A privacy policy is not just a legal formality — it's a transparency document that tells your users exactly how their personal data is collected, used, and protected. Privacy laws across the EU, UK, USA, Canada, and Australia all specify what information must be included. Here's what every compliant privacy policy needs.
Who you are and how to contact you
Your privacy policy must identify who is responsible for the personal data. This means your full business name, registered address, and contact details. Under GDPR and UK GDPR, if you have a Data Protection Officer (DPO), their contact details must be included too.
What personal data you collect
List all categories of personal data you collect. Common categories include:
- Identity data (name, username)
- Contact data (email address, phone number, address)
- Technical data (IP address, browser type, device identifiers)
- Usage data (pages visited, time on site, click behaviour)
- Transaction data (purchase history, payment method)
- Marketing preferences
Don't only list what you actively ask for — include data collected automatically by analytics tools, cookies, and third-party services.
How you collect it
Explain the sources: directly from users (forms, registrations, purchases), automatically (cookies, analytics), and from third parties (ad networks, data providers). GDPR Article 14 requires specific disclosures when data is obtained from third parties.
Why you collect it — the legal basis (GDPR/UK GDPR)
Under GDPR and UK GDPR, you must state the legal basis for each processing activity. The six lawful bases (Article 6) are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. You cannot simply say "legitimate interests": you must name the specific interest being pursued and explain why it is not overridden by the user's own interests and fundamental rights, which means you need to have actually done and documented that balancing test. Where you rely on consent, the policy must also tell users they can withdraw it at any time.
Who you share data with
List all third parties you share personal data with. This includes cloud providers, analytics platforms, payment processors, marketing tools, and any data processors acting on your behalf. For GDPR and UK GDPR compliance, if you transfer data outside the EEA or the UK, you must explain the safeguard relied on: an adequacy decision, Standard Contractual Clauses (for EU transfers), or the International Data Transfer Agreement or UK Addendum (for UK transfers), and tell users how they can obtain a copy of it.
How long you keep data
Specify retention periods for each category of data, or, where a fixed period genuinely cannot be set, the criteria used to determine it (for example, "six years after the end of the contract, to meet tax record-keeping obligations"). "We keep data for as long as necessary" is not sufficient. GDPR Article 13 requires either the period itself or the criteria, and the criteria must be concrete enough that a user can work out roughly when their data will be deleted.
User rights
Your privacy policy must explain the rights users have over their personal data. Under GDPR and UK GDPR these include the right to access, rectify, erase, restrict processing, data portability, to object, to withdraw consent, and not to be subject to solely automated decision-making with legal or similarly significant effects. Under CCPA/CPRA, California residents have rights to know, delete, correct, opt out of the sale or sharing of their data, limit the use of sensitive personal information, and not be discriminated against for exercising those rights. Explain how users can exercise these rights and your response timeframe: one month under GDPR and UK GDPR, extendable by a further two months for complex or numerous requests provided you tell the user within the first month; 45 days under CCPA, extendable once by a further 45 days.
Cookies and tracking
If you use cookies or similar tracking technologies, your privacy policy should reference your cookie policy or include a summary of what you set, why, and for how long. In the EU and UK, a separate cookie policy or cookie notice is common. Note that the cookie rules (the ePrivacy Directive in the EU, PECR in the UK) are separate from GDPR: non-essential cookies, including analytics and advertising cookies, require prior consent, and describing them in the policy does not on its own satisfy that requirement.
How you protect data
Describe the security measures in place to protect personal data. You don't need to publish your full security architecture, but you should explain that appropriate technical and organisational measures are in place (GDPR Article 32), ideally with a few concrete examples such as encryption in transit and at rest, access controls, and staff training. Be careful not to overstate: statements in a privacy policy are public representations, and regulators, including the FTC in the USA, have taken enforcement action against companies whose actual security practices did not match what their policy claimed.
How to complain
Under GDPR and UK GDPR, you must tell users they have the right to lodge a complaint with their national data protection authority (the ICO in the UK, national DPAs in EU member states). Include the relevant contact details or links.
Keeping it up to date
Privacy policies must reflect how you actually process data. If you add a new analytics tool, a new third-party processor, or start collecting a new category of data, your privacy policy must be updated. Trust Center maintains your policy automatically as laws and your configuration change.