Free Privacy Policy Template for Your Website (Copy & Paste + Customization Guide)
Every modern product—SaaS, marketing site, indie app, newsletter landing page—needs a clear privacy policy. Below is a production‑ready base template you can copy today. Then we walk through the exact edits required for GDPR, CCPA, cookies, analytics, AI training disclosures, and data retention. Finish in 10–15 minutes instead of hours of research.
1. Copy & Paste Base Template
Replace fields in brackets. Keep section numbering stable (helps trust & audits).
PRIVACY POLICY
Last Updated: {{DATE}}
1. Overview
We at {{COMPANY NAME}} ("Company", "we", "us") respect your privacy. This Policy explains what data we collect, why, and how you can control it.
2. Scope
This Policy applies to {{PRODUCT / WEBSITE URL}} and related services.
3. Data We Collect
- Account Data: name, email.
- Usage Data: feature interactions, timestamps.
- Device / Technical: IP (for security), browser type.
- Payment Data: handled securely by our processor; we never store full card numbers.
4. Legal Bases (EEA / UK)
We process data under: (a) Contract performance; (b) Legitimate interests (product improvement, security); (c) Consent (marketing, cookies); (d) Legal obligations.
5. How We Use Data
- Provide & maintain the service
- Personalize experience & improve reliability
- Detect abuse & secure accounts
- Send transactional communications
- (If consent) Send product updates and marketing
6. Sharing & Transfers
We use vetted subprocessors for hosting, analytics, support. No sale of personal data. International transfers rely on Standard Contractual Clauses or equivalent safeguards.
7. Cookies & Tracking
We use strictly necessary cookies plus (optional) analytics / preference cookies. You can adjust settings in the cookie banner.
8. Data Retention
Account data is retained while the account is active. Deleted documents are retained for up to 30 days for recovery, then permanently purged.
9. Your Rights (EEA / UK / California)
Access, rectify, delete, portability, restrict, withdraw consent. California: know, delete, opt-out of sale (we do not sell), non-discrimination.
10. Security
Encryption in transit, principle of least privilege, monitored infrastructure.
11. Children
Not directed to children under 13 (or applicable age of digital consent in your jurisdiction).
12. Contact
For requests: privacy@{{DOMAIN}} or via the AIDocs-generated form.
13. Changes
We will update this Policy as needed and reflect a "Last Updated" date.
2. Customization Checklist (Do Not Skip)
- Company Identity: Legal entity name + contact email.
- Jurisdiction Coverage: If you have EU users, include legal bases; if you have California users, include CCPA rights language.
- Analytics / Ads: Name each third party (e.g. Plausible, PostHog, Google Analytics, Stripe).
- AI / ML Usage: Declare if user content trains internal models; allow opt‑out if applicable.
- Subprocessors: Link a live list page or insert key vendors.
- Data Retention: Be precise—e.g. “Deleted documents purged after 30 days.”
- Security Highlights: List 3–5 controls (encryption, access audits, backups).
- Change Log: Maintain previous versions for trust with enterprise buyers.
3. GDPR vs CCPA Quick Differences
| Aspect | GDPR (EU/UK) | CCPA (California) |
|---|---|---|
| Legal Basis | Required (Art. 6 categories) | Not required; focus on disclosures |
| User Rights | Access, rectify, delete, portability, restrict, object | Know, delete, opt-out of sale, non-discrimination |
| Fines | Up to €20M / 4% global turnover | Penalties via AG enforcement |
| Consent Banner | Needed for non-essential cookies | Not strictly required (focus on opt-out) |
4. Common Mistakes
- Copying another company’s policy without adapting data categories.
- Stating “We may sell your data” (avoid ambiguous sales wording).
- Missing deletion window details—auditors look for retention specifics.
- Outdated subprocessor list (enterprise security reviews will ask).
- Not documenting change history (reduces procurement trust).
5. Quick FAQ
Do I need a privacy policy if I only collect emails?
Yes—email is personally identifiable. You must state purpose, storage, and unsubscribe mechanism.
Can I host it inside a Notion doc?
Prefer a stable URL on your domain for trust, link tracking, and version control.
Should I include AI disclosure?
If user content may be used to fine‑tune internal models, yes—give a plain language opt‑out path.
Generate & Maintain Automatically
AIDocs can generate your privacy policy, track changes, and keep a version archive. Save hours every quarter.