Free privacy policy generator

Answer a short form and get a privacy policy written in language aligned with the GDPR and the CCPA. The document builds live as you type, and you can download it as HTML, Word, or PDF. Everything is assembled on your device, so your business details never reach a server, and there is no sign-up.

Your details

Business

Who you serve

Data you collect

Why you collect it

Legal bases (GDPR Art. 6)

Third parties and processors

Cookies you set

Retention and sharing

Live preview

Copied to clipboard

Privacy Policy

[Your business name]
Effective date: 16 July 2026

Draft template - not legal advice. Have qualified counsel review before publishing.

1. Who we are

[Your business name] ("we", "us") operates the website at [your-website.com]. This policy explains what personal data we collect from you, why we collect it, who we share it with, and the rights you have over it. We are based in [your country or state].

If you have a question about this policy or about the data we hold on you, write to us at [[email protected]].

2. Data we collect

We collect the following categories of personal data:

  • Name
  • Email address
  • Device and IP address
  • Cookies and analytics data

3. Why we collect it

We use the data above for these purposes, and no others without telling you first:

  • Provide and run the service
  • Answer support requests
  • Measure usage and improve the product
  • Prevent fraud and keep the service secure
  • Meet legal and accounting obligations

4. Legal bases for processing (GDPR)

Where the GDPR applies to you, we rely on the following legal bases under Article 6 to process your data:

  • Consent (Art. 6(1)(a))
  • Performance of a contract (Art. 6(1)(b))
  • Legal obligation (Art. 6(1)(c))
  • Legitimate interests (Art. 6(1)(f))

Where we rely on consent, you can withdraw it at any time, and withdrawing it does not affect the processing we carried out before you did. Where we rely on legitimate interests, you can object and we will stop unless we can show compelling grounds to continue.

5. Cookies and tracking

We set the following categories of cookies and similar technologies on [your-website.com]:

  • Strictly necessary
  • Analytics and performance

Cookies that are not strictly necessary are set only after you accept them, and you can change or withdraw that choice at any time through the cookie settings on the site or through your browser settings.

6. Third parties and recipients

We share personal data with the service providers below, and only the data each of them needs to do its job. Each one processes the data on our instructions under a written agreement.

  • Analytics: [provider name], to understand how the service is used.
  • Hosting and infrastructure: [provider name], to store data and serve the site.

We also disclose data where the law requires it, for example in response to a valid legal request, and to a buyer if the business is sold, in which case this policy continues to apply until the buyer tells you otherwise.

7. Selling and sharing your data

We do not sell your personal information, and we do not share it for cross-context behavioural advertising as those terms are defined in the CCPA. We have not done so in the past 12 months.

8. How long we keep it

We keep your personal data for as long as your account is active, and for a limited period afterwards where we need the data to meet a legal or accounting obligation. When the period ends we delete the data or anonymise it so that it can no longer be linked back to you.

9. How we protect it

We protect personal data with technical and organisational measures appropriate to the risk, including encryption in transit, access controls that limit who can reach the data, and logging of administrative access. No system is perfectly secure, so we also keep a process for detecting a breach and, where the law requires it, notifying you and the regulator.

10. Your rights (GDPR)

If you are in the EU or the UK, you have the following rights over your personal data. To use any of them, email [[email protected]] and we will answer within one month.

  • Access: get a copy of the data we hold on you.
  • Rectification: correct data that is wrong or incomplete.
  • Erasure: have your data deleted where we no longer have a reason to keep it.
  • Restriction: tell us to stop using your data while a dispute is resolved.
  • Portability: receive your data in a machine-readable format and move it elsewhere.
  • Objection: object to processing based on legitimate interests, and to direct marketing at any time.
  • Withdraw consent: where we rely on your consent, take it back at any time.
  • Complaint: lodge a complaint with the supervisory authority (the data protection authority) in the country where you live or work. Article 77 of the GDPR gives you this right, and you can use it whether or not you have raised the matter with us first.

11. Your California privacy rights (CCPA/CPRA)

If you are a California resident, you have the following rights. To use any of them, email [[email protected]]. We will verify your identity before we act, and we will answer within 45 days.

  • Know: ask what personal information we have collected about you, where it came from, why we collected it, and who we disclosed it to.
  • Delete: ask us to delete the personal information we collected from you, subject to the exceptions in the statute.
  • Correct: ask us to fix personal information that is inaccurate.
  • Opt out: tell us to stop selling or sharing your personal information.
  • Limit: tell us to use sensitive personal information only for the purposes the statute permits.
  • No retaliation: we will not deny you service, charge you a different price, or give you a lower quality of service because you used any of these rights.

An authorised agent may make a request on your behalf if you give them written permission and we can verify it.

12. International transfers

Some of the providers named above are based outside the EU and the UK, so your personal data may be transferred there. Where that happens we rely on an adequacy decision by the European Commission, or on the Commission's Standard Contractual Clauses together with any extra safeguards the transfer needs. Email [[email protected]] if you want a copy of the clauses we use.

13. Changes to this policy

We update this policy when what we do with data changes. The effective date at the top tells you when the current version took effect. If a change is significant we will tell you by email or with a notice on the website before it takes effect.

14. Contact us

Questions, requests, and complaints all go to [[email protected]]. Write to [Your business name], [your country or state].

How the privacy policy generator works

1

Fill in the details

Your business name, site, and contact email, then the data you collect, your reasons for collecting it, and the providers you send it to.

2

Watch the policy build

Clauses appear and disappear as you answer. Tick the EU box and the legal-basis and GDPR rights sections show up. Say you sell data and serve California, and the opt-out section comes with it.

3

Download and publish

Take the policy as HTML for your site, Word for your lawyer, or PDF for your records. Nothing you typed ever left your device.

Free, private, and aligned with the GDPR and the CCPA

Most privacy policy generators put your business details through their servers, then paywall the download and give you back a watermarked sample. This one works differently, and the document it writes is built around the disclosures that GDPR Article 13 and the CCPA expect a business to publish:

01

100% in your browser

The form, the preview, and the HTML, Word, and PDF files are all built by JavaScript on your device. Your business name, your email, and your answers are never uploaded.

02

No account, no email wall

There is nothing to sign up for and nothing to verify. Close the tab and the answers are gone from memory.

03

The whole document, free

You get every clause, not a preview with the useful half removed, and the download has no watermark and no credit link back to us.

What the generated policy includes

  1. Who you are, where you are based, and how to reach you.
  2. The categories of personal data you collect.
  3. Why you collect each category.
  4. Your legal basis under GDPR Article 6, when you serve EU or UK users.
  5. The cookies you set and how consent is handled.
  6. The recipients you share data with, or a statement that you share with nobody.
  7. How long you keep the data and what happens when that period ends.
  8. Whether you transfer data outside the EU or the UK, and the safeguard you rely on when you do.
  9. The GDPR rights of access, rectification, erasure, restriction, portability, and objection, plus the right to lodge a complaint with a supervisory authority under Article 77.
  10. The CCPA rights to know, delete, correct, opt out of sale or sharing, limit the use of sensitive information, and be free from retaliation for using any of them.
  11. A "Do Not Sell or Share My Personal Information" section, when California applies and you sell or share, naming the categories you sell or share and who receives them.
  12. A children's section citing COPPA or GDPR Article 8, depending on the age you set.

Every document carries this line: "Draft template - not legal advice. Have qualified counsel review before publishing."

Which document do I need?

Three documents get confused with each other constantly. They answer different questions, and most sites end up publishing all three.

Privacy policy

What personal data you collect, why, who you share it with, and how people exercise their rights. Required as soon as you collect an email address. This is the document you are generating above.

GDPR Art. 13, CCPA notice at collection

Cookie policy

The specific cookies and trackers you set, what each one does, how long it lasts, and how someone withdraws consent. This is the page a consent banner links to.

The policy above covers your cookie categories, not each individual cookie. Generate a cookie policy

Terms and conditions

The contract between you and your users: what you promise, what they agree to, how accounts end, and who is liable when something goes wrong. Not a privacy document at all.

Generate terms and conditions

Working with a vendor that processes personal data for you? That relationship also needs a data processing agreement under GDPR Article 28, which is a contract between the two of you rather than a notice to the public.

Built for every kind of business

A solo store and a growing SaaS need the same disclosures written about different practices. The form scopes the policy to how you actually operate. If you collect personal data through forms, BlockSurvey handles that side with GDPR-ready surveys, where responses are encrypted before they reach a server.

E-commerce stores

Cover payment processors, shipping partners, and abandoned-cart email in one document, and satisfy the policy link Shopify and Stripe both ask for.

SaaS and web apps

Name your hosting, analytics, and support tools as processors, and state a legal basis for each purpose before an enterprise buyer asks you to.

Mobile apps

Get the published policy URL that App Store Connect and Google Play both require before a build can ship, and keep it consistent with your data safety answers.

Agencies and freelancers

Draft a starting policy for a client site in a few minutes, hand the Word file to their counsel, and publish the HTML once it comes back approved.

Bloggers and creators

Say what your analytics, newsletter, and ad network actually do with reader data, which is what ad networks and affiliate programs check for.

Startups

Publish a real policy on day one instead of a copied one, and update it as your stack changes rather than after a customer's security review flags it.

Collecting personal data through forms or surveys?

A policy describes what you do with data. BlockSurvey changes what you can do with it: responses are encrypted on the respondent's device, so the server stores nothing readable. Collect with privacy-first, GDPR-ready surveys.

More free privacy tools

Browse all privacy tools

These tools run in your browser because that is how we build everything. The same idea, applied to research: privacy-first surveys with end-to-end encryption.

Frequently asked questions

What is a privacy policy and do I need one?

A privacy policy is the public notice that tells people what personal data you collect, why you collect it, who you share it with, and how they can get it deleted. You need one as soon as you collect any personal data, including an email address on a contact form. The GDPR requires this notice under Articles 13 and 14, the CCPA requires it for businesses that meet its thresholds in California, and Apple, Google, Shopify, and Stripe all require a published policy before you can go live.

Which laws does this privacy policy generator cover?

It covers the GDPR and the CCPA as amended by the CPRA. The GDPR sections carry the disclosures Articles 13 and 14 ask for: who the controller is, what you collect, why, the legal basis under Article 6, who receives the data, how long you keep it, whether it leaves the EU, and the rights in Chapter 3, including the right under Article 77 to complain to a supervisory authority. The CCPA sections carry the notice at collection, the categories of personal information, whether you sell or share any of it and with whom, the rights to know, delete, correct, opt out, and limit the use of sensitive information, and the rule against retaliating when someone uses them. Answer the two questions about EU and California users and the matching sections appear.

Is this a substitute for legal advice?

No. This tool generates a starting-point privacy policy aligned with the GDPR and the CCPA, but it is not legal advice and may not cover every requirement for your business or jurisdiction. Have it reviewed by qualified legal counsel before you publish or rely on it.

Does my data leave the browser?

No. The form and the document are held in the memory of the page you are looking at. Your business name, contact email, and every answer you give are turned into the policy by JavaScript running on your device, and the downloads are built there too. Nothing is posted to a server, which is why the tool needs no account.

What formats can I download?

HTML, Word (.doc), and PDF, plus a plain-text copy you can paste anywhere. The HTML file is the one to hand to a developer or paste into a CMS page, the Word file is for a lawyer to mark up, and the PDF is for your records.

Do I need a cookie policy and terms as well?

Usually yes, and they are different documents. A privacy policy explains what you do with personal data. A cookie policy explains the specific cookies and trackers you set and is what a consent banner links to. Terms and conditions are the contract between you and your users. Many sites publish all three and link them from the footer.

How often should I update my privacy policy?

Review it whenever what you do with data changes: a new analytics tool, a new payment processor, a new country, a new category of data. Both the GDPR and the CCPA expect the notice to describe your current practice, not your practice from two years ago. Change the effective date each time you republish and keep the old version on file.

Does the generated policy work for a Shopify store or a mobile app?

Yes. Pick the matching entity type in the form and describe the data you actually collect, and the document adjusts. App stores have their own extra requirements: Apple wants a privacy policy link in App Store Connect and a filled-in privacy nutrition label, and Google Play wants a policy URL plus a Data safety form. The policy you generate here satisfies the link requirement; the store forms still need to be filled in to match it.

Do you store what I enter into the form?

No. The policy is assembled in your browser from your answers and nothing you type is sent to or kept on a server. Copy or download the result before leaving the page, since reloading clears the form.

How is this different from a paid privacy policy generator?

Paid generators charge for the same GDPR/CCPA clauses and often gate the download or add a watermark. This one produces the same coverage with no sign-up, no watermark, and no cap on regenerating it, because there is no backend metering usage.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.