privacy-policy

Draft a detailed privacy policy covering data types, jurisdiction, GDPR and compliance considerations, and clauses needing legal review. Use when creating a…

INSTALLATION
npx skills add https://github.com/phuryn/pm-skills --skill privacy-policy
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md


Step 1: Research (if URL provided)

If $PRODUCT_URL is provided:

  • Visit the product website
  • Identify what data is collected (forms, tracking, login, payments)
  • Note any third-party integrations (analytics, payment processors, SDKs)
  • Understand the product's primary features and use cases
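The research step above is easier to do systematically than by eye. The script below is an added example, not code from the pm-skills project: it parses a page's HTML with the standard library, lists every form field a user can type into, tags likely data categories from field names, and collects the third-party hosts that scripts, iframes, pixels and stylesheets load from (the analytics, payment and ad integrations the policy must disclose). The sample page, the `SENSITIVE_HINTS` table and the first-party host `example-app.com` are constructed for illustration; in practice feed `inventory()` the HTML fetched from $PRODUCT_URL and review the output against what the product team believes it collects.

```python
"""Inventory the data-collection surface of an HTML page for a privacy policy draft.

Added example (not part of the pm-skills project). Standard library only, so it
runs offline on the constructed SAMPLE_PAGE below.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substring -> policy category. An illustrative assumption, not a legal
# classification; extend it for the product under review.
SENSITIVE_HINTS = {
    "password": "credentials",
    "card": "payment data",
    "cvv": "payment data",
    "ssn": "government identifier",
    "dob": "date of birth",
    "birth": "date of birth",
    "health": "health data",
    "phone": "contact data",
    "email": "contact data",
}

# Constructed sample page: a signup form plus typical analytics, payment and
# ad-pixel embeds. Not captured from any real site.
SAMPLE_PAGE = """
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://cdn.example-app.com/site.css">
</head><body>
<form action="/signup" method="post">
  <input name="email" type="email">
  <input name="password" type="password">
  <input name="dob" type="date">
  <input type="submit" value="Join">
</form>
<iframe src="https://js.stripe.com/v3/elements"></iframe>
<img src="https://px.ads-vendor.example/pixel.gif?u=123">
</body></html>
"""


class CollectionInventory(HTMLParser):
    """Collect user-entered fields per form and external resource hosts."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.forms = []           # [{"action": str, "fields": [{"name", "type"}]}]
        self.third_party = set()  # hosts outside the first-party domain
        self._current = None

    def _is_third_party(self, host):
        host = host.lower()
        return host != self.first_party and not host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            # Buttons and hidden fields carry no user-entered data.
            if (a.get("type") or "").lower() in ("submit", "button", "hidden"):
                return
            name = (a.get("name") or a.get("id") or "").lower()
            self._current["fields"].append({"name": name, "type": a.get("type", tag)})
        elif tag in ("script", "iframe", "img", "link"):
            src = a.get("src") or a.get("href")
            host = urlparse(src).hostname if src else None
            if host and self._is_third_party(host):
                self.third_party.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify(field_name):
    """Map a field name to a policy data category using SENSITIVE_HINTS."""
    for hint, category in SENSITIVE_HINTS.items():
        if hint in field_name:
            return category
    return "other personal data"


def inventory(html, first_party_host):
    """Return third-party hosts, forms, and fields grouped by data category."""
    parser = CollectionInventory(first_party_host)
    parser.feed(html)
    categories = {}
    for form in parser.forms:
        for field in form["fields"]:
            categories.setdefault(classify(field["name"]), set()).add(field["name"])
    return {
        "third_party_hosts": sorted(parser.third_party),
        "forms": parser.forms,
        "categories": {k: sorted(v) for k, v in categories.items()},
    }


if __name__ == "__main__":
    result = inventory(SAMPLE_PAGE, "example-app.com")
    print("Third-party hosts to disclose:", result["third_party_hosts"])
    for category, fields in result["categories"].items():
        print(f"{category}: {fields}")
```

Every host in `third_party_hosts` is a candidate entry for section 5 (Data Sharing) and, if the vendor is outside the user's jurisdiction, section 6; every category in `categories` should appear in section 1. A field the script finds that the product team did not expect is exactly the kind of mismatch the "Align with practice" guideline is about.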

Step 2: Clarify Data Collection

Map out all data your product collects:

  • Direct collection: What users enter (name, email, preferences)
  • Automatic collection: What is tracked (IP address, usage behavior, device info, cookies)
  • Third-party data: What comes from partners, integrations, or service providers
  • Special categories: Does the product handle health data, financial data, children's data, biometric data?

Step 3: Identify Applicable Laws

Note which laws apply:

  • GDPR (EU/EEA users): Strictest; requires a lawful basis for every processing purpose (consent is only one of six, and must be explicit for special-category data), data subject rights, records of processing, and a DPA with each processor
  • CCPA/CPRA (California): Consumer rights to know/access, delete, correct, and opt out of sale or sharing
  • Other US states: Comprehensive laws already in force, e.g. VCDPA (Virginia), TDPSA (Texas), CPA (Colorado), CTDPA (Connecticut)
  • Industry-specific: HIPAA (health), GLBA (finance), FERPA (education)
  • Determine whether your product serves international users; applicable law follows where the user is, not only where the company is

Step 4: Structure the Privacy Policy

Organize in standard sections (detailed below).

Step 5: Use Plain Language

Write clearly and accessibly. Avoid technical jargon. Define terms when first used. Help users understand what data you collect and why.

Step 6: Highlight Areas Needing Legal Review

Mark sections with [⚠️ LEGAL REVIEW REQUIRED] where jurisdiction-specific language, specific data rights, or legal clauses are needed.

Step 7: Provide Context

Include notes explaining:

  • Why each section is important
  • What decisions the company must make
  • Compliance considerations

Privacy Policy Template Structure

Preamble

A brief introduction explaining:

  • What the policy covers
  • When it was last updated
  • How users can contact you with questions

Key Sections

#### 1. Information We Collect

Categories of data:

  • Personal information (name, email, account info)
  • Usage data (pages viewed, features used, time spent)
  • Device information (type, OS, browser, IP address)
  • Location data (if applicable)
  • Payment information (handled securely, often by third parties)
  • Communications (if users contact support)
  • [⚠️ LEGAL REVIEW REQUIRED] Sensitive or special categories (health, biometric, etc.)

#### 2. How We Collect Information

Methods:

  • Directly from users (forms, registration, preferences)
  • Automatically (cookies, analytics, device sensors)
  • From third parties (partners, service providers, data brokers)

#### 3. How We Use Information

Purposes (be specific, not vague):

  • Providing the service and customer support
  • Improving and personalizing the product
  • Analytics and understanding user behavior
  • Marketing and promotional communications
  • Security and fraud prevention
  • Legal compliance
  • [⚠️ LEGAL REVIEW REQUIRED] Other purposes (must be explicitly stated if you plan to use data for new purposes later)

#### 4. Legal Basis for Processing

[⚠️ LEGAL REVIEW REQUIRED] Especially important for GDPR:

  • Consent: User has explicitly agreed
  • Contract: Data is needed to provide the service
  • Legal obligation: Law requires processing
  • Vital interests: Protection of life or health
  • Public task: Part of your official function
  • Legitimate interests: Company has a legitimate business need

#### 5. Data Sharing and Third Parties

Who has access to data:

  • Service providers (hosting, analytics, email, payments)
  • Business partners (if applicable)
  • Legal authorities (if required by law)
  • [⚠️ LEGAL REVIEW REQUIRED] Where third parties are located (especially if outside user's jurisdiction)

#### 6. International Data Transfer

[⚠️ LEGAL REVIEW REQUIRED] If applicable:

  • How data is transferred across borders
  • Mechanisms used (adequacy decisions such as the EU-US Data Privacy Framework, Standard Contractual Clauses, Binding Corporate Rules; explicit user consent is only a narrow GDPR Article 49 derogation for occasional transfers, not a routine mechanism)
  • Where data is stored and processed

#### 7. Data Retention

How long you keep data:

  • Account data: As long as account is active, then X months/years
  • Usage logs: X months
  • Deleted content: Y days before permanent deletion
  • [⚠️ LEGAL REVIEW REQUIRED] Be specific, not vague; many regulations require this

#### 8. User Rights

[⚠️ LEGAL REVIEW REQUIRED] Varies by jurisdiction:

  • Right to access: Users can request copy of their data
  • Right to deletion: Users can request data be deleted ("right to be forgotten")
  • Right to correct: Users can update inaccurate data
  • Right to restrict processing: Users can limit how data is used
  • Right to data portability: Users can download their data
  • Right to opt-out: Users can unsubscribe from marketing
  • Right to lodge complaints: Users can contact data protection authorities
  • How users exercise these rights (contact info, process)

#### 9. Cookies and Tracking

[⚠️ LEGAL REVIEW REQUIRED] Detailed info:

  • What cookies and tracking tools are used
  • Why each is used (functionality, analytics, marketing)
  • How to manage/disable cookies
  • Whether prior consent is required (in the EU the ePrivacy Directive requires it for non-essential cookies and similar tracking, with GDPR setting the standard that consent must meet)

#### 10. Security

Measures taken to protect data. List only controls that actually exist: a security claim in a privacy policy is a representation to users and regulators (the FTC treats misstatements here as deceptive practices), so overstating it creates liability rather than protection:

  • Encryption in transit and at rest
  • Access controls and authentication (least privilege, MFA for administrative access)
  • Regular security audits
  • Incident response procedures, including breach notification (GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a reportable breach)
  • Limitations (no system is 100% secure)

#### 11. Children's Privacy

[⚠️ LEGAL REVIEW REQUIRED] If the product serves or is likely to attract minors (COPPA covers under-13s in the US; GDPR's age of digital consent is 16 by default, lowered to as young as 13 by some member states; the UK Children's Code covers under-18s):

  • Parental consent mechanisms
  • Age gates or verification
  • Compliance with COPPA (US), UK Children's Code, similar laws

#### 12. Contact and Rights

How users contact you:

  • Privacy contact email
  • Mailing address
  • Response timeframe for requests
  • Data Protection Officer (if required)

#### 13. Policy Changes

How you'll communicate changes:

  • Notice period (e.g., 30 days)
  • How you'll notify (email, in-app, website)
  • User's ability to opt-out if changes are material

#### 14. Additional Provisions

  • No sale of data: Whether you sell or share data (if not, explicitly state it; if you do, CCPA/CPRA requires a "Do Not Sell or Share My Personal Information" opt-out link)
  • Third-party links: You're not responsible for external sites
  • Governing law: Which jurisdiction's laws govern
  • Effective date: When policy became active

Content Guidelines

  • Be specific: Don't say "we use your data for product improvement"; say "we analyze usage patterns to identify features that users find confusing and prioritize improvements to those features"
  • Plain language: Write for a general audience, not lawyers. Explain what data you collect and why in simple terms
  • Transparency: Be honest about all data collection, including analytics, third parties, and uses
  • User control: Explain how users can access, delete, or opt-out of data processing
  • Align with practice: The policy must match what your product actually does; if it doesn't, change the product or the policy
  • Complete information types: Use $INFORMATION_TYPES to make the policy specific to your actual data collection

Output Format

Present the privacy policy in three parts:

Part 1: Summary

Quick reference:

  • Product name and purpose
  • Data types collected
  • Jurisdiction(s) covered
  • Key user rights
  • Retention periods
  • Contact information

Part 2: Full Privacy Policy Document

A complete, ready-to-publish privacy policy.

Part 3: Customization and Compliance Notes

Guidance on:

  • Sections marked for legal review
  • Jurisdiction-specific considerations (GDPR, CCPA, etc.)
  • Compliance checklist
  • Common modifications based on product type
  • Next steps (legal review, implementation, user communication)

Key Compliance Reminders

  • GDPR compliance (if serving EU users): Requires a documented lawful basis for each processing purpose (not blanket consent), clear rights, DPA with processors, DPIA for high-risk processing, breach notification within 72 hours
  • CCPA/CPRA (California users): Requires rights to access, delete, opt-out; detailed disclosures; no discrimination for exercising rights
  • Transparency: Users must understand what data is collected, how it's used, and who can access it
  • Accuracy: Keep your policy updated as data practices change
  • Enforcement: Privacy violations can result in fines, user lawsuits, and reputational damage
  • Get legal review: Before publishing, have a data privacy attorney in your jurisdiction review the policy

Before You Publish

  • Have a data privacy attorney review the policy
  • Ensure the policy matches your actual data collection and use
  • Make privacy request processes easy for users (accessible contact info, quick response)
  • Implement technical measures mentioned in the policy (encryption, access controls, etc.)
  • Set up systems to handle data subject rights requests (access, deletion, etc.)
  • Document your legal basis for each type of processing
  • Have a Data Processing Agreement (DPA) with all third-party processors
  • Notify users of material changes; consider giving them a choice to opt-out