Free privacy policy generator
Answer a short form and get a privacy policy written in language aligned with the GDPR and the CCPA. The document builds live as you type, and you can download it as HTML, Word, or PDF. Everything is assembled on your device, so your business details never reach a server, and there is no sign-up.
Your details
Business
Who you serve
Data you collect
Why you collect it
Legal bases (GDPR Art. 6)
Third parties and processors
Cookies you set
Retention and sharing
Copied to clipboard
Privacy Policy
Draft template - not legal advice. Have qualified counsel review before publishing.
1. Who we are
[Your business name] ("we", "us") operates the website at [your-website.com]. This policy explains what personal data we collect from you, why we collect it, who we share it with, and the rights you have over it. We are based in [your country or state].
If you have a question about this policy or about the data we hold on you, write to us at [[email protected]].
2. Data we collect
We collect the following categories of personal data:
- Name
- Email address
- Device and IP address
- Cookies and analytics data
3. Why we collect it
We use the data above for these purposes, and no others without telling you first:
- Provide and run the service
- Answer support requests
- Measure usage and improve the product
- Prevent fraud and keep the service secure
- Meet legal and accounting obligations
4. Legal bases for processing (GDPR)
Where the GDPR applies to you, we rely on the following legal bases under Article 6 to process your data:
- Consent (Art. 6(1)(a))
- Performance of a contract (Art. 6(1)(b))
- Legal obligation (Art. 6(1)(c))
- Legitimate interests (Art. 6(1)(f))
Where we rely on consent, you can withdraw it at any time, and withdrawing it does not affect the processing we carried out before you did. Where we rely on legitimate interests, you can object and we will stop unless we can show compelling grounds to continue.
5. Cookies and tracking
We set the following categories of cookies and similar technologies on [your-website.com]:
- Strictly necessary
- Analytics and performance
Cookies that are not strictly necessary are set only after you accept them, and you can change or withdraw that choice at any time through the cookie settings on the site or through your browser settings.
6. Third parties and recipients
We share personal data with the service providers below, and only the data each of them needs to do its job. Each one processes the data on our instructions under a written agreement.
- Analytics: [provider name], to understand how the service is used.
- Hosting and infrastructure: [provider name], to store data and serve the site.
We also disclose data where the law requires it, for example in response to a valid legal request, and to a buyer if the business is sold, in which case this policy continues to apply until the buyer tells you otherwise.
7. Selling and sharing your data
We do not sell your personal information, and we do not share it for cross-context behavioural advertising as those terms are defined in the CCPA. We have not done so in the past 12 months.
8. How long we keep it
We keep your personal data for as long as your account is active, and for a limited period afterwards where we need the data to meet a legal or accounting obligation. When the period ends we delete the data or anonymise it so that it can no longer be linked back to you.
9. How we protect it
We protect personal data with technical and organisational measures appropriate to the risk, including encryption in transit, access controls that limit who can reach the data, and logging of administrative access. No system is perfectly secure, so we also keep a process for detecting a breach and, where the law requires it, notifying you and the regulator.
10. Your rights (GDPR)
If you are in the EU or the UK, you have the following rights over your personal data. To use any of them, email [[email protected]] and we will answer within one month.
- Access: get a copy of the data we hold on you.
- Rectification: correct data that is wrong or incomplete.
- Erasure: have your data deleted where we no longer have a reason to keep it.
- Restriction: tell us to stop using your data while a dispute is resolved.
- Portability: receive your data in a machine-readable format and move it elsewhere.
- Objection: object to processing based on legitimate interests, and to direct marketing at any time.
- Withdraw consent: where we rely on your consent, take it back at any time.
- Complaint: lodge a complaint with the supervisory authority (the data protection authority) in the country where you live or work. Article 77 of the GDPR gives you this right, and you can use it whether or not you have raised the matter with us first.
11. Your California privacy rights (CCPA/CPRA)
If you are a California resident, you have the following rights. To use any of them, email [[email protected]]. We will verify your identity before we act, and we will answer within 45 days.
- Know: ask what personal information we have collected about you, where it came from, why we collected it, and who we disclosed it to.
- Delete: ask us to delete the personal information we collected from you, subject to the exceptions in the statute.
- Correct: ask us to fix personal information that is inaccurate.
- Opt out: tell us to stop selling or sharing your personal information.
- Limit: tell us to use sensitive personal information only for the purposes the statute permits.
- No retaliation: we will not deny you service, charge you a different price, or give you a lower quality of service because you used any of these rights.
An authorised agent may make a request on your behalf if you give them written permission and we can verify it.
12. International transfers
Some of the providers named above are based outside the EU and the UK, so your personal data may be transferred there. Where that happens we rely on an adequacy decision by the European Commission, or on the Commission's Standard Contractual Clauses together with any extra safeguards the transfer needs. Email [[email protected]] if you want a copy of the clauses we use.
13. Changes to this policy
We update this policy when what we do with data changes. The effective date at the top tells you when the current version took effect. If a change is significant we will tell you by email or with a notice on the website before it takes effect.
14. Contact us
Questions, requests, and complaints all go to [[email protected]]. Write to [Your business name], [your country or state].
How the privacy policy generator works
Fill in the details
Your business name, site, and contact email, then the data you collect, your reasons for collecting it, and the providers you send it to.
Watch the policy build
Clauses appear and disappear as you answer. Tick the EU box and the legal-basis and GDPR rights sections show up. Say you sell data and serve California, and the opt-out section comes with it.
Download and publish
Take the policy as HTML for your site, Word for your lawyer, or PDF for your records. Nothing you typed ever left your device.
Free, private, and aligned with the GDPR and the CCPA
Most privacy policy generators put your business details through their servers, then paywall the download and give you back a watermarked sample. This one works differently, and the document it writes is built around the disclosures that GDPR Article 13 and the CCPA expect a business to publish:
100% in your browser
The form, the preview, and the HTML, Word, and PDF files are all built by JavaScript on your device. Your business name, your email, and your answers are never uploaded.
No account, no email wall
There is nothing to sign up for and nothing to verify. Close the tab and the answers are gone from memory.
The whole document, free
You get every clause, not a preview with the useful half removed, and the download has no watermark and no credit link back to us.
What the generated policy includes
- Who you are, where you are based, and how to reach you.
- The categories of personal data you collect.
- Why you collect each category.
- Your legal basis under GDPR Article 6, when you serve EU or UK users.
- The cookies you set and how consent is handled.
- The recipients you share data with, or a statement that you share with nobody.
- How long you keep the data and what happens when that period ends.
- Whether you transfer data outside the EU or the UK, and the safeguard you rely on when you do.
- The GDPR rights of access, rectification, erasure, restriction, portability, and objection, plus the right to lodge a complaint with a supervisory authority under Article 77.
- The CCPA rights to know, delete, correct, opt out of sale or sharing, limit the use of sensitive information, and be free from retaliation for using any of them.
- A "Do Not Sell or Share My Personal Information" section, when California applies and you sell or share, naming the categories you sell or share and who receives them.
- A children's section citing COPPA or GDPR Article 8, depending on the age you set.
Every document carries this line: "Draft template - not legal advice. Have qualified counsel review before publishing."
Which document do I need?
Three documents get confused with each other constantly. They answer different questions, and most sites end up publishing all three.
Privacy policy
What personal data you collect, why, who you share it with, and how people exercise their rights. Required as soon as you collect an email address. This is the document you are generating above.
GDPR Art. 13, CCPA notice at collection
Cookie policy
The specific cookies and trackers you set, what each one does, how long it lasts, and how someone withdraws consent. This is the page a consent banner links to.
The policy above covers your cookie categories, not each individual cookie. Generate a cookie policy
Terms and conditions
The contract between you and your users: what you promise, what they agree to, how accounts end, and who is liable when something goes wrong. Not a privacy document at all.
Generate terms and conditionsWorking with a vendor that processes personal data for you? That relationship also needs a data processing agreement under GDPR Article 28, which is a contract between the two of you rather than a notice to the public.
Built for every kind of business
A solo store and a growing SaaS need the same disclosures written about different practices. The form scopes the policy to how you actually operate. If you collect personal data through forms, BlockSurvey handles that side with GDPR-ready surveys, where responses are encrypted before they reach a server.
E-commerce stores
Cover payment processors, shipping partners, and abandoned-cart email in one document, and satisfy the policy link Shopify and Stripe both ask for.
SaaS and web apps
Name your hosting, analytics, and support tools as processors, and state a legal basis for each purpose before an enterprise buyer asks you to.
Mobile apps
Get the published policy URL that App Store Connect and Google Play both require before a build can ship, and keep it consistent with your data safety answers.
Agencies and freelancers
Draft a starting policy for a client site in a few minutes, hand the Word file to their counsel, and publish the HTML once it comes back approved.
Bloggers and creators
Say what your analytics, newsletter, and ad network actually do with reader data, which is what ad networks and affiliate programs check for.
Startups
Publish a real policy on day one instead of a copied one, and update it as your stack changes rather than after a customer's security review flags it.
Collecting personal data through forms or surveys?
A policy describes what you do with data. BlockSurvey changes what you can do with it: responses are encrypted on the respondent's device, so the server stores nothing readable. Collect with privacy-first, GDPR-ready surveys.
More free privacy tools
Browse all privacy toolsThese tools run in your browser because that is how we build everything. The same idea, applied to research: privacy-first surveys with end-to-end encryption.