Do I legally need a privacy policy?

Almost always. GDPR, the UK GDPR, CCPA, and many other laws require a privacy notice if you collect any personal data, including emails or analytics identifiers. App stores and ad networks also require one.

What is the difference between GDPR and CCPA rights?

GDPR gives EU/UK residents rights to access, correct, delete, restrict, port, and object, plus the right to withdraw consent. CCPA/CPRA gives Californians rights to know, delete, and opt out of the sale or sharing of personal information without being penalised for doing so.

What is a data controller versus a processor?

The controller decides why and how personal data is processed; that is usually you. Processors handle data on your behalf, such as payment or hosting providers. The policy names you as controller and lists your key processors.

How long should I keep personal data?

Only as long as needed for the stated purposes. Many businesses use a default such as 24 months after last activity, but accounting and tax records often must be kept longer by law. Set the period that fits your obligations.

Is the generated policy legally binding?

It is a template, not legal advice. Have a qualified data-protection professional review and adapt it for your specific processing activities and jurisdiction before publishing.

Privacy Policy Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Tell users how you handle their data

A privacy policy is a legal requirement almost anywhere you collect personal information — even just an email address or an analytics cookie. It must explain what you collect, why, who you share it with, how long you keep it, and what rights people have. This builder assembles a GDPR- and CCPA-aware policy tailored to the data you actually process.

How it works

You tick the categories of personal data you collect and the frameworks that apply. The generator writes the standard sections — who you are, data collected, how it is used, legal basis, third parties, storage and security, retention, user rights, cookies, children, and contact — and adapts the rights section per framework:

GDPR adds access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint.
CCPA/CPRA adds the right to know, delete, and opt out of sale or sharing, with a non-discrimination promise.

The retention clause uses the number of months you set, noting that legal record-keeping can require longer.

Tips and notes

List your real processors (payments, analytics, hosting) rather than leaving the clause generic, and keep the list current. If you use any analytics or marketing cookies, pair this policy with a cookie policy and a consent banner. Update the “last updated” date whenever your processing changes. This is a template, not legal advice — have a professional review it before you publish.