Privacy Policy Generator
Generate a free starter privacy policy template covering common website, analytics, cookie, and contact-form topics.
Answer a short questionnaire about your site to generate a starter privacy policy template. It is not legal advice or a compliance certificate, so have it reviewed before publishing.
Tick every type of data you collect, including analytics and cookies from embedded third-party scripts, and list each external service (such as Google Analytics or Stripe) so the policy names every processor.
Company Details
What data do you collect?
Preview
General information only. This generator produces a starter privacy policy template, not legal advice or a compliance certificate. Privacy law differs by jurisdiction and by how your site handles data. Have the policy reviewed by a qualified solicitor or data-protection professional, and check guidance from the ICO (UK) or your national regulator, before publishing.
Methodology and sources
Formula or method
Assembles a plain-text Markdown privacy policy by concatenating hardcoded clause blocks. A short questionnaire (5 checkboxes and 5 text fields) controls which sections are included. The output is a fixed-structure starter template; no regulatory database, API, or AI model is involved. The user supplies all identifiers (company name, URL, contact email, effective date, third-party services). Section numbering shifts automatically when the user-accounts section is included.
Basis and assumptions
- All clause text is hardcoded string literals in the tool source; the template is not updated automatically when law changes.
- The GDPR lawful-basis section (Section 4) is always included regardless of jurisdiction; users outside the EEA should remove or adapt it.
- Third-party service names are entered free-form by the user; the tool does not validate them or check whether a processor agreement is required.
- The children's privacy age threshold is hardcoded at 16 (UK GDPR / GDPR default); COPPA (USA) sets this at 13, which the template does not distinguish.
- Effective date defaults to today's date (set via useEffect after the prerender flag check); the user may override it.
- No section covers international data transfers (Standard Contractual Clauses, adequacy decisions) or data-breach notification procedures.
Key handling decisions
- Prerender guard: effectiveDate is initialised as an empty string and populated in a useEffect that bails if window.__IFORGE_PRERENDER__ is true, preventing clock drift in the HTML fragment.
- Section numbering: sections 9-12 are numbered via ternary on hasUserAccounts so numbering stays sequential regardless of which optional sections are active.
- Output format: Markdown only; the user must convert to HTML separately (a link to the Markdown-to-HTML tool is provided in the content section).
What this tool does not decide
- Whether the generated text makes your site legally compliant. A qualified solicitor or data-protection lawyer should review the policy before you publish it.
- Which lawful basis for processing applies to your specific data activities. A Data Protection Officer (DPO) or qualified solicitor should advise on this.
- Whether your organisation is a controller or processor under UK GDPR / EU GDPR, or whether you need a Record of Processing Activities (ROPA). Seek advice from the UK ICO or a qualified solicitor.
- CCPA / CPRA applicability thresholds (annual revenue, number of consumers, or data sold). A US-qualified attorney familiar with California privacy law should advise on this.
- Whether a Data Protection Impact Assessment (DPIA) is required for your processing activities. Consult a qualified DPO or solicitor.
- Cookie-consent banner requirements (separate from the policy). The UK ICO and EU Data Protection Authorities set guidance on this; a solicitor or compliance specialist should advise.
Sources
- UK Information Commissioner's Office: Guide to the UK GDPR (UK ICO) last accessed 2026-06-17
- UK Data Protection Act 2018 (legislation.gov.uk) (legislation.gov.uk) last accessed 2026-06-17
- EU General Data Protection Regulation (GDPR), full text (EUR-Lex / European Commission) last accessed 2026-06-17
- California Consumer Privacy Act (CCPA) as amended by CPRA, full text (California Legislative Information) last accessed 2026-06-17
- Office of the Australian Information Commissioner: Privacy Act 1988 and Australian Privacy Principles (OAIC) last accessed 2026-06-17
- Office of the Privacy Commissioner of Canada: PIPEDA overview (OPC Canada) last accessed 2026-06-17
Last checked: 2026-06-17
Why Every Website Needs a Privacy Policy
If your website collects any data at all, even anonymous analytics, you legally need a privacy policy in most jurisdictions. GDPR (Europe), CCPA (California), LGPD (Brazil), POPIA (South Africa), the UK Data Protection Act, and Australia's Privacy Act 1988 all require clear disclosure of what data you collect and how you use it.
Beyond legal compliance, a privacy policy builds trust. Users are increasingly privacy-conscious, and a clear, honest policy signals that you take their data seriously. Google also requires a privacy policy for sites using AdSense, Analytics, or any Google API.
Privacy Law Comparison
| Regulation | Region | Key Requirement | Max Fine |
|---|---|---|---|
| GDPR | EU / EEA | Explicit consent, right to deletion, data portability | €20M or 4% global revenue |
| UK GDPR | United Kingdom | Mirrors EU GDPR post-Brexit with ICO enforcement | £17.5M or 4% revenue |
| CCPA / CPRA | California, USA | Right to know, delete, opt-out of sale | $7,500 per intentional violation |
| LGPD | Brazil | Similar to GDPR with local data authority (ANPD) | 2% of revenue, up to R$50M |
| POPIA | South Africa | Lawful processing conditions, data subject rights | R10M or imprisonment |
| PIPEDA | Canada | Meaningful consent, accountability principle | CAD $100,000 per violation |
| Privacy Act 1988 + APPs | Australia | 13 Australian Privacy Principles, Notifiable Data Breaches scheme, OAIC enforcement | AUD $50M or 3x benefit or 30% turnover (whichever is greater) |
What this means for you: If your website is accessible globally (and most are), you should comply with the strictest regulation that applies to your users. In practice, building for GDPR compliance covers most other regulations.
What Your Privacy Policy Must Cover
What Data You Collect
Be specific. "We collect personal information" is too vague. List categories: names, emails, IP addresses, browser type, cookies, payment data. If you use analytics, say which provider.
Why You Collect It
GDPR requires a "lawful basis" for each type of processing: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Most websites use consent and legitimate interests.
Who You Share It With
Name your third-party processors: Google Analytics, Stripe, Mailchimp, cloud hosting providers. Users have a right to know who else accesses their data.
User Rights
Under GDPR: access, rectification, erasure, restriction, portability, and objection. Under CCPA: know, delete, opt-out of sale. Provide a clear way to exercise these rights (email, form, or in-app).
Cookie Categories You Must Disclose
| Category | Consent Needed? | Examples |
|---|---|---|
| Strictly necessary | No (exempt) | Session cookies, CSRF tokens, login state |
| Analytics / Performance | Yes (GDPR) | Google Analytics, Hotjar, Plausible |
| Functional / Preferences | Yes (GDPR) | Language preference, theme choice, saved filters |
| Advertising / Targeting | Yes (always) | Google Ads, Facebook Pixel, retargeting tags |
Under GDPR and the UK PECR, you must get active consent before setting non-essential cookies. Pre-ticked boxes don't count. Your cookie banner must allow genuine choice, "Accept All" without an equally prominent "Reject All" violates the spirit of the law.
Related Tools
Terms & Conditions Generator
Generate T&C to pair with your privacy policy.
Meta Tag Generator
Add meta tags to your privacy policy page for SEO.
Robots.txt Generator
Control which pages search engines can crawl on your site.
Markdown to HTML
Convert the generated Markdown policy to HTML for your website.
Sitemap Generator
Include your privacy policy URL in your sitemap.
Schema Markup Generator
Add WebPage schema to your legal pages.
How to use this tool
Enter your company details
Select which data you collect
Preview and copy or download the policy
Common uses
- Drafting a starter privacy policy for a new website
- Preparing privacy-policy text for SaaS products and mobile apps
- Updating an existing policy when adding new data collection methods
- Collecting privacy-policy details before legal review
Share this tool
Frequently Asked Questions
Is this privacy policy legally binding?
Does this cover GDPR?
Can I use this for free?
Do I need a privacy policy if I don't collect personal data?
What's the difference between GDPR and CCPA?
How often should I update my privacy policy?
Where should I display my privacy policy?
Does this cover cookie consent?
Can I download the policy?
What third-party services should I disclose?
Is my data stored when I generate a policy?
Do I need a separate cookie policy?
Results are for general informational purposes only and should be checked before use. They are not professional advice. See our Disclaimer and Terms of Service.