Privacy policy vs terms of service: what's the difference?

Most websites have both a privacy policy and terms of service (sometimes called terms and conditions). The two documents are often grouped together in a site's footer, which leads many business owners to assume they cover similar ground or could be merged. They cannot. They serve distinct legal purposes, are required by different laws, and protect different parties in different ways.

What a privacy policy does

A privacy policy is a disclosure document. Its primary purpose is to inform visitors and customers about how you collect, use, store, and share their personal data. It is required by data protection laws — GDPR, UK GDPR, CCPA, and many other national frameworks — rather than by contract law. It is not an agreement; it is a statement of your data practices.

The key things a privacy policy must cover: what data you collect, why you collect it, the legal basis for processing, who you share it with, how long you retain it, what rights individuals have, and how they can exercise those rights. It should be written in plain language that a non-lawyer can understand.

Critically, a privacy policy protects the individual, not the business. It gives people the information they need to make informed choices about sharing their data and to exercise their legal rights. Regulators can — and do — take action against businesses for inadequate or misleading privacy policies.

What terms of service do

Terms of service (or terms and conditions) are a contract between you and your users. Their purpose is to define the rules of the relationship: what your service is, what users can and cannot do, what you promise and what you disclaim, and what happens in the event of a dispute. They protect the business — your intellectual property, your liability exposure, your ability to suspend accounts, and your right to set the rules of the platform.

Key sections in terms of service: permitted use and prohibited conduct; intellectual property ownership; payment terms and refund policy; account termination rights; limitation of liability; disclaimer of warranties; dispute resolution and governing law. These are contract terms — users agree to them, typically by creating an account or making a purchase.

Why you need both

You need a privacy policy because the law requires it — full stop. If you collect personal data (and if you have a website with any analytics or a contact form, you do), data protection law mandates that you disclose your practices. There is no legitimate reason not to have one.

You need terms of service because without them, the relationship between you and your users is governed by whatever default rules apply in your jurisdiction — rules that were written for general commerce, not your specific service. Terms of service let you define and enforce the rules of engagement: what your software can be used for, who owns user-generated content, what your refund policy is, and countless other specifics that a court would otherwise have to invent on your behalf.

The two documents should cross-reference each other but remain separate. A combined document risks making both unclear and harder to update as your practices evolve.
