Sample Privacy Policy Template


Our Privacy Policy template lets you get started with a Privacy Policy agreement. This Privacy Policy template is free to download and use.

A Privacy Policy agreement is the agreement where you specify if you collect personal data from your users, what kind of personal data you collect and what you do with that data.

This agreement is required by law if you collect personal data. Personal data is any kind of data or information that can be considered personal (identifies an individual) such as:

  • Email address
  • First and last name
  • Billing and shipping address
  • Credit card information

What is a Privacy Policy

A Privacy Policy is a legal statement that specifies what the business owner does with the personal data collected from users, along with how the data is processed and for what purposes.

In 1968, the Council of Europe studied the threat posed by the expansion of the Internet, as it was concerned with the effects of technology on human rights. This led to the development of policies to protect personal data.

This marks the start of what we know now as a "Privacy Policy." While the name "Privacy Policy" refers to the legal agreement, the concept of privacy and protecting user data is closely related.

This agreement can also be known under these names:

  • Privacy Statement
  • Privacy Notice
  • Privacy Information
  • Privacy Page

A Privacy Policy can be used for both your website and mobile app if it's adapted to include the platforms your business operates on.

There are two main reasons why you need a Privacy Policy:

✓ They're legally required: Privacy Policies are legally required by global privacy laws if you collect or use personal information.

✓ Consumers expect to see them: Place your Privacy Policy link in your website footer, and anywhere else where you request personal information.

Excerpt from TermsFeed Testimonials:

"I needed an updated Privacy Policy for my website with GDPR coming up. I didn't want to try and write one myself, so TermsFeed was really helpful. I figured it was worth the cost for me, even though I'm a small fry and don't have a big business. Thanks for making it easy."

Stephanie P.
Generated a Privacy Policy

Generate a Privacy Policy, 2020 up-to-date, for your business (web, mobile and others) with the Privacy Policy Generator from TermsFeed.

The requirements for Privacy Policies may differ from one country to another depending on the legislation. However, most privacy laws identify the following critical points that a business must comply with when dealing with personal data:

  • Notice - Data collectors must clearly disclose what they are doing with the personal information from users before collecting it.
  • Choice - The companies collecting the data must respect the choices of users on what information they choose to provide.
  • Access - Users should be able to view, update or request the removal of personal data collected by the company.
  • Security - Companies are entirely responsible for the accuracy and security (keeping it properly away from unauthorized eyes and hands) of the collected personal information.

Who needs a Privacy Policy

Any entity (company or individual) that collects or uses personal information from users will need a Privacy Policy.

A Privacy Policy is required regardless of the type of platform your business operates on or what kind of industry you are in.

The basics of a Privacy Policy


In the EU, the GDPR requires companies dealing with EU citizens to have a Privacy Policy.

This law became enforceable in early 2018 and has affected businesses around the world. Not only does it require a Privacy Policy, but it has requirements for what must go into a Privacy Policy and how it must be written and displayed.

As a general rule, if you're compliant with Privacy Policy requirements of the GDPR, you'll by default end up complying with most other privacy laws around the world. That's because the GDPR is so robust and comes with stringent requirements.


In the US, privacy legislation may vary from one state to another. Certain federal laws govern users' data in some circumstances, such as in these examples:

  • The Gramm-Leach-Bliley Act - This act obliges organizations to offer clear and accurate statements about their information collecting practices and it also limits usage and sharing of financial data.
  • COPPA - This act is especially for businesses that collect information about children under 13 years of age.
  • Health Insurance Portability and Accountability Act - This act applies to online health services as well.
  • California Online Privacy Protection Act (CalOPPA) - California's privacy law affects anyone collecting personal information from residents of California.
  • SOPIPA - This act applies if you collect personal data from students.
  • Content Eraser law - This law applies if you collect data from minors (under the age of 18).


In Canada, the relevant federal privacy law is the Personal Information Protection and Electronic Documents Act (PIPEDA).

This law established acceptable standards to limit and organize the gathering, use and disclosure of personal data by commercial organizations. Under it, organizations may gather, use and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

The Privacy Commissioner of Canada receives and resolves complaints against organizations. Its purpose is to settle privacy matters through compliance rather than enforcement. It investigates complaints, promotes awareness of privacy issues and conducts research on them.


In Australia, the Privacy Act requires Australian companies to have a Privacy Policy.

Before you draft this agreement for your business, consider the basic requirements for most online businesses that deal with personal data from users (this includes SaaS apps or Facebook apps as well):

  • That the privacy of your users is protected.
  • That you take full responsibility to protect the privacy of your users.
  • That you comply with active privacy laws.

What to include in your Privacy Policy

Download our Privacy Policy template by clicking here. It's free.

Users need to know exactly what kinds of personal data you collect from them.

Your Privacy Policy must also disclose why you collect this kind of data. Some examples include:

  • To help develop new services or improve your existing services
  • To send users emails about special offers, new services or other information they may be interested in
  • To personalize their sessions on your website in order to better fit their interests, such as offering them relevant, individually tailored content

If you already have a Privacy Policy for your website and you're now launching a mobile app, you need to first consider what new types of personal data you'll be collecting through the mobile app. Then, update your agreement to include the new changes: what you collect from the website and from the mobile app.

You should always inform users about any updates or changes to your Privacy Policy.

Disclose if any third parties are involved in collecting personal information on your behalf, e.g. if you use MailChimp to collect email addresses to send weekly updates to your members.

Here are a few examples of common sections of a Privacy Policy:

  • The Information Collection and Use section is the most important section of the entire agreement where you need to inform users what kind of personal information you collect and how you are using that information.

    Here's how Asana, a project management tool, informs users that the tool collects personal information:

    Asana Privacy Policy: Information We Collect section intro

    The policy goes on to inform users about what kinds of information they may provide and how (by becoming a member, by connecting through Facebook, Twitter etc.):

    Asana Privacy Policy: Information You Provide to Us - From and About You clause excerpt

    The Guardian's Privacy Policy includes a short, casually-written introduction that generally informs users what it does with the data it collects:

    The Guardian Privacy Policy intro clause excerpt

    The intro also specifies four main reasons why the company collects personal information:

    The Guardian Privacy Policy intro clause: Main reasons we collect and use data

  • A Log Data disclosure section should inform users that certain data is collected automatically by the web browser they use and by the web server you run: IP addresses, browser types (Firefox, Chrome etc.), browser versions and the pages users visit.

    Buffer includes a sub-clause about log data in its clause about personal information that is automatically obtained from its users:

    Buffer Privacy Policy: Log Data clause

  • A Cookies disclosure should inform users that you may store cookies on their computers when they visit your website. This applies even if you use Google Analytics (which would store cookies) or any other third party that would store cookies.

    It's best to do this by having a Cookie Consent notice, mentioning your use of cookies in your Privacy Policy and even having a separate Cookies Policy.

    uSwitch cookies notice for consent to cookie policy

  • A Links to Other Sites section should disclose that your website may link to other websites outside your control or ownership, e.g. a news website, and that users are advised to read the Privacy Policies of each website they visit.
  • A Do Not Track clause.
  • A Security disclosure in the policy can give users assurance that their personal data is well protected, but you may also want to note that no method is 100% secure.

    "The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security."

    Examples of trust elements include SSL certificates (serving your site over HTTPS). Definitely use an SSL certificate if you have an ecommerce store.

    Use SSL

Here's a list of questions that can guide you when drafting your own Privacy Policy:

  • What kind of personal information do you collect?
  • What kind of personal information is collected automatically, e.g. via the web server (Apache, nginx etc.)?
  • What kind of third parties are collecting personal information from your users?
  • How are you using that personal information?
  • Do you send promotional emails (newsletters)? If yes, can users opt-out? If so, how?

The Privacy Policy Agreement and Template basics

How to enforce a Privacy Policy

Always use the clickwrap method to get your users to agree to your terms.

With clickwrap, a user is informed of the legal agreements and must take some action that demonstrates that they're clearly accepting the terms. Using checkboxes is a best practice, such as these on the Adobe ID sign-up page:

Adobe ID Sign-up form with checkboxes for clickwrap consent for Terms of Use, Privacy Policy and email

FAQ: Privacy Policy

Here is a list of frequently asked questions that you may find useful.

You need a Privacy Policy because privacy laws around the world require one if you collect personal information. Many third-party companies also require a Privacy Policy in order to use their services.

Even if you don't collect personal information, you should still have a Privacy Policy. This is because people and the authorities expect to see one. Without one, even one that simply says you don't collect personal information, you may come across as untrustworthy to the public and end up being questioned by authorities.

You should have a Privacy Policy even if you don't collect personal information because the general public and authorities both expect to see one.

Without a Privacy Policy, you may end up having to explain your privacy practices to legal authorities to prove that you aren't violating privacy laws. You may also lose trust with the public for not being clear about what your privacy practices are.

Even if you don't collect personal information, you should post a Privacy Policy that says exactly that.

The standard information that every Privacy Policy should include is as follows:

  • What personal information you collect
  • How you collect it
  • Why you collect it/How you use it
  • How long you keep the personal information
  • How you secure it
  • Whether or not you share it with any third parties
  • Any rights your users have when it comes to your collection, use or retention of their personal information
  • Your contact information

Note that some privacy laws require additional information if you fall under the law's scope. Some of this additional information includes:

  • How you handle personal information of minors/children
  • Whether you use cookies that collect personal information
  • If you transfer data to other countries
  • Whether you sell personal information, and how users can opt out of this
  • How users can exercise their rights under specific laws

You should always display a link to your Privacy Policy in your website's footer. This is where people know to look for it, and it's a common best practice.

You should also display a Privacy Policy link at places where you request to collect personal information.

For example:

  • Email newsletter sign-up forms
  • Contact forms
  • Account sign-up forms
  • Ecommerce checkout pages

For mobile apps, the same concept applies. Add a link to your Privacy Policy in a menu within your app, such as an "About" or "Legal" menu. Also add the link to other areas of your app where you request personal information.

Make your Privacy Policy enforceable by having your users click an unticked checkbox next to a statement that says something similar to "I have read and agree to the terms of the Privacy Policy."

You can also have users click a button that says something like "I Agree" next to a statement like the above if you don't want to use a checkbox.

Generally, you need to update your Privacy Policy when any of your privacy practices change.

Some common times to update your Privacy Policy would be if you:

  • Collect new types of personal information that you didn't previously collect
  • Collect personal information in a new way
  • Start using personal information in a way you didn't previously use it
  • Change how long you retain personal information
  • Start sharing personal information with a new third party

Make sure to update your Privacy Policy's effective date with the date you make the updates. Send notifications to your users of any material changes, such as via an email or a website pop-up message.

Note that some privacy laws (such as the CCPA) require you to update your Privacy Policy once every 12 months.


Examples of Privacy Policy agreements

Download the Privacy Policy template by clicking here. It's free.

Let's take a look at some real Privacy Policies from real businesses.

GitHub

GitHub links to its Privacy Statement from the footer of each web page:

GitHub website footer with links

The Privacy Statement includes a "short version" of what GitHub's privacy practices are.

GitHub Privacy Statement: Intro and Short Version clause

Perhaps the most important part of GitHub's Privacy Statement is the Summary section. A link to each section is provided, as well as a short overview of what information will be found in that section:

GitHub Privacy Statement: Excerpt of Summary of Sections chart

Dropbox

Dropbox uses the embedded method for its iOS mobile app to make its Privacy Policy available to its users.

In the example below from Dropbox, you can see how a user can navigate to the "Legal & Privacy" menu right from within the app:

Dropbox mobile app Settings menu screen

Clicking this menu will take the user to another menu screen that shows the full list of legal agreements:

Dropbox mobile app Legal and Privacy screen

From here, a user can access the Privacy Policy from right within the app:

Dropbox mobile app: Screenshot of Privacy Policy intro

eBay

The eBay mobile app links to its "Mobile Privacy and Legal Notice" rather than linking to its standard Privacy Policy agreement page. The standard agreement may be more difficult to read on a mobile device, so creating a mobile-friendly version is a great idea.

This agreement provides a short and simple summary about the main concerns and issues that users would have and works as a summary of eBay's full Privacy Policy:

Screenshot of eBay Mobile Privacy Notice

The same "Mobile Privacy and Legal Notice" agreement is embedded in eBay's iOS app:

eBay Privacy Policy Embedded on Mobile App

Download Privacy Policy Template

Use the Privacy Policy Generator to create this legal agreement.

Download the Privacy Policy Template as a PDF file or Download the Privacy Policy Template as a DOCX file.

You can also download this Privacy Policy Template as a Google Document.

This template available for download, for free, includes these sections:

  • Information Collection And Use
  • Log Data
  • Cookies
  • Security
  • Links To Other Sites
  • Changes To This Privacy Policy
  • Contact Us

Example of Privacy Policy - Screenshot

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.