Know and access - the categories and specific pieces of personal information we collected, the sources, the purposes, and the categories of third parties we disclose to.
  • Delete - deletion of personal information we collected from you, subject to legal exceptions.
  • Correct - correction of inaccurate personal information.
  • Opt out of sale or sharing - to direct us not to sell or share your personal information, including for cross-context behavioral advertising.
  • Limit the use of sensitive personal information - to restrict use of sensitive data (such as precise geolocation, health information, or account credentials) to what is needed to provide the Service.
  • Non-discrimination - we will not deny service, charge different prices, or provide a different quality of service because you exercised a right.
  • Appeal - if we deny a request, you may appeal; we respond within the time your state law allows. This right applies in Colorado, Connecticut, Virginia, and other US states.

We respond within 45 days, with one 45-day extension where reasonably necessary. We offer at least two methods to submit requests and may verify your identity first.

Privacy choice links. (Include only the links you actually operate; delete the rest.) You can exercise these choices directly:

  • Do Not Sell or Share My Personal Information: {Do Not Sell Link}
  • Limit the Use of My Sensitive Personal Information: {Limit Sensitive PI Link}
  • Your Privacy Choices: {Privacy Choices Link}
  • Cookie Settings: {Cookie Settings Link}

To exercise any right, contact us through the designated channels in Section 13. We may need to verify your identity before responding, and you may authorize an agent to submit a request on your behalf.

About this section

What's in this section

The section regulators inspect first when a complaint reaches their desk, and the one users actually exercise. The rights listed must match the user's jurisdiction. CCPA rights and GDPR rights are not interchangeable, and listing the wrong set is treated as a substantive failure.

Why this section is here

GDPR, CCPA, LGPD, and others all grant data subjects specific rights (access, deletion, portability, opt-out). The policy must list each applicable right and how to exercise it.

Common mistake

Listing only GDPR rights and ignoring CCPA's 'right to know,' 'right to delete,' and 'right to opt-out' for US users. Adapt the rights list to each user's jurisdiction.

8. International Transfers

We are based in {Country/State} and may process the personal information we collect in countries other than your own. This means your information may be transferred to and processed in jurisdictions whose data protection laws differ from those of your home country.

Because we operate in the United States, we store and process personal information there and in other countries where our service providers operate. We protect that information consistent with this Privacy Policy and require our service providers to apply comparable safeguards, wherever the information is processed.

About this section

What's in this section

Schrems II made this section legally hazardous: naming the right mechanism is not enough if the destination country's surveillance laws would override it. The Transfer Impact Assessment commitment is what shows a regulator you have done the analysis, not just picked a label.

Why this section is here

GDPR Chapter V restricts transfers outside the EU or UK without an adequate safeguard. The policy must name the mechanism: adequacy decision, EU–U.S. Data Privacy Framework, Standard Contractual Clauses, or Binding Corporate Rules.

Common mistake

Hand-waving with 'we may transfer data internationally.' Name the mechanism, and where known, identify the data importer or its category.

9. Children's Privacy

The Service is not directed at children under the age of {Minimum Age}, and we do not knowingly collect personal information from children below that age. If we become aware that we have collected personal information from a child without verifiable parental consent, we will delete that information promptly. If you believe a child has provided personal information to us, please contact us at {Email Address}.

(Keep the next paragraph only if your Service is directed at children or knowingly collects personal information from them; otherwise delete the next paragraph entirely.)

Where the Service is directed at or intended to be used by children under the age threshold that applies in your jurisdiction, we collect personal information from a child only after obtaining verifiable parental consent. We use commercially reasonable verification methods consistent with applicable law, limit the information we collect from a child to what is reasonably necessary for the child to participate in the Service, do not condition a child's participation on the disclosure of more personal information than is reasonably necessary, and give parents the right to review their child's personal information, to direct us to delete it, and to refuse further collection or use of it by contacting us at {Email Address}.

About this section

What's in this section

The section enforcement actions cite when a service is fined for collecting children's data unknowingly. The 'we do not knowingly collect' line is a defense only if you have an actual detection and deletion mechanism behind it; without one, the line is decorative.

Why this section is here

COPPA prohibits collecting personal information from US children under 13 without verifiable parental consent. GDPR sets the minimum at 16, or 13–16 by Member State.

Common mistake

A blanket 'we don't knowingly collect data from children' with no actual age verification or parental consent flow when the service plausibly reaches families.

10. Security

We implement reasonable technical and organizational measures designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. Examples of the measures we maintain include encryption of personal information in transit and at rest, role-based access controls, multi-factor authentication for administrative access, regular security awareness training for personnel, vendor due diligence, and incident response procedures.

If we become aware of a personal data breach affecting your personal information, we will notify the relevant authorities and affected individuals as required by applicable law, without undue delay and within the timeframes the law prescribes.

However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for notifying us promptly of any unauthorized access to your account.

About this section

What's in this section

A double-edged section. Strong language attracts users; the same language exposes you to enforcement if a breach reveals the reality did not match. The 72-hour notification commitment is the highest-risk sentence on the page. Make sure the team can actually meet it.

Why this section is here

GDPR Art. 32 requires technical and organizational measures appropriate to the risk. Disclosing them is both a compliance signal and a contractual commitment to users.

Common mistake

Overstating security ('bank-level encryption,' '100% secure'). Regulators have brought enforcement actions against companies whose stated security did not match reality.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make non-material changes (such as clarifying language, correcting typographical errors, or updating internal references), we will update the "Last Updated" date at the top of this Policy without separate notice.

When we make material changes (including new categories of personal information collected, new processing purposes, new categories of recipients, expanded data sharing, or changes that affect your rights), we will provide notice through one or more reasonable methods, such as: (a) prominent in-product banners or modals, (b) email to the address associated with your account, (c) login-time clickwrap re-acceptance, or (d) other channels reasonably calculated to bring the change to your attention. We will give you at least 30 days' advance notice of material changes before they take effect, unless a shorter period is required by law or the change is required to address an urgent legal or security matter.

Your continued use of the Service after the effective date of a change constitutes your acceptance of the revised Policy, except where applicable law requires us to obtain your fresh consent, in which case continued use alone is not sufficient and we will seek your active re-acceptance.

Prior versions of this Policy are available on request by contacting us using the details in Section 13.

About this section

What's in this section

Material changes reset the contract. Without active re-acceptance, courts have refused to enforce new terms against existing users. The 30-day advance notice is what gives users a meaningful chance to object before the change takes effect, and what gives you the evidentiary record if they don't.

Why this section is here

Material changes to data practices typically require active notice to users, not just a footer date update. Both GDPR and FTC enforcement guidance reinforce this.

Common mistake

Treating every change as a 'minor update' without notifying users. Material changes (new purposes, new third parties, expanded sharing) warrant clickwrap re-acceptance.

12. Additional Jurisdictional Provisions

The provisions below apply only to residents of the jurisdictions named. Delete any subsection that does not apply to your operations before publishing.

Other US states. In addition to the rights described above for California, Colorado, Connecticut, and Virginia, where required by applicable state law, residents of other US states with comprehensive privacy laws (including Texas, Oregon, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Indiana, Iowa, Tennessee, Montana, and similar jurisdictions) may have some or all of the following rights: to access, correct, delete, and port personal information; to opt out of certain processing such as targeted advertising, the sale of personal information, or profiling that produces legal or similarly significant effects; and to appeal a denied request. The specific scope of these rights varies by state law. You may lodge a complaint with the Attorney General of your state.

California "Shine the Light." (Include only if you share personal information with third parties for their own direct-marketing purposes; otherwise delete.) California residents may request, once per year and free of charge, information about the categories of personal information we disclosed to third parties for their direct-marketing purposes in the preceding calendar year, along with the names and addresses of those third parties. To make a request, contact us using the details in Section 13. We do not share personal information with third parties for their own direct marketing unless you have opted in.

About this section

What's in this section

Each subsection signals to a foreign regulator that you have considered their law. If you actually serve users in that country, including the relevant subsection puts the right complaint authority in front of them. If you do not, leaving it in creates exposure to enforcement under a law you never analyzed. The safe default is to delete every subsection you cannot back up.

Why this section is here

Different jurisdictions impose overlapping but distinct privacy obligations. Naming the applicable regulator and statutory framework signals that you have considered the local law, not just GDPR and CCPA. It also gives users a concrete escalation path.

Common mistake

Keeping every jurisdiction the template ships with regardless of whether you serve users there. Empty claims of compliance with laws you do not actually follow create enforcement exposure that did not exist before publishing the policy.

13. Contact Us

If you have questions about this Privacy Policy or our privacy practices, or to exercise any of the rights described in Section 7, please contact us at:

{Company Name}

{Mailing Address}

Email: {Email Address}

California toll-free number (if required by law for your business): {Toll-Free Number}

Data Protection Officer / Privacy Lead (if applicable): {Data Protection Officer or Privacy Lead Contact, if applicable}

We will acknowledge receipt of your request and respond within the statutory deadlines described in Section 7.

(If a contact above does not apply to your operations, remove the corresponding line before publishing.)

About this section

What's in this section

Privacy requests have statutory clocks. This section is the entry point that starts them. A generic info@ address goes to whoever pulls the short straw that day; route requests instead to a team with the authority to act and the data access to honor them in time.

Why this section is here

GDPR requires a contact point for data subjects (and the DPO's contact, where applicable). CCPA requires large businesses to provide a toll-free number alongside the email address.

Common mistake

A generic info@ address with no SLA. Privacy requests have statutory deadlines (45 days for CCPA, 1 month for GDPR). Route them to a team that can actually meet those windows.

What Is a Privacy Policy?

A privacy policy is a public statement in which the organization responsible for personal information (the "data controller" under the GDPR and the "business" under the CCPA) explains how it collects, uses, shares, retains, and protects that information. It is the primary instrument for meeting the transparency and notice obligations imposed by data protection laws around the world.

A privacy policy is not a contract; it is a notice document. In practice, the line has blurred. Many jurisdictions require active, informed acceptance for specific processing purposes (consent-based processing under GDPR, opt-outs under CCPA, age-verified consent under COPPA), and most product flows now bundle privacy policy acceptance into the same clickwrap step as the terms of service.

A privacy policy does three things at once: it puts users on notice of how their data is handled, it provides the legal disclosures regulators expect, and, when presented through a clear acceptance flow, it becomes evidence that the user agreed to those practices.

Who Needs a Privacy Policy?

A privacy policy is required whenever you collect personal information online. The template fits the products most teams ship today:

  • Website

    Public-facing sites that collect emails, contact form submissions, analytics, or marketing data.

  • Mobile App

    iOS or Android apps collecting device identifiers, usage data, or push notification tokens.

  • SaaS Product

    Hosted software that processes customer accounts, payment data, and usage records.

  • B2B Service

    Business-to-business platforms handling client data, integrations, and enterprise contracts.

The legal trigger varies by jurisdiction. Under the GDPR and UK GDPR, you need one the moment you process personal data of anyone in the EU or UK, wherever your business is based. In the United States, requirements come from state laws like the CCPA, VCDPA, and CTDPA, plus sector-specific federal laws like HIPAA, GLBA, and COPPA. Other major regimes (Brazil's LGPD, Canada's PIPEDA, Japan's APPI, Australia's Privacy Act 1988, South Africa's POPIA) impose similar disclosure requirements.

Even where no privacy law would otherwise apply, the app stores and ad platforms (Apple, Google Play, Meta, Google Ads) require a public privacy policy URL as a condition of distribution.

How to Make Your Privacy Policy Binding

A privacy policy is a notice document, but how you present and capture acceptance determines whether you can rely on it as part of an enforceable agreement.

Strictly, a privacy policy does not need to be accepted to be binding; it only needs to be available before you collect data. In practice, regulators and courts increasingly expect a clear acceptance step, especially when the policy supports consent-based processing under the GDPR or evidences reasonable notice under US contract law. Capturing acceptance as a clickwrap makes the document both harder to challenge and easier to evidence later.

Where to place the acceptance step. Require affirmative acceptance the moment a user creates an account or completes their first purchase, with a checkbox tied to the version of the policy presented at that moment. Place the privacy policy link next to the checkbox so the policy is available before the user accepts.

What evidence to capture. Each acceptance should record the user's identifier, the exact policy version presented, the timestamp, and the IP and user-agent context that produced it. If the agreement is later challenged, this is what makes the acceptance defensible.

Re-acceptance after changes. When you materially change the policy, surface the new version inside the product and require active re-acceptance from existing users. Continued use alone is not a reliable consent signal under the GDPR and is weaker than active re-acceptance under US contract law.

Audit trail and versioning. Keep each policy version as a snapshot tied to the acceptance records that reference it. If the policy changes 20 times over 5 years, you should be able to produce the exact text any user agreed to on any specific date.

Together, these four operations (presenting the document, capturing the affirmative action, storing a tamper-evident record, and triggering re-acceptance when versions change) are what turn a published privacy policy into an enforceable contract layer.
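The evidence capture, version snapshots, and re-acceptance check described above can be sketched as a hash-chained acceptance ledger. This is an added example, not part of the template or of any vendor's product; the class name `AcceptanceLedger`, its methods, and the record field names are hypothetical.

```python
import hashlib, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest(rec: dict) -> str:  # canonical JSON, so the same record always hashes the same
    return sha256_hex(json.dumps(rec, sort_keys=True, separators=(",", ":")).encode())

class AcceptanceLedger:
    def __init__(self):
        self.policies = {}  # version -> exact text presented (immutable snapshot)
        self.records = []   # append-only, each record chained to the previous one

    def publish(self, version, text):
        if version in self.policies:
            raise ValueError("a published version is never edited; issue a new one")
        self.policies[version] = text

    def accept(self, user_id, version, ip, user_agent, when=None):
        rec = {"user_id": user_id, "policy_version": version,
               "policy_sha256": sha256_hex(self.policies[version].encode()),
               "accepted_at": (when or datetime.now(timezone.utc)).isoformat(),
               "ip": ip, "user_agent": user_agent,
               "prev_hash": self.records[-1]["hash"] if self.records else GENESIS}
        rec["hash"] = digest(rec)
        self.records.append(rec)
        return rec

    def verify(self):
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            text = self.policies.get(rec["policy_version"], "")
            if (rec["prev_hash"] != prev or digest(body) != rec["hash"]
                    or sha256_hex(text.encode()) != rec["policy_sha256"]):
                return False  # record edited, removed, reordered, or snapshot changed
            prev = rec["hash"]
        return True

    def needs_reacceptance(self, uid, ver):
        return not any(r["user_id"] == uid and r["policy_version"] == ver for r in self.records)

    def text_agreed_on(self, user_id, when):
        # Most recently recorded acceptance by this user at or before `when`, else None.
        prior = [r for r in self.records if r["user_id"] == user_id
                 and datetime.fromisoformat(r["accepted_at"]) <= when]
        return self.policies[prior[-1]["policy_version"]] if prior else None
```

A hash chain only detects edits if the latest record hash is also kept somewhere the database writer cannot rewrite (for example, signed or exported on a schedule), since anyone who can rewrite every record can recompute the chain. The stored IP address and user agent are themselves personal information and belong in the retention schedule.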

Frequently Asked Questions

The consequences are concrete. Under the GDPR, supervisory authorities can impose fines up to €20 million or 4% of global annual turnover, whichever is higher. Under the CCPA, the California Privacy Protection Agency can assess civil penalties of $2,500 per violation, or $7,500 per intentional violation or one involving a minor. App stores (Apple, Google Play) and ad platforms (Meta, Google Ads) reject services without a public policy URL. And in private litigation, a missing or misleading policy weakens any acceptance-based defense for the terms of service that reference it.

A terms of service is a contract: the rules a user accepts to use your product. A privacy policy is a notice document: a public disclosure of how you handle personal information. The terms are enforceable as a contract under standard contract law; the policy is enforced by privacy regulators and through consumer-protection statutes. Most products present both at the same checkbox, but they serve different legal functions and should not be combined into a single document.

Update your privacy policy whenever your data practices change materially: a new data category, a new third-party processor, expansion into a new jurisdiction, or a change in applicable law. Review it at least once a year. Material changes warrant active notice to existing users and, depending on the change and jurisdiction, fresh consent.

This template is a general-purpose privacy policy for SaaS, websites, and mobile apps. It does not cover sector-specific obligations under laws like HIPAA (US health data), GLBA (US financial services), or FERPA (US education records), or industry standards like PCI DSS. It also does not replace the specific notices required when a service is directed at children under 13 under COPPA. If any of those apply to your service, layer the required disclosures on top of this template rather than relying on it alone.

Not legal advice

This template is provided for informational purposes only and does not constitute legal advice. Review and adapt it to your specific situation, and consult a qualified attorney before relying on it for a real-world filing or transaction.
